Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Windows flaw

  1. #1
    peat moss's Avatar Software Farmer BT Rep: +15BT Rep +15BT Rep +15
    Join Date
    May 2003
    Location
    Delta B.C. Canada
    Posts
    10,547
    [news=http://news.google.ca/news?imgefp=a7_0CJr5hTkJ&imgurl=www.gameshout.com/news/122005/images/122005_2167.jpg]Secunia, Kaspersky and others have alerts up today about a new vulnerability in the way Windows handles Metafile files (*.wmf). It's a bad one: it has the highest possible risk rating, there aren't patches yet, and there are known exploits in the wild that take advantage of the hole.

    According to Kaspersky, it hits IE and "may function in Firefox if certain conditions are met." The AV company's post lists two Web sites that attempt to install a Trojan using the hole.

    Both notices strongly caution against opening any untrusted *.wmf files and recommend setting your IE security setting to "High." And of course keep your AV programs updated.

    Source: http://blogs.pcworld.com/staffblog/archives/001149.html[/news]

  2. News (Archive)   -   #2
    4play's Avatar knob jockey
    Join Date
    Jan 2003
    Location
    London
    Age
    41
    Posts
    3,824
    there is a bug in firefox 1.5 that opens these wmf files in windows media player otherwise anything that will send a wmf file to the picture viewer will need to be treated with caution.

    exploit code looks like a simple buffer overflow.

  3. News (Archive)   -   #3
    tarzan's Avatar lore keeper
    Join Date
    May 2003
    Posts
    326
    You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 /u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent against viewing the exploit image in Internet Explorer, for example. Messing around with this is at your own risk

  4. News (Archive)   -   #4
    twisterX's Avatar Poster
    Join Date
    Jul 2003
    Location
    CoNNecticut
    Posts
    3,062
    good for me i have no antivirus.

  5. News (Archive)   -   #5
    Quote Originally Posted by twisterX
    good for me i have no antivirus.
    the link that tarzan posted is not a real fix to the problem.

    here is a fix from the somethingawful.com forum. it seems to work just fine, and should be good enough until Microsoft gets an official patch released next week (or whenever):
    Quote Originally Posted by R1CH
    USE AT YOUR OWN RISK. IF YOU MAKE A MISTAKE, WINDOWS COULD BE RENDERED INOPERABLE!

    Installation instructions v3. Again, this is ONLY for Windows XP SP2 fully patched systems, with gdi32.dll file version "5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)" and SHA-1 hash fa02573ce6239d1c375db93058810fb968390485.

    0. Search your Windows directory for "gdi32.dll". Delete any that aren't in system32. Be sure to set advanced options / search hidden files.
    1. Download http://r-1.ch/gdi32.zip
    2. Extract to windows/system32/dllcache. Yes to overwrite if prompted.
    3. Rename windows/system32/gdi32.dll to gdi32.old
    4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/
    5. Cancel any Windows File Protection prompts. Note that if you don't get a Windows File Protection dialog, the patch did NOT work and you'll find Windows has reverted the file in system32 to an earlier version.
    6. Reboot.

    NOTE: If automatic updates or Windows Update finds the November patch (KB896424) for gdi32.dll, then my patch did NOT work as the patch you are seeing is because Windows reverted to a much older gdi32.dll.
    these instructions must be followed very carefully and you must delete every single copy of gdi32.dll on your system EXCEPT for the one in \windows\system32 first, before trying to install the one from the zip file. after rebooting, you should still have gdi32.dll labelled version 5.1.2600.2770 (the same as Microsoft's current official version), but this is a version that R1CH has hacked to eliminate the vulnerability.

    you can check the version number by right-clicking gdi32.dll and clicking properties, then clicking version. if you have a gdi32.dll version earlier than 5.1.2600.2770, then you've applied the fix wrong, Windows has installed an outdated backup from its System Restore folder (which Windows Update will try to replace with version 5.1.2600.2770 as soon as you connect to Windows Update), and you have not corrected the problem yet. run another hard drive search and delete EVERY copy of gdi32.dll, except the one mentioned above, then try again until Windows tries to stop you with the "Protected File" warning.

    here is a test file: http://r-1.ch/test.wmf
    it is not a virus. it's a test to see whether the vulnerability still exists on your system. if it does nothing or it crashes the browser, then you are not vulnerable. if it reboots Windows, then you are vulnerable, because it proves that a picture file is able to start a program in your system. you can cancel the reboot by: Start -> Run -> type shutdown -a

    if you apply the patch correctly, Windows will think that it has the official gdi32.dll version 5.1.2600.2770 from Microsoft even though you really have a hacked version, and the test.wmf should not be able to reboot Windows.

    also: DO NOT reboot without a copy of gdi32.dll in \windows\system32
    you could seriously mess up your computer if you don't know what you're doing, here.
    Last edited by 3RA1N1AC; 01-01-2006 at 06:51 AM.

  6. News (Archive)   -   #6
    here's a patch which i believe works very similar to the R1CH patch (replaces gdi32.dll with a hacked version), but it has an installer to make it easier: http://www.hexblog.com/2005/12/wmf_vuln.html

    also. a tip for anybody whose router or firewall software has URL blocking: you can add .wmf to your list of blocked addresses. this may not catch every single wmf file (because there are lots of ways for files to reach your computer, without having the file extension in the URL), but it should block wmf files from webpages at least.
    Last edited by 3RA1N1AC; 01-01-2006 at 08:02 PM.

  7. News (Archive)   -   #7
    tarzan's Avatar lore keeper
    Join Date
    May 2003
    Posts
    326
    what i posted was a minor work around till rich posted his patch
    Last edited by tarzan; 01-02-2006 at 03:06 AM.

  8. News (Archive)   -   #8
    yes, no offense intended. what i meant by "not a real fix" was that it dealt with one way (shimgvw.dll, the shell image viewer) of accessing the exploited file, but didn't fix the file that's actually being exploited (gdi32.dll, the image renderer).

  9. News (Archive)   -   #9
    you can add .wmf to your list of blocked addresses.
    Since the hole can still be exploited if the .wmf file is renamed .jpg or some other image type you should not rely on URL blocking providing any security.

    I recommend the hexblog patch and not using Internet Explorer at all.
    "I went over to a friend's house the other day. He was having problems with his computer and he asked me to look at it, and I realized he had Windows Me and it's like, oh no—that's your first problem."-Michael Dell, founder and CEO of Dell.

  10. News (Archive)   -   #10
    hippychick's Avatar Memo, what memo? BT Rep: +5
    Join Date
    Dec 2003
    Location
    In a State Of Confusion
    Posts
    2,973

    Angry

    I ran a search and didnt come up with another post on this.
    Its suppose to be a bad virus, MS hasnt made a patch for it yet.
    What is your input on this and has anyone else heard of it? And is there another fix beside the one listed?
    Here is more.

    Anyone using Windows OS needs to read about the new Windows WMF security threat that's been issued recently. Some of you have already heard about this, but if you haven't, the threat involves a vulnerability in Windows that allows for malicious code to be installed on your computer without your intervention whatsoever, just by visiting a website and viewing a picture that, without a single click from you, could install any number of things on your computer.

    We're not talking about spyware here. That's bad enough. This is far worse in that an attacker can hide the code in an image file that, just by it be viewed in your browser, can activate the malicious code. This is serious, folks.

    What this means is, you can be browsing a webpage with an image on it that has dangerous code attached to it which can infect your computer simply by viewing the image on the page. This happens without any intervention on your part whatsoever.

    My point is be very careful where you browse, as Microsoft currently has no patch available at the moment, although they're working on the problem and claim one will be available in a week. A WEEK???? However, all hope is not lost. There's an unofficial hotfix for this issue that I recommend you all download.

    If you want more information on the problem, read about it here:

    Microsoft website: http://www.microsoft.com/technet/sec...ry/912840.mspx

    Slashdot.org: http://it.slashdot.org/it/06/01/03/1...id=172&tid=218

    Internet Storm Center's Alert: http://isc.sans.org/diary.php?storyid=996

    Get the HOTFIX here:

    http://isc.sans.org/diary.php (on that page it's called WMFHotfix-1.4.msi)re. http://www.sophos.com/pressoffice/ne...mfexploit.html

    This is not something to be taken lightly. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.

    Why do ppl do this shit?

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •