WARNING: Virus Hidden In IMAGES

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1

    Bad bug...really bad! Microsoft security guys scrambling.

    This virus hides in graphic files and auto infects Windows PCs that simply visit the page on which the image is located.

    Bad news: Microsoft won't have a fix for it until next Tuesday, January 10th.
    Good news: The SANS group has developed one in the meantime.

    More Info: http://money.cnn.com/2006/01/03/tech...ex.htm?cnn=yes

    Link to SANS fix
    http://isc.sans.org/diary.php?storyid=1010

  • #2
    This is true, though as I understand it the only format involved is WMV files, not any normal still web format. However, they can be embedded in any webpage or email, and don't need to be "opened" to do their damage. Even Firefox is vulnerable, but less so (it asks first if you want to view WMV files).
    Learn by teaching
    Take responsibility for learning



    • #3
      I am concerned about this, though I don't open many unknown sites, except Yahoo and Google when searching for images (!!!). But what are WMV files? Or what do the initials stand for?

      Thanks - Martha



      • #4
        Originally posted by Marthig
        I am concerned about this, though I don't open many unknown sites, except Yahoo and Google when searching for images (!!!). But what are WMV files? Or what do the initials stand for?

        Thanks - Martha
        It's not WMV files; those are Windows Media Player files. It's WMF, or Windows Metafiles.



        • #5
          Yes, I should have typed WMF instead of WMV.

          Here's the info from MS:
          http://www.microsoft.com/technet/sec...ry/912840.mspx

          "Does this vulnerability affect image formats other than Windows Metafile (WMF)?
          The only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation."
          Learn by teaching
          Take responsibility for learning



          • #6
            Some of the best and earliest information on this security problem came from Steve Gibson. There is an unofficial fix for the problem developed by Ilfak Guilfanov. If you want to see further information on this, go to

            http://www.grc.com/sn/notes-020.htm



            • #7
              Here is another source of information about this: http://securityresponse.symantec.com...ent/16074.html

              What I want to know is in this:
              Description
              Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. This issue affects the 'SetAbortProc' function.
              What is the WMF and what is the 'graphics rendering engine'? Is this graphics engine something that we ALL have, or is it something that is only used by some programs? I've never even seen a .wmf file or know of anything that even recognizes it. Do Painter and PSP and PS recognize these formats, for instance, and if not, would we then be vulnerable to this thing?

              From what I can see on the Symantec site, the only things affected by this are these:
              Platforms Affected
              Avaya DefinityOne Media Servers
              Avaya IP600 Media Servers
              Avaya S3400 Message Application Server
              Avaya S8100 Media Servers

              Components Affected
              IBM Lotus Notes 6.5
              IBM Lotus Notes 6.5.1
              IBM Lotus Notes 6.5.2

              craig



              • #8
                WMF = Windows MetaFile

                A metafile is a list of commands that can be played back to draw a graphic. Typically, a metafile is made up of commands to draw objects such as lines, polygons and text and commands to control the style of these objects. NOTE: Some people equate metafiles with vector graphics. In most cases this is fine; but, strictly speaking, a metafile can contain any mix of vector and raster graphics. For example, a metafile could contain just one command to display a bitmap! Unless the distinction is important, we will consider a metafile to be a kind of vector graphic in this FAQ.

                A Windows metafile is a 16-bit metafile that can be used by Windows 3.x, Windows 95, 98 and Windows NT to display a picture.

                Most Windows programs support WMF files.

                Microsoft's Advisory http://www.microsoft.com/technet/sec...ry/912840.mspx is, as usual, woefully misleading and naive as to the risk posed by this exploit. We have already seen victims infected by this exploit, and it's a horror.

                Best advice is to download the unofficial patch by Ilfak Guilfanov http://www.grc.com/sn/notes-020.htm until the official Microsoft patch becomes available.
                It is easily removed by uninstalling, using Add/Remove programmes in Control Panel. The program is "Windows WMF Metafile Vulnerability Hotfix 1.2".

                Uninstall it before downloading the Microsoft patch to avoid possible conflicts.

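                The two technical points in the thread, that a WMF is a list of drawing records played back by the rendering engine (#8), and that a WMF renamed to another image extension is still recognised and rendered as a WMF (the advisory quoted in #5), both suggest the same defensive check: identify WMF content by its header rather than by its file name, and then walk the records to see what the file would ask the engine to do. The following is an added example written for this page; it is not code from the thread, from Microsoft, SANS or Ilfak Guilfanov. The header layout, record layout and constants (placeable key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC escape 9) are assumed from the public MS-WMF format documentation; the sample files are constructed inline and carry only an empty escape record, no payload. The placeable-header checksum is not validated.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# Constants assumed from the MS-WMF format documentation (not from the thread).
PLACEABLE_KEY = 0x9AC6CDD7        # "placeable" metafile magic preceding the real header
PLACEABLE_HEADER_LEN = 22
WMF_HEADER_LEN = 18               # standard METAHEADER: 9 WORDs
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_RECTANGLE = 0x041B
ESCAPE_SETABORTPROC = 0x0009


def sniff_wmf(data: bytes) -> Optional[int]:
    """Return the byte offset of the METAHEADER if `data` is a WMF (whatever its
    extension), otherwise None. Mirrors the point in the advisory: content, not name."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + WMF_HEADER_LEN:
        return None
    mtype, header_size, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = in-memory, 2 = on-disk; header is always 9 words; version 0x0100/0x0300.
    if mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data: bytes, header_off: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (function, parameter bytes) for each record: the 'list of commands'
    described in post #8. Each record is a DWORD size in words, a WORD function,
    then parameters. Stops at META_EOF or at a truncated/malformed record."""
    pos = header_off + WMF_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            break                      # malformed record, do not trust the rest
        yield func, data[pos + 6:pos + size]
        if func == META_EOF:
            break
        pos += size


def scan_image(name: str, data: bytes) -> List[str]:
    """Defensive triage of one image file: flag WMF content hiding behind another
    extension, and flag any escape record that names SETABORTPROC."""
    findings: List[str] = []
    off = sniff_wmf(data)
    if off is None:
        return findings                # not a WMF at all, nothing to say here
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext != "wmf":
        findings.append(f"WMF content behind .{ext} extension")
    for func, params in iter_records(data, off):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESCAPE_SETABORTPROC:
                findings.append(
                    f"META_ESCAPE SETABORTPROC record ({byte_count} bytes of escape data)")
    return findings


# --- constructed sample files (test fixtures, not real malware) ---------------

def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    total_bytes = 4 + 2 + len(params)
    return struct.pack("<IH", total_bytes // 2, func) + params


def build_wmf(records: List[bytes]) -> bytes:
    """Assemble a minimal on-disk WMF: METAHEADER, the given records, META_EOF."""
    body = b"".join(records) + _record(META_EOF)
    max_record_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (WMF_HEADER_LEN + len(body)) // 2, 0, max_record_words, 0)
    return header + body


# A harmless drawing: one rectangle record.
BENIGN_WMF = build_wmf([_record(META_RECTANGLE, struct.pack("<hhhh", 100, 100, 0, 0))])
# Same file with a placeable header in front (checksum left at 0, not validated above).
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + BENIGN_WMF
# A file whose only record is an empty SETABORTPROC escape, the record type the
# advisory's 'SetAbortProc' wording refers to; there is no payload in it.
SUSPICIOUS_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 0))])

if __name__ == "__main__":
    for fname, blob in [("diagram.wmf", BENIGN_WMF), ("holiday.jpg", SUSPICIOUS_WMF),
                        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)]:
        print(fname, scan_image(fname, blob) or "clean / not WMF")
```

Run as a script it prints one line per constructed file; `holiday.jpg` is reported both for the extension mismatch and for the escape record, while the PNG is ignored because its first bytes never match a WMF header. The same two functions can be pointed at a mail attachment quarantine or a web proxy cache to inventory what would be handed to the rendering engine.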


                • #9
                  No Sweat!

                  I have my RestoreIT point all freshened up and ready to negate any problems.



                  • #10
                    Now I recall, so you did.

                    One of the senior helpers at MRU got hit with this on his m/c on 24th Dec, it went straight through his perimeter defences no trouble. Even hovering your mouse near to the infected link was enough to activate the loader.

                    Luckily his internal defences stopped the download, so it was only necessary to get rid of the loading mechanism, a full infection was avoided.

                    nuff said.



                    • #11
                      Thanks, guys!

                      Thanks, silica, Doug, Craig, Chris, Gary -- I've downloaded the fix from Gibson's site and downloaded the vulnerability test --- ran it before and after, with the after showing the fix worked.

                      At least I'm safer now until Microsoft has their fix ready "officially" (below is info from Gibson's site that says the Microsoft fix has been leaked and that Ilfak's fix can be removed AFTER the Microsoft fix is applied).

                      From http://www.grc.com/sn/notes-020.htm
                      "As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update.

                      Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher."
                      Last edited by CJ Swartz; 01-05-2006, 10:03 AM. Reason: added update from grc.com



                      • #12
                        Glad to know the patch can be removed after installing the Microsoft fix. Thanks for that, CJ.



                        • #13
                          I installed Microsoft's fix, and removed Ilfak's fix and ran his vulnerability tester and still passed (after re-booting -- it shows your computer as vulnerable until you re-boot). Hopefully, this will be the last for a month or two...



                          • #14
                            Chris or Gary or ??

                            Will one of you guys please check out what happened to byRo when his computer malfunctioned after installation of the "fix"?

                            http://www.retouchpro.com/forums/showthread.php?t=12481



                            • #15
                              Looks like Windows Explorer (explorer.exe) got corrupted in some way (probably corrupted registry settings).

                              Have posted a possible way to get out of this for anyone who gets these symptoms. (see byRo's post).
