URGENT: New Windows WMF File Vulnerability Exploit
On December 28, 2005, a new Windows zero-day exploit was released concerning a design feature in Windows which allows an external program to be executed in the event that a WMF file can't be successfully loaded. It is possible to install a Malware program onto a Windows machine and have Windows itself execute the program by having the user load a bad WMF file using email, a Web browser, IM, or viewing the file using the Thumbnail view in Windows Explorer. The WMF file can have any file extension and the exploit will still run. This exploit affects ALL VERSIONS OF WINDOWS starting with Windows 95.
This is a very effective and easily exploitable vulnerability. Over fifty Malware programs have so far been identified as using it. More are certainly being created, and this problem will be in the news for weeks to come. This vulnerability makes the Sony BMG rootkit look like script kiddie stuff.
Although Microsoft has not yet issued an effective solution for this vulnerability, an independent programmer, Ilfak Guilfanov, has released a tool that permanently fixes the vulnerability for Windows NT, 2000, XP, Server 2003, and 64-bit XP. (There is no known fix for Windows 9x and ME.)
The security researcher Steve Gibson worked with Ilfak to create this tool and fully endorses its effectiveness. You can download the fix from Gibson's Security Now web site at http://grc.com/sn/notes-020.htm, or directly from Ilfak's web site at http://www.hexblog.com/2005/12/wmf_vuln.html. The full source code to the tool is also on Ilfak's Web site.
If you do not think that your Web browsing, file downloading, and image file viewing habits put you at an immediate risk, then you may prefer to wait until an official patch is released by Microsoft. When such a patch will be available is not currently known.
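The post's point that the file extension does not matter means any defensive check has to look at the bytes, not the name. The following is an added example (not from the post, not Ilfak's tool) that identifies WMF content by its header and reports whether the metafile carries the GDI escape record that registers an abort callback; the record and escape numbers (META_ESCAPE 0x0626, SETABORTPROC 0x0009) come from the WMF format and are the path behind this flaw, though the post itself does not name them. The two sample files are constructed inline for the demonstration.

```python
import struct

# Windows Metafile constants (from the WMF format, not named in the post above)
PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte "placeable" header key
META_ESCAPE = 0x0626        # record type that passes data to a GDI escape
SETABORTPROC = 0x0009       # escape that registers a callback (the MS06-001 path)
META_SETMAPMODE = 0x0103    # an ordinary drawing record, used for the benign sample

def parse_wmf(data: bytes):
    """Return (is_wmf, escape_codes); identification is by header, not extension."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        return False, []
    mtype, hsize, ver = struct.unpack_from("<HHH", data, off)
    # mtType 1=memory/2=disk, header is 9 words, version 0x0100 or 0x0300
    if mtype not in (1, 2) or hsize != 9 or ver not in (0x0100, 0x0300):
        return False, []
    off += 18
    escapes = []
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)  # size in 16-bit words
        if rd_size < 3 or func == 0:  # malformed record or META_EOF: stop
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escapes.append(struct.unpack_from("<H", data, off + 6)[0])
        off += rd_size * 2
    return True, escapes

def assess(data: bytes) -> str:
    """Classify a blob: 'not-wmf', 'wmf', or 'suspicious' when SETABORTPROC is escaped."""
    is_wmf, escapes = parse_wmf(data)
    if not is_wmf:
        return "not-wmf"
    return "suspicious" if SETABORTPROC in escapes else "wmf"

# Constructed samples (not real malware): a benign metafile and one carrying the escape
def _record(func, *words):
    return struct.pack("<IH", 3 + len(words), func) + b"".join(struct.pack("<H", w) for w in words)

def _wmf(records):
    body = b"".join(records) + _record(0)  # append META_EOF
    longest = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, longest, 0) + body

BENIGN_SAMPLE = _wmf([_record(META_SETMAPMODE, 8)])
SUSPECT_SAMPLE = _wmf([_record(META_ESCAPE, SETABORTPROC, 0)])
```

Because the verdict is computed from the bytes, `assess(SUSPECT_SAMPLE)` returns "suspicious" whether the file was saved as .wmf, .jpg or .gif; a mail or proxy filter keyed on extension alone would miss it.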
Comments
rossonieri#1 (Member, Posts: 799)
You are right, JD.
This is everybody's problem right now.
We want to protect our network as safely as possible, but new exploits on Windows machines come every day, I guess.
First we use anti-virus, then firewall, then proxies to protect general internet access, limiting users/type access, but now *.PPS encapsulating pictures, *.DOC containing executable script, etc...
Anybody has a better idea to stop this??
The more I know, that is more and more I don't know.
TheShadow (Member, Posts: 1,057)
Thanks for the link JD. I did not know that someone had a fix yet. Every year now MS seems to get caught during the holidays.
Every day is the dawn of a new error.
Who knows what evil lurks in the heart of technology?... The Shadow DO
JDMurray (Admin, Posts: 13,101)
SANS just blessed Ilfak Guilfanov's unofficial patch for the Windows WMF flaw. That makes it as good as it can get.
http://isc.sans.org/diary.php?storyid=1010
Plantwiz (Mod, Posts: 5,057)
Nice to see MS is expected to have a patch around the 10th of Jan.
Plantwiz
_____
"Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux
***I'll add you can capitalize the word 'I' to show a little respect for yourself too.
'i' before 'e' except after 'c'.... weird?
JDMurray (Admin, Posts: 13,101)
Yes, Microsoft reports that they will release their official WMF vulnerability patch on January 10th. I guess "quality" takes a long time.
http://www.cnn.com/2006/TECH/internet/01/04/microsoft.patch.reut/index.html
Plantwiz (Mod, Posts: 5,057)
Yes, that's it! Quality.
JDMurray (Admin, Posts: 13,101)
Plantwiz wrote: Yes, that's it! Quality.
Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.
Plantwiz (Mod, Posts: 5,057)
jdmurray wrote:
Plantwiz wrote: Yes, that's it! Quality.
You are correct. I had forgotten what day/date it was too. Good observation Master Sleuth.
Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.
I would hope it will, since all versions are at risk. Or does that fall into the 'they are obsolete?' Security issues were supposed to be maintained, or so I thought.
darkuser (Member, Posts: 620)
microsoft caved ..... they are releasing the patch @ 5pm est today !!!!
see
http://isc.sans.org
they've been ranting for two weeks .......
rm -rf /
JDMurray (Admin, Posts: 13,101)
darkuser wrote: microsoft caved ..... they are releasing the patch @ 5pm est today !!!!
Security Update for Windows XP (KB912919)
Typical download size: 196 KB , less than 1 minute
A remote code execution security issue has been identified in the
Graphics Rendering Engine that could allow an attacker to remotely
compromise your Windows-based system and gain control over it.
Yada, yada, yada, ...
http://go.microsoft.com/fwlink/?LinkId=58471
mobri09 (Users Awaiting Email Confirmation, Posts: 723)
Thanks for keeping us all updated about the flaw JDMurray!
I just downloaded the patch.
TheShadow (Member, Posts: 1,057)
Microsoft is wasting no time with it. 4 of the 8 systems in my lab had it installed when I got home. So I will have to see if they destroy themselves before I update the rest. Just started reading the dshield list for the day and saw a funny quote.
"It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports."
Who knows what evil lurks in the heart of technology?... The Shadow DO
JDMurray (Admin, Posts: 13,101)
Let's hear it for Windows users pounding on Microsoft!
CNN.com - Windows users pushed Microsoft to release patch - Jan 6, 2006
http://www.cnn.com/2006/TECH/internet/01/06/wmfflaw/index.html
Also, on the Security Now! podcast, Steve Gibson and Leo Laporte talk in depth about this vulnerability and interview the creator of the first patch for it.
http://thisweekintech.com/sn21