Forgot your password?
typodupeerror
Windows Operating Systems Software Security IT

Exploit Released for Unpatched Windows Flaw 386

Posted by samzenpus
from the patch-it dept.
woodchuck writes "Washington Post reports that another Windows hole has been found and exploit code is now running lose that makes swiss cheese of current patches and security measures. From the article: "Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied. Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf). Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via IRC.""
This discussion has been archived. No new comments can be posted.

Exploit Released for Unpatched Windows Flaw

Comments Filter:
  • by kawika (87069) on Wednesday December 28, 2005 @08:05PM (#14355190)
    Unregister the dll that provides WMF viewing. Click Start, Run, and enter this:

        REGSVR32 /U SHIMGVW.DLL

    Sunbelt has more detail here [blogspot.com].
  • how long? (Score:2, Insightful)

    by Anonymous Coward
    before MS starts using less-quick security patches as the reason to move from XP to vista?
  • Upside. (Score:5, Funny)

    by grub (11606) <slashdot@grub.net> on Wednesday December 28, 2005 @08:09PM (#14355208) Homepage Journal

    With Vista you'll be able to get this from the comfort of an RSS feed!
  • Fix from article (Score:5, Informative)

    by Rangsk (681047) on Wednesday December 28, 2005 @08:10PM (#14355211)
    Here is the fix, from the linked article in case you DNRTFA:

    ----
    According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

    1. Click on the Start button on the taskbar.
    2. Click on Run...
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
    ----

    I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.
    • Re:Fix from article (Score:4, Informative)

      by CargoCultCoder (228910) on Wednesday December 28, 2005 @08:52PM (#14355406) Homepage

      I'm not sure if you need to type this every reboot, or just once. Since it requires re-enabling, I'm hoping it's just once.

      regsvr32 registers a COM/ActiveX "server" by modifying Windows registry entries. So, in theory, you need only run it once.

      It is possible, however, that if you later install other software, the installer may re-register the DLL in question, in which case you'd want to manually unregister it again.

      (Hmm. I suppose it's only coincidence that this novel approach [thedailywtf.com] to registering appeared on thedailywtf yesterday...)

    • I'm pretty sure that disabling shimgvw.dll will disable more than WMF rendering.
    • This workaround broke thumnail view for me in explorer, but it's no big deal, thumbnail view looks pretty but it slows down explorer. At least you have a choice -- being r00ted by some new worm or lose one little eyecandy feature.
  • by antdude (79039) on Wednesday December 28, 2005 @08:11PM (#14355219) Homepage Journal
    Also, read Broadband Reports' security forum thread [broadbandreports.com] for discussions and what people observed.
  • by guruevi (827432) <evi AT smokingcube DOT be> on Wednesday December 28, 2005 @08:18PM (#14355245) Homepage
    Microsoft said in it's late night response on new years day that a patch is being made, the flaw is not critical since no-one actually uses WMF and the rest who do use them never should surf to porn and warez sites anyway. A patch will be available in Windows Shoehorn.
  • Scary. (Score:5, Funny)

    by Anonymous Coward on Wednesday December 28, 2005 @08:20PM (#14355254)
    Surfing for porn with IE on Windows is like having unprotected anal sex with everybody on the internet.
    • Linux just isn't ready for the desktop yet, since these programs are obviously an essential part of the Windows experience and they just won't run on Linux.
  • by Anonymous Coward on Wednesday December 28, 2005 @08:31PM (#14355313)
    Can someone explain to me exactly how an image viewer
    program running on my client computer can be
    made to execute code? Honestly, I don't really understand
    these exploits that supposedly take advantage of
    a client buffer overflow (or some such thing) to execute
    code on my local machine. What makes the instruction pointer in
    the code that is reading (in this case) the wmf file suddenly
    jump to code that is in the data segment? (Presumably embedded in
    the wmf file itself).

    • by HermanAB (661181) on Wednesday December 28, 2005 @09:16PM (#14355526)
      It is a carefully crafted buffer overflow in the stack causing a return address to be overwritten. A subroutine return instruction then jumps to the exploit code, instead of the parent routine. This an old trick to implement dynamic jump tables, exploited for malicious purposes.
    • by dtfinch (661405) * on Wednesday December 28, 2005 @09:40PM (#14355660) Journal
      On x86 processors (and probably most others), the stack pushes backward in memory. Each function call pushes the return address onto the stack. Because the stack pushes backwards, a buffer overflow will overwrite the previously pushed values that follow it in memory. So when the overflowed function returns, it'll return to the new address that has been written by the overflowed buffer.

      Good stack overflow exploit code is pretty reusable for exploiting newly discovered stack overflows with little modification, which makes these exploits appear so quickly after a new vulnerability is discovered. There's also something called a heap overflow, but using it to run executable code is quite a bit harder and must be tailered to each specific vulnerability.
    • There were, in some older file formats, methods for running programs so that images could be overlaid with other images (as in schematics). If I remember correctly AutoCAD and some of the other CAD type files used to use this to link various files in to a give file (like layers on diagrams). Some file formats (one of the GE file formats - can't remember the name right now) actually had such things as the capability to send e-mail built in to the specs. Many of these "gotcha" things have been removed from
  • Genius Idiots. (Score:5, Insightful)

    by mumblestheclown (569987) on Wednesday December 28, 2005 @08:57PM (#14355431)
    The people who took advantage of this loophole did so with a clear economic motive. This is because the loophole is used basically to a) install spysherriff, a bogus anti-spyware program and try to get the user to pay for it with a credit card b) install surfsidekick and other idiot spyware programs c) install a spam sender, in order to make a few more billionths of a cent.

    In other words, whatever asshat took advantage of this loophole did so because he thought he could make a buck. If his goal was simply to bring Windows to its knees, cause havoc, or make a political/economic statement of some sort, he would have chosen something else. Wiping out My Documents of all the infected machines, for example.

    Whoever did this is obviously deluded. While some money will of course ultimately flow from this nonsense to the "see no evil" people who are the beneficiaries of spamvertisements, spyvertisements and so forth, the actual exploiter basically has little to know chance of getting it (even if he is in Russia, as I'd suspect is a good bet) as his affiliate commission links will be tracked, as will wherever the hell that credit card box for SpySherriff was pointing to and so forth.

    So we have somebody smart enough (and make no mistake, it takes some smarts) to either discover or be in a small clique of people discovering a quite obscure loophole (it must be obscure, given just how old the affected .dll is), but have ABSOLUTELY NO FUCKING CLUE how to go about exploiting it other than in the most juvenile and unlikely way to fail imaginable. Furthermore, even though it is likely to fail, the guy has shown himself to basically be a psychopath, with little to no concern about the hundreds of thousands of hours (read: PEOPLE-LIFE-EQUIVALENTS) that will be spent agonizing over and fixing this.

    Whoever that person is, they are human filth. But, there's a lot of human filth out there. The sad thing is that this person obviously has potential to do so much more but simply pisses it away intead. Pathetic.

  • Isn't this just another incarnation of the Smitfraud extortion by the nice New Zealand company SpyAxe?

    The tool to remove that crapware is called smitrem, available here: http://noahdfear.geekstogo.com/ [geekstogo.com]
  • by Repton (60818) on Wednesday December 28, 2005 @09:07PM (#14355480) Homepage

    From F-secure's blog [f-secure.com]:

    Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

    You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?

    The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

  • by fihzy (214410) on Wednesday December 28, 2005 @09:17PM (#14355531)
    Once again, as noted previously here [slashdot.org] and here [slashdot.org]:

    10) find big remote vulnerability in product
    20) perfect the exploit
    30) have fun with it for months
    40) find another big hole in same product
    50) perfect exploit for hole
    60) alert vendor about original hole
    70) have fun with new hole
    80) goto 40
  • Coincidentally I was browsing an ad-heavy lyrics site in another tab (Firefox, of course) and was prompted for an action to handle "track5.wmf" ... Geez, they don't waste any time, do they?
  • Additional Resources (Score:3, Informative)

    by Heembo (916647) on Wednesday December 28, 2005 @09:52PM (#14355714) Journal
    Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975 [sans.org]
    Also, take a look at this movie from websense: http://www.websensesecuritylabs.com/images/alerts/ wmf-movie.wmv [websensesecuritylabs.com] it shows step-by-step what happens to a clean machine as it gets exploited by this new menace.
  • Nasty! (Score:5, Informative)

    by sdh968251 (844137) on Wednesday December 28, 2005 @10:45PM (#14355964)
    This thing is nasty! I was browsing the internet this afternoon and got it. I have a fully patched copy of Windows XP SP2 with Symantec Antivirus Corporate 9.0. Neither stopped it. I spent about 6 hours running virus scans, Ad-Aware, and Spy-Bot in safe mode. This didn't even come close to detecting everything. I had to manually remove files based on searches by creation date. Interestingly, none of the three tools picked up any of the DLLs mentioned in the next paragraph.

    I traced it to an ad within an ad within an ad that sources a WMF file in an iframe. If you want to see this thing in action then use VMWare to load the following link: h**p://iframeurl.biz/dl/xpladv470.wmf. After all is said and done, you'll have trojan.byteverify, trojan.dropper, trojan.bookmarker, download.trojan, w32.conycspa.G@mm, backdoor.shellbot, backdoor.trojan, w32.looksky.A@mm, among others. I also had some new DLLs that were particularly hard to get rid of - msupdate32.dll, msctl32.dll, uytpu.dll, qrlmq.dll - all in the system32 directory.

    This has actually never happened to me. I am religious about keeping Windows and my antivirus software up-to-date. It was a good learning experience to see it all in action.

    And, by the way, I was not browsing for porn. I was doing a google search for a old Macintosh program named Cache Killer. One of the links listed was "Download Cache Killer Pro v5.0 crack / keygen / serial / patch ...". I clicked on this and ... WHAM! Here's the Google search - http://www.google.com/search?q=cache+killer&hl=en& lr=&start=0&sa=N [google.com]. It's the last link on the page - h**p://www.crackz.ws/down/25335/Cache.Killer.Pro.v 5.0_crack_serial_keygen.html. This is the page that contains the ad within an ad within an ad. Beware!!!
    • Out of curiousity, were you browsing in Internet Explorer or some other browser? I'm half tempted to click on those links in Opera to see what happens, but I don't particularly feel like rebuilding my Windows install at the moment.
    • Re:Nasty! (Score:3, Informative)

      Good news: Google seem to have pulled that link, but
      Bad news: the file offered for download is dsi_ckp5.exe which is not likely to run on your Mac.

      The site is infested with the usual warez crop of pr0n & gambling camp followers. I went there using Safari on a Mac, and collected a cookie from fuck-access.com, and exhibitionist.ws, which will both be valid for 15 years ;-) I had my access counted by ads.clicksor.com, banner.paypopup.com, counter.yadro.ru, gfx.passwordbyphone.com, popunder.paypopup.com,
  • by whitehatlurker (867714) on Wednesday December 28, 2005 @11:13PM (#14356098) Journal
    I want to point out that the file extension is not used exclusively for file type detection, and the magic string at the beginning of the file will trigger the use of the WMF processing. A ".tiff" extension will also work in a similar manner. (Likely there are several good candidates.)

    A few people on this thread don't seem to be familiar with the WMF format [wikipedia.org] or GDI [wikipedia.org]. This format provides for a set of commands which are supposed to be graphics only. (I guess they got carried away in this case.) As the viewer is basically a scripting engine, the exploiters would certainly try to target it for vulnerabilities. I don't have a copy of the dangerous file, so I don't know whether this particular exploit is a buffer overflow or something else.

  • by Revek (133289) on Wednesday December 28, 2005 @11:29PM (#14356157) Homepage
    Hell bring it on. I opened my own shop about 4 months ago and can clean most anything off a machine. Its 95% of my buisness so far and im tired of being poor. This week alone Ive cleaned 8 xp home boxes all still sp1 with no antispy or antivirus still running. Only one of the machines needed parts. It had a winlogon popup running that killed windows update and automatic update (senslogn key was missing). I think the real proplem with the current state of affairs is not that the exploits are produced and released but that microsoft builds to fast and to often. They need to can vista and put more R&D into fast fixes. If they want discreet disclosure of exploits they should offer $$ for it. Just tell them and get a check :)..... nah never happen they will just build the new big security hole called a OS.
  • I hear Windows Vista is going to fix all of these previously unknown problems...stay tuned for the exciting conclusion in 2006.
  • From the summary: "...and exploit code is now running lose..."

    For a second - just for a second - I thought this might be an extremely clever play on words, making fun both of Windows ("Win") by referring to it as "Lose" (as the exploit code would be running on Windows and controlling it, so you could (in a slightly ungrammatical way, but whatever) say the code is running Win, or indeed Lose) and combining this with a witty rejoinder at all the individuals who write "lose" instead of "loose" (and vice vers

  • Does it affect LUAs? (Score:2, Interesting)

    by QCompson (675963)
    Anyone know if you can get hit with this if you are running a limited user account?
  • AH, I miss the 90's (Score:4, Interesting)

    by SmallFurryCreature (593017) on Thursday December 29, 2005 @09:04AM (#14357789) Journal
    Those wild days when the sky was the limit and the internet was called the information superhighway and you could run an succesfull company with half the workers playing on the consoles drinking beer.

    Oh and those wonderfull windows exploits, works, spyware, wild tangent, trojan horses, worms and blue screens. And then, linux. What I never thought I could afford happened. I had a unix at home. It looked just like the real thing. Root easily accesible from your user account to make it workable to split your accounts. Didn't you hate it when in windows if you wanted to install any software no matter how trivial you had to logout and login as admin to do it and the only way to get some work done was to always get admin privileges on every machine?

    Nowadays when someone gives me the root password on a unix like machine I always demand a pay raise. It probably means they expect me to fix it in the weekend.

    Thank you MS for making me stick with linux. The energy bill had me y contemplating scrapping my dual P3 linux desktop and only keep my P4 gaming rig. Windows 2003 is actually pretty stable, now all they got to do is clear the goddamn fucking security holes.

    Geez, just a few articles ago people were actually talking about how MS was changing and bam we get the mother of all exploits. The only thing worse would be a worm. This is so easily exploitable. Just make an account on forum that allows those awfull avatar images and bam.

    I can't believe the slashdot reader reaction either, first bunch of posts are some insane ramblings about hackers/crackers and the rest have some insane fix that even the most moronic idiot can see is a total failure.

    Yes fucktards who suggest that whole unregister crap, because of the way MS has setup its OS many a windows program comes with its own copy of the dll it uses EVEN if it is a copy of a Windows OS dll. To avoid versioning problems it is easier to include it then hope the user OS has the right version.

    Do a dupe check your dll's in the main windows directories and where you install your programs some times. What do you think the chances are they will all be patched? It is a well known problem and in fact one of the reasons the whole dynamic linking idea was so attractive.

  • by spellraiser (764337) on Friday December 30, 2005 @09:17AM (#14364316) Journal
    Larry Seltzer has a concise column [eweek.com] about this exploit, where he doesn't exactly pull the punches on Microsoft. The most interesting piece of information there is this:

    The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

    Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.

    I find this mind-boggling to the point of absurdity. Regardless of any supposed benefit gained by this, allowing a data file to execute arbitrary code upon it being viewed is simply begging for an exploit like this. No matter whan spin Microsoft will try to put on this one, it makes them look bad. Extremely bad.

A committee is a life form with six or more legs and no brain. -- Lazarus Long, "Time Enough For Love"

Working...