Update on the WMF Exploit

Not a whole lot has been happening on the exploit front. Much talk has been over whether or not Windows 9x is actually vulnerable. From what I read, it seems Windows 9x, by default, is not vulnerable. But the user can install third-party software that could open up an attack vector.

Another issue regarding the older versions of Windows, especially Windows 98, was that users of older systems were worried about not being supported by Microsoft in Tuesday’s upcoming patch. Yeah, that’s something I forgot to mention. Microsoft decided against releasing a patch for the WMF exploit early and deferred it to next Tuesday’s regular update schedule. It does seem that Windows 98 users should be included in this update, but there is no official word thus far.

Amid the update news, it seems Steve Gibson, of GRC.com, has gotten a hold of a leaked copy of the upcoming patch for this exploit. It is just a recoded version of GDI32.DLL and will work just fine with the unofficial patch still installed. Gibson said in the GRC newsgroups, “The new replacement GDI32.DLL, which is the only thing replaced, is dated 12/28/2005 at 6:54 PM … so they clearly jumped on this right now.” So it seems like Microsoft can’t be ripped on too much for not working to fix this issue in a timely fashion. Testing the fix is the main time consumer at this time, as Microsoft doesn’t want to introduce a new bug or break systems through the patch. That might be an even worse black eye in the public opinion than the WMF exploit.

For once, I can’t be too angry at Microsoft for slow playing a patch.


More on the WMF Exploit

Quite a lot has happened since I last posted about the security issue, and I am still trying to read up on everything that has happened. The situation has gotten worse, much worse. We are seeing very fast mutation of the attacks, with a “second generation” attack coming out one day after the first. Read on for more info.

The brief rundown: Early December 31, a patch was issued by Ilfak Guilfanov that will temporarily fix the situation. Normally, I wouldn’t suggest installing 3rd-party patches to the operating system. But all the security experts that I have read are saying that this is a must right now. For more information on the patch, look to http://www.hexblog.com/2005/12/wmf_vuln.htm, http://www.grc.com/sn/notes-020.htm, http://www.f-secure.com/weblog/archives/archive-122005.html#00000756.

Especially look at the F-Secure link; they have a concise set of steps to take to secure your computer at the present time.

Next on the timeline, later on the 31st, the first WMF exploit worm was found.
“It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.

We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to “http://[snip]/xmas-2006 FUNNY.jpg”.”
-Viruslist.com Weblog, full post at: http://www.viruslist.com/en/weblog?discuss=176892530&return=1.

This so far seemed to be an isolated event, with only about 1000 infections.

On the 1st, an email-based attack of this exploit was found. Details can be found here: http://www.f-secure.com/weblog/archives/archive-012006.html#00000759. Be wary of emails with subjects like “Happy New Year” that contain an image attachment of “HappyNewYear.jpg”.
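An added example (not from the original post or the sources it links): the lure files named above carry a .jpg name, but Windows picks the renderer from a file's content rather than its extension, so a mail or proxy filter can flag image-named files whose leading bytes are a WMF header. The function names and the sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # signature of the optional "placeable" WMF pre-header
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")


def _is_standard_header(buf):
    """True if buf starts with a standard 18-byte WMF header."""
    if len(buf) < 18:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", buf, 0)
    # Type is 1 (memory) or 2 (disk), header size is 9 words,
    # version is 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data):
    """Identify WMF content from the leading bytes, ignoring the file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    return _is_standard_header(data)


def flag_disguised(name, data):
    """True when a file is named like a common image but contains WMF data."""
    return name.lower().endswith(IMAGE_EXTS) and looks_like_wmf(data)


# Constructed samples: a minimal, harmless metafile (header + end-of-file record),
# the same metafile behind a placeable pre-header, and the start of a real JPEG.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0) + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

if __name__ == "__main__":
    for name, data in [("HappyNewYear.jpg", SAMPLE_WMF),
                       ("HappyNewYear.jpg", SAMPLE_JPEG),
                       ("chart.gif", SAMPLE_PLACEABLE)]:
        print(name, "-> disguised WMF" if flag_disguised(name, data) else "-> ok")
```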

That is a brief recap; follow the links posted above for a detailed explanation of the problem. If you are stuck using a Windows machine, please be very careful browsing the web, checking email, and using IM clients. The problem is very bad: even visiting the wrong website will infect your computer. I would highly suggest installing the 3rd-party patch for this problem and uninstalling it when Microsoft finally releases an official one.

These are the times when I am glad to be using a Linux box.

*UPDATE*

I forgot a pretty important link on the situation. Ilfak Guilfanov also has come up with a program that checks if you are vulnerable. It only checks one variant of the problem right now, but it is still better than nothing. I would highly suggest running this application as well. It can be found here: http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

*UPDATE Number 2*

Check out the SANS blog for a complete FAQ on this situation. http://isc.sans.org/diary.php?storyid=994


Welcome

This is my first blog post at my official Simply Tech site. I have been blogging a little on a more personal level at www.homesauce.wordpress.com. As I and my podcasting co-host Zach get back to school, we will be working on a new site design of Gamer-Station. Then, hopefully by February 1st, we can start focusing on Simply Tech and give you great, informative tech content.

Oh, and an aside for Windows users. Watch out for the new vulnerability in Windows XP, and possibly older versions as well. An error in the way Microsoft renders Windows Meta Files (WMF) can allow attackers to gain access to your computer and install various software. There is a partial fix floating around the internet right now, but that is said to fix only a part of the problem. Be careful viewing any pictures until Microsoft issues a patch; it is as simple as viewing a webpage to get infected.

Links for those who want to know more:

http://isc.sans.org/diary.php

http://secunia.com/advisories/18255/

http://www.kb.cert.org/vuls/id/181038

http://www.microsoft.com/technet/security/Bulletin/MS05-053.msp

http://news.bbc.co.uk/1/hi/technology/4566504.stm
