


Exploit Released for Unpatched Windows Flaw


Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied.


Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf).



Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via Internet relay chat (IRC) channels.


The exploit code, first posted on security mailing list Bugtraq, states that the included Internet address can successfully exploit a fully patched Windows XP system with a freshly updated Symantec Norton Anti-Virus. Symantec said it has verified that the exploit works on fully-patched Windows XP systems, and that updates that would allow its anti-virus program to detect threats trying to exploit the new flaw would be released as soon as possible, though it noted that "some of the components of this attack, including the exploit itself, are NOT detected by Symantec products."


According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program onto fully patched Windows XP SP2 machines (other Windows versions may also be affected). The Trojan will then download a fake anti-spyware/virus program which asks the user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.


Security Fix has not been able to reach Microsoft about this reported problem, though I can only imagine the consternation this is causing in Redmond right now, and I'd guess that Microsoft will be working on a patch to fix the problem as soon as possible. Security Fix will update this post as soon as more information is available. In the meantime, the same advice we've given still stands: be extremely cautious about clicking on links that arrive in e-mail or instant message: in this case, it could mean very nasty results for your PC.


Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first. The Sunbelt Blog also has some good information on this exploit, including some nice screenshots of what it looks like when your machine gets hit with this.


What's more, the exploit itself has just been rolled into Metasploit, an open-source vulnerability assessment tool that the bad guys also can use to help automate attacks.



A Microsoft spokesperson said the company is investigating, though no official word from them yet. A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:


1. Click on the Start button on the taskbar.

2. Click on Run...

3. Type "regsvr32 /u shimgvw.dll" to disable.

4. Click ok when the change dialog appears.


iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.


Update, 2:31 p.m. ET: According to information posted at Internet security company Websense, the exploit is now being used by thousands of Web sites to install a bogus anti-spyware application that is fairly tedious to remove from infected machines. Also, Websense says the program "prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages." The above image is from Websense's alert.


It's also worth noting that the SANS Internet Storm Center has increased their threat level to "yellow" over this exploit, noting that a lot of people are on holidays and might overlook this problem.


By Brian Krebs | December 28, 2005; 02:47 AM ET
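A batch wrapper for the iDefense workaround quoted in the article, added here as an example; it is not from the article, iDefense or Microsoft. It applies step 3 silently, reverses it once the official patch is installed, and checks the registry to report whether shimgvw.dll is still registered. The file name wmf-workaround.cmd and the use of the default %SystemRoot%\system32 path are assumptions.

```bat
@echo off
rem wmf-workaround.cmd (constructed example, not from the article or iDefense)
rem Usage: wmf-workaround.cmd status | disable | enable
setlocal
set DLL=%SystemRoot%\system32\shimgvw.dll

if /i "%~1"=="disable" goto disable
if /i "%~1"=="enable"  goto enable
if /i "%~1"=="status"  goto status
echo Usage: %~nx0 status ^| disable ^| enable
exit /b 2

:disable
rem Step 3 of the workaround, run silently (/s) so no confirmation dialog needs clicking.
regsvr32 /s /u "%DLL%"
if errorlevel 1 (echo Unregister failed & exit /b 1)
echo Disabled WMF rendering via shimgvw.dll. Some thumbnails may stop loading.
goto status

:enable
rem Reverse the workaround once the official patch is installed.
regsvr32 /s "%DLL%"
if errorlevel 1 (echo Register failed & exit /b 1)
echo Re-registered shimgvw.dll.
goto status

:status
rem regsvr32 /u should remove the DLL's COM registration; look for any CLSID entry
rem under HKCR that still points at shimgvw.dll to confirm the current state.
reg query HKCR\CLSID /s 2>nul | findstr /i /l /c:"shimgvw.dll" >nul
if errorlevel 1 (
    echo Status: shimgvw.dll is NOT registered ^(workaround active^).
) else (
    echo Status: shimgvw.dll is registered ^(viewer-based WMF rendering enabled^).
)
endlocal
exit /b 0
```

Run it from an administrator command prompt, since unregistering a system DLL needs write access to HKEY_CLASSES_ROOT.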


For those interested in patching this rather nasty bug (which can be exploited just surfing sites on the net), an unofficial hotfix has been released which can be downloaded from the GRC Security Site until Microsoft stop fucking around and release an official patch on Jan 10th. The patch has been endorsed by many anti-virus and security companies worldwide (almost unbelievable in itself), and can be easily uninstalled when the official patch arrives this coming Tuesday.




