
Exploit Released for Unpatched Windows Flaw 386

woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running loose that makes Swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""
  • Re:Virus company (Score:3, Interesting)

    by BushCheney08 ( 917605 ) on Wednesday December 28, 2005 @09:09PM (#14355204)
    From what I read about this earlier (sorry, don't have the link), this exploit was already in the wild and was being used before any of the security companies learned of it. So no, the AV companies did not "let this one loose".
  • Re:Amazing (Score:2, Interesting)

    by k00110 ( 932544 ) on Wednesday December 28, 2005 @09:22PM (#14355264)
    Because we never know what else can be installed and I lost all trust in Security companies since the Sony Root Kit. Removing it myself implies searching for info over the internet and it's not a good idea to browse the web when your computer is compromised. I had nothing important installed so it didn't matter. I had a new OS installed in a few minutes after that with ZoneAlarm and AVG (both free) and all the latest patches. I also just did the "REGSVR32 /U SHIMGVW.DLL" to not be infected again.
  • Re:Other platforms? (Score:3, Interesting)

    by ninja_assault_kitten ( 883141 ) on Wednesday December 28, 2005 @09:23PM (#14355272)
    No, it's a buffer overload in Windows Picture and Fax Viewer.
  • by Sycraft-fu ( 314770 ) on Wednesday December 28, 2005 @09:30PM (#14355304)
    It's a Windows only format, or at least seems to be. I don't find any references of ports to other platforms. It's an old format for doing vector graphics in Windows 3.1.
  • by Anonymous Coward on Wednesday December 28, 2005 @09:31PM (#14355313)
    Can someone explain to me exactly how an image viewer
    program running on my client computer can be
    made to execute code? Honestly, I don't really understand
    these exploits that supposedly take advantage of
    a client buffer overflow (or some such thing) to execute
    code on my local machine. What makes the instruction pointer in
    the code that is reading (in this case) the wmf file suddenly
    jump to code that is in the data segment? (Presumably embedded in
    the wmf file itself).

  • by hugzz ( 712021 ) on Wednesday December 28, 2005 @09:37PM (#14355346)
    They're not hackers, they are crackers. Or intruders. Or black hats. Or fucking idiots. But not hackers. Linus Torvalds is a hacker. Alan Cox is one, and RMS definitely. Maybe even ESR.

    Crackers are hackers*. You can't crack someone's system without being very skilled in toying with technology (i.e. a hacker).

    However, hackers aren't necessarily (or usually) crackers.

    *This excludes script kiddies et al, since they don't really crack someone's system. They just run someone else's crack.

  • by Anonymous Coward on Wednesday December 28, 2005 @09:52PM (#14355404)
    I remember the days when only exe and com files were what you had to guard. The day word files became dangerous I thought - why did they put all the functionality in them? Idiots. At least image files and plain text files were safe.

    I was eating crow shortly thereafter.
    I miss the old days.
  • by bogie ( 31020 ) on Wednesday December 28, 2005 @09:56PM (#14355426) Journal
    So I'm kind of curious why he states "though I have used the hack on my machine and haven't had any problems yet." since it breaks basic XP functionality.

    Anyway, losing thumbnails and that program is IMHO a very minor price to pay for not having your machine rooted. So just make sure and warn others before you tell them to use this temporary workaround.

    I wonder how long we will have to wait for MS to fix this one? Oh well, more money for me if they don't.
  • by TubeSteak ( 669689 ) on Wednesday December 28, 2005 @10:02PM (#14355451) Journal
    I got tagged by a trojan using the same exploit on IRC.

    I downloaded the wmf file to my desktop, but accidentally double clicked it when I was trying to submit it to trendmicro.

    I closed the connection with TCP View [sysinternals.com], but it took out explorer.exe with it.

    This is much worse than potential spyware, this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy I was chatting with.

    (btw - I knew it was a trojan when I downloaded it)
  • by AEton ( 654737 ) on Wednesday December 28, 2005 @10:03PM (#14355457)
    It may be unfashionable, but I still rely on a clip art CD set that comes in WMF.

    (Illustrator CS2 on OS X opens the things just fine.)
  • by TubeSteak ( 669689 ) on Wednesday December 28, 2005 @10:38PM (#14355645) Journal
    http://www.dslreports.com/speak/print/default;1512 1004 [dslreports.com]

    There's an excerpt of our chat in that post too.
  • by The Ape With No Name ( 213531 ) on Wednesday December 28, 2005 @10:54PM (#14355732) Homepage
    Please indicate a recent worm on an FOSS operating system.
  • Does it affect LUAs? (Score:2, Interesting)

    by QCompson ( 675963 ) on Thursday December 29, 2005 @12:47AM (#14356238)
    Anyone know if you can get hit with this if you are running a limited user account?
  • Re:Genius Idiots. (Score:1, Interesting)

    by Anonymous Coward on Thursday December 29, 2005 @02:17AM (#14356638)
    I thought this way until I read up this week on World of Warcraft gold mining businesses located in China and India where the entire business model is based off of exploiting in-game exploits and exploiting people to make a quick buck. After reading the many blogs I found from Google, I have an entirely different perspective of how people in less economically blessed countries choose to work to make a living.

    It's still wrong though.....
  • by HermanAB ( 661181 ) on Thursday December 29, 2005 @02:38AM (#14356713)
    Well actually, there are many times more Linux machines in the world than Windows machines. Windows only dominates the desktops. Linux dominates servers, routers, cell phones and so on. Last I saw, IBM Marketing estimated that there are more than 2 billion Linux systems in the world (mostly cell phones).
  • Re:Genius Idiots. (Score:1, Interesting)

    by Anonymous Coward on Thursday December 29, 2005 @04:28AM (#14357009)
    There are a lot of countries out there where people are really smart and hard-working, but there are just no jobs out there. What do you do if you have a family to feed, and you can't get a job that pays enough...no one will hire you. You can get pretty desperate. I can see why people in a desperate situation like that would turn to crime.

    Yes, if you have a posh tech job it may seem easy for someone that smart to just get a job. But you (or, should I say, your company) wouldn't hire him. Your company probably wouldn't care how smart he is--you wouldn't hire him because he's not a US citizen, or because he doesn't have five years of PHP or whatever is the latest buzzword the idiots in HR decided you must have.

    People are desperate in those eastern-bloc nations and I can see why they end up making these kinds of tough decisions.
  • AH, I miss the 90's (Score:4, Interesting)

    by SmallFurryCreature ( 593017 ) on Thursday December 29, 2005 @10:04AM (#14357789) Journal
    Those wild days when the sky was the limit and the internet was called the information superhighway and you could run a successful company with half the workers playing on the consoles drinking beer.

    Oh and those wonderful windows exploits, works, spyware, wild tangent, trojan horses, worms and blue screens. And then, linux. What I never thought I could afford happened. I had a unix at home. It looked just like the real thing. Root easily accessible from your user account to make it workable to split your accounts. Didn't you hate it when in windows if you wanted to install any software no matter how trivial you had to logout and login as admin to do it and the only way to get some work done was to always get admin privileges on every machine?

    Nowadays when someone gives me the root password on a unix like machine I always demand a pay raise. It probably means they expect me to fix it in the weekend.

    Thank you MS for making me stick with linux. The energy bill had me contemplating scrapping my dual P3 linux desktop and only keep my P4 gaming rig. Windows 2003 is actually pretty stable, now all they got to do is clear the goddamn fucking security holes.

    Geez, just a few articles ago people were actually talking about how MS was changing and bam we get the mother of all exploits. The only thing worse would be a worm. This is so easily exploitable. Just make an account on a forum that allows those awful avatar images and bam.

    I can't believe the slashdot reader reaction either, first bunch of posts are some insane ramblings about hackers/crackers and the rest have some insane fix that even the most moronic idiot can see is a total failure.

    Yes fucktards who suggest that whole unregister crap, because of the way MS has set up its OS many a windows program comes with its own copy of the dll it uses EVEN if it is a copy of a Windows OS dll. To avoid versioning problems it is easier to include it than hope the user OS has the right version.

    Do a dupe check of your dll's in the main windows directories and where you install your programs sometime. What do you think the chances are they will all be patched? It is a well known problem and in fact one of the reasons the whole dynamic linking idea was so attractive.
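
The "dupe check" for private DLL copies described in the comment above, as an added example that is not part of the original post: it finds every file named `shimgvw.dll` under the given roots and reports the copies whose SHA-256 differs from a reference copy. The directory layout and file contents are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_copies(roots, dll_name):
    """Map SHA-256 -> sorted paths for every file named dll_name under roots."""
    by_hash = defaultdict(list)
    wanted = dll_name.lower()          # Windows file names are case-insensitive
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != wanted:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    by_hash[sha256_of(path)].append(path)
                except OSError:        # locked or unreadable copy: skip it
                    continue
    return {h: sorted(paths) for h, paths in by_hash.items()}

def stale_copies(roots, dll_name, reference_path):
    """Return copies whose contents differ from the reference (system) copy."""
    ref = sha256_of(reference_path)
    copies = find_copies(roots, dll_name)
    return sorted(p for h, paths in copies.items() if h != ref for p in paths)

def build_demo_tree(base):
    """Constructed sample layout: a system copy, an identical copy, a different one."""
    layout = {
        ("system32", "shimgvw.dll"): b"patched build",
        ("apps", "viewer", "SHIMGVW.DLL"): b"patched build",
        ("apps", "oldtool", "shimgvw.dll"): b"older build",
        ("apps", "oldtool", "other.dll"): b"unrelated",
    }
    for parts, data in layout.items():
        path = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "system32", "shimgvw.dll")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        ref = build_demo_tree(base)
        print(stale_copies([base], "shimgvw.dll", ref))
```

A differing hash only shows that a copy is not byte-identical to the reference; it does not say which of the two is the newer build.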
