[CS-FSLUG] Another Major MS Windows Security Flaw
dmc
edoc7 at verizon.net
Sun Jan 1 17:11:36 CST 2006
Yet another reason that serious apps need to be moved off
MS Windows to a more mature and secure OS platform.
It is frightening to know that many national security,
health, and other systems still exist under the "toy"
OS that is MS Windows.
doc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Extremely Critical Flaw' in Windows Discovered, Already Exploited
Friday, December 30, 2005
By Lisa Vaas
Microsoft Corp. has issued a security advisory for what Secunia is
deeming an "extremely critical flaw" in Windows Metafile Format (.wmf)
that is now being exploited on fully patched systems by malicious attackers.
Websense Security Labs is tracking thousands of sites distributing the
exploit code from a site called iFrameCASH BUSINESS.
That site and numerous others are distributing spyware and other
unwanted software, replacing users' desktop backgrounds with a message
that warns of spyware infection and which prompts the user to enter
credit card information to pay for a "spyware cleaning" application to
remove the detected spyware.
Vulnerable operating systems include a slew of Windows Server 2003
editions: Datacenter Edition, Enterprise Edition, Standard Edition and
Web Edition.
Also at risk are Windows XP Home Edition and Windows XP Professional,
making both home users and businesses open to attack.
In this fluid attack, researchers have kept up a steady stream of new
details about the extent of the exploit's reach, with Google Desktop
being the latest reported vector.
F-Secure reported on Wednesday that Google Desktop tries to index image
files with the exploit, executing it in the process. F-Secure reports
that this exploitation-via-indexing may wind up occurring with other
desktop search engines as well.
Google had no immediate comment. To avoid the problem, security experts
suggest disabling the feature's indexing of media files, or to remove
Google Desktop altogether.
A workaround called REGSVR32 has been posted and was included in
Microsoft's advisory. However, it should be noted that as of Thursday
evening, some security researchers were reporting that the workaround is
not fully successful.
The workaround is as follows, as quoted from the advisory:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u
%windir%system32shimgvw.dll" (without the quotation marks), and then
click OK.
2. A dialog box appears to confirm that the un-registration process has
succeeded.
— Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started when users click on a link to an image type that is
associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above
steps. Replace the text in Step 1 with "regsvr32
%windir%system32shimgvw.dll" (without the quotation marks).
F-Secure notes that this workaround beats filtering .wmf files, given
that files with other image extensions — such as BMP, GIF, JPG, JPEG,
TIFF, etc. — can be used to exploit machines.
F-Secure also recommends filtering domains at corporate firewalls. These
sites should be listed as off-limits:
toolbarbiz.business
toolbarsite.biz
toolbartraff.biz
toolbarurl.biz
buytoolbar.biz
buytraff.biz
iframebiz.biz
iframecash.biz
iframesite.biz
iframetraff.biz
iframeurl.business
F-Secure notes that it's seen 57 versions of this malicious .wmf file
exploit as of Thursday, detected as PFV-Exploit.
The security firm is predicting that, even though the exploit has only
been used to install spyware or fake antispyware/antivirus software thus
far, it anticipates that real viruses will start to spread soon.
According to the Sunbelt Software blog, "any application that
automatically displays a WMF image" can be a vector for infection,
including older versions of Firefox, current versions of Opera, Outlook
and all current versions of Internet Explorer on all Windows versions.
"This is a zero-day exploit, the kind that give security researchers
cold chills," according to Sunbelt's blog. "You can get infected by
simply viewing an infected WMF image."
According to F-Secure, Trojan downloaders are taking advantage of the
vulnerability to install Trojan-Downloader.Win32.Agent.abs,
Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and
Trojan.Win32.Small.ev.
F-Secure also reports that some of the Trojans install hoax anti-malware
programs such as Avgold.
F-Secure traced the exploit to Russian sites, one of which is allegedly
registered to former Soviet Union President Mikhail Gorbachev.
Sunbelt warns that users are likely to get infected by being directed to
one of the sites via spam that offer dirty pictures, free software or
other bait.
The attack works by tricking users into opening malicious ".wmf" files
in "Windows Picture and Fax Viewer" or by previewing such a file by
selecting it in Windows Explorer. The attack can also be triggered
automatically when visiting malicious Web sites via Internet Explorer.
Although Secunia deemed the flaw highly critical, at least one security
researcher was dismissive of the bug's severity.
Pete Lindstrom, research director for Spire Security LLC, said that at
this stage in the game, anything that requires user interaction is
hardly worth notice.
"There's no such thing as 'extremely critical' when user interaction is
required," Lindstrom said. "That's just silly."
But as far as using IE goes, download of malicious software is
automatic, happening immediately upon going to the site, pointed out
Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange.
"You hit the Web site, you get hit immediately. No prompts, nothing."
John Pescatore, an analyst with Gartner Inc., said that this type of
attack may be slowed down by requiring users to click on a malicious
.wmf file or to go to a malicious Web site, but that doesn't mean it
won't spread fast, given users' willingness to click on bait.
"One of these [attacks] where clicking on a URL [is involved], those can
spread pretty fast," he said, given users' proclivity to click away.
"We do online consumer studies. Two years ago, 30 percent had fallen for
phishing [schemes]. They entered their user name, password or credit
card information. This year, many fewer completely fell for them, but
they still clicked on the link in the phishing e-mail."
Given the rise of keystroke loggers that can automatically be downloaded
onto a user's system after the user visits a malicious site, that means
the Web-surfing population is still ripe for phishing, Pescatore said.
"They're still clicking on links, and whenever malicious software gets
installed, that's when you get a critical rating, because all sorts of
bad things can happen."
According to Secunia, the vulnerability is caused by an error in
handling corrupted .wmf files — a graphics file format used to exchange
graphics information between Microsoft Windows applications that can
hold vector and bit-mapped images.
Secunia confirmed the vulnerability on a fully patched system running
Windows XP SP2. The advisory said that Windows Server 2003 SP0 and SP1
systems have also reportedly been affected.
A Microsoft spokesman told eWEEK in an e-mail exchange on Wednesday that
Microsoft "is investigating new public reports of a possible
vulnerability in Windows," although he didn't give an ETA for a patch.
"Microsoft will continue to investigate the public reports to help
provide additional guidance for customers," he said. "Upon completion of
this investigation, Microsoft will take the appropriate action to
protect our customers, which may include providing a fix through our
monthly release process or issuing a security advisory, depending on
customer needs."
The spokesman went on to encourage customers to follow Microsoft's
Protect Your PC guidelines of enabling a firewall, getting software
updates and installing anti-virus software.
Customers who think they've been affected can also contact Product
Support Services, which is at 1-866-PCSAFETY in North America or at
http://support.microsoft.com/security for outside North America.
Microsoft also advises customers who think they've been attacked to
contact their local FBI office or to post the incident on
www.ifccfbi.gov. Customers outside the United States should contact the
national law enforcement agency in their country, the spokesman said.
The advisory issued by Microsoft later on Wednesday said that Microsoft
is aware of the code, which allows an attacker "to execute arbitrary
code in the security context of the logged-on user, when such user is
visiting a Web site that contains a specially crafted Windows Metafile
(WMF) image."
Microsoft's advisory echoed Lindstrom's take, however, stating that
attackers have "no way to force users to visit a malicious Web site."
Instead, the advisory continued, attackers have to persuade users to
visit the sites, "typically by getting them to click a link that takes
them to the attacker's Web site."
The advisory said that Microsoft would either be issuing a patch through
its monthly release process or would provide an out-of-cycle security
update, "depending on customer needs."
Microsoft's spokesman declined to state how many customers had reported
that they had been victimized by the attack.
Secunia advised that users avoid opening or previewing untrusted .wmf
files, as well as set security level to "High" in IE.
Lindstrom noted that the long-term answer to dealing with what he called
this type of "flotsam and jetsam" of constant security alerts is to
install host intrusion prevention software to designate what software is
allowed to run on a system and what it's allowed to do.
As far as the short-term response to this particular vulnerability goes,
Lindstrom echoed Secunia's advisory when it comes to untrusted files:
"Don't click on it," he said.
Editor's Note: This story was updated to include Microsoft's statement,
more on the recommended workaround and more details about the exploit
from Sunbelt and F-Secure.
Additional reporting by Ben Charny.
Check out eWEEK.com's Security Center for the latest security news,
reviews and analysis. And for insights on security coverage around the
Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction
in whole or in part in any form or medium without express written
permission of Ziff Davis Media Inc. is prohibited.
--
A blessed New Year to all!
David Colburn, D.Min., M.A.Co.
edoc7 at verizon.net
Eden Acres Resources - Books2Inspire
30-70% Off Books, CD's, DVD's, etc.
http://edenacres.bibleseven.com/b2i/b2i-index.html
http://bibleseven.com
Freelance Journalist/Writer,
Crisis, Family, & Individual Counselor,
Minister of Discipleship:
First Baptist Church of Spring Hill.
/\ /\
?(~~~{ @ @ } Sent from
( * Puppy Linux
( ) http://www.goosee.com/puppy
~~~~~~~~~
/ / / /
More information about the Christiansource
mailing list