Re: Warning. New Windows vulnerabilty.
- From: Julian <JulianPAdamsNo@xxxxxxxxxxxxxxx>
- Date: Fri, 06 Jan 2006 07:47:55 -0800
Does Outlook Express use this preview function?
Julian
On Mon, 02 Jan 2006 14:27:33 GMT, Abyssmal <rshawve2@xxxxxxxxxxxxxxx>
wrote:
>
>Open Outlook, go to the View menu, then click Layout. Uncheck Show
>preview pane and click Apply, then click OK. That will turn off the
>email preview pane.
>
>Working for a major ISP, we have seen many new threats over the last
>few weeks. Spyaxe has been the main infection. It emulates the Windows
>Security Center warning by putting a popup in the systray that says your
>computer is infected, click here to download a removal program. The
>problem is, it usually takes AV and multiple spyware applications to
>remove these infections totally. There have already been 30 variants
>reported on Spyaxe, and this is delivered by an unwary person
>believing the threat and clicking the link. It will be interesting to
>see how this new vulnerability will affect users, especially when they
>will not have to click on anything to initiate an infection. The best
>thing to do is check your task manager regularly. You can use
>processlibrary.com to check unfamiliar processes, or Google search
>the process if processlibrary.com has no reference. Some files that
>appear normal can also be an infection. iexplore.exe, svchosts.dll and
>a few others can be infected. When normal files such as these are
>infected, they will be located in different places than they should
>be. For example, iexplore.exe, which is in the Program Files/Internet
>Explorer folder, will appear in windows/system32.
>I have seen that example at work, where it is the Killav trojan, and
>when running a virus scan, the process kills the AV process and usually
>reboots the computer.
>If you do get infections that affect your system and may render your
>existing protection inoperable, I recommend going to
>housecall.trendmicro.com. You can do a complete AV/spyware scan there
>for free, and it removes everything it finds without asking you to buy
>it.
>
>Randall
>
>On Mon, 2 Jan 2006 11:32:24 +0000 (UTC), "Gareth Magennis"
><sound.service@xxxxxxxxxxxxx> wrote:
>
>>
>>"Pooh Bear" <rabbitsfriendsandrelations@xxxxxxxxxxx> wrote in message
>>news:43B89D8F.B8A71267@xxxxxxxxxxxxxx
>>> Found this elsewhere.
>>>
>>> In short - wmf files can carry viruses. Because they can be renamed as
>>> other media types you are actually equally vulnerable from jpgs, gifs
>>> or whatever.
>>>
>>> Infection will occur if your email application allows a *preview* of an
>>> infected file. Turn off the preview function.
>>>
>>
>>
>>Where is this in IE? I can't find it.
>>
>>Cheers,
>>
>>Gareth.
>>
>>
>>
>>> Even browsing the net with Internet Explorer is now considered unsafe.
>>> The safest browser to use is Opera.
>>>
>>> Existing anti-virus applications are poorly equipped to detect this
>>> style of virus.
>>>
>>> Google (and possibly other) toolbars index all files on your hard
>>> drive. If any one is infected this way, then you will get the
>>> infection. Remove all toolbar applications.
>>>
>>> Microsoft has at this time no fix.
>>>
>>> The information below is already out of date but may be helpful
>>>
>>> ------------------------------------------------------------------
>>>
>>> To All,
>>>
>>> Last night, a very dangerous computer worm was released on the
>>> internet. It is carried on Windows Metafile images and automatically
>>> executes with no user interaction. With Microsoft Explorer or
>>> Outlook, you are automatically infected if you receive infected
>>> email or view a site with the worm. The problem is Windows WMF files
>>> have the capability to execute external code. This is a virus
>>> writer's dream. He can do anything he wants.
>>>
>>> The structure of the worm means it will be difficult or impossible
>>> to detect by antivirus programs, and it may be extremely difficult
>>> or impossible to remove from your computer.
>>>
>>> Microsoft has no patch at the moment, and the procedure they
>>> currently recommend to reduce the hazard of infection may not work.
>>>
>>> Here's more info:
>>>
>>> ------------------------------------------------------------------
>>>
>>> Going back to the wmf vulnerability itself, we see a number of sites
>>> mention that shimgvw.dll is the vulnerable file.
>>> This doesn't seem correct as it's possible to exploit a system on
>>> which shimgvw.dll has been unregistered and deleted. The
>>> vulnerability seems to be in gdi32.dll.
>>> So while unregistering shimgvw.dll may make you less vulnerable,
>>> several attack scenarios come to mind where the system can still
>>> be compromised.
>>>
>>> http://isc.sans.org/diary.php?storyid=992
>>>
>>> ------------------------------------------------------------------
>>>
>>> This may be the worst worm that anyone could possibly invent. Here's
>>> a portion of a summary by a Slashdot reader:
>>>
>>> ------------------------------------------------------------------
>>>
>>> It's worse than that (Score:1, Insightful)
>>> by Anonymous Coward on Sunday January 01, @01:11PM (#14374914)
>>>
>>> [...]
>>>
>>> This is looking truly horrible. On Tuesday morning zillions of
>>> Windows desktops will be fired up for the first time in a week or
>>> two. This thing's already in widespread use by a number of malware
>>> distribution networks for the usual reasons. As such it's a
>>> nightmare for network and system admins with Windows machines to
>>> look after (and us security people trying to provide advice &
>>> assistance for them...)
>>>
>>> [...]
>>>
>>> I will stick my neck out here and make a prediction. Virtually all
>>> organisations with Windows machines are effectively wide open to
>>> total compromise by a reasonably informed person. That means much
>>> of the IT dept as well as significant numbers of the 'interested
>>> poweruser' types, developers with a casual interest in security,
>>> and anyone who's heard of this and is capable of finding, running
>>> and using the new exploit, basically. Of course we're all tweaking
>>> our IDSes and antivirus, locking things down as tight as possible
>>> in the 48 hours remaining, but... *shudder*.
>>>
>>> For ten years I've been waiting for Microsoft's luck to run out.
>>> This is about #3 on my list of catastrophic MS incidents. There
>>> aren't many ways things could be worse.
>>>
>>> url: http://it.slashdot.org/it/06/01/01/1550258.shtml
>>>
>>> ------------------------------------------------------------------
>>>
>>> Other sites confirm the serious nature of the problem:
>>>
>>> ------------------------------------------------------------------
>>>
>>> Re: WMF Vulnerability leads to compromised computers
>>>
>>> *** ALL USERS OF WINDOWS, PLEASE READ BELOW. ***
>>>
>>> There is a very major security problem with Windows, all variants
>>> back to Windows 98.
>>>
>>> All systems are at risk. Many are already infected. There are few
>>> options for an effective defense.
>>>
>>> See our web page on this issue:
>>>
>>> http://www.softprose.com/information/antivirus/wmf.shtml
>>>
>>> Greetings,
>>>
>>> This is an urgent advisory of a real-life threat to all Windows
>>> computers.
>>>
>>> The Windows Metafile Format (*.WMF) image format, developed by
>>> Microsoft, has been shown to have a critical flaw that allows ALL
>>> VARIANTS of Windows computers after and including Windows 98 to be
>>> taken over by criminals SIMPLY BY VIEWING images on a web page or
>>> images contained in email, including preview.
>>>
>>> The WMF vulnerability is not a virus in itself. It is, instead,
>>> known as an "Exploit", or a pathway that a virus (or spyware, or
>>> any number of malware variants) can use to be inserted into a
>>> computer. Unfortunately, the bad guys found this hole before the
>>> "white hats" got involved, so this problem is already showing up
>>> on users' computers.
>>>
>>> This is a SEVERE problem that is already being exploited for
>>> commercial and criminal gain. The spyware program "Winhound" is
>>> the most common, and prominent, example using this security hole,
>>> but many other programs have been found that are taking advantage
>>> of it. Many of these programs use stealth techniques to hide on
>>> your PC, and record keystrokes, logins, credit card, and all sorts
>>> of other information of interest to criminal enterprises.
>>>
>>> Other commercial programs using this security hole include
>>> Winfixer and AVGold. There will probably be many more.
>>>
>>> Although Winhound is a very busy, obvious, and obnoxious
>>> infestation, it is not the worst; the worst infestation is that
>>> which you do not know about. There is no defense currently
>>> available for this problem, and fully-patched systems are being
>>> infected. No current antivirus software is defending against this
>>> threat. As there is a direct financial incentive, the number and
>>> variety of software using this security flaw are expanding
>>> exponentially in number.
>>>
>>> This has the capacity of being the single greatest security threat
>>> ever discovered. The number of machines that are vulnerable
>>> includes every single Windows computer in the world. There is
>>> currently no organized defense. The number and variety of attacks
>>> are quite large, and they are not being addressed at this time by
>>> security products.
>>>
>>> The pictures DO NOT NECESSARILY have a *.WMF extension! WMF files
>>> will execute just fine if they are called *.gif, *.jpg, *.bmp, and
>>> other names! ANY GRAPHIC FILE can conceal the infection.
>>>
>>> url: http://www.aota.net/forums/showthread.php?p=143053
>>>
>>> ------------------------------------------------------------------
>>>
>>> Everyone recommends that you stop using the Microsoft Explorer
>>> browser and switch to Firefox. Firefox is still vulnerable, but at
>>> least it requires you to go through a user dialog to execute the
>>> worm. Here is the Firefox url:
>>>
>>> http://www.mozilla.com/firefox/
>>>
>>> I use Opera 8.51, but I haven't found if it is vulnerable.
>>>
>>> Now's the time to back up all your critical files on a separate
>>> computer and keep it away from the web.
>>>
>>> Best Wishes and Good Luck to All.
>>>
>>>
>>
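Two claims in the quoted advisories above are worth being able to check by hand: that a metafile "will execute just fine" under a .jpg or .gif name, and that the flaw lives in gdi32.dll's metafile playback rather than in the shimgvw.dll viewer. The scanner below is an added example written for this page; it is not code from the thread or from any of the sites it quotes. It identifies a WMF by content (the placeable-header key 0x9AC6CDD7 or the standard header's type/size/version fields), never by extension, and walks the record list looking for an Escape record whose escape function is SETABORTPROC. That record type is the one the MS06-001 fix to gdi32.dll addressed; the page itself does not name it, so treat that identification as the editor's, not the thread's. The sample file it builds is constructed here with inert filler bytes and is not malware.

```python
import os
import struct
import tempfile

# WMF constants (MS-WMF layout). The Escape/SETABORTPROC pair is the record
# that the MS06-001 patch to gdi32.dll stopped treating as a code pointer.
PLACEABLE_KEY = 0x9AC6CDD7    # first dword of an Aldus "placeable" header
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009


def find_wmf_header(data):
    """Locate the 18-byte standard WMF header without looking at the extension.

    Returns the header offset (0 for a bare metafile, 22 when a placeable
    header precedes it) or None when the bytes are not a metafile.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data, start):
    """Yield (offset, function, parameter bytes) for each record up to EOF.

    Record sizes are in 16-bit words. A size under 3 words or one that runs
    past the end of the buffer is treated as corruption and ends the walk,
    so a hostile size field cannot make the scanner loop or read out of range.
    """
    off = start
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            return
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_for_setabortproc(data):
    """Return [(record offset, escape byte count)] for each SETABORTPROC escape."""
    start = find_wmf_header(data)
    if start is None:
        return []
    hits = []
    for off, func, params in iter_records(data, start + 18):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESC_SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed samples for the example; filler bytes, not a payload ----

def setabortproc_record(payload):
    """Escape record with function SETABORTPROC carrying inert filler bytes."""
    assert len(payload) % 2 == 0
    return struct.pack("<IHHH", (10 + len(payload)) // 2, META_ESCAPE,
                       ESC_SETABORTPROC, len(payload)) + payload


def setbkmode_record():
    """A harmless one-parameter record (SetBkMode OPAQUE), for the benign case."""
    return struct.pack("<IHH", 4, META_SETBKMODE, 2)


def build_placeable_wmf(records):
    """Wrap record bytes in placeable header + standard header + EOF record."""
    body = records + struct.pack("<IH", 3, META_EOF)
    max_words, off = 3, 0
    while off < len(records):               # largest record, in words
        size_words = struct.unpack_from("<I", records, off)[0]
        max_words, off = max(max_words, size_words), off + size_words * 2
    standard = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                           (18 + len(body)) // 2, 0, max_words, 0)
    placeable = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", placeable):   # XOR of the first 10 words
        checksum ^= word
    return placeable + struct.pack("<H", checksum) + standard + body


if __name__ == "__main__":
    sample = build_placeable_wmf(setabortproc_record(b"\x41" * 16))
    path = os.path.join(tempfile.mkdtemp(), "holiday.jpg")  # extension irrelevant
    with open(path, "wb") as fh:
        fh.write(sample)
    with open(path, "rb") as fh:
        print(path, "->", scan_for_setabortproc(fh.read()))
```

Because GDI identifies the metafile by its bytes, a mail or proxy filter keyed on the .wmf extension gives no protection; a content check like this one, run over every image attachment regardless of name, is the shape a gateway rule had to take before the patch shipped.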
.
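Randall's check (a familiar process name running from the wrong folder, or a name one letter off a real one) can be scripted instead of done by eye in Task Manager. The following is an added example, not part of any post in the thread: it reads a process snapshot as CSV with Name and ExecutablePath columns, compares each known binary's directory with where it is expected to live, and also flags names one edit away from a known system binary. The snapshot and the allow-list of expected directories are constructed for the example; the note that WMI can export those columns on XP (for instance with `wmic process get Name,ExecutablePath /format:csv`) is an assumption about that tool, and the parser relies only on the column names.

```python
import csv
import io
import ntpath

# Expected on-disk location of a few well-known Windows XP-era binaries.
# Constructed allow-list for this example; not a complete inventory.
EXPECTED_DIRS = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike names such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_process(name, exe_path):
    """Return None if the process looks legitimate, otherwise a reason string."""
    name = name.strip().lower()
    # Normalise case and separators so C:\WINDOWS\System32 and c:\windows\system32 agree.
    directory = ntpath.dirname(ntpath.normpath(exe_path.strip().strip('"'))).lower()
    if name in EXPECTED_DIRS:
        if directory != EXPECTED_DIRS[name]:
            return "expected in %s, running from %s" % (EXPECTED_DIRS[name], directory)
        return None
    for known in EXPECTED_DIRS:
        if edit_distance(name, known) == 1:
            return "look-alike of %s" % known
    return None


def audit_snapshot(csv_text):
    """Audit a CSV snapshot with Name and ExecutablePath columns.

    Returns [(name, path, reason), ...] for every process that is flagged.
    Rows without a path (WMI gives none for the System process) are skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        path = row.get("ExecutablePath") or ""
        if not path:
            continue
        reason = audit_process(row["Name"], path)
        if reason:
            findings.append((row["Name"].strip().lower(), path, reason))
    return findings


# Constructed snapshot in the column layout WMI's CSV export uses; not real data.
SAMPLE_SNAPSHOT = """\
Node,ExecutablePath,Name
PC1,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe
PC1,C:\\WINDOWS\\system32\\iexplore.exe,iexplore.exe
PC1,C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,IEXPLORE.EXE
PC1,C:\\WINDOWS\\system32\\svchosts.exe,svchosts.exe
PC1,C:\\WINDOWS\\explorer.exe,explorer.exe
PC1,C:\\Documents and Settings\\user\\Local Settings\\Temp\\lsass.exe,lsass.exe
PC1,,System
"""

if __name__ == "__main__":
    for name, path, reason in audit_snapshot(SAMPLE_SNAPSHOT):
        print("%-14s %s\n    %s" % (name, path, reason))
```

The allow-list is the part that needs care in practice: a path check is only as good as the expected locations it encodes, and the look-alike rule will also catch innocent typos in a hand-typed list, so review hits rather than killing processes automatically.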
- Follow-Ups:
- Re: Warning. New Windows vulnerabilty.
- From: Pooh Bear
- Re: Warning. New Windows vulnerabilty.
- From: Richard Crowley
- Re: Warning. New Windows vulnerabilty.
- References:
- Warning. New Windows vulnerabilty.
- From: Pooh Bear
- Re: Warning. New Windows vulnerabilty.
- From: Gareth Magennis
- Re: Warning. New Windows vulnerabilty.
- From: Abyssmal
- Warning. New Windows vulnerabilty.