WINDOWS META FILE EXPLOIT!!!!! WINDOWS 98 - XP VULNERABILITY


Mementh

http://www.grc.com/sn/notes-020.htm

EVERYONE NEEDS TO GO HERE AND UPDATE THEIR COMPUTER FROM WINDOWS 98 to WINDOWS XP!!!!

THIS IS A MAJOR THREAT..

AT LAST COUNT THERE WERE 57 THREATS/VIRUSES/MALWARE WORMS AND MAJOR VIRUSES ARE ON THEIR WAY

THIS DOES NOT REQUIRE USERS TO DO ANYTHING!!!!!!!! IT CAN HAPPEN WITHOUT YOUR KNOWLEDGE!!!

PROTECT YOURSELF!!!!


Meh, might do it next month. Can't be bothered ruining over a week's uptime for a silly vulnerability.

umm... when your computer spontaneously reboots.... and comes up no os installed... please don't come to me...

this is a 0 day exploit!!!!! meaning viruses and worms will use this to kill your computer

install spyware and trojans

Saves me formatting? :lol:


Updating your pc to windows XP doesn't help - it affects windows XP, and SP2.

Disabling the DLL is the best way to go currently.

Firefox users have more chance of avoiding it because Firefox users must actually save the file to their computer (although it will appear as a friendly file extension) - IE users, however, will download the file automatically without seeing a prompt.


actually it's not... the file on the page allows you to disable this vulnerability completely.. :(

sigh.. another microsoft product virus exploit.... if only game developers would switch to linux we would be better off (and if linux people got their heads outta their butt and made a semi user friendly easy to get your feet wet os)

Disabling the DLL is the best way to go currently.
actually it's not... the file on the page allows you to disable this vulnerability completely.. :(
Ah yes, my bad, I heard about this yesterday and didn't much bother reading that page.

sigh.. everyone should also check their computer's firewall and such with that site


It is easy to use. It's just that it doesn't do everything for you.

Alright.

I want an editor that:

-- does syntax coloring
-- runs on X and has a decent GUI (so nano's out)
-- doesn't require all the K libraries while I'm running Gnome (bye Kate / KEdit)
-- doesn't use a modal interface (vi is out)
-- uses [bleep]ing NORMAL shortcuts (Ctrl+C, Ctrl+V, Ctrl+S, Ctrl+O... it's not that hard...) (this means xemacs is out, fwiw)
-- isn't a full-blown IDE, so it actually runs normally on older computers (Eclipse out)
-- doesn't run on Java, so it actually runs normally on older computers (JEdit out)
-- Allows me to specify indenting (tab = fixed 4 space-indent, damnit!)
-- Does Regular Expression searching.

I have apt-get, but if I can't find an editor that has all that, then I'm still screwed. Which is why I'm ordering a win2k cd, as at least I'll have some usability on my laptop when I want to work. As an added bonus, I can do something else than work, ie, play some games when I feel like it.

On windows, there's EmEditor and Editplus and prolly Bob knows what else, but for some reason, however many editors linux has, I haven't found one that actually suits the above simple requirements.


I'm surprised no one posted about this earlier to be honest

http://www.hexblog.com/2005/12/wmf_vuln.html

This site includes a small program to temporarily fix the bug without disabling picture and fax viewer so i suggest people do this instead of unregistering the dll.

Also add these sites to your HOSTS file (DO NOT VISIT THEM)


thanks man.. honestly this scares me... because steve was a bit worried in the security now podcast.. .

THAT'S WORRYING!!!!!!

i hope everyone's had some good help with it now :) this needs to be a copied topic to all threads :) *shameless plug*


Also, for people who don't know where the HOSTS file is located:

C:\WINDOWS\system32\drivers\etc

It might be C:\WINNT for those running on 2000 and NT (I haven't used NT) but every other OS should be ok with that path.

Open up your HOSTS file (there is no extension so it's just 'hosts') in notepad and paste the list of URIs and IPs into the file, save and close.

And you're done.


lol this was on the 27th and i have already got over idk like 3/5 emails about it.

the first one (from a friend):-

Dear Derek (my real name),

I just wanted to make you aware of a NEW security threat that currently has NO PATCH available...

This is serious so when you have a few moments please visit this article I have now posted to my website.

If you have a friend using Windows XP/ME/98 then send them a copy of this email....

2nd email (from sophos, antivirus company):-

Windows Graphics Rendering Engine vulnerability and Exp/WMF-A

Sophos has issued a virus identity (IDE) file for the Windows Metafile (WMF) exploit file, Exp/WMF-A, which makes use of a vulnerability in the Windows Graphics Rendering Engine.

For details see http://www.sophos.com/support/knowledge ... /4242.html

3rd, microsoft newsletter kinda thing:-

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: December 28, 2005
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Security Advisory (912840)
- Title: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
- Web site: http://go.microsoft.com/fwlink/?LinkId=58452

4th basically telling me m$ has revised the advisory.

5th McAfee AVERT breaking virus news thing.

Advisory
AVERT is releasing this advisory to make our customers aware of new Exploit-WMF code having been released today and currently being used in spam attacks resulting in the installation of a new Backdoor-CEP variant.

Justification
Updated DAT files to detect new Exploit-WMF and Backdoor-CEP variants are being prepared now and will be released shortly.

Read About It
Information about Exploit-WMF is located on VIL at: vil.nai.com/vil/content/v_125294.htm

Detection
New Exploit-WMF and Backdoor-CEP variants have been discovered on 1/1/2006 (GMT) and detection will be added to the 4664 dat files (Release Date: 1/1/2006). The EXTRA.DAT is available at https://www.webimmune.net/extra/getextra.aspx.

If you suspect you have Exploit-WMF or Backdoor-CEP, please submit samples to http://www.webimmune.net.

Risk Assessment Definition
For further information on the Risk Assessment and AVERT Recommended Actions please see: http://www.mcafeesecurity.com/us/securi ... ssment.htm

Best Regards,

McAfee AVERT - Anti Virus and Vulnerability Research, Analysis, and Solutions visit us at http://www.avertlabs.com

You are currently subscribed to avertalert as: (proper email address removed to protect myself from spambots)

here's some quotes from an article i read:

Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

Whole article can be found here: http://isc.sans.org//diary.php?storyid=994


In addition to coltm4's quotes, I believe this one to be of great importance:

Microsoft: Does this vulnerability affect image formats other than Windows Metafile (WMF)?

At this point, the only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation.

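The point of the quoted FAQ is that the rendering engine identifies a WMF by its content, not its extension, so a mail or upload filter has to do the same. An added example (mine, not from the thread, Microsoft or any vendor), in Python: it recognises WMF bytes under any file name by the placeable-header magic or the standard header fields, and, as an assumed extra check drawn from the public record of this bug rather than from the thread, flags Escape records carrying the SETABORTPROC subfunction, which the exploit files of this period used. The sample files at the bottom are constructed and contain no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable metafile magic, little-endian DWORD
META_ESCAPE = 0x0626         # record function number of Escape()
META_EOF = 0x0000            # terminating record
SETABORTPROC = 0x0009        # Escape subfunction abused by the 2005 exploit files

def wmf_header_offset(data):
    """Offset of the 18-byte standard header if the bytes are a WMF, else None.
    Only the content is inspected; the file extension is deliberately ignored."""
    if len(data) >= 22 + 18 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22                                  # skip the 22-byte placeable header
    if len(data) >= 18:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return 0
    return None

def escape_codes(data, hdr):
    """Walk the record list after the header and collect Escape subfunction codes."""
    codes, pos = [], hdr + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF or size_words < 3:     # end of file, or a size that cannot advance
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            codes.append(struct.unpack_from("<H", data, pos + 6)[0])
        pos += size_words * 2                      # RecordSize is counted in 16-bit words
    return codes

def triage(filename, data):
    """Classify an attachment: 'not-wmf', 'wmf' or 'suspicious: <reasons>'."""
    hdr = wmf_header_offset(data)
    if hdr is None:
        return "not-wmf"
    reasons = []
    if not filename.lower().endswith(".wmf"):
        reasons.append("WMF content, extension is not .wmf")
    if SETABORTPROC in escape_codes(data, hdr):
        reasons.append("SETABORTPROC escape record")
    return "suspicious: " + "; ".join(reasons) if reasons else "wmf"

def build_wmf(records):
    """Constructed test input: a minimal disk metafile holding the given records."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body

# Constructed samples; the second carries only an empty Escape record, no payload
BENIGN = build_wmf([])
ESCAPE = build_wmf([struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)])
```

A filter built on triage() treats a renamed .jpg or .gif that is really a WMF as suspicious on content alone, which is the case the FAQ answer describes.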

also relating to the hosts file, when opening use notepad, or a text editor similar to it, and if you try to save it, and are prompted to make a new file, right-click the hosts file, and click properties, disable read-only and you'll be able to save it.

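The two HOSTS file posts above (locate the file, paste the entries, clear the read-only flag so the editor can save) as an added Python example; it is mine, not from the thread. merge_hosts works on text so the result can be checked without touching the system, and it skips hostnames that are already mapped, comparing case-insensitively since hostnames are not case-sensitive; write_hosts applies it to a path you supply and clears the read-only attribute with os.chmod, which is what causes the "create a new file" prompt. The hostnames in the sample are placeholders, not a real blocklist.

```python
import os
import stat

def merge_hosts(existing_text, entries):
    """Return hosts-file text with (ip, hostname) entries appended, skipping any
    hostname already mapped. Hostnames are case-insensitive, so a repeat that
    differs only in capitalisation is not a new entry."""
    present = set()
    for line in existing_text.splitlines():
        fields = line.split("#", 1)[0].split()     # strip comments, then tokenise
        for host in fields[1:]:                    # first field is the address
            present.add(host.lower())
    added = []
    for ip, host in entries:
        key = host.lower()
        if key not in present:
            present.add(key)
            added.append(f"{ip} {key}")
    if not added:
        return existing_text
    sep = "\n" if existing_text and not existing_text.endswith("\n") else ""
    return existing_text + sep + "\n".join(added) + "\n"

def write_hosts(path, entries):
    """Apply merge_hosts to the file at `path`. Clears the read-only attribute
    first (os.chmod with S_IWRITE does this on Windows), which is what makes
    Notepad offer to create a new file instead of saving. Returns True if changed."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        current = fh.read()
    updated = merge_hosts(current, entries)
    if updated == current:
        return False
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return True

# Constructed sample data: placeholder hostnames, not a real blocklist
SAMPLE_HOSTS = "# constructed hosts file\n127.0.0.1       localhost\n127.0.0.1 iframe-ads.example\n"
BLOCKLIST = [("127.0.0.1", "bad-toolbar.example"),
             ("127.0.0.1", "Bad-Toolbar.example"),     # differs only in case
             ("127.0.0.1", "iframe-ads.example")]      # already present
```

Running write_hosts against the system file still needs an administrator account, since the read-only attribute is not the only thing protecting it.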

also just thinking.. admins might want to disable or think about disabling sigs and avatars for the time being

i mean this is a huge bug

luckily according to steve gibson windows 9x systems seem to not be infectable but.. there is again no fix so keep them offline as much as possible


ok got some good news people :)

Microsoft will release a security update next Tuesday

Microsoft Security Advisory (912840)

QUOTE(Microsoft)
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Make sure you update your computer...


what's the chances of getting this virus or whatever it is?
Fairly low, if you stick to websites that you know are run by "good" people. Don't open email attachments that are images which are from people you don't know, and if you're not already - use Firefox - it makes the process less automatic.
Actually Cam it's pretty high in the wild. Even sticking to "good" sites isn't going to keep you immune to this. I've seen it increasingly being used on forums which allow guest posting, posted by robots. And I've had 2 spams with a wmf attached.

Ah, righto. *pats spam filter*