
Serious Windows Vulnerability

01-03-2006, 10:10 AM  #1  stream (Banned, Thread Starter; Join Date: Jan 2005; Location: San Francisco Bay area; Posts: 2,882)

There's a serious vulnerability in Windows--see WSJ story below for details.

Microsoft will release a fix next Tuesday, so you can follow the instructions here to protect your PCs in the meanwhile:
http://isc.sans.org/

I've included the important steps here:
* What can I do to protect myself?

1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.

To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.

http://online.wsj.com/article/BT-CO-200601...ml?mod=INDUSTRY

NEW YORK -- Microsoft Corp. (MSFT) plans to release a patch for a new security flaw at its next scheduled update release on Jan. 10, leaving users largely unprotected until then from a rapidly spreading computer virus strain known as "metasploit."

"Microsoft's delay is inexcusable," said Alan Paller, director of research at computer security group SANS Institute. "There's no excuse other than incompetence and negligence."

SANS Institute, via its Internet Storm Center, has taken the unusual step of releasing its own patch for the problem until a Microsoft-approved fix is available. "It's not something we like to do," said Paller.

The Internet Storm Center, which tracks viruses and other outbreaks on the Web, increased the threat level to "yellow" -- a warning that means a significant new threat is developing.

Microsoft said evaluation and testing affect the timing of security patches. "Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update," Microsoft said in a security advisory on its Web site.

The attack is the latest to hit Microsoft, despite its redoubled efforts to respond to security threats. With more than 90% of personal computers running Windows, it represents the biggest target for hackers.

The virus began spreading last week, as hackers took advantage of a previously unknown flaw in Windows Meta File code in what is known as a "zero-day attack."

"The flaw is fairly significant in terms of its reach," said Alain Sergile, product manager at Internet Security Systems Inc.'s (ISSX) X-Force threat analysis service.

The bug was found in current server and desktop versions of Windows and is considered serious because it requires relatively minor user interaction to be unleashed. The virus is carried in picture files and can be triggered if an image is viewed in an email or on an infected Web site.

Johannes Ullrich, chief research officer at SANS Institute, said there are hundreds of Web sites that carry the infected images, and he's tracking the possibility that an online ad service is serving up infected image files. He says 5% to 10% of users appear to be infected, "an order of magnitude more than other attacks."

The virus takes advantage of the way Windows processes Windows Meta Files, or WMF, images. These file types can carry more common .jpg extensions, but still carry the malicious code.

Microsoft recommends users unregister a file called shimgvw.dll. "While this workaround will not correct the underlying vulnerability, it helps block known attack vectors," the software maker says in its security advisory.

01-03-2006, 01:33 PM  #2  UUronL (Contributors; Join Date: Mar 2005; Posts: 2,573)

Hrmmm - on one hand I have a pretty potentially bad vulnerability. On the other, I have a piece of code from some random hack that will "fix" everything. I'm just not comfortable, and many of my peers (this is our field) aren't comfortable either. I am not advising... by all means do what you like, but I'm not loading the makeshift fix.


Here's another option (the one I'm currently using) - download the latest iteration of Firefox (stop using IE at least temporarily). It should prompt you before loading any offending material according to the advisory. If you really want to be insane (like me) go into Tools>>>Options>>>Content and uncheck "Load Image". Websites will no longer contain any images making them pretty boring for a while, but hey - you should be safe until Jan 10th when you can get the MS patch. You can add a list of exception websites (perhaps intranet stuff for work) that the browser will load images for.


Again, I am not advising. I am simply offering an alternative and admonishing all to be very very cautious. Remember to think things through and use common sense.

01-03-2006, 05:27 PM  #3  stream (Banned, Thread Starter; Join Date: Jan 2005; Location: San Francisco Bay area; Posts: 2,882)

Originally Posted by UUronL (Jan 3 2006, 02:33 PM):
Hrmmm - on one hand I have a pretty potentially bad vulnerability. On the other, I have a piece of code from some random hack that will "fix" everything. I'm just not comfortable, and many of my peers (this is our field) aren't comfortable either. I am not advising... by all means do what you like, but I'm not loading the makeshift fix.

I agree that using a random hack would be risky, but this site, http://isc.sans.org/, is well respected and has tested the code, so it's a trade-off between being vulnerable for a week or trusting that site.

01-03-2006, 05:49 PM  #4  Simple1 (Senior Members; Join Date: Mar 2005; Location: Queens, NYC; Posts: 702)

How about saving yourself all this trouble: head to an Apple Store near you and pick up a new Mac mini, or better yet head over to apple.com and order whatever you want! lol

Macintosh, 'cuz life is too short

01-03-2006, 06:14 PM  #5  Rudy (Super Moderator; Join Date: Mar 2004; Location: Pittsburgh, PA USA; Posts: 17,310)

Although stream's link and information are likely accurate, if there is any doubt, the following link will take you to similar information about this vulnerability, but it is from US-CERT -- the most respected cyber security source on the planet (and it just happens to be located right here in my hometown).

http://www.us-cert.gov/cas/techalerts/TA05-362A.html

The link also provides a workaround that will help out until Microsoft does its job...

Thanks stream!

01-03-2006, 08:43 PM  #6  Busta (Contributors; Join Date: Jul 2004; Location: Costa Mesa, CA; Posts: 1,591)

Unofficial patch released:


How does the unofficial patch work?
http://isc.sans.org/diary.php?storyid=994

* The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.


http://handlers.sans.org/tliston/wmffix_hexblog14.exe
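The patch described in the post above works at the GDI call level: it drops Escape() calls whose escape function is SETABORTPROC (0x09). The same record can be spotted on disk or in a proxy before a viewer ever touches the file, and, since the first post notes the images were being served under .jpg names, the check has to go by the file header rather than the extension. The Python below is an added example, not code from this thread, from ISC, or from Microsoft. It walks the WMF record stream, flags any META_ESCAPE record carrying SETABORTPROC, flags records whose declared size cannot be right, and recognises a metafile by its METAHEADER (with or without the optional placeable header). The record-function codes (META_ESCAPE = 0x0626, META_EOF = 0x0000) and header constants are the public WMF format values; the thread itself only names SETABORTPROC = 0x09. All sample files are constructed inline, and the escape data in the suspect sample is filler bytes, not a payload.

```python
"""Content-based detector for the WMF SETABORTPROC escape record (added example)."""
import struct

# Public WMF format constants (record function codes and header values).
META_EOF = 0x0000
META_SAVEDC = 0x001E
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function the exploit abuses
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18           # fixed METAHEADER: 9 words
MIN_RECORD_WORDS = 3           # DWORD size + WORD function and nothing else


def strip_placeable_header(data: bytes) -> bytes:
    """Drop the placeable header if present; the GDI record stream follows it."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[PLACEABLE_HEADER_LEN:]
    return data


def looks_like_wmf(data: bytes) -> bool:
    """Decide by METAHEADER fields, never by the filename extension."""
    body = strip_placeable_header(data)
    if len(body) < META_HEADER_LEN:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def iter_records(body: bytes):
    """Yield (offset, size_words, function, params) for each record after the header.

    params is None when the declared size is below the minimum or runs past the
    end of the data; iteration stops there because the next offset is unknown.
    """
    offset = META_HEADER_LEN
    while offset + 6 <= len(body):
        size_words, function = struct.unpack_from("<IH", body, offset)
        if size_words < MIN_RECORD_WORDS:
            yield offset, size_words, function, None
            return
        end = offset + size_words * 2
        params = body[offset + 6:end] if end <= len(body) else None
        yield offset, size_words, function, params
        if function == META_EOF or params is None:
            return
        offset = end


def scan_wmf(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if not looks_like_wmf(data):
        return findings
    for offset, size_words, function, params in iter_records(strip_placeable_header(data)):
        if params is None:
            findings.append(f"record at 0x{offset:x}: malformed or truncated (declared {size_words} words)")
        elif function == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                findings.append(f"record at 0x{offset:x}: META_ESCAPE SETABORTPROC with {byte_count} bytes of escape data")
    return findings


def build_wmf(records) -> bytes:
    """Constructed test input: assemble a minimal disk metafile from (function, params) pairs."""
    encoded = []
    for function, params in records:
        assert len(params) % 2 == 0, "WMF parameters are 16-bit words"
        encoded.append(struct.pack("<IH", (6 + len(params)) // 2, function) + params)
    stream = b"".join(encoded)
    total_words = (META_HEADER_LEN + len(stream)) // 2
    max_record = max((len(r) // 2 for r in encoded), default=0)
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_record, 0)
    return header + stream


# Constructed samples. The escape data in SUSPECT_WMF is 0x41 filler, not a payload.
BENIGN_WMF = build_wmf([(META_SAVEDC, b""), (META_EOF, b"")])
SUSPECT_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x41" * 4),
                         (META_EOF, b"")])
PLACEABLE_SUSPECT_WMF = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + SUSPECT_WMF
TRUNCATED_WMF = SUSPECT_WMF[:META_HEADER_LEN + 8]      # record cut off mid-parameters
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 32        # JPEG SOI marker: not a metafile

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), ("ad.jpg", SUSPECT_WMF),
                       ("placeable.wmf", PLACEABLE_SUSPECT_WMF),
                       ("cut.wmf", TRUNCATED_WMF), ("photo.jpg", JPEG_BYTES)]:
        print(name, "WMF" if looks_like_wmf(blob) else "not WMF", scan_wmf(blob))
```

The "ad.jpg" sample is the point of the content check: it is a metafile in every respect except its name, and it is reported the same way as the .wmf copy. A truncated or undersized record is reported as well rather than silently skipped, because a scanner that stops quietly at the first odd size hands the attacker an easy bypass.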

01-04-2006, 06:39 AM  #7  UUronL (Contributors; Join Date: Mar 2005; Posts: 2,573)

Again, all of that is well and good, but based on an element of trust (unless you've personally inspected the code). Professionals in any field do disagree from time to time. I'm personally not loading any images via my browser (Firefox) for a week.

01-04-2006, 11:18 AM  #8  m630 (Contributors; Join Date: Nov 2004; Location: NYC & LI; Posts: 2,460)

Originally Posted by Simple1 (Jan 3 2006, 09:49 PM):
How about saving yourself all this trouble: head to an Apple Store near you and pick up a new Mac mini, or better yet head over to apple.com and order whatever you want! lol

Macintosh, 'cuz life is too short

...this is definitely the BEST answer to this BS from Windows...never use a PC unless forced (paid) to

just use Safari and your problems are solved....be the 5% rebel, not the 95% cattle!!!!!

Mac forever!!!!

01-04-2006, 12:29 PM  #9  UUronL (Contributors; Join Date: Mar 2005; Posts: 2,573)

Yeah, I've considered loading OS X onto my Dell Latitude, but I don't want to piss off our IT department with a rogue, unlicensed copy of something that isn't supposed to be available. Also, they don't support Apple.


I do plan to purchase an Apple laptop sometime this year. There should be an announcement in a week or so for the Intel Yonah-based dual-core Mac laptops. Dell and others will be shipping these units in February, and Apple won't be left out. They're coming...

01-05-2006, 07:43 AM  #10  UUronL (Contributors; Join Date: Mar 2005; Posts: 2,573)

http://www.theinquirer.net/?article=28735