WARNING! Indymedia images infected with windows exploit!
Virus Warning! | 04.01.2006 15:25 | Indymedia | Technology
Anyone using Windows-based operating systems should avoid using Indymedia (and many, many other sites) until they have installed the security patch expected to be issued by Microsoft next week.
A previously unknown 'feature' of Windows media formats has been exploited by malicious hackers that enables them to execute code on somebody's machine without their knowledge. All that is required is for a Windows machine to view a specially prepared image file and the embedded code will be run. These images are being uploaded to hundreds of websites around the world, and open publishing sites such as Indymedia are the most vulnerable to the attacks.
Images contained in emails are also being used to infect machines that then become zombies used for mass commercial spamming, hired out to the highest bidder. Ironically, it appears to be anti-capitalist sites including Indymedia that are the delivery method of choice.
"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.
When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.
The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction. This function was designed to be called by Windows if a print job needed to be cancelled during spooling.
This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc.
2) This bug seems to affect all versions of Windows, starting from Windows 3.0, shipped in 1990!
Blocking files with the WMF extension doesn't help, as exploited files can be renamed as .JPG or .GIF etc. and Windows will automatically spot that they are WMF files and so render and execute the malicious code anyway!
Hackers take advantage of Windows WMF flaw
Tom Espiner
ZDNet UK
January 03, 2006, 18:20 GMT
Exploits for the Windows Metafile vulnerability are coming 'fast and furious', say experts, as businesses are warned to educate their users
Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.
Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.
Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.
"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."
Businesses should be aware that employees need educating about the danger from WMF exploits, said Hubbard, advising IT professionals to block picture files and restrict administrative access.
"Pictures are not seen as being dangerous by general users, and systems administrators don't normally block WMF files in email. You need to create very restrictive filters at your email gateway, and err on the side of caution," Hubbard explained.
The Internet Storm Center has advised businesses to use an unofficial patch developed by security software developer Ilfak Guilfanov, because the official Microsoft patch will not be available until next Tuesday.
"The Microsoft WMF vulnerability is bad. It is very, very bad." said Tom Liston of the Internet Storm Center. "This is a bad situation that will only get worse."
"On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act."
A Microsoft spokesperson recommended that businesses wait for a week for the official patch, as it could not guarantee third party updates would be effective.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," Microsoft said.
The Internet Storm Center felt that businesses could not afford to wait for the official patch.
"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," said Liston.
Instruct all your Windows users to leave their email uncollected and avoid visiting websites that allow any user to upload images for public viewing until a Microsoft patch has been released.
Virus Warning!
Additions
More info
04.01.2006 15:54
The threat is real, but as yet we are not aware of any image being uploaded to indymedia sites. Any that we hear of will be deleted. To let us know email imc-uk-tech [AT] lists.indymedia.org
In the meantime there are unofficial fixes available
http://isc1.sans.org/diary.php?storyid=1010
http://support.f-secure.com/enu/home/wmf_download.shtml
Another one is
START
From the F-Secure website, here is the workaround to disable the vulnerable portion of Windows; it should be done on all Windows boxes until a patched viewer is released:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps, replacing the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
END
Another option is to turn off images. This is definitely possible in Firefox, though we're not sure about Internet Explorer.
More info
http://news.zdnet.com/2100-1009_22-6016747.html?tag=st.num
http://www.f-secure.com/zero-day/
dmish (an IMC admin)
Official Microsoft Patch now available
13.01.2006 12:51
The patch, MS06-001, is available here.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
dmish
Comments
Confirmed danger
04.01.2006 15:43
Could somebody confirm that actual infected images have been found on indymedia at this stage?
Best thing is to stay offline until the Microsoft patch is available, which won't be till late next week according to the Microsoft website.
"Trojans attack unpatched Microsoft vulnerability
Exploit code is appearing for an unpatched vulnerability in Microsoft's Windows operating system, but users will have to wait another eight days before their computers will be safe. The problem lies in the system for handling Windows Meta Files (WMF) and was discovered on 27 December. Exploit code started to appear shortly afterwards.
"Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a website which contains a specially crafted WMF image," said the company in a statement.
The statement added that Microsoft engineers devised a patch within days of the discovery and will be releasing it on 10 January as part of the company's regular patch releases. The software giant also advised users not to open unsolicited emails and to avoid visiting unknown websites."
Simon
Where are the WMF files you are warning about?
04.01.2006 15:47
Of course what is needed is a server-side check for uploaded files containing malicious code... perhaps this will get implemented someday...
IMC Techie
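A server-side check of the kind the comment above asks for, and a response to the point that renaming a WMF to .JPG or .GIF does not stop Windows recognising it, as an added example (not Indymedia's code): uploads are classified by their bytes rather than their extension, WMF headers are recognised, and the record list is walked for an Escape(SETABORTPROC). The layout constants come from the WMF file format; the sample WMF is constructed here with zero-filled escape data, not code.

```python
import struct
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the Aldus placeable WMF header
META_ESCAPE = 0x0626             # record function number for Escape()
META_EOF = 0x0000                # end-of-metafile record
SETABORTPROC = 0x0009            # Escape subfunction the January 2006 exploits used
MAGIC = {b"\xff\xd8\xff": "jpeg", b"GIF8": "gif", b"\x89PNG": "png", b"BM": "bmp"}

def sniff_type(data):
    """Classify an upload by its bytes, as GDI does, ignoring the filename."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 18:   # bare META_HEADER: Type 1 or 2, HeaderSize 9 words, Version 1.0/3.0
        ftype, hsize, version = struct.unpack("<HHH", data[:6])
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

def wmf_has_setabortproc(data):
    """Walk the record list; True if any Escape record asks for SETABORTPROC."""
    off = 22 if struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY else 0
    off += 18                                  # skip the 18-byte standard header
    while off + 8 <= len(data):
        size_words, func, sub = struct.unpack("<IHH", data[off:off + 8])
        if func == META_EOF or size_words < 3:  # end, or a malformed size that would loop
            break
        if func == META_ESCAPE and sub == SETABORTPROC:
            return True
        off += size_words * 2                  # record sizes are in 16-bit words
    return False

def check_upload(filename, data):
    """Open-publishing policy: content must match the extension, and no WMF at all."""
    ext = filename.rsplit(".", 1)[-1].lower().replace("jpg", "jpeg")
    kind = sniff_type(data)
    if kind == "wmf":
        return ("reject", "WMF with Escape(SETABORTPROC)" if wmf_has_setabortproc(data) else "WMF content")
    if kind == "unknown" or kind != ext:
        return ("reject", "extension .%s does not match content (%s)" % (ext, kind))
    return ("accept", kind)

def build_wmf(records=b""):
    """Constructed test input: a bare standard-header WMF wrapping the given records."""
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (24 + len(records)) // 2, 0, 7, 0)
    return header + records + struct.pack("<IH", 3, META_EOF)

# Harmless constructed Escape(SETABORTPROC) record carrying four zero bytes, not code.
ESCAPE_RECORD = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\x00" * 4
```

The placeable-header case is handled too: the detector skips the 22-byte Aldus header before the standard one, so a renamed placeable WMF is caught as well.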
report infected images to admin
04.01.2006 15:55
Any Indymedia reports older than a couple of weeks should be safe unless they contain comments.
Any new Indymedia reports with images should be avoided (non-Windows users are completely safe).
Any Indymedia reports with comments or additions should be avoided, as these might contain images and are not flagged as containing images, so you can't tell until it is too late.
Be careful out there.
iffected
calm down...
04.01.2006 16:36
http://news.zdnet.co.uk/internet/security/0,39020375,39245555,00.htm
The second part of the posting above is a partial cut and paste from this article. The paragraph about instructing windows users to not download mails was included by the poster for added drama, it seems.
Indymedia is not more and not less affected than any other website. The WMF vulnerability hits your computer when downloading JPEG, GIF, or Bitmap files from emails or instant messages. These files can also be embedded within a Web page.
g.rep
Open to abuse
04.01.2006 16:49
It's as simple as that.
curl
Or...
04.01.2006 18:01
Me.
Windows Exploit fix links
04.01.2006 20:01
Unofficial Fix from:
http://www.hexblog.com/
Official Fix will be found via:
http://windowsupdate.microsoft.com/
worth checking out anyway if you have not before.
Also see:
http://castlecops.com/f212-hexblog.html
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://news.bbc.co.uk/1/hi/technology/4580852.stm
Also to see if anything taken advantage already:
Check for malware with adaware:
http://www.lavasoft.de/software/adaware/
Virus checker:
http://www.clamwin.com/
but that one only detects on scans and does not live-detect like:
http://free-av.com/
Although Gov't/Corp sponsored, one site that I think may be worth many an internet user looking over is:
http://www.getsafeonline.org/
bunny
Homepage: http://j12.org/sb/internet.htm
Ditch windows, there is always a threat
04.01.2006 20:07
Run a live linux distro like Knoppix
nix
Homepage: http://www.knoppix.org
Also check...
05.01.2006 16:47
Note to everyone.. there is no patch for older versions of Windows (Win95/Win98/WinME), only Win2K and above.. if you have an older OS it's definitely time to upgrade!!!
r0g
test
27.01.2006 20:26
.