WARNING: Virus Hidden In IMAGES

  #1  
Old 01-04-2006, 07:31 AM
stonercreek stonercreek is offline
Junior Member
 
Join Date: Jan 2006
Posts: 1

Bad bug...really bad! Microsoft security guys scrambling.

This virus hides in graphic files and auto infects Windows PCs that simply visit the page on which the image is located.

Bad news: Microsoft won't have a fix for it until next Tuesday, January 10th.
Good news: The SANS group has developed one in the meantime.

More Info: http://money.cnn.com/2006/01/03/tech...ex.htm?cnn=yes

Link to SANS fix
http://isc.sans.org/diary.php?storyid=1010
  #2  
Old 01-04-2006, 08:26 AM
Doug Nelson Doug Nelson is offline
Janitor
 
Join Date: Aug 2001
Posts: 7,068
Blog Entries: 21
This is true, though as I understand it the only format involved is WMV files, not any normal still web format. However, they can be embedded in any webpage or email, and don't need to be "opened" to do their damage. Even Firefox is vulnerable, but less so (it asks first if you want to view WMV files).
  #3  
Old 01-04-2006, 08:49 AM
Marthig Marthig is offline
Senior Member
 
Join Date: Apr 2005
Location: Buenos Aires, Argentina
Posts: 325
I am concerned about this, though I don't open many unknown sites, except Yahoo and Google when searching for images (!!!). But what are WMV files? Or what do the initials stand for?

Thanks - Martha
  #4  
Old 01-04-2006, 09:58 AM
silica silica is offline
Junior Member
 
Join Date: Aug 2003
Posts: 3
Quote:
Originally Posted by Marthig
I am concerned about this, though I don't open many unknown sites, except Yahoo and Google when searching for images (!!!). But what are WMV files? Or what do the initials stand for?

Thanks - Martha

It's not WMV files; those are Windows Media Player files. It's WMF, or Windows metafiles.
  #5  
Old 01-04-2006, 10:07 AM
Doug Nelson Doug Nelson is offline
Janitor
 
Join Date: Aug 2001
Posts: 7,068
Blog Entries: 21
Yes, I should have typed WMF instead of WMV.

Here's the info from MS:
http://www.microsoft.com/technet/sec...ry/912840.mspx

"Does this vulnerability affect image formats other than Windows Metafile (WMF)?
The only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation."
  #6  
Old 01-04-2006, 12:55 PM
silica silica is offline
Junior Member
 
Join Date: Aug 2003
Posts: 3
Some of the best and earliest information on this security problem came from Steve Gibson. There is an unofficial fix for the problem developed by Ilfak Guilfanov. If you want to see further information on this, go to

http://www.grc.com/sn/notes-020.htm
  #7  
Old 01-05-2006, 12:13 AM
Craig Walters Craig Walters is offline
Senior Member
 
Join Date: Apr 2005
Location: somewhere over there
Posts: 8,786
Blog Entries: 4
here is another source of information about this: http://securityresponse.symantec.com...ent/16074.html .

what i want to know is in this:
Quote:
Description
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. This issue affects the 'SetAbortProc' function.

what is the WMF and what is the 'graphics rendering engine'? is this graphics engine something that we ALL have or is it something that is only used by some programs? i've never even seen a .wmf file or know of anything that even recognizes it. do painter and psp and ps recognize these formats, for instance and if not, would we then be vulnerable to this thing?

from what i can see on the symantec site, the only things affected by this are these:
Platforms Affected
Avaya DefinityOne Media Servers
Avaya IP600 Media Servers
Avaya S3400 Message Application Server
Avaya S8100 Media Servers

Components Affected
IBM Lotus Notes 6.5
IBM Lotus Notes 6.5.1
IBM Lotus Notes 6.5.2

craig
  #8  
Old 01-05-2006, 03:06 AM
Gary Richardson Gary Richardson is offline
Senior Member
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
WMF = Windows MetaFile

A metafile is a list of commands that can be played back to draw a graphic. Typically, a metafile is made up of commands to draw objects such as lines, polygons and text and commands to control the style of these objects. NOTE: Some people equate metafiles with vector graphics. In most cases this is fine; but, strictly speaking, a metafile can contain any mix of vector and raster graphics. For example, a metafile could contain just one command to display a bitmap! Unless the distinction is important, we will consider a metafile to be a kind of vector graphic in this FAQ.

A Windows metafile is a 16-bit metafile that can be used by Windows 3.x, Windows 95, 98 and Windows NT to display a picture.

Most Windows programs support WMF files.

Microsoft's Advisory http://www.microsoft.com/technet/sec...ry/912840.mspx is, as usual, woefully misleading and naive as to the risk posed by this exploit. We have already seen victims infected by this exploit, and it's a horror.

Best advice is to download the unofficial patch by Ilfak Guilfanov http://www.grc.com/sn/notes-020.htm until the official Microsoft patch becomes available.
It is easily removed by uninstalling, using Add/Remove programmes in Control Panel. The program is Windows WMF Metafile Vulnerability Hotfix 1.2.

Uninstall it before downloading the Microsoft patch to avoid possible conflicts.
Reply With Quote top
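Added example, not part of the thread and not code from any vendor or author mentioned in it: a content-based check in Python that follows from the advisory text quoted in post #5 (a WMF renamed to another image extension is still rendered as a WMF) and from the description of a metafile as a list of records. It recognises a WMF by its header rather than its file name and flags Escape records whose sub-function is SETABORTPROC; the function names and verdict strings are hypothetical, and the sample file is constructed and carries no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # record function: Escape
SETABORTPROC = 0x0009       # Escape sub-function named in the advisory
META_EOF = 0x0000

def scan_wmf(data):
    """Return (is_wmf, setabortproc_offsets, malformed), judged on content only."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return False, [], False
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return False, [], False
    hits, pos = [], off + 18
    while True:  # walk records: DWORD size in 16-bit words, WORD function
        if pos + 6 > len(data):
            return True, hits, True          # ran out of data before META_EOF
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            return True, hits, True          # impossible record size
        if func == META_EOF:
            return True, hits, False
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2

def triage(name, data):
    """Verdict for one file; the extension is compared, never trusted."""
    is_wmf, hits, malformed = scan_wmf(data)
    if not is_wmf:
        return "not-wmf"
    if hits:
        return "wmf-setabortproc"
    if malformed:
        return "wmf-malformed"
    return "wmf" if name.lower().endswith(".wmf") else "wmf-disguised"

def _record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def sample_wmf(with_escape):
    """Constructed, inert sample: header, optional empty Escape record, EOF."""
    body = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) if with_escape else b""
    body += _record(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 5, 0) + body
```

To check a real file, pass its name and raw bytes to `triage`; a `wmf-disguised` or `wmf-setabortproc` verdict on something named `.jpg` or `.gif` is the case the advisory describes.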
  #9  
Old 01-05-2006, 09:09 AM
rondon rondon is offline
Senior Member
 
Join Date: Mar 2002
Location: north central florida
Posts: 470
No Sweat!

I have my RestoreIT point all freshened up and ready to negate any problems.
  #10  
Old 01-05-2006, 09:40 AM
Gary Richardson Gary Richardson is offline
Senior Member
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,717
Now I recall, so you did.

One of the senior helpers at MRU got hit with this on his m/c on 24th Dec; it went straight through his perimeter defences, no trouble. Even hovering your mouse near to the infected link was enough to activate the loader.

Luckily his internal defences stopped the download, so it was only necessary to get rid of the loading mechanism; a full infection was avoided.

nuff said.