[CS-FSLUG] Another Major MS Windows Security Flaw

dmc edoc7 at verizon.net
Sun Jan 1 17:11:36 CST 2006 

Yet another reason that serious apps need to be moved off
MS Windows to a more mature and secure OS platform.

It is frightening to know that many national security,
health, and other systems still exist under the "toy"
OS that is MS Windows.

doc

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Extremely Critical Flaw' in Windows Discovered, Already Exploited

Friday, December 30, 2005

By Lisa Vaas

Microsoft Corp. has issued a security advisory for what Secunia is 
deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) 
that is now being exploited on fully patched systems by malicious attackers.

Websense Security Labs is tracking thousands of sites distributing the 
exploit code from a site called iFrameCASH BUSINESS.

That site and numerous others are distributing spyware and other 
unwanted software, replacing users' desktop backgrounds with a message 
that warns of spyware infection and which prompts the user to enter 
credit card information to pay for a "spyware cleaning" application to 
remove the detected spyware.

Vulnerable operating systems include a slew of Windows Server 2003 
editions: Datacenter Edition, Enterprise Edition, Standard Edition and 
Web Edition.

Also at risk are Windows XP Home Edition and Windows XP Professional, 
making both home users and businesses open to attack.

In this fluid attack, researchers have kept up a steady stream of new 
details about the extent of the exploit's reach, with Google Desktop 
being the latest reported vector.

F-Secure reported on Wednesday that Google Desktop tries to index image 
files with the exploit, executing it in the process. F-Secure reports 
that this exploitation-via-indexing may wind up occurring with other 
desktop search engines as well.

Google had no immediate comment. To avoid the problem, security experts 
suggest disabling the feature's indexing of media files, or to remove 
Google Desktop altogether.

A workaround called REGSVR32 has been posted and was included in 
Microsoft's advisory. However, it should be noted that as of Thursday 
evening, some security researchers were reporting that the workaround is 
not fully successful.

The workaround is as follows, as quoted from the advisory:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u 
%windir%system32shimgvw.dll" (without the quotation marks), and then 
click OK.

2. A dialog box appears to confirm that the un-registration process has 
succeeded.

— Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer 
be started when users click on a link to an image type that is 
associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above 
steps. Replace the text in Step 1 with "regsvr32 
%windir%system32shimgvw.dll" (without the quotation marks).

F-Secure notes that this workaround beats filtering .wmf files, given 
that files with other image extensions — such as BMP, GIF, JPG, JPEG, 
TIFF, etc. — can be used to exploit machines.

F-Secure also recommends filtering domains at corporate firewalls. These 
sites should be listed as off-limits:

toolbarbiz.business

toolbarsite.biz

toolbartraff.biz

toolbarurl.biz

buytoolbar.biz

buytraff.biz

iframebiz.biz

iframecash.biz

iframesite.biz

iframetraff.biz

iframeurl.business

F-Secure notes that it's seen 57 versions of this malicious .wmf file 
exploit as of Thursday, detected as PFV-Exploit.

The security firm is predicting that, even though the exploit has only 
been used to install spyware or fake antispyware/antivirus software thus 
far, it anticipates that real viruses will start to spread soon.

According to the Sunbelt Software blog, "any application that 
automatically displays a WMF image" can be a vector for infection, 
including older versions of Firefox, current versions of Opera, Outlook 
and all current versions of Internet Explorer on all Windows versions.

"This is a zero-day exploit, the kind that give security researchers 
cold chills," according to Sunbelt's blog. "You can get infected by 
simply viewing an infected WMF image."

According to F-Secure, Trojan downloaders are taking advantage of the 
vulnerability to install Trojan-Downloader.Win32.Agent.abs, 
Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and 
Trojan.Win32.Small.ev.

F-Secure also reports that some of the Trojans install hoax anti-malware 
programs such as Avgold.

F-Secure traced the exploit to Russian sites, one of which is allegedly 
registered to former Soviet Union President Mikhail Gorbachev.

Sunbelt warns that users are likely to get infected by being directed to 
one of the sites via spam that offer dirty pictures, free software or 
other bait.

The attack works by tricking users into opening malicious ".wmf" files 
in "Windows Picture and Fax Viewer" or by previewing such a file by 
selecting it in Windows Explorer. The attack can also be triggered 
automatically when visiting malicious Web sites via Internet Explorer.

Although Secunia deemed the flaw highly critical, at least one security 
researcher was dismissive of the bug's severity.

Pete Lindstrom, research director for Spire Security LLC, said that at 
this stage in the game, anything that requires user interaction is 
hardly worth notice.

"There's no such thing as 'extremely critical' when user interaction is 
required," Lindstrom said. "That's just silly."

But as far as using IE goes, download of malicious software is 
automatic, happening immediately upon going to the site, pointed out 
Alex Eckelberry, president of Sunbelt Software.

"There is no user interaction required," he wrote in an e-mail exchange. 
"You hit the Web site, you get hit immediately. No prompts, nothing."

John Pescatore, an analyst with Gartner Inc., said that this type of 
attack may be slowed down by requiring users to click on a malicious 
.wmf file or to go to a malicious Web site, but that doesn't mean it 
won't spread fast, given users' willingness to click on bait.

"One of these [attacks] where clicking on a URL [is involved], those can 
spread pretty fast," he said, given users' proclivity to click away.

"We do online consumer studies. Two years ago, 30 percent had fallen for 
phishing [schemes]. They entered their user name, password or credit 
card information. This year, many fewer completely fell for them, but 
they still clicked on the link in the phishing e-mail."

Given the rise of keystroke loggers that can automatically be downloaded 
onto a user's system after the user visits a malicious site, that means 
the Web-surfing population is still ripe for phishing, Pescatore said.

"They're still clicking on links, and whenever malicious software gets 
installed, that's when you get a critical rating, because all sorts of 
bad things can happen."

According to Secunia, the vulnerability is caused by an error in 
handling corrupted .wmf files — a graphics file format used to exchange 
graphics information between Microsoft Windows applications that can 
hold vector and bit-mapped images.

Secunia confirmed the vulnerability on a fully patched system running 
Windows XP SP2. The advisory said that Windows Server 2003 SP0 and SP1 
systems have also reportedly been affected.

A Microsoft spokesman told eWEEK in an e-mail exchange on Wednesday that 
Microsoft "is investigating new public reports of a possible 
vulnerability in Windows," although he didn't give an ETA for a patch.

"Microsoft will continue to investigate the public reports to help 
provide additional guidance for customers," he said. "Upon completion of 
this investigation, Microsoft will take the appropriate action to 
protect our customers, which may include providing a fix through our 
monthly release process or issuing a security advisory, depending on 
customer needs."

The spokesman went on to encourage customers to follow Microsoft's 
Protect Your PC guidelines of enabling a firewall, getting software 
updates and installing anti-virus software.

Customers who think they've been affected can also contact Product 
Support Services, which is at 1-866-PCSAFETY in North America or at 
http://support.microsoft.com/security for outside North America.

Microsoft also advises customers who think they've been attacked to 
contact their local FBI office or to post the incident on 
www.ifccfbi.gov. Customers outside the United States should contact the 
national law enforcement agency in their country, the spokesman said.

The advisory issued by Microsoft later on Wednesday said that Microsoft 
is aware of the code, which allows an attacker "to execute arbitrary 
code in the security context of the logged-on user, when such user is 
visiting a Web site that contains a specially crafted Windows Metafile 
(WMF) image."

Microsoft's advisory echoed Lindstrom's take, however, stating that 
attackers have "no way to force users to visit a malicious Web site."

Instead, the advisory continued, attackers have to persuade users to 
visit the sites, "typically by getting them to click a link that takes 
them to the attacker's Web site."

The advisory said that Microsoft would either be issuing a patch through 
its monthly release process or would provide an out-of-cycle security 
update, "depending on customer needs."

Microsoft's spokesman declined to state how many customers had reported 
that they had been victimized by the attack.

Secunia advised that users avoid opening or previewing untrusted .wmf 
files, as well as set security level to "High" in IE.

Lindstrom noted that the long-term answer to dealing with what he called 
this type of "flotsam and jetsam" of constant security alerts is to 
install host intrusion prevention software to designate what software is 
allowed to run on a system and what it's allowed to do.

As far as the short-term response to this particular vulnerability goes, 
Lindstrom echoed Secunia's advisory when it comes to untrusted files: 
"Don't click on it," he said.

Editor's Note: This story was updated to include Microsoft's statement, 
more on the recommended workaround and more details about the exploit 
from Sunbelt and F-Secure.

Additional reporting by Ben Charny.

Check out eWEEK.com's Security Center for the latest security news, 
reviews and analysis. And for insights on security coverage around the 
Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction 
in whole or in part in any form or medium without express written 
permission of Ziff Davis Media Inc. is prohibited.


-- 
A blessed New Year to all!
David Colburn, D.Min., M.A.Co.
edoc7 at verizon.net

Eden Acres Resources - Books2Inspire
30-70% Off Books, CD's, DVD's, etc.
http://edenacres.bibleseven.com/b2i/b2i-index.html

http://bibleseven.com
Freelance Journalist/Writer,
Crisis, Family, & Individual Counselor,
Minister of Discipleship:
First Baptist Church of Spring Hill.

       /\ /\
?(~~~{ @ @ }  Sent from
  (      *     Puppy Linux
  (        )   http://www.goosee.com/puppy
   ~~~~~~~~~
   / /   / /

More information about the Christiansource mailing list