Skip to content or view mobile version

Home | Mobile | Editorial | Mission | Privacy | About | Contact | Help | Security | Support

A network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues.

WARNING! Indymedia images infected with windows exploit!

Virus Warning! | 04.01.2006 15:25 | Indymedia | Technology

Anyone using windows based operating systems should avoid using indymedia (and many many other sites) until they have installed the security patch expected to be issued by microsoft next week.

A previously unknown 'feature' of windows media formats has been exploited by malicious hackers that enables them to execute code on somebodies machine without their knowledge. All that is required is a windows machine to view a specially prepared image file and the embedded code will be run. These images are being uploaded to hundred of websites around the world and open pulishing sites such as indymedia are the most vunerable to the attacks.

Images contained in emails are also being used to infect machines that then become zombies used for mass commerical spamming, hired out to the highest bidder. Ironically it appear to be anti-capitalist sites including indymedia that are the delivery method of choice.

"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.

The feature now in the limelight is known as the Escape() function and especially the SetAbortProc subfunction. This function was designed to be called by Windows if a print job needed to be canceled during spooling.

This really means two things:
1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

! Blocking files with the WMF extension doesn't help as exploited files can be rename as .JPG or .GIF etc and windows will automatically spot that they are WMF files and so render and execute the malicious code anyway!

Hackers take advantage of Windows WMF flaw

Tom Espiner
ZDNet UK
January 03, 2006, 18:20 GMT

Exploits for the Windows Metafile vulnerability are coming 'fast and furious', say experts, as businesses are warned to educate their users

Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.

Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.

Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.

"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."

Businesses should be aware that employees need educating about the danger from WMF exploits, said Hubbard, advising IT professionals to block picture files and restrict administrative access.

"Pictures are not seen as being dangerous by general users, and systems administrators don't normally block WMF files in email. You need to create very restrictive filters at your email gateway, and err on the side of caution," Hubbard explained.

The Internet Storm Center has advised businesses to use an unofficial patch developed by security software developer Ilfak Guilfanov, because the official Microsoft patch will not be available until next Tuesday.

"The Microsoft WMF vulnerability is bad. It is very, very bad." said Tom Liston of the Internet Storm Center. "This is a bad situation that will only get worse."

"On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act."

A Microsoft spokesperson recommended that businesses wait for a week for the official patch, as it could not guarantee third party updates would be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," Microsoft said.

The Internet Storm Center felt that businesses could not afford to wait for the official patch.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," said Liston.

Instruct all your windows users to leave their email uncollected and avoid visiting websites that allow any users to upload images for public viewing until a microsoft patch has been released .

Virus Warning!

Additions

More info

04.01.2006 15:54

The threat is real, but as yet we are not aware of any image being uploaded to indymedia sites. Any that we hear of will be deleted. To let us know email imc-uk-tech [AT] lists.indymedia.org

In the meantime there are unofficial fixes available

 http://isc1.sans.org/diary.php?storyid=1010

 http://support.f-secure.com/enu/home/wmf_download.shtml

Another one is

START
From the Fsecure website here is the workaround to disable the
vulnerable poretion of Windows, should be done on all windows boxes
until a patched viewer is released:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process
has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.

Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
END

Another option is to turn off images. This is definitely possible in firefox, though we're not sure about Internet Explorer.

More info

 http://news.zdnet.com/2100-1009_22-6016747.html?tag=st.num

 http://www.f-secure.com/zero-day/

dmish (an IMC admin)


Official Microsoft Patch now available

13.01.2006 12:51

The patch, MS06-001, is available here.

 http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

dmish


Comments

Upcoming Coverage
View and post events
Upcoming Events UK
24th October, London: 2015 London Anarchist Bookfair
2nd - 8th November: Wrexham, Wales, UK & Everywhere: Week of Action Against the North Wales Prison & the Prison Industrial Complex. Cymraeg: Wythnos o Weithredu yn Erbyn Carchar Gogledd Cymru

Ongoing UK
Every Tuesday 6pm-8pm, Yorkshire: Demo/vigil at NSA/NRO Menwith Hill US Spy Base More info: CAAB.

Every Tuesday, UK & worldwide: Counter Terror Tuesdays. Call the US Embassy nearest to you to protest Obama's Terror Tuesdays. More info here

Every day, London: Vigil for Julian Assange outside Ecuadorian Embassy

Parliament Sq Protest: see topic page
Ongoing Global
Rossport, Ireland: see topic page
Israel-Palestine: Israel Indymedia | Palestine Indymedia
Oaxaca: Chiapas Indymedia
Regions
All Regions
Birmingham
Cambridge
Liverpool
London
Oxford
Sheffield
South Coast
Wales
World
Other Local IMCs
Bristol/South West
Nottingham
Scotland
Social Media
You can follow @ukindymedia on indy.im and Twitter. We are working on a Twitter policy. We do not use Facebook, and advise you not to either.
Support Us
We need help paying the bills for hosting this site, please consider supporting us financially.
Other Media Projects
Schnews
Dissident Island Radio
Corporate Watch
Media Lens
VisionOnTV
Earth First! Action Update
Earth First! Action Reports
Topics
All Topics
Afghanistan
Analysis
Animal Liberation
Anti-Nuclear
Anti-militarism
Anti-racism
Bio-technology
Climate Chaos
Culture
Ecology
Education
Energy Crisis
Fracking
Free Spaces
Gender
Globalisation
Health
History
Indymedia
Iraq
Migration
Ocean Defence
Other Press
Palestine
Policing
Public sector cuts
Repression
Social Struggles
Technology
Terror War
Workers' Movements
Zapatista
Major Reports
NATO 2014
G8 2013
Workfare
2011 Census Resistance
Occupy Everywhere
August Riots
Dale Farm
J30 Strike
Flotilla to Gaza
Mayday 2010
Tar Sands
G20 London Summit
University Occupations for Gaza
Guantanamo
Indymedia Server Seizure
COP15 Climate Summit 2009
Carmel Agrexco
G8 Japan 2008
SHAC
Stop Sequani
Stop RWB
Climate Camp 2008
Oaxaca Uprising
Rossport Solidarity
Smash EDO
SOCPA
Past Major Reports
Encrypted Page
You are viewing this page using an encrypted connection. If you bookmark this page or send its address in an email you might want to use the un-encrypted address of this page.
If you recieved a warning about an untrusted root certificate please install the CAcert root certificate, for more information see the security page.

Global IMC Network


www.indymedia.org

Projects
print
radio
satellite tv
video

Africa

Europe
antwerpen
armenia
athens
austria
barcelona
belarus
belgium
belgrade
brussels
bulgaria
calabria
croatia
cyprus
emilia-romagna
estrecho / madiaq
galiza
germany
grenoble
hungary
ireland
istanbul
italy
la plana
liege
liguria
lille
linksunten
lombardia
madrid
malta
marseille
nantes
napoli
netherlands
northern england
nottingham imc
paris/île-de-france
patras
piemonte
poland
portugal
roma
romania
russia
sardegna
scotland
sverige
switzerland
torun
toscana
ukraine
united kingdom
valencia

Latin America
argentina
bolivia
chiapas
chile
chile sur
cmi brasil
cmi sucre
colombia
ecuador
mexico
peru
puerto rico
qollasuyu
rosario
santiago
tijuana
uruguay
valparaiso
venezuela

Oceania
aotearoa
brisbane
burma
darwin
jakarta
manila
melbourne
perth
qc
sydney

South Asia
india


United States
arizona
arkansas
asheville
atlanta
Austin
binghamton
boston
buffalo
chicago
cleveland
colorado
columbus
dc
hawaii
houston
hudson mohawk
kansas city
la
madison
maine
miami
michigan
milwaukee
minneapolis/st. paul
new hampshire
new jersey
new mexico
new orleans
north carolina
north texas
nyc
oklahoma
philadelphia
pittsburgh
portland
richmond
rochester
rogue valley
saint louis
san diego
san francisco
san francisco bay area
santa barbara
santa cruz, ca
sarasota
seattle
tampa bay
united states
urbana-champaign
vermont
western mass
worcester

West Asia
Armenia
Beirut
Israel
Palestine

Topics
biotech

Process
fbi/legal updates
mailing lists
process & imc docs
tech