Full Version: Windows WMF 0-day Exploit
BleepingComputer.com > Security > Breaking Virus & Security News
   
Daisuke
A new 0-day exploit is in the wild.

Bloodhound.Exploit.56

Exploit-WMF

More details:
Windows WMF 0-day exploit in the wild

Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability

Solution:
1. Update your Antivirus signatures.
2. Wait for a patch.
Papakid
I just got a newsletter about this from Kaspersky. Here's part of it:
QUOTE
Kaspersky Lab...has detected
a range of Trojan programs which exploit the Windows Meta File
vulnerability. This vulnerability is rated highly critical, and so far,
no patch has been issued.

The Trojans are classified as Trojan-Downloader.Win32.Agent.acd, as all
the samples detected by Kaspersky Lab come from the same family. New
modifications of these programs may well appear in the near future.

The WMF vulnerability is present in computers running Microsoft Windows
XP with SP1 and SP2, and Microsoft Windows Server 2003 with Service Pack
0 and Service Pack 1. The vulnerability can be exploited when viewing
infected sites with Internet Explorer, Firefox (if certain other
conditions are met), or when previewing *.wmf format files with Windows
Explorer.

Similar article:
http://www.viruslist.com/en/viruses/alerts?alertid=176701669

Note from the SANS article Daisuke linked to the conditions to be met for someone to be infected through using Firefox:
QUOTE
a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.


So even though it may be possible to get infected through FF, it may be safer than using IE because you can refuse to allow the .wmf file to run. Just say no. As far as is known at this point, you may get infected using IE just from visiting a website and you wouldn't know until it's too late.

http://www.f-secure.com/weblog/archives/ar...5.html#00000752
QUOTE
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

QUOTE
...all versions of Firefox and Opera prompt the user first.


It's also interesting that this exploit is being used to install "hoax anti-malware programs the likes of Avgold."

Known websites that install through this exploit are listed in the next entry in the F-Secure blog:
http://www.f-secure.com/weblog/archives/ar...5.html#00000753

I'm sure that list will grow. But I'm not going to post them because of this warning:
QUOTE
Do note that it's really easy to get burned by this exploit if you're analysing it under Windows.
Daisuke
Kaspersky about the WMF Vulnerability

http://www.viruslist.com/en/weblog?weblogid=176771047

QUOTE(Kaspersky)
At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.


QUOTE(Kaspersky)
Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited.

Some people run under a limited user account (which among other things restricts NTFS rights). This may make people feel that they are protected from malware. In this case, nothing could be much further from the truth.

The attackers seem very well aware of this fact and have already released malware which will be downloaded and executed in a directory where a limited user has execution rights.


QUOTE(Kaspersky)
Our testing has also revealed that although Windows 2000 is not vulnerable by default, it is potentially vulnerable. If the Windows 2000 system has an image viewer which supports .wmf files installed, there's a high chance that the system will be vulnerable.
BanditFlyer
I think this might be the same thing. My first thought when I read the article was to post here: http://www.updatexp.com/wmf-exploit.html
Daisuke
Yellow alert, second time this week - New exploit released

New exploit released for the WMF vulnerability - YELLOW

QUOTE(SANS Internet Storm Center)
We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.


QUOTE(F-Secure Blog)
We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.
http://www.f-secure.com/weblog/archives/ar...6.html#00000758

Take care !
Papakid

Grinler has made a script to make it easy to work around part of this exploit, but as related here, there is not much you can do to cover all bases until MS gets off their duffs.

Windows Metafile exploit mitigation by unregistering shimgvw.dll
Daisuke
2nd generation WMF 0day Exploit Spammed

WMF FAQ - SANS Internet Storm Center

New WMF exploit attacks via email

Read the FAQ ! Unregister the DLL (see above) and apply the unofficial patch (SANS & Ilfak Guilfanov). Keep your AV up-to-date. Stay tuned !
Papakid
That FAQ should be required reading for everybody. I'd like to point out a few things, but it shouldn't be a substitute for reading the entire FAQ and keeping up with the latest developments.

First, I don't like the sound of this:
QUOTE
Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

Although it is still up in the air whether or not pre-Win2K operating systems are even subject to this vulnerability, I hope MS will be responsible enough to provide a patch if they are. They've been trying to phase out older non-NT-based OSes in an effort to force folks to upgrade for a while, and they shouldn't let the cyber-criminal element accomplish that for them--in my opinion.

Second, note that the patch is only known to work on 2K and XP at this time. And the workaround by unregistering the shimgvw.dll is only available to operating systems WinME and upward--so that would imply ME is vulnerable.

For the moment, to be on the safer side, those running older operating systems should also do the following along with keeping your resident anti-virus up to date:

1. Use Firefox and Opera only--don't use Internet Explorer. If you are asked to download any image file, regardless of its extension, refuse permission.

Firefox
Opera for Windows

2. Follow standard best practices for your PC's security. It used to be that image files were safe to open if received as an email attachment. This is no longer the case, and they should now be included in the list of executable files that you should avoid opening. Also be aware that the same best practices should be applied to Instant Messaging and P2P file-sharing. The same tricks that have been used to fool the unsuspecting into opening email attachments are also used by IM and P2P, and there has been a monumental increase in being infected through IM recently.

BEST PRACTICES: PC World's Avoid viruses & Scams

Simple and easy ways to keep your computer safe and secure on the Internet

Worm In The Wild Using The Wmf Exploit


3. Disable or uninstall any software that indexes files on your computer. The Google Toolbar has been mentioned, but it is unclear if it was being confused with the Google Desktop. Nevertheless, any toolbar with enhanced search features is suspect if you have managed to get an infected file on your system. Other popular free desktop search clients:

MSN Search Toolbar
Windows Desktop Search – enabled for the enterprise
Yahoo! Desktop Search

Ask Jeeves also has a Desktop client in beta and some others are out there.
Scarlett
QUOTE
http://www.f-secure.com/weblog/

Monday, January 2, 2006
Posted by Mikko @ 12:17 GMT


Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today.

A new WMF exploit file was spammed from South Korea to a targeted list of a few dozen high-profile email addresses.

The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com.

What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit.

E-Mail Content:

From: tommy@security.state.gov

Confidential

Attached is the digital map for you. You should meet that man at those points seperately.

Delete the map thereafter. Good luck.

Tommy
Scarlett
QUOTE
http://isc.sans.org/diary.php?storyid=975
Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)




Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.


QUOTE
http://www.f-secure.com/weblog/

Friday, December 30, 2005

WMF, day 3 Posted by Stefan @ 12:29 GMT



And like always, renaming the file to any other image extension will not make a difference to MSPAINT. So our suggestion is to not open any pictures right now with MSPAINT whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.
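The two points made in the quotes above, that XP recognises a WMF by its content rather than its extension, and (from the SANS note earlier in the thread) that the new generator puts random junk ahead of the bad call so byte signatures miss it, are easiest to see with a parser that works the way the loader does. The script below is an added example for this thread, not code from SANS, F-Secure or Microsoft. It identifies WMF data by the placeable key or the standard header words, then walks every record to find a META_ESCAPE record whose escape function is SetAbortProc (escape 9), which is the record type the MS06-001 update addressed; the thread itself never names the escape, so that detail comes from the public description of the vulnerability, not from any post here. All three sample files are constructed inline, and the "payload" in the suspect one is inert filler.

```python
"""Structural triage for Windows Metafile (WMF) data.

Added example for this thread, not code from SANS, F-Secure or Microsoft.
Identifies WMF by header bytes (not extension) and walks the record stream
looking for a META_ESCAPE record whose escape function is SetAbortProc (9),
the record type the MS06-001 update addressed.  Sample files are constructed
inline; the "payload" in the suspect sample is inert filler.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header key, bytes 9A C6 CD D7 on disk
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETWINDOWORG = 0x020B   # benign records used only to build the samples
META_SETWINDOWEXT = 0x020C
SETABORTPROC = 0x0009        # escape function carried inside META_ESCAPE


def identify_wmf(data: bytes):
    """Return the offset of the standard WMF header, or None if `data` is
    not a WMF.  Decided purely on content, never on the file extension."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def walk_records(data: bytes, hdr_off: int):
    """Yield (offset, size_words, function, params, malformed) per record.
    Stops at META_EOF, or after reporting a truncated/undersized record."""
    off = hdr_off + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if size_words < 3 or off + nbytes > len(data):
            # Report whatever header bytes are readable, then stop walking.
            yield off, size_words, func, data[off + 6: off + 10], True
            return
        yield off, size_words, func, data[off + 6: off + nbytes], False
        if func == META_EOF:
            return
        off += nbytes


def triage(data: bytes) -> dict:
    """Summarise a blob: is it WMF, how many records, and any findings.
    Junk records ahead of the escape do not matter; every record is visited."""
    hdr = identify_wmf(data)
    if hdr is None:
        return {"is_wmf": False, "placeable": False, "records": 0, "findings": []}
    findings, count = [], 0
    for off, size_words, func, params, malformed in walk_records(data, hdr):
        count += 1
        if func == META_ESCAPE and len(params) >= 4:
            esc, bytecount = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                findings.append("META_ESCAPE/SETABORTPROC at offset %d (%d escape bytes)"
                                % (off, bytecount))
        if malformed:
            findings.append("malformed or truncated record at offset %d (size %d words)"
                            % (off, size_words))
    return {"is_wmf": True, "placeable": hdr == 22, "records": count, "findings": findings}


# ---- constructed samples (not real captures) -------------------------------
def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0               # record sizes are in 16-bit words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(records, placeable: bool = False) -> bytes:
    body = b"".join(records)
    # Type=1 (memory), HeaderSize=9 words, Version 3.0, total size in words,
    # NumberOfObjects, MaxRecord, NumberOfMembers
    out = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body
    if placeable:
        head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", head):   # XOR of the first 10 words
            checksum ^= word
        out = head + struct.pack("<H", checksum) + out
    return out


BENIGN_WMF = build_sample([
    _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    _record(META_EOF, b""),
], placeable=True)

# Forty filler records in front of the escape, as the SANS note describes,
# and no placeable header; the file name could be "picture.jpg" for all the
# parser cares.  The 64 "A" bytes stand in for whatever would follow.
SUSPECT_WMF = build_sample(
    [_record(META_SETWINDOWEXT, struct.pack("<hh", i, i)) for i in range(40)] + [
        _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 64) + b"A" * 64),
        _record(META_EOF, b""),
    ])

NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 40     # a JPEG SOI marker, not WMF

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN_WMF), ("picture.jpg", SUSPECT_WMF),
                       ("real.jpg", NOT_WMF)):
        print(name, triage(blob))
```

Run it and the second sample is flagged even though nothing about its name or its first 400 bytes says "exploit"; a truncated copy still produces the SetAbortProc finding plus a malformed-record note, because the walker reports the readable part of the last record before giving up. The placeable key, header words and META_ESCAPE layout are the documented WMF structures, not something inferred from the thread.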
Daisuke
Microsoft will release a security update next Tuesday

Microsoft Security Advisory (912840)

QUOTE(Microsoft)
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.
Daisuke
New WMF exploits on the horizon

QUOTE(Kaspersky Analyst's Diary)
At the moment, the number of different WMF exploits we've seen has gotten well past a hundred and more are coming every hour.

But that's not the worst. The most recent exploits show that the bad guys have been very very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.

Not surprisingly, we haven't taken a break either. We released an update to our heuristics which deals not only with the most recent exploits but also with a few tricky ways to exploit the vulnerability which haven't been used in attacks - yet. Just as a precaution, you know.

At the same time, some people, Microsoft included, are busy developing fixes. Our friends from F-Secure have blogged about Ilfak Guilfanov's patch, which is currently the most popular one.

A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.

Of course, you should never use a patch from an untrusted source, no matter how promising it looks. Ilfak's patch is the only one we can recommend. Make sure you do some testing beforehand, especially if you are going to deploy it on a large number of production machines though. Ilfak, who is the author of the popular IDA disassembler, knows what he's doing, and the work he's put into developing the patch is admirable.

And finally, you should always be very wary of any third party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware.



WMF vulnerability – no official patch yet

QUOTE(Kaspersky News)
Microsoft has responded to the identification of the WMF vulnerability by promising to release a patch on January 10th. The patch will be released as part of the scheduled monthly release of security bulletins. At the moment it is being localised and quality tested.

Microsoft itself claims that monitoring of the vulnerability shows that attacks are not widespread and limited in scope. At the same time, the lack of an official patch has opened a window of opportunity for malicious users to exploit. It has been reported that there are now dozens of attacks being carried out, ranging from an MSN worm to spam containing links to malicious websites. One suggestion is that at least a million PCs worldwide have already been affected. It has also been claimed that up to 99% of computers worldwide could be vulnerable to this security flaw.

One indication of the seriousness of the situation is the advice given by some security professionals to install an unofficial Windows patch created by computer expert Ilfak Guilfanov. This is unusual, and those who recommend installing Guilfanov's patch stress that installing third party patches from untrusted sources is highly unwise. Microsoft itself advises against installing third-party add-ons as the company cannot guarantee functionality. However, the only alternative advice Microsoft can offer is to keep antivirus signature files updated, and to sit tight until the official patch is released next week.
Daisuke
No patch for Windows 98, Windows 98 SE, and Windows Me

QUOTE(Microsoft)
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates.


http://www.microsoft.com/technet/security/...ory/912840.mspx
Scarlett
mad.gif censored2.gif M$
Mr Alpha
Microsoft Security Bulletin Advance Notification

QUOTE
Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.
Daisuke
QUOTE(Microsoft)
The security update will be available at 2:00 pm PT as MS06-001.

You can download the patch right now.
Thunder
Yes, I patched my PCs ten minutes ago.
quietman7
QUOTE
Published: 2006-01-05,
Last Updated: 2006-01-05 22:49:16 UTC by Marcus Sachs

Many of you already know this if you receive advance notification from Microsoft. For everybody else, see their announcement about an early release of the WMF patch. The patch and details about it are available here. If you have installed any of the earlier patches or workarounds, here is our recommendation for updating:

1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. Uninstall the unofficial patch, by using Add/Remove Programs on single systems.
If you used msi to install the patch on multiple machines you can uninstall it with this:

msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):

regsvr32 %windir%\system32\shimgvw.dll

6. Reboot one more time just for good measure

We tested the patch, and it does block the attack just like the unofficial patch does.

If you experience any problems with the official patch, check support.microsoft.com and call the toll-free number listed for free assistance. Microsoft will not support the unofficial patch. As an alternative to the sequence shown above, you may want to uninstall the unofficial patch first. But make sure you keep shimgvw.dll unregistered until the official patch is applied. Either sequence works in our testing. Removing the unofficial patch later provides an extra layer of protection.

You can use our test image at http://sipr . net/test . wmf as a test to make sure you are not vulnerable. The test image will start the calculator if you are vulnerable.

I'd like to take this opportunity to thank all of our incident handlers for the endless hours of analysis over the past week. Also, many thanks to the hundreds of readers who sent in analysis and observations. Finally, thanks to the response team at Microsoft for issuing the patch today. We all appreciate the extra internal effort it took to do this out of cycle.

Marcus H. Sachs
Director, SANS Internet Storm Center

http://isc.sans.org/diary.php?storyid=1019
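The cleanup sequence quoted above, as an added example script that is not the SANS or Microsoft procedure itself. It enforces the one ordering constraint the note stresses: shimgvw.dll stays unregistered until the official update is actually present on the box, and the unofficial patch is only removed after that check. It is a cmd batch file because that is where regsvr32 and msiexec are typed on XP. The registry locations it queries (the HotFix key for KB912919 and the Windows Installer Uninstall key for the unofficial patch's product code) are assumptions about where XP records those; verify them on one machine before relying on the script across many. It does not reboot for you.

```batch
@echo off
rem Post-MS06-001 cleanup. Added example, not the SANS or Microsoft procedure
rem itself. Registry paths are assumptions about where XP records hotfixes
rem and Windows Installer products; check them before relying on this.
setlocal

set UNOFFICIAL_PRODUCT={E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}
set HOTFIX_KEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB912919
set MSI_KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%UNOFFICIAL_PRODUCT%
set SHIMGVW=%windir%\system32\shimgvw.dll

echo Checking for the official MS06-001 update (KB912919)...
reg query "%HOTFIX_KEY%" >nul 2>&1
if errorlevel 1 goto :nohotfix
echo KB912919 is installed.

rem Step 4 of the SANS sequence: remove the unofficial patch if Windows
rem Installer knows about it.  Exit code 3010 means "done, reboot required".
reg query "%MSI_KEY%" >nul 2>&1
if errorlevel 1 goto :reregister
echo Removing the unofficial patch...
msiexec.exe /X%UNOFFICIAL_PRODUCT% /qn
if %ERRORLEVEL% EQU 0 goto :reregister
if %ERRORLEVEL% EQU 3010 goto :reregister
echo msiexec failed with exit code %ERRORLEVEL%; shimgvw.dll left unregistered.
exit /b 2

:reregister
rem Step 5: only reached once the official fix is confirmed present.
echo Re-registering %SHIMGVW%...
regsvr32 /s "%SHIMGVW%"
if errorlevel 1 goto :regfail
echo Done. Reboot once more, then test with a known-inert WMF sample.
exit /b 0

:nohotfix
echo KB912919 NOT found. Leaving shimgvw.dll unregistered.
echo Install the official update, reboot, then rerun this script.
exit /b 1

:regfail
echo regsvr32 failed with exit code %ERRORLEVEL%.
exit /b 3
```

Run it from an administrative command prompt after the official update and its reboot (steps 1 to 3 in the note); a non-zero exit code means the DLL was deliberately left unregistered, which is the safe failure mode here.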
Datababe
I'd bet it's already posted, but I'm sick as a dog with a cold and scatter-shooting this as I can:

http://www.microsoft.com/athome/security/u...200601_WMF.mspx

Cheers!
hithereitstim
I can't download the patch, all I see in the updates is Service Pack 2, anyone know why?

*edit* nevermind found it.