Archive for microsoft

Today is Patch Tuesday for Microsoft and it's a doozy

The second Tuesday of every month is Microsoft's Patch Tuesday. It is on this day that they release security updates for vulnerabilities discovered during the previous month. This month's Patch Tuesday is a doozy, though. It contains 2 Windows security patches, 1 IE update that contains fixes for multiple problems, an Outlook Express update, and an update to the Microsoft FrontPage Extensions.

It is advised that everyone who runs Windows install these patches immediately. These patches can be installed via Automatic Updates, if it is configured on your computer, or by going to Windows Update.


New spam luring people to sites with Internet Explorer exploits

There is currently an unpatched vulnerability in Internet Explorer that can allow a web site to install software on your computer. This vulnerability can only affect you if you visit a site that is running one of these exploits. Spam, though, has been found that acts as a lure to get you to visit one of these sites.

Websense has released an alert stating:
“Attackers have begun spamming e-mail lures in an attempt to attract users to infected websites. These e-mail messages contain excerpts from actual BBC news stories and offer a link to “Read More”. Users who follow this link are taken to a website that is a spoofed copy of the BBC news story from the e-mail. This website exploits the unpatched createTextRange vulnerability and is currently being used to download and install a keylogger. This keylogger monitors activity on various financial websites and uploads captured information back to the attacker.”

So if you receive an email about stories found on the BBC's website, do not visit the links it contains. Instead, discard these emails and go to the BBC's website manually by typing its address into your web browser. That way at least you know you are going to the correct site rather than a forged one.


WMF Vulnerability Checker

Not only has Ilfak Guilfanov released a patch for this vulnerability, he has also created a program that will let you know whether your computer is vulnerable. You can find information about this vulnerability checker here:

http://www.hexblog.com/2006/01/wmf_vulnera…ty_checker.html

For a concise guide on installing the patch, disabling Shimgvw.dll, and checking your system, you should read our WMF vulnerability guide here:

How to protect yourself from the Windows Metafile Vulnerability


Unofficial WMF Vulnerability Patch Released

An unofficial patch for the WMF vulnerability has been released. This program patches, in memory, the Escape() routine of GDI32.dll so that it no longer accepts the SETABORT escape sequence that is being used to exploit this vulnerability.

You can get the patch here:

http://www.hexblog.com/security/files/wmffix_hexblog13.exe

This patch has been tested and works as advertised, and it is supported under Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003. This patch should be installed by every Windows user until Microsoft releases an official patch.


Having Fun With WMF Exploits

Well, the WMF exploit is definitely the hot topic right now. For the most part we are seeing only rogue sites (they tend to be .info or .biz sites) using WMF files to install fake antispyware apps and other spyware/adware software. Today, though, there have been reports of an MSN Messenger worm in the Netherlands utilizing this exploit. Be on the lookout for any MSN Messenger message telling you to visit a link to any image file.

Why do I say any? Because it's possible to create a malformed WMF file to exploit your computer and simply change the extension to JPG or GIF. Now you think it's a safe file, but in reality the OS will read the headers of the file, see that it is really a WMF file, and exploit you all the same.
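As an added example (not code from these posts or from the hexblog patch), here is a small Python checker that identifies a WMF by its header rather than its extension, as described above, and flags the META_ESCAPE record carrying escape code SETABORTPROC (the escape the patch post calls SETABORT), which is what the unofficial patch blocks in GDI32.dll. The header and record layouts follow the Windows Metafile specification; the sample file bytes are constructed here with a dummy payload and are not a working exploit.

```python
import struct

# WMF constants from the Windows Metafile specification.
PLACEABLE_KEY = 0x9AC6CDD7   # "placeable" WMF magic, start of a 22-byte pre-header
META_ESCAPE = 0x0626         # record type that wraps an Escape() call
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape code that installs an abort procedure

def build_test_wmf(escape_code, placeable=False):
    """Constructed sample (not a real exploit): one META_ESCAPE record, then EOF."""
    payload = b"\x90" * 4  # dummy bytes standing in for the abort procedure
    params = struct.pack("<HH", escape_code, len(payload)) + payload
    size_words = (6 + len(params)) // 2
    body = struct.pack("<IH", size_words, META_ESCAPE) + params
    body += struct.pack("<IH", 3, META_EOF)
    # METAHEADER: Type, HeaderSize (words), Version, Size (words), Objects, MaxRecord, Members
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, size_words, 0)
    data = hdr + body
    if placeable:
        data = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data

def scan_wmf(data):
    """Return (findings, dangerous); header-based, so a renamed .jpg/.gif is still caught."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        findings.append("placeable WMF header")
        off = 22
    if len(data) < off + 18:
        return findings, False
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hsize != 9:
        return findings, False  # not a WMF at all
    findings.append("WMF header, version 0x%04x" % version)
    off += 18
    while off + 6 <= len(data):  # walk records: Size (words), Function, params
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            esc, count = struct.unpack_from("<HH", data, off + 6)
            if esc == SETABORTPROC:
                findings.append("META_ESCAPE SETABORTPROC at offset %d, %d payload bytes" % (off, count))
        off += size_words * 2
    return findings, any("SETABORTPROC" in f for f in findings)

if __name__ == "__main__":
    for name, blob in [("renamed.jpg", build_test_wmf(SETABORTPROC)), ("real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 30)]:
        print(name, scan_wmf(blob))
```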

I spent a good chunk of yesterday, in between feeding the twins, playing around with various sites that have WMF exploits. I tested these sites with shimgvw.dll registered and unregistered. I also tested with Software DEP enabled, as I do not have the hardware necessary to use Hardware DEP.

What I found was:

Tests done while shimgvw.dll is registered

Visit a site that launches a WMF via an iframe or other method - The WMF file will load in the picture viewer, close the picture viewer and IE, and you are now infected or being infected.

Download the WMF and launch it - If you download the WMF and run it from a command prompt, it will infect you as well.

Open a folder that the WMF resides in - If you open the folder you get infected, as the OS tries to generate thumbnails and thus triggers the malformed WMF headers that infect you.

Tests done while shimgvw.dll is unregistered

Visit a site that launches a WMF - Not infected. It did not open the image viewer.

Download the WMF and launch it - Nothing happens

Open a folder that the WMF resides in - Nothing happens

3rd party software

IrfanView - Infects with or without shimgvw.dll being registered. Still need to test this with DEP.

When I tested with Software DEP on, my test computer was protected, but there have been too many people stating that they were still being infected. Due to this conflicting information going around, I still suggest that people unregister the DLL to help prevent getting infected by these files. It's not a perfect solution, but it's better than nothing.

Because unregistering/registering a DLL can be difficult for some people, I put together a script and guide on how to unregister shimgvw.dll.

The guide on using the script and unregistering the DLL can be found here:

Windows Metafile Exploit Mitigation By Unregistering Shimgvw.dll

The script to unregister the DLL can be found here:

shimgvw.zip





© 2003-2008 All Rights Reserved Bleeping Computer LLC.
