Patch to fix the latest Windows XP WMG meta file vulnerability.
- From: Andy <andy@xxxxxxxx>
- Date: Tue, 03 Jan 2006 14:42:59 -0600
On Steve Gibson's site at:
http://www.grc.com/sn/notes-020.htm
Windows WMF Vulnerability News & Updates
Quick Background:
The active exploitation of a very serious vulnerability in all
versions of Windows was discovered in late December.
Word of this spread rapidly through the hacker community - many of
whom were presumably on holiday vacation from school, bored, and
looking for something to do.
So several days later nearly one hundred different instances of
exploitation of this newly discovered vulnerability had been found.
Note that this is not a "new vulnerability" - it (and perhaps other
similar bugs) have been lying unknown in Windows since 1991. What's
"new" is the discovery of this long-present vulnerability in Windows'
metafile processing.
Almost immediately there were reports of an MSN Messenger worm, and
now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying
an exploit.
Anti-Virus vendors quickly updated and began pushing out their A-V
signature files. These have been effective, but a new very flexible
exploit generation tool has appeared that's able to create so many
different variations of the exploit that A-V signatures are having
trouble keeping up.
Microsoft responded with an acknowledgement of the problem which
included a very weak workaround (the shimgvw.dll unregistration) that
provides very little protection. There is not a cure, and it is not
known how long the Windows user community will now be waiting for a
true patch from Microsoft.
Ilfak Guilfanov (see GREEN box below) produced a highly-effective
true patch which successfully suppresses all known exploitable
vulnerabilities for anyone using Windows 2000, XP, server 2003, or
64-bit XP. No patch is available for Windows 95, 98, ME or NT, and
none is expected to be forthcoming. But anyone using Windows 2000, XP,
server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit
suppressor into all of their systems.
Other Updates
A special (short) edition of "Security Now!" - On Sunday, January
1st, I phoned into Leo Laporte's KFI "Tech Guy" radio program to
inform him and his radio audience of the availability of Ilfak's new
patch and real solution. Leo produced a special edition of our weekly
"Security Now!" audio podcast. Since this was by telephone the audio
quality is not great, but the high-quality and lower-quality MP3 audio
files are available here:
Higher-quality (larger) KFI Radio program update (64 kbps, MP3,
5.4 MB)
Lower-quality (smaller) KFI Radio program update. (16 kbps, MP3,
1.4 MB)
Ilfak has produced a WMF Vulnerability Checker - Many users want to
verify that their "exploit suppressed" systems are now safe to use.
And others want to see whether their anti-virus A-V systems are now
detecting some WMF exploit code. So Ilfak has produced a simple WMF
Vulnerability tester:
Download Ilfak's WMF Vulnerability Checker (3.6 kb)
You can read more about his checker, and users' experiences, on his
Vulnerability Checker blog page.
An important Note about A-V signatures: As useful as anti-virus
protection is as a first line of defense, new WMF exploits are
succeeding at bypassing them. So A-V cannot be relied upon. The only
safe measure is to install Ilfak's vulnerability suppression solution
until Microsoft has updated the GDI32.DLL file and permanently
resolved this problem.
Windows 98/SE/ME users: Microsoft's original advice to "unregister
the shimgvw.dll" (shell image viewer) was never correct or useful on
those platforms. The good news is that all current WMF exploits appear
to be non-functional on the older Win9x vintage platforms . . . so you
will likely be okay until Microsoft has updated your system with the
next security patches. There is no short-term workaround for Windows
9x users.