*** URGENT *** CRITICAL Windows XP SP1/SP2 Vulnerability

[BrAinZ]

Nothing to do with our 1st passion, but very important to read unless you want your computer system hacked...

The reason this is so important is that you only need to visit ANY website that displays a certain type of picture and your computer security WILL be compromised!!

*** URGENT *** CRITICAL Windows XP SP1/SP2 Vulnerability (maybe Win98/ME as well)

A new vulnerability has been found, and exploits are out there NOW (so this is not an idle warning). Computers running Windows XP with SP2, Windows XP with SP1, and Microsoft Windows Server 2003 SP0/SP1 are affected by this vulnerability.

EDIT: Windows2000 SP4, Windows98, Windows98 SE and Windows ME may also be affected.

The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability.

The vulnerability functions in Internet Explorer, and may function in Firefox and other browsers if certain conditions are met.

Taken from Neowin:

Antivirus and security experts F-Secure have issued a warning to users of Microsoft Windows XP that includes fully patched Service Pack 2 machines. The exploit is carried out via WMF files carrying a zero-day WMF exploit detected as W32/PFV-Exploit A, B, and C. According to F-Secure it is very easy to fall victim to this exploit, especially if you are using Internet Explorer. It's as simple as visiting an infected web site or viewing a folder with infected files with Windows Explorer. F-Secure has informed Microsoft and while a patch is expected to be issued quickly, they warn that Windows administrators and/or users may want to filter all WMF files until a patch is released.

F-Secure state:

Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow...

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
Google desktop
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.

[BrAinZ]

Microsoft now have an advisory notice

http://www.microsoft.com/technet/se...ory/912840.mspx

Microsoft detail a workaround:

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1.
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

Of course, it goes without saying that you should have up to date AV, as well as spyware/adware detection programs. Also, don't be tempted to click on a link unless you are sure where it goes AND that the email/site containing that likn is trusted.

[01xdime]

That link is bad Brainz.

[Denali44]

ahhh English please.

[01xdime]

I think he's trying to tell us something. What is it boy? What? Little Timmy fell in the river?! just playing

[Pale Rider]

Whatever it is , it doesn`t sound good!? We have windows XP, service pack 1, I never installed service pack 2.

Doesn`t the Norton anti virus internet security/firewall prevent this type of intrusion?...PR...

[Tiplickhahaha]

I think he's trying to tell us something. What is it boy? What? Little Timmy fell in the river?! just playing

I way 2 lazy to re read that in order to understand it

[11]

Whatever it is , it doesn`t sound good!? We have windows XP, service pack 1, I never installed service pack 2.

Doesn`t the Norton anti virus internet security/firewall prevent this type of intrusion?...PR...

Norton is HORRIBLY intrusive, AVG and Adaware are much better.

And instal SP2, it's well worth it.

[BrAinZ]

Love the replies... so, in plain English...

Hackers have discovered a way to break YOUR systems, and worryingly it's incredibly easy for them to do it. By placing a simple picture on a website, all a user would have to do was to open the website and ANY software could then download/install/run on your system (think nasty virus here!).

As this has only just been discovered, as yet Microsoft do not have a "fix" for it, and since MANY websites already have this "virus picture" on them, then you are likely to get caught out unless you are careful.

The best (and easiest) way to protect yourself, as a quick temp fix until Microsoft/Norton etc sort out a more permanent solution, is to follow the instructions above.

This does mean that your Microsoft Picture/Fax viewer won't work as normal... BUT it's a damn site better than catching a nasty virus!

Was that better?

[BrAinZ]

I REALLY hope that you have all you can to protect your systems against this vulnerability. There are now some REALLY nasty virus using this exploit method. Don't say I didn't warn you!

If you would like to see if your system is vulnerable, you can SAFELY check it here....

http://www.hexblog.com/2006/01/wmf_v...y_checker.html