New Windows Vulnerability discovered

[Richy Rich]

Don't know if anyone has mentioned it here -discovered in Microsoft Windows' image processing code. Seems like a real serious one. Don't have to open any file to get this tojan...[img]i/expressions/face-icon-small-shocked.gif[/img]

If you have XP here is a temp patch. OP 98, also a temp fix solution: (Very trustworthy site)
http://www.grc.com/sn/notes-020.htm

My next computer, think I'm going to buy a MAC[img]i/expressions/face-icon-small-disgusted.gif[/img]

[Minnow]

I just went to the microsoft windows update site and got the message "this page contains both secure and non-secure items, do you want to dispaly the non-secure items?" What the hell is that message about anyway? And why in the world do I get it at an official MS Windows update page. They are asking me if I want to take a chance with non-secure items at their very own site? [img]i/expressions/face-icon-small-confused.gif[/img]

[Total Square]

be careful with the link above folks...lots of stuff for sale there [img]i/expressions/face-icon-small-wink.gif[/img]

[Minnow]

http://www.microsoft.com/technet/sec.../MS05-053.mspx

You can read about it and get the patches from MS right on site.

[Richy Rich]

TotalSquare, this is a Steve Gibson site. But you don't have to “buy” anything here. If you don't trust the “patch” you can manually disable Windows Metafile- then restore it once Microsoft figures out the solution here.

If you search Google you can find chatter about this exploit. But no mention of it at Windows update. Hmmm

Minnow, I think the “non secured” refers to unsecured web pages that are sent over the internet. These pages can be intercepted by a “third party” and read. No big deal. Vast majority of data sent over the internet are unencrypted.

[Richy Rich]

ooops,

Minnow, I couldn't find it on Windows update... The vulnerability was discovered last Tues/Wed. Hackers are going to try to take advantage here, since it is SOOO easy to plant a trojan...

[Minnow]

Richy, thanks for the info. Graphic files was one thing I never worried about before. This really sucks,, I need to get away from IE

[jag]

personally; i disassociated the .wmf file extension to always get an application prompt... you can never be to careful... here's the text from windoze, -cheers, and good luck... (hopefully a patch will be available tuesday)
---------------------------------

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: December 30, 2005

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that take advantage of this vulnerability. We will continue to investigate these public reports.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

Microsoft’s investigation into this malicious act is ongoing. We are working closely with our anti-virus partners and aiding law enforcement in its investigation.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

Customers who believe they may have been affected by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:
•

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
•

In an E-mail based attack of the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability.
•

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
•

By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration This mode mitigates this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.
General Information

[Richy Rich]

Quote:

In an E-mail based attack of the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability.

Jag, the tech guys I listened to over the weekend say any e-mail that contains a malicious/infected Metafile (thumbnail), the person only needs to 'open' the e-mail and will get zapped/infected. In other words, you don't need to click on a link in your e-mail. That's what makes this one so dangerous. Again, that's the info I picked up. Just passing it along...