PC Pals Forum

Technical Help & Discussion => General Tech Discussion, News & Q&A => Topic started by: Reno on January 04, 2006, 05:37

Title: Huge virus threat rocks Microsoft
Post by: Reno on January 04, 2006, 05:37
Quote
NEW YORK (CNNMoney.com) - The new year is off to a rocky start at Microsoft, where security experts are scrambling to confront a potentially massive virus threat to Windows PCs.

According to a report Tuesday in the Financial Times, the latest vulnerability involves a flaw which allows hackers to infect computers using programs inserted into image files. The threat was discovered last week. But it mushroomed over the weekend, when a group of hackers published the source code they used to exploit the flaw.

What makes this threat particularly vicious, according to the Times, is that unwitting victims can infect their computers simply by viewing a web page, e-mail, or instant message that includes a contaminated image. That differs from most virus attacks, which require a user to actually download an infected file.

"The potential [security threat] is huge," Mikko Hypponen, chief research officer at F-Secure, an antivirus company, told the Times. "It's probably bigger than for any other vulnerability we've seen.

"Any version of Windows is vulnerable right now," said Mr. Hypponen, including every Windows system shipped since 1990.

Microsoft said a security patch would be available for the problem on Tuesday, January 10 after it has passed rigorous testing procedures.

Because of the severity of the threat, the SANS Institute, a computer security group, has released a patch for the vulnerability until Microsoft's fix is available next week. It is available here.

http://isc.sans.org/diary.php?storyid=1010

Shares in Microsoft (up $0.78 to $26.93, Research) rose nearly 3 percent in mid-day trade on Nasdaq.


http://money.cnn.com/2006/01/03/technology/windows_virusthreat/index.htm?cnn=yes
Title: Huge virus threat rocks Microsoft
Post by: Clive on January 04, 2006, 10:08
Thanks for that fix Bob.  I understand that this is the most serious Windows vulnerability ever and that anyone with common sense should turn their computers off and wait for MS to sort it out!
Title: Huge virus threat rocks Microsoft
Post by: sam on January 04, 2006, 10:14
yeah but no one is going to... you could also just get Fedora and be done with it :-)
Title: Huge virus threat rocks Microsoft
Post by: Clive on January 05, 2006, 13:12
Massive demand for unauthorised Windows patch

Tom Espiner
ZDNet UK
January 04, 2006, 17:15 GMT
 
A site hosting unauthorised protection against the Microsoft WMF flaw has been forced offline, as users try to protect themselves from a growing list of threats

Ilfak Guilfanov's personal Web site has been taken offline by his hosting provider after hordes of Microsoft users scrambled to download his unofficial patch against the Windows Metafile vulnerability.

According to antivirus firm F-Secure, demand for the unauthorised Windows Meta File (WMF) patch developed by Guilfanov was so high his hosting provider temporarily shut his Web site on Wednesday morning.

The site was temporarily closed as "half the planet tried to download WMFFIX_HEXBLOG.EXE." reported F-Secure in its blog. "The resulting traffic amounts were so huge that his hosting provider actually shut his site down."

At the time of writing, the unofficial patch is again available from Guilfanov's site. It is also available from the Sunbelt Blog.

Microsoft has advised businesses not to use the patch, as the company cannot guarantee it will work. But with no official patch due to be released until next week, security experts are urging businesses to use the unofficial patch because of the serious nature of the WMF vulnerability.

The WMF flaw can be used by malicious software to surreptitiously install spyware on a user's PC or allow a hacker to control the machine remotely.

Several attacks have been detected since late December, and on Wednesday experts detected another Trojan horse that exploits the WMF vulnerability. F-Secure also warned this malware was spreading in spam emails that claimed to come from Yale University.

To minimise risk from these Trojans, systems administrators have been advised by F-Secure to block user access to the following:


F-Secure warned businesses and systems administrators not to visit the HTTP address.
Title: Huge virus threat rocks Microsoft
Post by: Simon on January 05, 2006, 13:26
If someone can issue an unofficial patch for this, how come it's taking Micro$oft so bloody long to get one out?
Title: Huge virus threat rocks Microsoft
Post by: Clive on January 05, 2006, 13:37
Microsoft sticks to its patching guns

Joris Evers
CNET News.com
January 05, 2006, 09:45 GMT
 
Despite accidentally releasing a functional version of its patch for the WMF flaw, Microsoft insists the proper patch won't be available until Tuesday

An early version of a security fix for a Windows flaw that is being used as a conduit for cyberattacks was prematurely posted online by a Microsoft employee.

The fix was briefly posted on a security community Web site, Debby Fry Wilson, a director in Microsoft's Security Response Center, said on Wednesday. Copies of the file have since been posted online elsewhere, but Microsoft recommends that customers wait for the final version in its monthly security release on 10 January, she said.

"It really was an inadvertent thing that happened," Fry Wilson said. "We have the security update on a fast track... [and] somebody accidentally posted a pre-release version on a community site. It has been taken down, and we don't recommend customers use it - it is not the version that we will be releasing on Tuesday."

The fix is designed to repair a flaw in the way Windows renders WMF images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.

Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. There are thousands of malicious Web sites, as well as Trojan horses and at least one instant messaging worm, that use the WMF flaw as a conduit, other experts have said.

Microsoft said it hasn't seen many attacks on its customers. The company plans to issue the final version of its fix on Tuesday, its next official patch release day, Fry Wilson said.

"We have to weigh putting out a partially tested update against the severity of the attack," she said. "If customers are being attacked in large numbers, then we will go ahead and put out the update as we have it, so that customers can be protected, even though it might break things."

A patch may turn out to have side effects, even if it has undergone full testing. Microsoft has had problems in the past, most recently with an Internet Explorer update in December.

Microsoft's fix appears to be nearly done, said Steve Gibson, the president of Gibson Research in Laguna Hills, California. "It works great," said Gibson, who downloaded the file and tested it. It even works with a patch developed by European programmer Ilfak Guilfanov, he said.

After examining the software, Gibson believes Microsoft could push out the fix before Patch Tuesday.

"They obviously already have it packaged and ready to go," he said. However, there are reasons for Microsoft to hold off. "Major corporate users very much dislike randomly timed patch releases, since it is deeply disruptive of everything else that's going on," he added.
Title: Huge virus threat rocks Microsoft
Post by: Clive on January 05, 2006, 14:27
I've successfully downloaded this fix and I would urge you to do the same as soon as possible!  The following is from an article from the Register:

FULL ARTICLE (http://www.theregister.co.uk/2006/01/05/secfocus_zeroday/)

Microsoft customers are in big trouble. In my time at SecurityFocus, I have never seen such potential for damage or such a far-reaching vulnerability. The RPC DCOM vulnerability in 2003 saw the creation of the Blaster worm and its variants. Blaster alone infected more than 25 million machines. Today we have an exploit that can elude even anti-virus and IDS sensors and compromise a system very easily. It's frightening. In some ways, it's also much worse - and much easier to infect machines with strong border security. Even without an email-borne virus I anticipate the WMF vulnerability is going to create greater waves than Blaster when all is said and done. A single wrong click, even by an experienced security professional, and it's game over. A simple search in Google and one click is all it takes.


A week after the zero-day vulnerability bites hard one of the world's most influential software companies, we're told it will be still another week until there is a fix. Based on the severity of this issue, the time delay is unacceptable. Installing the unofficial patch is highly recommended. But what else can we do?

Microsoft needs help from the security community. The community needs to help Microsoft and Microsoft customers now more than ever. I truly believe that millions of computers - perhaps tens of millions - are being compromised by criminals right now. These include computers inside government, military and scientific installations. And millions of home computers. Pretty much anyone who can reach the web, receive email or instant messages is vulnerable. Actual numbers and damage estimates, if they are ever known, will follow in the weeks and months.



Download WMF vulnerability hotfix
The hotfix for the WMF vulnerability can be downloaded from any of the following URLs:
http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe
The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.
MSI repackages can be downloaded here:

http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
The WMF vulnerability checker can be downloaded from the following URLs:
http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
http://www.antisource.com/download/wmf_checker_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe
The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.
A discussion forum is open here. It has courteously been offered by CastleCops.
A FAQ is available here.

Due to incredibly high load, the page has been reduced to the bare minimum.
Thanks for understanding.
Safe computing!
Ilfak Guilfanov
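Since the hotfix was being passed around from mirrors and even by e-mail, the one check worth doing before running it is to compare the file against the MD5 checksums Guilfanov published above. The script below is an added example for that check and is not code from the original posts or from Guilfanov's tools; the function names are my own, and the checksum table is copied from the quoted download page.

```python
import hashlib
import hmac
import io
import os

# Published MD5 checksums, copied from the quoted download page
# (file name -> expected hex digest). The MSI repackage hash is the one
# listed for Evan Anderson's build.
PUBLISHED_MD5 = {
    "wmffix_hexblog14.exe": "15f0a36ea33f39c1bcf5a98e51d4f4f6",
    "wmf_checker_hexblog.exe": "ba65e1954070074ea634308f2bab0f6a",
    "WMFHotfix-1.1.14.msi": "0dd56dac6b932ee7abf2d65ec34c5bec",
}


def md5_of_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so a large download is never read whole."""
    h = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(name, stream, published=PUBLISHED_MD5):
    """Return (ok, actual_digest).

    ok is False when the file name is not in the published table or the
    digest differs. Note that MD5 only detects a corrupted or swapped file;
    it is not collision-resistant, so it proves nothing about who built it.
    """
    actual = md5_of_stream(stream)
    expected = published.get(name)
    if expected is None:
        return False, actual
    # Constant-time comparison; cheap, and a good habit for any digest check.
    return hmac.compare_digest(actual, expected.lower()), actual


def verify_bytes(name, data, published=PUBLISHED_MD5):
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return verify_download(name, io.BytesIO(data), published)


def verify_file(path, published=PUBLISHED_MD5):
    """Verify a file on disk using its base name to look up the expected digest."""
    with open(path, "rb") as f:
        return verify_download(os.path.basename(path), f, published)
```

Run `verify_file("wmffix_hexblog14.exe")` on the downloaded copy; anything other than `(True, ...)` means the file is not the one whose checksum was published.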
Title: Huge virus threat rocks Microsoft
Post by: chorleydave on January 05, 2006, 14:46
Quote from: "Simon"
If someone can issue an unofficial patch for this, how come it's taking Micro$oft so bloody long to get one out?


Considering Microshaft's record, they've probably got one ready, but are now waiting for the patch to fix the original patch.
Title: Huge virus threat rocks Microsoft
Post by: Simon on January 05, 2006, 18:14
Thanks Clive.
Title: Huge virus threat rocks Microsoft
Post by: sam on January 05, 2006, 18:19
and thanks from me!
Title: Huge virus threat rocks Microsoft
Post by: Simon on January 05, 2006, 20:44
Let's just hope the whole thing isn't a big hoax, and we're not all downloading viruses!  
:ooo:  :mmm:  :grin:
Title: Huge virus threat rocks Microsoft
Post by: sam on January 05, 2006, 21:24
well yes, but thats only for the paranoid...what you been eating si? Also I trust the register.
Title: Huge virus threat rocks Microsoft
Post by: Rodders on January 06, 2006, 09:13
Please be advised that Microsoft released a patch yesterday (05-Jan-06) which fixes the WMF vulnerability flaw.

The Windows Auto-update facility should download and install it for you, but if you don't have Auto-updates turned on, you can still obtain it by selecting Tools -> Windows Update from the menu bar of MSIE.
Title: Huge virus threat rocks Microsoft
Post by: Clive on January 06, 2006, 09:35
They seem to have been shamed into doing it Rodders!
Title: Huge virus threat rocks Microsoft
Post by: Simon on January 06, 2006, 09:41
It's a shame they didn't do it before I e-mailed all my friends and family with the 'leaked' patch!
Title: Microsoft rushes out Windows fix
Post by: Simon on January 06, 2006, 23:14
The severity of a recently discovered bug in Windows has made Microsoft release a patch for the loophole early.

Originally Microsoft was due to release the patch on 10 January as part of its regular monthly security updates.

But the number of malicious hackers preparing to exploit the bug has led the software giant to speed up the release.

Before Microsoft produced its patch, users had been relying on unofficial fixes to protect themselves.

Attack vector

The fix now available closes a loophole found in the way that many versions of Windows handle certain types of images.

By putting exploit code in webpages or e-mail attachments, the loophole could be used to take over a Windows PC or install spyware that could be used to gather confidential information.

Vulnerable versions of Windows include ME, 2000, XP and Server 2003.

The Windows Meta File vulnerability was first found on 27 December and Microsoft was planning to fix the problem in the scheduled security update that usually takes place on the second Tuesday of every month.

In the interim, expert Windows programmer Ilfak Guilfanov produced an unofficial patch but many found it hard to get hold of this fix as the site hosting it was regularly overwhelmed by users keen to protect themselves.

Initially Microsoft played down the discovery of the bug and said there was little evidence that malicious hackers were moving to exploit it.

However, as tools began circulating online that made it much easier to craft code to exploit the bug many security experts feared that a major incident was imminent.

Security firms reported that attacks mounted via the bug were starting to stack up.

Microsoft said it brought forward the release of the patch because of "strong customer sentiment that the release should be made available as soon as possible".

Users were urged to download and apply the patch and update anti-virus and anti-spyware programs immediately.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/4587434.stm