ZERO DAY! Huge Microsoft Security Flaw...

Because Microsoft chose to release the patch along with the regularly scheduled updates for January rather than releasing it faster to make it available when it's needed. I still haven't quite figured out the logic behind waiting to release a patch for a problem that is serious NOW until January 10, but here's what Microsoft themselves had to say:



Now, just because I think you should know this, Microsoft has already released a patch, but only if you pay extra for Windows OneCare:



Don't know what conclusions other people will draw, but either Microsoft doesn't consider this to be much of a serious threat or they're simply trying to get new Windows OneCare users, your call.

UO

Edit: added Windows OneCare quote

[edit on 3-1-2006 by UnknownOrigins]

Thanks.



Right, I knew that, my confusion stemmed from the fact that supposedly once the "fix" was installed you no longer needed to disable the .dll manually.

Wasn't sure if the patch did this (thumb blocking/.dll disable) on it's own, or if it fixed the problem through another route to prevent malicious code from running.

[edit on 1/3/06 by redmage]

Some say yes, some say no. But this is what caught my eye.

This morning chief research officer at F-Secure said:



This afternoon:



5 - 10% of users? That's right. And McAffee gives us more numbers to work with.



120,000 is a comparatively small number, but remember, this is just 1 company reporting from their clients.

On a similar note:
One reason that this WMF vulnerability is worrisome is because it is so easy to create an exploit. In fact, Panda Software has found a "kit" being passed around the internet which aids in creating WMF exploits.



This ease of availability is probably the reason for the increase of the WMF exploits. This ease of creation is causing additional worries that it will will bring on innumerable variations of the exploit.

Freely available, point & click exploit creator, for a vulnerability with no cure. Ay, there's the rub!

I will leave you with one more thing to think about.





[edit on 1/3/06 by makeitso]

Apparently, hardware-DEP (Data Execution Prevention) helps with the situation somewhat as it has been found to prevent some instances of the exploit. I found this searching on google for more information. So, if you have a computer capable of enabling DEP, you might want to check this out (I dont use XP so I can't try it out):
Link

A previous post above me had a link mentioning something about a third-party ad service potentially carrying the infection, I found more information on that as well (apparently it's a network known as Exfol): More info on that here

There is also a possibility that it's only the newer operating systems that are affected (XP, Server 2003) and that Windows 2000, 98, and older may not be as vulnerable:


There is also evidence of a user-friendly application that is basically a "Make Your Own Exploit!" available, so by now their could be hundreds, if not thousands of variants.

Remember folks, that just viewing an infected website will set off the exploit. And Firefox is NOT immune to this particular exploit.

Edit (Forgot to add this): Running as a user without administrator access privileges could possibly lessen the severity if you are infected. Apparently, the virus only has as much power as the user viewing the image.
Source:


UO

2nd Edit: Spelling

[edit on 3-1-2006 by UnknownOrigins]

[edit on 3-1-2006 by UnknownOrigins]

Forgot to mention you have to reboot for it to take effect.

The only thing I have done is disable shimgvw.dll, and the WMF vulnerability checker says I'm invulnerable to the exploit.

Here's a solution though:
Switch to Loonix (Linux) or Mac. A Mac is more expensive than a PC. Loonix is free but harder to use than Windows and Mac ... but I'm sure you people are smart enough to figure it out
You can even use Windows on a Loonix computer, and vice versa, with VMWare, or then run some Windows applications on Loonix with Wine.

[edit on 4/1/2006 by SwearBear]

OMG do you people still use M$ Windows
I never have to worry about virusses or spyware on my debian linux machine

Anyway, Ive heard all these patches disable far too much things on your PC, and dont protect you very good from this major flaw. I'd say use a good anti-virus program, most of them already got updates which detect and prevent this bug.

Its best to have a good up-to-date virus scanner, *and* wait for the jan 10th patch (dont just wait for jan 10th, if you use Windows, you should ALWAYS have an up-to-date virus scanner).

Microsoft is still testing the hotfix apparently. And isn't OneCare still in Beta mode??

Yes, Windows OneCare is still in beta as far as I know, but the point is that they have already made the patch available if you're a subscriber to it. I'm not sure as to the cost of OneCare when it comes out of beta, but I see no reason why the patch should only be released to those using OneCare until January 10th. Perhaps they're being honest and really testing it and putting it in the OneCare beta is just one of their methods of testing, I'm not sure.

UO

Folks, if you're going to download and install any "unofficial" patches, be very careful about where these patches are coming from. Go only to the most well-known and respectable Internet Security sites.

The single most important thing you can do to protect your system until a widely-accepted official patch comes out, is watch the links you click when you are opening email. If it doesn't come from someone you know, or if it DOES come from someone you know but it looks "funny" in any way, just delete it. If you need to find little visual jokes and funny animations, go to a place like ebaum's world.

I have installed one of the unofficial patches, but I got it from an internet security site that I've used and trusted for several years. I'd give their address, but I don't think they'd appreciate it if their servers went down because I gave out their address. It's a private site, you see.

Just like with terrorism, we can't live our lives or use our computers in fear of something bad happening. Common sense, reasonable care, and keep your zipper up are the watchwords of the day.

Microsoft has the patch up early.
Upgrade today .

Yeah it is out

www.microsoft.com...

Thanks for the link, Dulcimer!

Now, I can uninstall the Windows One Care beta.

Dont forget to uninstall the Windows WMF Metafile Vulnerability HotFix 1.2 first. It requires a reboot to finish the uninstall.

Dont forget to re-register the shimgvw.dll with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation) if you unregistered it manually.

Looks like the update is named:
Security Update for Windows 2000 (KB912919) Date last published: 1/5/2006

The technical details and FAQ are located here

It appears that Windows 98, Windows NT, and Windows 2000 sp2, and sp3 clients are left out in the cold as usual.

It may seem that way, but apparently while pre-XP operating systems are still vulnerable, there aren't as vulnerable as XP is. This is mostly due to the fact that although pre-XP operating systems have the .dll that is exploited, they have no default handler for wmf files, so unless you have a third-party WMF viewer installed on these operating systems, WMF files shouldn't open automatically.

However, Microsoft will release a patch for these operating systems if this exploit is ever declared worthy of a critical security update as per their extended support phase:


Edit: fixed quote

UO

I did just notice that on the page I linked to, it does list the exploit as having a critical severity rating, yet they have not released a patch for older operating systems despite their claim to do so in the event of a critical security issue. Try and figure that one out.

[edit on 5-1-2006 by UnknownOrigins]

The FAQ may help us understand their reasoning on that. It says:



Thanks for the good info.