Skip to content or view screen version

WARNING! Indymedia images infected with windows exploit!

Virus Warning! | 04.01.2006 15:25 | Indymedia | Technology

Anyone using windows based operating systems should avoid using indymedia (and many many other sites) until they have installed the security patch expected to be issued by microsoft next week.

A previously unknown 'feature' of windows media formats has been exploited by malicious hackers that enables them to execute code on somebodies machine without their knowledge. All that is required is a windows machine to view a specially prepared image file and the embedded code will be run. These images are being uploaded to hundred of websites around the world and open pulishing sites such as indymedia are the most vunerable to the attacks.

Images contained in emails are also being used to infect machines that then become zombies used for mass commerical spamming, hired out to the highest bidder. Ironically it appear to be anti-capitalist sites including indymedia that are the delivery method of choice.

"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.

The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction. This function was designed to be called by Windows if a print job needed to be canceled during spooling.

This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

! Blocking files with the WMF extension doesn't help as exploited files can be rename as .JPG or .GIF etc and windows will automatically spot that they are WMF files and so render and execute the malicious code anyway!

Hackers take advantage of Windows WMF flaw

Tom Espiner
ZDNet UK
January 03, 2006, 18:20 GMT

Exploits for the Windows Metafile vulnerability are coming 'fast and furious', say experts, as businesses are warned to educate their users

Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.

Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.

Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.

"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."

Businesses should be aware that employees need educating about the danger from WMF exploits, said Hubbard, advising IT professionals to block picture files and restrict administrative access.

"Pictures are not seen as being dangerous by general users, and systems administrators don't normally block WMF files in email. You need to create very restrictive filters at your email gateway, and err on the side of caution," Hubbard explained.

The Internet Storm Center has advised businesses to use an unofficial patch developed by security software developer Ilfak Guilfanov, because the official Microsoft patch will not be available until next Tuesday.

"The Microsoft WMF vulnerability is bad. It is very, very bad." said Tom Liston of the Internet Storm Center. "This is a bad situation that will only get worse."

"On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act."

A Microsoft spokesperson recommended that businesses wait for a week for the official patch, as it could not guarantee third party updates would be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," Microsoft said.

The Internet Storm Center felt that businesses could not afford to wait for the official patch.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," said Liston.

Instruct all your windows users to leave their email uncollected and avoid visiting websites that allow any users to upload images for public viewing until a microsoft patch has been released .

Virus Warning!

Additions

More info

04.01.2006 15:54

The threat is real, but as yet we are not aware of any image being uploaded to indymedia sites. Any that we hear of will be deleted. To let us know email imc-uk-tech [AT] lists.indymedia.org

In the meantime there are unofficial fixes available

 http://isc1.sans.org/diary.php?storyid=1010

 http://support.f-secure.com/enu/home/wmf_download.shtml

Another one is

START
From the Fsecure website here is the workaround to disable the
vulnerable poretion of Windows, should be done on all windows boxes
until a patched viewer is released:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process
has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.

Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
END

Another option is to turn off images. This is definitely possible in firefox, though we're not sure about Internet Explorer.

More info

 http://news.zdnet.com/2100-1009_22-6016747.html?tag=st.num

 http://www.f-secure.com/zero-day/

dmish (an IMC admin)


Official Microsoft Patch now available

13.01.2006 12:51

The patch, MS06-001, is available here.

 http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

dmish


Comments