Serious Windows Vulnerability
#1
Banned
Thread Starter
Join Date: Jan 2005
Location: San Francisco Bay area
Posts: 2,882
Likes: 0
Received 0 Likes on 0 Posts
My Ride: '05 545i, silver gray, black leather with anthracite maple wood, sport package, premium sound, navigation, cold weather package, electric rear sunshade, folding rear seat, satellite radio prep, PIAA 4150K fogs, red rear reflectors, hardwired Valentine One
There's a serious vulnerability in Windows--see WSJ story below for details.
Microsoft will release a fix next Tuesday, so you can follow the instructions here to protect your PCs in the meanwhile:
http://isc.sans.org/
I've included the important steps here:
* What can I do to protect myself?
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type regsvr32 -u %windir%\system32\shimgvw.dll (without quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.
http://online.wsj.com/article/BT-CO-200601...ml?mod=INDUSTRY
NEW YORK -- Microsoft Corp. (MSFT) plans to release a patch for a new security flaw at its next scheduled update release on Jan. 10, leaving users largely unprotected until then from a rapidly spreading computer virus strain known as "metasploit."
"Microsoft's delay is inexcusable," said Alan Paller, director of research at computer security group SANS Institute. "There's no excuse other than incompetence and negligence."
SANS Institute, via its Internet Storm Center, has taken the unusual step of releasing its own patch for the problem until a Microsoft-approved fix is available. "It's not something we like to do," said Paller.
The Internet Storm Center, which tracks viruses and other outbreaks on the Web, increased the threat level to "yellow" -- a warning that means a significant new threat is developing.
Microsoft said evaluation and testing affect the timing of security patches. "Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update," Microsoft said in a security advisory on its Web site.
The attack is the latest to hit Microsoft, despite its redoubled efforts to respond to security threats. With more than 90% of personal computers running Windows, it represents the biggest target for hackers.
The virus began spreading last week, as hackers took advantage of a previously unknown flaw in Windows Meta File code in what is known as a "zero-day attack."
"The flaw is fairly significant in terms of its reach," said Alain Sergile, product manager at Internet Security Systems Inc.'s (ISSX) X-Force threat analysis service.
The bug was found in current server and desktop versions of Windows and is considered serious because it requires relatively minor user interaction to be unleashed. The virus is carried in picture files and can be triggered if an image is viewed in an email or on an infected Web site.
Johannes Ullrich, chief research officer at SANS Institute, said there are hundreds of Web sites that carry the infected images, and he's tracking the possibility that an online ad service is serving up infected image files. He says 5% to 10% of users appear to be infected, "an order of magnitude more than other attacks."
The virus takes advantage of the way Windows processes Windows Meta Files, or WMF, images. These file types can carry more common .jpg extensions, but still carry the malicious code.
Microsoft recommends users unregister a file called shimgvw.dll. "While this workaround will not correct the underlying vulnerability, it helps block known attack vectors," the software maker says in its security advisory.
#2
Contributors
Join Date: Mar 2005
Posts: 2,573
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 2006 530i Sport
Silver Gray - Black Leather - Anthracite Maple
Manual Transmission
Premium Audio
Cold Weather Package
Rear sunshade
Sirius Radio
Autobahnd Roadblock (3M) film kit
Hrmmm - on one hand I have a pretty potentially bad vulnerability. On the other, I have a piece of code from some random hack that will "fix" everything. I'm just not comfortable, and many of my peers (this is our field) aren't comfortable either. I am not advising... by all means do what you like, but I'm not loading the makeshift fix.
Here's another option (the one I'm currently using) - download the latest iteration of Firefox (stop using IE at least temporarily). It should prompt you before loading any offending material according to the advisory. If you really want to be insane (like me) go into Tools>>>Options>>>Content and uncheck "Load Image". Websites will no longer contain any images making them pretty boring for a while, but hey - you should be safe until Jan 10th when you can get the MS patch. You can add a list of exception websites (perhaps intranet stuff for work) that the browser will load images for.
Again, I am not advising. I am simply offering an alternative and admonishing all to be very very cautious. Remember to think things through and use common sense.
#3
Banned
Thread Starter
Join Date: Jan 2005
Location: San Francisco Bay area
Posts: 2,882
Likes: 0
Received 0 Likes on 0 Posts
My Ride: '05 545i, silver gray, black leather with anthracite maple wood, sport package, premium sound, navigation, cold weather package, electric rear sunshade, folding rear seat, satellite radio prep, PIAA 4150K fogs, red rear reflectors, hardwired Valentine One
Originally Posted by UUronL (post #218799, Jan 3 2006, 02:33 PM)
Hrmmm - on one hand I have a pretty potentially bad vulnerability. On the other, I have a piece of code from some random hack that will "fix" everything. I'm just not comfortable, and many of my peers (this is our field) aren't comfortable either. I am not advising... by all means do what you like, but I'm not loading the makeshift fix.
#4
Senior Members
Join Date: Mar 2005
Location: Queens, NYC
Posts: 702
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 335i Sedan
How about saving yourself all this trouble: head to an Apple store near you and pick up a new Mac mini, or better yet head over to apple.com and order whatever you want! lol
Macintosh - cuz life is too short
#5
Super Moderator
Join Date: Mar 2004
Location: Pittsburgh, PA USA
Posts: 17,310
Likes: 0
Received 2 Likes on 2 Posts
My Ride: G30 M550i
Model Year: 2018
Although stream's link and information are likely accurate, if there is any doubt, the following link will take you to similar information about this vulnerability, but it is from US-CERT -- the most respected cyber security source on the planet (and it just happens to be located right here in my hometown).
http://www.us-cert.gov/cas/techalerts/TA05-362A.html
The link also provides a workaround that will help out until Microsoft does its job...
Thanks stream!
#6
Contributors
Join Date: Jul 2004
Location: Costa Mesa, CA
Posts: 1,591
Likes: 0
Received 0 Likes on 0 Posts
My Ride: Gone: 2004 525i Jet Black, Built 03/04, Premium Package, Black Dakota Leather, Halogen to Euro Spec Bi-Xenons Retrofit, Dark Poplar Wood Trim, Steptronic Breyton Spirit Reps 20x9F 20x10R - Nitto NT555 245/35/20F-275/30/20R, M5 Front Bumper, H&R Sport Springs, Chrome Grills, 20% Tint, Euro Reflectors, Debadged, Aux Input, CIP v19.x
Unofficial patch released:
How does the unofficial patch work?
http://isc.sans.org/diary.php?storyid=994
* The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
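The WSJ piece in the first post says the malicious files arrive as ordinary-looking pictures (often with a .jpg name), and the ISC note above says the hotfix works by refusing any gdi32 Escape() call made with SETABORTPROC (0x09). Those two facts together suggest a simple triage check: ignore the file extension, parse the file as a Windows Metafile, and flag any META_ESCAPE record whose escape code is SETABORTPROC. The scanner below is an added example written for this thread; it is not code from SANS, from Ilfak Guilfanov's patch, or from Microsoft. The record layout (optional 22-byte placeable header keyed 0x9AC6CDD7, 18-byte standard header, record sizes counted in 16-bit words, META_ESCAPE = 0x0626, META_EOF = 0x0000) is the documented WMF format; the function names and the two sample files are mine, and the samples are constructed in the code, not captured from the wild. The "suspicious" sample only carries a SETABORTPROC escape record with zero filler, not an exploit payload.

```python
"""Flag WMF files carrying a META_ESCAPE record with the SETABORTPROC escape code.

Added example for this thread (not SANS, hexblog or Microsoft code). Constants are
from the documented Windows Metafile layout; sample files are constructed below.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7     # Aldus placeable header magic, first 4 bytes
PLACEABLE_HEADER_LEN = 22
STD_HEADER_LEN = 18            # mtType, mtHeaderSize, mtVersion, mtSize, ...
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009          # the escape code the unofficial hotfix blocks


def parse_records(data: bytes):
    """Yield (offset, function, params) for each record; stop at META_EOF.

    Raises ValueError on truncation or an impossible record size, so a hostile
    size field can never make the loop spin forever or read past the buffer.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN          # skip the placeable header if present
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated WMF header")
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2               # rdSize counts 16-bit words, incl. itself
        if size < 6 or off + size > len(data):
            raise ValueError(f"malformed record at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("no META_EOF record")


def find_setabortproc(data: bytes):
    """Return the offsets of every META_ESCAPE record whose escape code is 9."""
    hits = []
    for off, func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data: bytes) -> str:
    """'setabortproc', 'clean', or 'malformed' (a file GDI might reject is not
    thereby safe; report it rather than silently treating it as clean)."""
    try:
        return "setabortproc" if find_setabortproc(data) else "clean"
    except ValueError:
        return "malformed"


# --- constructed sample files (test fixtures, not real-world captures) ---------

def _record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"                   # records are word aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Assemble a minimal standard (non-placeable) WMF from (function, params) pairs."""
    body = b"".join(_record(f, p) for f, p in records) + _record(META_EOF, b"")
    max_record = max((len(_record(f, p)) // 2 for f, p in records), default=3)
    # mtType=2 (disk), mtHeaderSize=9 words, mtVersion=0x300, mtSize, objects, max rec, params
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2,
                         0, max_record, 0)
    return header + body


def placeable(wmf: bytes) -> bytes:
    """Prefix a placeable header; its checksum is the XOR of the first ten words."""
    hdr = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", hdr):
        checksum ^= word
    return hdr + struct.pack("<H", checksum) + wmf


BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                    (META_ESCAPE, struct.pack("<HH", 1, 0))])      # escape 1 = NEWFRAME
SUSPICIOUS = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                        (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)])

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN), ("photo.jpg", SUSPICIOUS),
                       ("placeable.wmf", placeable(SUSPICIOUS)), ("cut.wmf", SUSPICIOUS[:30])):
        print(f"{name:14s} {classify(blob)}")
```

The check keys on content, never on the file name, because the whole point of the reports above is that a SETABORTPROC metafile renamed to .jpg is still handed to the WMF code. It is a triage aid for mail gateways or a downloads folder, not a replacement for the shimgvw.dll workaround or the Jan. 10 update: Escape records also appear in legitimate print-spool metafiles, so a hit means "look at this", and a malformed file is reported rather than waved through.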
#7
Contributors
Join Date: Mar 2005
Posts: 2,573
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 2006 530i Sport
Silver Gray - Black Leather - Anthracite Maple
Manual Transmission
Premium Audio
Cold Weather Package
Rear sunshade
Sirius Radio
Autobahnd Roadblock (3M) film kit
Again, all of that is well and good, but based on an element of trust (unless you've personally inspected the code). Professionals in any field do disagree from time to time. I'm personally not loading any images via my browser (Firefox) for a week.
#8
Contributors
Join Date: Nov 2004
Location: NYC & LI
Posts: 2,460
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Simple1 (post #218863, Jan 3 2006, 09:49 PM)
How about saving yourself all this trouble: head to an Apple store near you and pick up a new Mac mini, or better yet head over to apple.com and order whatever you want! lol
Macintosh - cuz life is too short
...this is definitely the BEST answer to this BS from Windows...never use a PC unless forced (paid) to
just use Safari and your problems are solved....be the 5% rebel not the 95% cattle!!!!!
MAC forever!!!!
#9
Contributors
Join Date: Mar 2005
Posts: 2,573
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 2006 530i Sport
Silver Gray - Black Leather - Anthracite Maple
Manual Transmission
Premium Audio
Cold Weather Package
Rear sunshade
Sirius Radio
Autobahnd Roadblock (3M) film kit
Yeah, I've considered loading OS X onto my Dell Latitude, but I don't want to piss off our IT department with a rogue, unlicensed copy of something that isn't supposed to be available. Also, they don't support Apple.
I do plan to purchase an Apple laptop sometime this year. There should be an announcement in a week or so for the Intel Yonah-based dual-core Mac laptops. Dell and others will be shipping these units in February, and Apple won't be left out. They're coming...
#10
Contributors
Join Date: Mar 2005
Posts: 2,573
Likes: 0
Received 0 Likes on 0 Posts
My Ride: 2006 530i Sport
Silver Gray - Black Leather - Anthracite Maple
Manual Transmission
Premium Audio
Cold Weather Package
Rear sunshade
Sirius Radio
Autobahnd Roadblock (3M) film kit