Topic: Huge virus threat rocks Microsoft

[Reno]

NEW YORK (CNNMoney.com) - The new year is off to a rocky start at Microsoft, where security experts are scrambling to confront a potentially massive virus threat to Windows PCs.

According to a report Tuesday in the Financial Times, the latest vulnerability involves a flaw which allows hackers to infect computers using programs inserted into image files. The threat was discovered last week. But it mushroomed over the weekend, when a group of hackers published the source code they used to exploit the flaw.

What makes this threat particularly vicious, according to the Times, is that unwitting victims can infect their computers simply by viewing a web page, e-mail, or instant message that includes a contaminated image. That differs from most virus attacks, which require a user to actually download an infected file.

"The potential [security threat] is huge," Mikko Hypponen, chief research officer at F-Secure, an antivirus company, told the Times. "It's probably bigger than for any other vulnerability we've seen.

"Any version of Windows is vulnerable right now," said Mr. Hypponen, including every Windows system shipped since 1990.

Microsoft said a security patch would be available for the problem on Tuesday, January 10 after it has passed rigorous testing procedures.

Because of the severity of the threat, the SANS Institute, a computer security group, has released a patch for the vulnerability until Microsoft's fix is available next week. It is available here.

http://isc.sans.org/diary.php?storyid=1010

Shares in Microsoft (up $0.78 to $26.93, Research) rose nearly 3 percent in mid-day trade on Nasdaq.

http://money.cnn.com/2006/01/03/technology/windows_virusthreat/index.htm?cnn=yes

[Clive]

Thanks for that fix Bob.  I understand that this is the most serious Windows vulnerability ever and that anyone with common sense should turn their computers off and wait for MS to sort it out!

[sam]

yeah but no one is going to... you could also just get Fedora and be done with it :-)

[Clive]

Massive demand for unauthorised Windows patch

Tom Espiner
ZDNet UK
January 04, 2006, 17:15 GMT
 
A site hosting unauthorised protection against the Microsoft WMF flaw has been forced offline, as users try to protect themselves from a growing list of threats

Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability.

According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning.

The site was temporarily closed as "half the planet tried to download WMFFIX_HEXBLOG.EXE." reported F-Secure in its blog. "The resulting traffic amounts were so huge that his hosting provider actually shut his site down."

At the time of writing, the unofficial patch is again available from Guilfanov's site. It is also available from the Sunbelt Blog.

Microsoft has advised businesses not to use the patch, as the company cannot guarantee it will work. But with no official patch is due to be released until next week, security experts are urging businesses to use the unofficial patch because of the serious nature of the WMF vulnerability.

The WMF flaw can be used by malicious software to surreptiously install spyware on a user's PC or allow a hacker to control the machine remotely.

Several attacks have been detected since late December, and on Wednesday experts detected another Trojan horse that exploits the WMF vulnerability. F-Secure also " target="_new">warned this malware was spreading in spam emails that claimed to come from Yale University.

To minimise risk from these Trojans, systems administrators have been advised by F-Secure to block user access to the following:

HTTP access to playtimepiano[dot]home[dot]comcast[dot]net
TFTP (ie. UDP) access to 86.135.149.130
IRC access to 140.198.35.85:8080
IRC access to 24.116.12.59:8080
IRC access to 140.198.165.185:8080
IRC access to 129.93.51.80:8080
IRC access to 70.136.88.76:8080


F-Secure warned businesses and systems administrators not to visit the HTTP address.

[Simon]

If someone can issue an unofficial patch for this, how come it's taking Micro$oft so bloody long to get one out?

[Clive]

Microsoft sticks to its patching guns

Joris Evers
CNET News.com
January 05, 2006, 09:45 GMT
 
Despite accidentally releasing a functional version of its patch for the WMF flaw, Microsoft insists the proper patch won't be available until Tuesday

An early version of a security fix for a Windows flaw that is being used as a conduit for cyberattacks was prematurely posted online by a Microsoft employee.

The fix was briefly posted on a security community Web site, Debby Fry Wilson, a director in Microsoft's Security Response Center, said on Wednesday. Copies of the file have since been posted online elsewhere, but Microsoft recommends that customers wait for the final version in its monthly security release on 10 January, she said.

"It really was an inadvertent thing that happened," Fry Wilson said. "We have the security update on a fast track... [and] somebody accidentally posted a pre-release version on a community site. It has been taken down, and we don't recommend customers use it ? it is not the version that we will be releasing on Tuesday."

The fix is designed to repair a flaw in the way Windows renders WMF images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.

Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. There are thousands of malicious Web sites, as well as Trojan horses and at least one instant messaging worm, that use the WMF flaw as a conduit, other experts have said.

Microsoft said it hasn't seen many attacks on its customers. The company plans to issue the final version of its fix on Tuesday, its next official patch release day, Fry Wilson said.

"We have to weigh putting out a partially tested update against the severity of the attack," she said. "If customers are being attacked in large numbers, then we will go ahead and put out the update as we have it, so that customers can be protected, even though it might break things."

A patch may turn out to have side effects, even if it has undergone full testing. Microsoft has had problems in the past, most recently with an Internet Explorer update in December.

Microsoft's fix appears to be nearly done, said Steve Gibson, the president of Gibson Research in Laguna Hills, California "It works great," said Gibson, who downloaded the file and tested it. It even works with a patch developed by European programmer Ilfak Guilfanov, he said.

After examining the software, Gibson believes Microsoft could push out the fix before Patch Tuesday.

"They obviously already have it packaged and ready to go," he said. However, there are reasons for Microsoft to hold off. "Major corporate users very much dislike randomly timed patch releases, since it is deeply disruptive of everything else that's going on," he added.

[Clive]

I've successfully downloaded this fix and I would urge you to do the same as soon as possible!  The following is from an article from the Register:

FULL ARTICLE

Microsoft customers are in big trouble. In my time at SecurityFocus, I have never seen such potential for damage or such a far-reaching vulnerability. The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and its variants. Blaster alone infected more than 25 million machines. Today we have an exploit that can elude even anti-virus and IDS sensors and compromise a system very easily. It?s frightening. In some ways, it's also much worse - and much easier to infect machines with strong border security. Even without an email-bourne virus I anticipate the WMF vulnerability is going to create greater waves than Blaster when all is said and done. A single wrong click, even by an experienced security professional, and it?s game over. A simple search in Google and one click is all it takes.


A week after the zero-day vulnerability bites hard one of the world?s most influential software companies, we?re told it will be still another week until there is a fix. Based on the severity of this issue, the time delay is unacceptable. Installing the unofficial patch is highly recommended. But what else can we do?

Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever. I truly believe that millions of computers - perhaps tens of millions - are being compromised by criminals right now. These include computers inside government, military and scientific installations. And millions of home computers. Pretty much anyone who can reach the web, receive email or instant messages is vulnerable. Actual numbers and damage estimates, if they are ever known, will follow in the weeks and months.



Download WMF vulnerability hotfix
The hotfix for the WMF vulnerability can be downloaded from any of the following URLs:
http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe
The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.
MSI repackages can be downloaded here:

http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
The WMF vulnerability checker can be downloaded from the following URLs:
http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
http://www.antisource.com/download/wmf_checker_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe
The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.
A discussion forum is open here. It has courteously been offered by CastleCops.
A FAQ is available here.

Due to incredibly high load, the page has been reduced to the bare minimum.
Thanks for understanding.
Safe computing!
Ilfak Guilfanov

[chorleydave]

If someone can issue an unofficial patch for this, how come it's taking Micro$oft so bloody long to get one out?

Considering Microshaft's record, they've probably got one ready, but are now waiting for the patch to fix the original patch.

[Simon]

Thanks Clive.

[sam]

and thanks from me!

[Simon]

Let's just hope the whole thing isn't a big hoax, and we're not all downloading viruses!  
:ooo:  :mmm:  :grin:

[sam]

well yes, but thats only for the paranoid...what you been eating si? Also I trust the register.

[Rodders]

Please be advised that Microsoft released a patch yesterday (05-Jan-06) which fixes the WMF vulnerablity flaw.

The Windows Auto-update facility should download and install it for you, but if you don't have Auto-updates turned on, you can still obtain it by selecting Tools -> Windows Update from the menu bar of MSIE.

[Clive]

They seem to have been shamed into doing it Rodders!

[Simon]

It's a shame they didn't do it before I e-mailed all my friends and family with the 'leaked' patch!