  1. #1
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Warning: Nasty Windows Exploit
    This is *nasty* - a flaw in the WMF graphics file format that can lead to code being executed on your PC. There's no patch and it's quite likely that your anti-virus vendor doesn't have a fix for it.

    The evil thing is that WMF files can be embedded in most types of email message, i.e. it does NOT have to be an attachment. You can get infected just by viewing the graphic in a preview pane.

    Web browsers are vulnerable too, and most likely Firefox and Mozilla.

    http://www.f-secure.com/weblog/ (this tells you some sites to block)
    http://isc.sans.org/ has the latest news (Infocon is set to Yellow which means this is a serious threat)
    Innovative advertising with Slimeware Corporation and Telephore. Mail-order fuel with Petrol Direct.

  2. #2
    Affiliate Manager DavidVanHook's Avatar
    Join Date
    August 2nd, 2005
    Location
    Medford, OR
    Posts
    184
    Dynamoo, Thanks for the info. This is not good. I have some network computers to check.

  3. #3
    ABW Ambassador Snib's Avatar
    Join Date
    January 18th, 2005
    Location
    Virginia
    Posts
    5,303
    Good thing I'm an Apple user.

    - Scott
    Hatred stirs up strife, But love covers all transgressions.

  4. #4
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Quote Originally Posted by Snib
    Good thing I'm an Apple user.

    - Scott
    It's a good day to use a Mac, I think. Or that Lunix thingie.

  5. #5
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    It's possible that this could spread via email, or even potentially sneak onto Windows-based web servers. Microsoft have published a workaround here: http://www.microsoft.com/technet/sec...ry/912840.mspx

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

  6. #6
    ABW Ambassador
    Join Date
    November 26th, 2005
    Posts
    560
    Thanks for the heads up, Dynamoo.
    The Best Forums
    Nothing in the world can take the place of persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination are omnipotent.
    Abestweb Store

  7. #7
    Moderator MichaelColey's Avatar
    Join Date
    January 18th, 2005
    Location
    Mansfield, TX
    Posts
    16,232
    Microsoft still hasn't released a fix, but here's a workaround that disables the exploit:

    http://www.grc.com/sn/notes-020.htm
    Michael Coley
    Amazing-Bargains.com
    Affiliate Tips | Merchant Best Practices | Affiliate Friendly? | Couponing | CPA Networks? | ABW Tips | Activating Affiliates
    "Education is the most powerful weapon which you can use to change the world." Nelson Mandela

  8. #8
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    I hope you've all put up Google Firefox referrals on your popular pages.... It's a GREAT time for it...

  9. #9
    Moderator MichaelColey's Avatar
    Join Date
    January 18th, 2005
    Location
    Mansfield, TX
    Posts
    16,232
    FYI, I don't think Firefox is immune. This is a Windows bug, not an IE bug.

  10. #10
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    The reports I've seen indicate that since it involves code in the Windows Fax and Picture viewer, Firefox handled it differently... But I'm no expert... I and they could be wrong.

    The local IT reporters here in Rochester have been pushing both Thunderbird and Firefox as fixes. Hope they are right.
    Last edited by Noth; January 3rd, 2006 at 09:44 AM. Reason: spelling

  11. #11
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Firefox doesn't display WMF files automatically; it'll prompt for a download. But you can rename the WMF to JPG and it's still potentially dangerous, because Windows checks the content of the file rather than the extension.

    There's an unofficial patch here:
    http://www.hexblog.com/2005/12/wmf_vuln.html
    and here:
    http://handlers.sans.org/tliston/wmffix_hexblog14.exe
    which seems to be OK.

    Microsoft are going to have a patch for next week they hope, so it's just a question of surviving until then (assuming their patch actually works).
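As an added example of the point in #11 that Windows identifies a WMF by its content rather than its extension (this is my code, not code from the thread or from the patches linked above): a small Python parser that recognises a WMF by its header whatever the file is called, walks its records, and counts META_ESCAPE records carrying the SETABORTPROC escape, which is the escape the December 2005 exploit abused (a known fact about this bug, not stated in the thread). The sample files are constructed inline for testing and are not real malicious samples.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # "Aldus placeable" WMF prefix, little-endian
META_ESCAPE = 0x0626         # record type that carries printer escapes
SETABORTPROC = 0x0009        # escape abused by the Dec 2005 WMF exploit

def parse_wmf(data: bytes):
    """Identify a WMF by header, not extension; count records and SETABORTPROC escapes."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                         # skip the 22-byte placeable header
    if len(data) < off + 18:
        return None
    ftype, hsize, version, _size, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, off)           # 18-byte META_HEADER
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return None                      # header fields out of spec: not WMF
    pos, records, abortprocs = off + 18, 0, 0
    while pos + 6 <= len(data):
        rsize, func = struct.unpack_from("<IH", data, pos)   # size is in words
        if rsize < 3:
            break                        # malformed record, stop walking
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                abortprocs += 1
        records += 1
        if func == 0:                    # META_EOF
            break
        pos += rsize * 2
    return {"placeable": off == 22, "records": records, "setabortproc": abortprocs}

def classify(filename: str, data: bytes) -> str:
    """Report a WMF hiding behind another extension (e.g. renamed to .jpg)."""
    info = parse_wmf(data)
    if info is None:
        return "not wmf"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = "wmf" if ext == "wmf" else f"wmf disguised as .{ext}"
    if info["setabortproc"]:
        verdict += " (contains SETABORTPROC escape: treat as hostile)"
    return verdict

def build_sample(with_escape: bool) -> bytes:
    """Constructed minimal disk-type WMF for testing; not a file from the thread."""
    recs = b""
    if with_escape:   # META_ESCAPE, 7 words: size(4)+func(2)+escape(2)+count(2)+4 data
        recs += struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"\0" * 4
    recs += struct.pack("<IH", 3, 0)                     # META_EOF, 3 words
    size_words = (18 + len(recs)) // 2
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 7, 0) + recs
```

Run `classify(name, open(name, "rb").read())` over a mail spool or download folder to find WMF content behind .jpg or .gif names.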

  12. #12
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    I see, I see. So we got part of the story here. Thanks for clearing that up.

  13. #13
    Moderator MichaelColey's Avatar
    Join Date
    January 18th, 2005
    Location
    Mansfield, TX
    Posts
    16,232
    It looks like you might be right, at least for newer versions of Firefox. Still, you can get infected through email, messenger programs, and even Google Desktop. Using Firefox won't protect in those areas.

    Here's the Wikipedia entry for the exploit:

    http://en.wikipedia.org/wiki/Windows..._vulnerability

    (There's some discussion about Firefox there.)

  14. #14
    Analytics Dude Kevin's Avatar
    Join Date
    January 18th, 2005
    Location
    Rochester, NY
    Posts
    5,904
    How long before the NY Times blames this on cookies?

  15. #15
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Quote Originally Posted by Noth
    How long before the NY Times blames this on cookies?
    Cookies are about the only way it doesn't spread, as far as I know! Of course the malware could steal your cookies, I guess.. hmmm.

    I personally blame the New York Times. Hey.. don't they use cookies??

  16. #16
    ABW Ambassador buy_online's Avatar
    Join Date
    January 18th, 2005
    Location
    Richmond, VA
    Posts
    3,234
    VLC Media Player

    http://www.videolan.org/

    Fred

  17. #17
    2005 Linkshare Golden Link Award Winner ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Let's put the blame right where it belongs..... right on the backsides of the S/W driven affiliates seeking infestation routes to sucker punch merchants. You heard me right! Every network and AM salivating on newly discovered exploit routines by affiliates shoving Adware/Spyware/Info scraping applications up the consumers' butts should get hung up by their thumbs. I sure hope the CPA networks, major networks and every BHO and phoney anti-??? program gets huge fines over this one.

    Don't expect this one to go away soon, as the exploiters and the money trail are getting the full Federal, security firm and Microsoft attention.

    __________________________


    F-Secure first reported the zero-day vulnerability on Dec. 27. Microsoft does not plan to issue a patch until Jan. 10. In the meantime, virus writers could have a field day with the vulnerability, according to security experts. The vulnerability is related to Windows' WMF files. Windows metafiles are image files used by popular applications, such as Microsoft Word. So far WMF exploits typically have been used to install spyware and adware, although the threat of virus and worm exploits remains.

    "So far, we've only seen this exploit being used to install spyware -- or fake antispyware and antivirus software -- on the affected machines," F-Secure Chief Research Officer Mikko Hypponen said. "I'm afraid we'll see real viruses using this soon. We've seen 70 different versions of malicious WMF files so far."

    The WMF exploit has been used with a clear criminal motivation (all affiliate-based) to install spyware and to dupe ordinary consumers into purchasing fake security products for their computers, Hypponen pointed out.

    Users can be infected simply by visiting a Web site with an image file containing the WMF exploit. Internet Explorer users are at the greatest risk of automatic infection, while Firefox and Opera browser users are prompted with a question whether they'd like to open the WMF image or not. They get infected too if they answer "Yes."

    Anyone monetizing these Adwhore cyber terrorists needs to go back to their old day jobs of funding the child sex slavery business.
    Webmaster's... Mike and Charlie

    "What have you done today to put real value into a referral click...from a shoppers viewpoint!"

  18. #18
    MasterMike HardwareGeek's Avatar
    Join Date
    January 18th, 2005
    Posts
    3,810
    Wow, see what a week of boring to no news does: it makes a minor exploit like this seem like the end of the world.

    If any of you are worried that this will ruin your systems, stay off the internet until the 10th, when MS will place the patch on Windows Update.

    Or just keep your anti-virus and anti-spyware defs up to date and be happy.
