Evil Win XP Security problem .. please read

~photoguy~

Joined: Sep 2, 2003 | Posts: 3,887
FYI ... there is a real evil windows problem out there right now. I suggest you read about it at:

http://www.grc.com/sn/notes-020.htm

I have installed the recommended patch (from that site) on all my PCs here. As usual Microsoft is late to respond, and won't have a patch until Jan 10th (so they say).

Windows 98 users are out of luck but this patch works on XP.
 
I can't make heads or tails of this.

Am I supposed to do something?
 
dr_mabeuse said:
I can't make heads or tails of this.

Am I supposed to do something?
Yes, Doc, you're supposed to hold my hand. I don't understand either and I might be frightened. :(
 
yui said:
Yes, Doc, you're supposed to hold my hand. I don't understand either and I might be frightened. :(

Okay. Let's close our eyes too and hug. That's what I usually do when my computer acts up.
 
Did you know they are now saying the Titanic went down very quickly, a matter of minutes. So much for 3 hour + movies.
 
Ok, so maybe I'm a cynic, but I have to ask: who are these people and why would I download a "patch" from a site I've never heard of?
 
sophia jane said:
Ok, so maybe I'm a cynic, but I have to ask: who are these people and why would I download a "patch" from a site I've never heard of?

Yeah. That's what I wonder about.

Is this guy the widow of the former Oil Minister of Nigeria? Her I trust.
 
sophia jane said:
Ok, so maybe I'm a cynic, but I have to ask: who are these people and why would I download a "patch" from a site I've never heard of?
That's exactly what I was thinking... talk about hype. I bet in 120 days or so you get a popup saying you have to purchase something in order to have your computer work properly, or to get the alleged patch removed, or it found tons of spyware on your machine.

I wouldn't touch this with a ten foot pole!
 
My brother is an IT professional for a large company... well over 1,000 computers.

He sent me the link to this site last night and recommended it.

Patch works fine on my machines.

That's all I know.

[/end of public service announcement - don't shoot the messenger]
 
sophia jane said:
Ok, so maybe I'm a cynic, but I have to ask: who are these people and why would I download a "patch" from a site I've never heard of?


Apparently one of the passengers asked the captain of the Titanic the very same question.
 
From ZDNet:

Windows flaw spawns dozens of attacks
By Dawn Kawamoto, CNET News.com

A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

"We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

"Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system," F-Secure noted in its daily security blog. "All pictures and thumbnails continue to work normally."

Security companies also are advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the dll, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said the chances of a widespread outbreak from a virus, as people return to work from the long holiday, are unlikely.

"We are still far away from a massive virus," he said. "Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected."

AND

unofficial patch is available, and highly recommended
"Here's an alternative way to fix the WMF vulnerability."

http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

"Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world."

more details in Ilfak's blog:
http://www.hexblog.com/2005/12/wmf_vuln.html

I would highly recommend you get Ilfak's 0-day patch mentioned above from

http://handlers.sans.org/tliston/wmffix_hexblog13.exe or
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

as a temporary measure against the ultimate drive-by malware exploit.
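The F-Secure quote above says the root of the problem is WMF's SETABORTPROC escape. As an added example that is not from this thread, from F-Secure, or from Ilfak's patch, here is a small Python scanner that walks the records of a WMF file and reports any META_ESCAPE record carrying that escape code, which is the kind of check a mail gateway or forum upload filter could run on image attachments. The two sample files are constructed inside the block; the record layout (a 16-bit-word size followed by a function number) and the constants META_ESCAPE = 0x0626 and SETABORTPROC = 9 are the standard WMF values.

```python
import struct

# Standard WMF constants (from the public Windows Metafile format).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape subfunction abused by the Dec 2005 exploit


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        offset = 22                      # skip the placeable header
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    _mt_type, header_words = struct.unpack_from("<HH", data, offset)
    offset += header_words * 2           # header size is counted in 16-bit words
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, offset)
        if size_words < 3 or offset + size_words * 2 > len(data):
            raise ValueError("malformed record size at offset %d" % offset)
        params = data[offset + 6: offset + size_words * 2]
        yield offset, function, params
        if function == META_EOF:
            break
        offset += size_words * 2


def find_setabortproc_escapes(data):
    """Return the offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for offset, function, params in iter_wmf_records(data):
        if function == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == SETABORTPROC:
                hits.append(offset)
    return hits


# --- constructed sample files (not real malware; escape payload is all zeros) ---

def _record(function, params=b""):
    size_words = (6 + len(params)) // 2          # params are always word-aligned
    return struct.pack("<IH", size_words, function) + params


def _wmf(records):
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH",
                         1,                       # mtType: 1 = memory metafile
                         9,                       # mtHeaderSize in words
                         0x0300,                  # mtVersion
                         (18 + len(body)) // 2,   # mtSize in words
                         0,                       # mtNoObjects
                         max_record,              # mtMaxRecord
                         0)                       # mtNoParameters
    return header + body


CLEAN_SAMPLE = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_EOF),
])

# Same file with an Escape(SETABORTPROC) record inserted: 4-byte zero data.
SUSPECT_SAMPLE = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
])


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        hits = find_setabortproc_escapes(sample)
        print("%s: %s" % (name, "SETABORTPROC at %s" % hits if hits else "no SETABORTPROC"))
```

Unregistering shimgvw.dll or blocking *.wmf by extension, as other posts here suggest, still leaves a renamed .wmf that the image loader sniffs by content; scanning the records themselves, as above, does not depend on the file name.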
 
This thingy seems to be the real deal. There's some kind of security problem with graphic files of the WMF format, used among other things in stuff like toolbars and other embedded browser and desktop apps. No viruses or trojans have been discovered using the glitch yet though. Symantec and McAfee have recommended that ppl install the patch... IF they are tech savvy enough to know what they are doing. The rest should make sure their virus list is updated on a daily basis and that their firewall is on. There's an official MS patch coming next week. I dunno, I think I'll wait, and rejoice in the fact that I don't run attachments and don't install stuff I'm not sure of anyway.

A webpage hack can sneak the thing onto a computer though, so I'd be careful which sites I visit until a confirmed patch is made.
 
I just thought of something.

Scary thing is that all it takes is a website with a picture with the bad code in it to infect a computer. Which means that a place like this, a public forum, is very much in danger, because anyone can link in a picture from anywhere.

So for the time being, I'm going to disable Show Images (IMG tags in posts) here on Lit. That way, all images I see here are those hosted by Literotica.com. It's under Options. I suggest y'all do the same.
 
My virus protection co. had a little write-up of this patch and that it seems like a good plan.
Also, you can block *.wmf files thru your virus program, depending what you run.

On another note, if someone didn't have a totally legal copy of Windows, how would that person go about getting a windows update or patch? Hypothetically. :eek:
 
I appreciate the warning, Photoguy, but I'm just dumb enough and gullible enough to get screwed with this, so I don't dare download anything unless Bill Gates gives me the thumbs up on the official Windows site.

Hope you're not offended.
 
Liar said:
I just thought of something.

Scary thing is that all it takes is a website with a picture with the bad code in it to infect a computer. Which means that a place like this, a public forum, is very much in danger, because anyone can link in a picture from anywhere.

So for the time being, I'm going to disable Show Images (IMG tags in posts) here on Lit. That way, all images I see here are those hosted by Literotica.com. It's under Options. I suggest y'all do the same.

Did you disable avs, too? I just disabled mine (a good idea, btw). Just wondering if avs should be done, too.
 
sophia jane said:
Did you disable avs, too? I just disabled mine (a good idea, btw). Just wondering if avs should be done, too.
Avs are a part of the site, jpeg or gif data stored in Lit's database, they should be ok. Viewing attached images should be kosher too as long as they're regular jpg. But better safe than sorry, if you're worried. :)
 
Liar said:
Avs are a part of the site, jpeg or gif data stored in Lit's database, they should be ok. Viewing attached images should be kosher too as long as they're regular jpg. But better safe than sorry, if you're worried. :)

Well, I had already disabled *wmf files thru my virus protection program, so I'm obviously erring on the side of caution.
 
Images off -- for the time being. Thanks for the tip, Liar.

Now ... to look into the WMF thingy
 
I've just spent the last two days ridding myself of a prog that installed itself saying it was a spycatcher: unspypc.

I run Firefox by the way.

When I tried my regular spyware they all hung. Trendmicro online housecall also hung.

Eventually (after searching through loads of sites on how to rid myself and none of them working) I reset the PC to an earlier date and then ran my regular spyware in safe mode. Finally got rid of loads of virii, malware and trackers (unspypc is malware rather than a virus and is just a con. which reports false positives so that you go buy their product).

All the sites I read in the meantime said this was a new breach and as yet unplugged by microsoft.

So now I'm your guinea pig.

I clicked the link and downloaded the test first. It said I was vulnerable. I downloaded the patch (reports say it won't interfere with anything Microsoft eventually issue), re-booted, and the test said I appear to be immune.

So far so good.

P.S. Yes, I got infected from a re-direct on a free porn site, but I was wearing as much protection as was available.

I think Scotty the Watchdog saved me from even worse because he won't let anything that it notices, install itself or change any settings without asking if it's ok.

He's a good boy, Scotty the watchdog. He even barks when he has something to tell you.
 
G' Day. If you followed my suggestion to install a patch the other day, Microsoft has released an official one that should be installed in the following order:

1. Go to START button (bottom left of screen)
2. Select CONTROL PANEL, select ADD OR REMOVE PROGRAMS
3. Scroll down to find "Windows WMF Metafile Vulnerability Hotfix....."
4. Click on the item to select it
5. Click on the REMOVE button to remove the patch
6. Let your system reboot.

7. Go to: http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

8. Download the item labeled "Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2"

9. Run the update you just downloaded.

----

If you regularly use WINDOWS UPDATE to keep your system patched you don't need to do steps 7, 8, 9.

This of course assumes you have a legal copy of Windows XP... if you don't, then I would ignore this post and leave the previous patch installed.
 
Hey photoguy. So far so good but I saw the auto update before I saw your post so now I have the microsoft patch and the hotfix. Is it ok to leave them?

I noticed a neat side effect after I installed the hotfix (I'm assuming it was the hotfix because this never happened before) when I get re-directs now from the pron sites a lot of them go just to a google page rather than another pron site with popups etc. I don't wanna lose that effect if it's the hotfix that did it.
 