View Full Version : OT: Windows warning.



Evan
01-04-2006, 03:40 PM
Use Firefox.

http://www.theregister.co.uk/2006/01/03/wmf_workaround/

That however is only a partial solution. Don't open e-mails unless you trust them to be safe. Even then you aren't really safe. This is a bad bug. Linux is safe.


"• In an e-mail based attack involving the current exploit, customers would have to click on a link in a malicious e-mail or open an attachment that exploits the vulnerability. It is important to remember that this malicious attachment may not be a .wmf. It could also be a .jpg, .gif, or other format."

http://www.microsoft.com/technet/security/advisory/912840.mspx


"* Why is this issue so important?

The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well. Microsoft announced that an official patch will not be available before January 10th 2006 (next regular update cycle).

* Is it better to use Firefox or Internet Explorer?

Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

* What versions of Windows are affected?

Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS-X, Unix or BSD is not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

http://handlers.dshield.org/jullrich/wmffaq.html

Note: If you have an AMD 64 bit CPU and XP SP2 you aren't vulnerable.

[This message has been edited by Evan (edited 01-04-2006).]

Dawai
01-04-2006, 04:13 PM
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=8745589169&rd=1&sspagename=STRK%3AMEWN%3AIT&rd=1

This Linux looks to be an improvement. I bought a copy, what do you make of it?

I tried downloading two new versions last night. Yeah, cheaper just to pay the $10 plus shipping.

Evan
01-04-2006, 04:15 PM
Try this David.

http://www.nsa.gov/selinux/

Don't visit the Knoppix site for now. It was compromised.

Leigh
01-04-2006, 04:28 PM
"Mac OS-X, Unix or BSD is not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

Typical MS BS.

Linux is not affected either, but they don't mention that.

And note the scare tactics in an attempt to get Win'98 users to upgrade.

------------------
Leigh W3NLB

Evan
01-04-2006, 04:35 PM
"Typical MS BS."

That wasn't from MS. It was from SANS.

Allan Waterfall
01-04-2006, 04:38 PM
Looks interesting, that Linux.

If you boot off the CD rather than installing it, can you still use all the software running under XP?

Allan

Evan
01-04-2006, 04:39 PM
Unfortunately no. Linux won't run most XP software. If you boot from the CD it won't touch your XP install though.

[This message has been edited by Evan (edited 01-04-2006).]

wierdscience
01-04-2006, 06:17 PM
IMHO until the people who dream this stuff up are caught and publicly executed the problem will continue. I also think the punishments are light because viruses and malware sell security and scanner software.

What was the punishment that German kid got for Sasser? 8 months community service? It only cost the world how many million to fix?

Leigh
01-04-2006, 06:40 PM
Originally posted by Evan:
"That wasn't from MS. It was from SANS."

SANS was just quoting what they got from M$. They have no other basis for evaluating vulnerabilities, nor of determining whether or not a fix will be released.

------------------
Leigh W3NLB

Michael Az
01-04-2006, 06:43 PM
Evan, would you be willing to help me through email to fix my Firefox? I wasn't compressing the folders {didn't know I needed to} and it crashed. I found the fix but they didn't tell how to get into Win 98 to do it. I had to go back to Explorer and Outlook Express, how I hate it!
Michael

Evan
01-04-2006, 06:50 PM
"SANS was just quoting what they got from M$. "

Not likely. They get their information from white hat hackers, usually before MS does.

From SANS

"The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet. These devices feed the DShield database where human volunteers as well as machines pore through the data looking for abnormal trends and behavior. The resulting analysis is posted to the ISC's main web page where it can be automatically retrieved by simple scripts or can be viewed in near real time by any Internet user."

nheng
01-04-2006, 06:52 PM
We, as consumers, have to accept half the responsibility for the monstrous, bloated, crap that MS has created. Their marketeers are responsible for the other half, shoving it down our throats.

We have way too many gimmicks and gadgets now, all bound together by a delicate (I'll use the appropriate word) "framework".

We can take photos from our vacuum cleaner, vacuum with our toothbrush (which, BTW, shows which tooth to brush next), play MP3s on our cell phones and make calls from our palm sized computers.

Those of you involved in Windows/Mobile/Embedded/Whatever.Net or other programming know what a convoluted mess it is. Oh yeah, if you're not doing .net, you're pretty much obsolete.

It might be hard to tell from the glowing, positive MS comments I've made here but I just spent half the day fixing this stuff instead of designing product.

Evan
01-04-2006, 06:52 PM
Michael,

Do you mean Thunderbird?

CCWKen
01-04-2006, 08:38 PM
"Don't open e-mails unless you trust them to be safe."

I'm corn-fused.

I read this: "The security flaw might be exploited by inducing victims to view maliciously constructed sites, particularly where IE is used as a browser, or when previewing *.wmf format files with Windows Explorer."

It has nothing to do with e-mail viewing except that the e-mail MAY entice the reader to a malicious web page. It sounds to me that the weak link is IE and WE. Quite possibly, you may have to add Windows Fax Viewer to the list too.

What if you don't use the windows viewer for .wmf files?

[This message has been edited by CCWKen (edited 01-04-2006).]

Leigh
01-04-2006, 08:55 PM
Originally posted by Evan:
"They get their information from white hat hackers, usually before MS does."

Evan,

The statements which I quoted were obviously from M$. If you disagree, kindly identify a hacker who could speak authoritatively about M$'s intent regarding a fix for W'98.

------------------
Leigh W3NLB

Evan
01-04-2006, 09:17 PM
That's simple. Win 98 is no longer supported. MS isn't going to fix it, it's an end of life product.


"Paid incident support is now available through June 30, 2006. Extended hotfix support for Windows 98 and Windows 98 Second Edition ended on June 30, 2003."

http://support.microsoft.com/lifecycle/?LN=en-us&p1=6513&x=12&y=9

[This message has been edited by Evan (edited 01-04-2006).]

Leigh
01-04-2006, 09:25 PM
Originally posted by CCWKen:
"...What if you don't use the windows viewer for .wmf files?"

I use Irfanview for all my graphics viewing. Free download at http://www.irfanview.com or tucows. Excellent graphics program.

I have it registered as the handler for WMF files. I don't know if this really provides protection, but I haven't had any indications of a problem.

------------------
Leigh W3NLB

Evan
01-04-2006, 09:30 PM
It gives a degree of protection but not much. You have to stop Windows from ever showing or even indexing image files using the shimgvw.dll

This can be done by unregistering the dll but that will break some functions native to Windows, mainly the Windows fax and image viewer and possibly the ability to view thumbnails in Explorer.

CCWKen
01-04-2006, 10:27 PM
Yeah, I use Irfanview also.

Tucows? Man, I wouldn't download anything from that site. Major hack site! I went there once and it tried to open a local net. BS on that. They don't need that kind of access for downloads.

[This message has been edited by CCWKen (edited 01-04-2006).]

Leigh
01-04-2006, 11:22 PM
Originally posted by Evan:
"It gives a degree of protection but not much. You have to stop Windows from ever showing or even indexing image files using the shimgvw.dll
This can be done by unregistering the dll but that will break some functions native to Windows, mainly the Windows fax and image viewer and possibly the ability to view thumbnails in Explorer."

Hi Evan,

That file is not present on the machine, and I can find no registry references to it. No registry references to WMF other than the image/ tag and an SDK reference.

I don't use any of the apps you mentioned. I don't have any programs that have WMF icons that I know of, but everything I have on the machine has been double-checked for virii, so I doubt there's anything lurking.

Thanks for the info.

------------------
Leigh W3NLB

Evan
01-04-2006, 11:55 PM
The problem isn't restricted to files with a .wmf extension. Windows Meta Files are used on all versions of Windows and they identify themselves to the system by means of a special header, not the extension. The file can be any image file type including .jpg or .gif.

If it has a wmf header (even if it doesn't belong there) it will be treated as such. The dll I noted is on XP. I don't know what dll handles the type on 98 but there is one and possibly even '95. This is a broad based vulnerability and will likely work on all 98 and later OSes. It is a core system vulnerability and can't be patched at the application level.

If a malicious image file is placed on the system in any manner with a wmf header then it will invoke the vulnerability when handled by Windows. This probably includes merely viewing thumbnails in Explorer in ME and up.

A search for the shimgvw.dll won't turn up anything unless hidden files are shown and, on XP, superhidden files are shown. You can't delete it or rename it on XP as the system file protection will replace it automatically.



[This message has been edited by Evan (edited 01-04-2006).]
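Evan's point above, that the header rather than the extension decides whether Windows treats a file as a WMF, suggests a defender-side check: flag any file whose content carries a WMF header regardless of what its name claims. The following is an added Python example, not code from the thread; it follows the published WMF header layouts (placeable header with its XOR checksum, then the standard METAHEADER), and the sample bytes it checks are constructed, not real files.

```python
import struct

# Magic of the "placeable" (Aldus) WMF header; on disk it is the bytes D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7

def _has_placeable_header(data: bytes) -> bool:
    """22-byte placeable header: DWORD key, WORD handle, four WORD bounds,
    WORD inch, DWORD reserved, WORD checksum (XOR of the first ten WORDs)."""
    if len(data) < 22 or struct.unpack_from("<I", data, 0)[0] != PLACEABLE_KEY:
        return False
    checksum = 0
    for word in struct.unpack_from("<10H", data, 0):
        checksum ^= word
    return checksum == struct.unpack_from("<H", data, 20)[0]

def _has_standard_header(data: bytes) -> bool:
    """18-byte METAHEADER: type (1 memory, 2 disk), header size in WORDs (9),
    version (0x0100 or 0x0300); the remaining fields are not checked here."""
    if len(data) < 18:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, placeable or bare."""
    if _has_placeable_header(data):
        return _has_standard_header(data[22:])
    return _has_standard_header(data)

def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the header actually says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not looks_like_wmf(data):
        return "not wmf"
    return "wmf" if ext == "wmf" else "wmf content with ." + ext + " extension"

def build_placeable_wmf_sample() -> bytes:
    """Constructed, benign sample: placeable header plus an empty metafile."""
    head = struct.pack("<IH4hH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96) + b"\0" * 4
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word
    # METAHEADER: disk metafile, 9 header words, version 3.0, 9 words total,
    # 0 objects, max record 0, reserved 0.
    meta = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
    return head + struct.pack("<H", checksum) + meta

# Constructed JPEG-looking bytes (SOI + APP0 marker) to show a real .jpg is not flagged.
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 16

if __name__ == "__main__":
    sample = build_placeable_wmf_sample()
    for name, blob in (("scan.wmf", sample), ("holiday.jpg", sample), ("photo.jpg", CONSTRUCTED_JPEG)):
        print(name, "->", classify(name, blob))
```

A scanner built on this would walk a mail spool or download directory and report "wmf content with .jpg extension" style mismatches rather than trusting the file name.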

Michael Az
01-04-2006, 11:56 PM
Evan, sorry about that, yes I meant Thunderbird.
Michael

Evan
01-05-2006, 12:01 AM
Michael,

I don't know a lot about Thunderbird as I don't use it myself. Since I run my own mail server all my security tasks are performed at the server level and I just use Outlook Express.

.RC.
01-05-2006, 03:02 AM
Originally posted by Evan:
"Note: If you have an AMD 64 bit CPU and XP SP2 you aren't vulnerable."

Wonder why that is...Do you have to have a 64 bit XP also or is the old 32 bit XP invulnerable....

Hope to get an AMD x2 4400+ system this year...AMD pisses over anything intel can build ATM..*fingers crossed...

Evan
01-05-2006, 07:15 AM
The reason the AMD64 isn't vulnerable is because it implements DEP (Data Execution Prevention) in hardware. This was enabled in XP Service Pack 2 and prevents such exploits that depend on buffer overflows from working. It segregates the RAM into two areas, one for data and one for executable code. Many exploits depend on using what is supposed to be an area for storing data to run the initial hack that takes over the system. The AMD64 won't allow that.

You don't have to have 64 bit XP for it to work. (it doesn't run on AMD anyway)



[This message has been edited by Evan (edited 01-05-2006).]

.RC.
01-05-2006, 03:04 PM
Originally posted by Evan:
"You don't have to have 64 bit XP for it to work. (it doesn't run on AMD anyway)"

http://www.amd.com/us-en/Processors/ProductInformation/0,,30_118_9484,00.html I take it you possibly don't like AMD chips????????

cuemaker
01-05-2006, 03:44 PM
I love AMD chips. I build my own puters and I haven't had any reliability issues in about 8 yrs and maybe 5 chips in that time. Only time I have had issues is when I try to overclock. So I stopped trying.

I am currently running an AMD 64bit 3200 with XP service pack 2.

I use firefox for most everything except for some work stuff and Thunderbird for email.

Evan
01-05-2006, 03:51 PM
Up until recently X64 RTM was only certified for Intel processors. The recent RTM edition is now compatible with AMD (been out for about 3 months). Microsoft was about a year late coming out with a compatible version. AMD was very pissed.

I like AMD, it is almost the only processor make I sell.

aboard_epsilon
01-05-2006, 04:08 PM
Is this the update?
It's available now from the update site...

Security Update for Windows XP (KB912919)
Date last published: 1/5/2006
Typical download size: 196 KB
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.


All the best, Mark

.RC.
01-05-2006, 04:09 PM
Originally posted by Evan:
"I like AMD, it is almost the only processor make I sell."

Well that is good news...If you had said Intel is better I would have had to flame you and point you to benchmarks like these..
http://www.tomshardware.com/2005/11/21/the_mother_of_all_cpu_charts_2005/page29.html
http://www.tomshardware.com/2005/11/21/the_mother_of_all_cpu_charts_2005/page33.html
http://www.tomshardware.com/2005/11/21/the_mother_of_all_cpu_charts_2005/page41.html

Evan
01-05-2006, 04:15 PM
Mark,

Maybe that is the update. It sounds like it. MS said they weren't releasing it until the 10th.

aboard_epsilon
01-05-2006, 04:17 PM
when they say that they probably mean not releasing as an auto update.
All the best, Mark

dvideo
01-05-2006, 04:19 PM
It's time to rebuild my systems... I have 3 P4-2.8G, a 2.8G HP Notebook, P120 (won't die!), and a P4-1.6G (lame drives, too). Storage is about 2-3T over 6 machines. 100 Base-T linked - with SMC Barricade Firewall/switch.

I was thinking to add 3 machines - 3.2G+ with DVR capability on two.. Perhaps a 1G ethernet link.

Intel or Pentium?... I like the Pentium IO system of PCIe for video....

Any "strong advice?".... I always feel the need for speed.... but am really considering because of Maya and Vegas crunch times...

thanks for opinions.......

--jerry

.RC.
01-05-2006, 04:27 PM
Get an AMD Athlon 64 X2 cpu...dual core walks over anything Intel for video rendering...

http://www.tomshardware.com/2005/11/21/the_mother_of_all_cpu_charts_2005/page34.html

http://www.tomshardware.com/2005/11/21/the_mother_of_all_cpu_charts_2005/page36.html

I think the AMD 64 X2 3800+ is the best bang for buck ATM...

PCI express is not an Intel thing it is a replacement for the AGP slot...

[This message has been edited by Ringer (edited 01-05-2006).]

Wayne02
01-05-2006, 11:59 PM
Dang, I don't know about you guys, but my head hurts after reading this thread... I'm sure glad there are people like Evan and others out there that understand this stuff.

I think I'll have another drink now...

Wayne

J Tiers
01-06-2006, 12:20 AM
I would not put it past M$ to leave something like this in, with the expectation that it can be used to flush away the remaining users of Win98.... Users that they can't get rid of any other way.

There are a lot of businesses still using 98 for a host of reasons. Want to bet this flushes them out relatively soon?

HTRN
01-06-2006, 05:31 AM
Microsoft has released a fix - go check their software updates...


HTRN

------------------
This Old Shed (http://thisoldshed.tripod.com)

Your Old Dog
01-06-2006, 05:37 AM
Burning question here. I have AMD Athlon 2200 and just bought a 2400 off eBay yesterday to build for my daughter. Are these 64bit systems?

Dawai
01-06-2006, 08:14 AM
I have 98 on two computers.

I love Linux, but have windows because of the software. If WINE ever starts working for my visual basic, and mill programs.. well then..

If I had sold anything with as many problems as windows to the world, I'd be in jail for fraud.

How did he do it? Windows lets stupid people use computers by pointing at icons. Kinda like an Apple used to be, not sure, not seen an Apple in years.

Evan
01-06-2006, 08:41 AM
Apples run UNIX these days.

cuemaker
01-06-2006, 08:58 AM
YOD, maybe, maybe not. It would say if it was 64 bit, I would think.

Evan
01-06-2006, 09:59 AM
At this time the only CPUs from AMD that support hardware DEP are the Athlon 64 line of CPUs.

Evan
01-06-2006, 07:00 PM
I've been working on a machine today that picked up a virus. Watch out. This one logged every single username and password for every site the customer visited that requires same. I found the keystroke logger file and was able to read it in plain English. It must be assumed that this file has been uploaded to parties unknown who now have access to banking, online travel reservations, stock trades and more.

The owner of the machine is out of town for the weekend so I can't even reach her to warn her.