A Very Dangerous Worm in Windows Metafile Images (WMF)

I assume that doesn't include users who browse Russian p*rn sites? :-) BTW, are there any examples of this being used anywhere, yet?

--
Dirk

The Consensus:-
The political party for the new millennium
http://www.theconsensus.org
Reply to
Dirk Bruere at Neopax

I still write PL/M code.

Graham

Reply to
Pooh Bear

"Terry Pinnell" wrote in message news: snipped-for-privacy@4ax.com...

S Risk Assessment - Home Users: Low - Corporate Users: Low


--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Reply to
Frank Bemelman

"Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen.

The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.

When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.

It's going to get worse."


Graham

Reply to
Pooh Bear

I stand corrected, and may I say I'm glad to be in this case. Good find; John and I both searched and couldn't find anything. I searched on the terms "WMF" and "exploit" and the MS search engine responded that there was nothing, despite those two terms appearing in the first paragraph of your link. My fault: I should have used Google to search Microsoft's site.

I think those sites are wrong, because there's a high motivation for bad sites to use the exploit, given its easy use, which is well understood by now, and its very powerful results. The email delivery path is exceedingly dangerous to anyone who doesn't have an appropriate browser with image display turned off. For example, my wife is OK, just barely because I rebuilt her machine over the holidays, but her sister, brother and mother are not. They erase their spam by first inspecting it. Her sister now uses G-mail, so she may be OK, if Google is on top of things. But my mother-in-law uses an old version of I.E. Damn. There's no way I can fix that for her -- she's in FL. I should have worked on it last October.

We can't count on Norton AV, they haven't updated their definitions since Dec 30th (more than 48 hours), and they completely failed to stop the exploit test when I tried it yesterday, before installing Ilfak Guilfanov's patch. So I think these AV companies are off the mark: right now they aren't doing anything about a dangerous active exploit, so they say, hey, don't worry! Sheesh!

--
 Thanks,
    - Win
Reply to
Winfield Hill

In 1997 (IIRC) I mentioned in a post the possibility of a buffer overflow in a properly malformed JPEG causing code to be executed. IIRC, though, that was last week's bug. This one is due to the fact that the file viewer does not do only one file type, but many. The viewer does not assume that the file extension correctly reflects the file type, and looks inside the file to determine what it is. Thus, if you have an application that deals with .jpg, .gif, .wmv, and you save a .wmf as .jpg, it'll be opened by the application, and it'll determine that it's really a .wmf, and deal with it that way.

Reply to
Ian Stirling

A WMF renamed as a JPG.

That's Microsoft for you! The application doesn't check that the file is what it claims to be.

Quite!

Graham

Reply to
Pooh Bear

I keep looking at OS/2 / eComStation, as it looks like an excellent, extremely stable, properly built OS; however, spending about $320 CND on an OS that does not support a lot of the programs I need seems excessive.

The common stuff like browsing, email (newsgroups?), PDFs, media, etc. seems to be well taken care of, although OOo office has its good and bad points.

The real problems arise with stuff like an assembler for Atmel AVRs, C compilers for embedded processors, Gerber viewers, PCB layout, typical design tools, etc. Drivers can be an issue too.

As an OS/2 user do you have many workarounds for these problems?

I should buy a copy one of these days to try it out, and at least support decent software. I really am getting sick of MS's buggy bloatware that forces you to upgrade every so often due to compatibility issues, forcing the hardware to be updated with it, nasty marketing schemes, security issues, viruses, rights issues, proprietary formats that keep changing, its phoning-home capabilities (and why?), its annoying "try to do everything for you" behaviour and animations in XP, etc., etc. Maybe eCS will be my OS of choice once Win 2K is no longer useful.

Barbarian.

Reply to
Jeff L

Well, you have to factor in all the stuff you don't need, like Norton AV, spyware removers, and so on... not to mention Office. My laptop has 3 OSes on it: XP, Fedora Core 4, and OS/2 4.52 plus many fixes (I work for IBM, but even round there I'm considered a diehard [read, loonie]).

If you need to run all the latest Windows things, you're going to need Windows. If there are other methods, e.g. open source SW, you can usually use Linux or OS/2.

Cheers,

Phil Hobbs

Reply to
Phil Hobbs

Kaspersky Labs has the opposite risk rating, calling it "extremely critical". I have found that McAfee generally underrates virus risks at the onset. They will probably change their rating by mid-week when people go back to work.


--
Mark
Reply to
qrk

That opened fine here in FF 1.5.

--
Terry Pinnell
Hobbyist, West Sussex, UK
Reply to
Terry Pinnell

Still true today, it's now nearly 96 hours since their last update.

--
 Thanks,
    - Win
Reply to
Winfield Hill

I just ported Orcad to my cell phone ;-)

--DF

Reply to
Deefoo

Anyone? With shimgvw.dll unregistered, if you open a My Computer or Explorer folder containing JPGs and view it in Thumbnail View, do you get proper thumbnails? Or just the large icon of whatever image viewing program you have associated with JPGs? The latter applies here, and also just had same result on my wife's PC.

--
Terry Pinnell
Hobbyist, West Sussex, UK
Reply to
Terry Pinnell

The experts at Norton don't panic, you mean ;) What did you expect?

Sheesh! Hahaha, unbelievable.

The internet is going to melt, hahahaha....

What a brilliant joke.

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Reply to
Frank Bemelman

"qrk" wrote in message news: snipped-for-privacy@4ax.com...

No, Kaspersky rates it as "moderate risk":


And: "The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability."

Which is a different thing. The bare fact that people can download and install software can be seen as a vulnerability too, and there is nothing more critical than that. Hey, they can even remove software from their PCs, deleting entire folders. Another 'vulnerability'.

I dare say that last night more PCs were damaged accidentally by deleting folders than by this entire WMF thing.

--
Thanks, Frank.
(remove 'q' and '.invalid' when replying by email)
Reply to
Frank Bemelman

Why would a Linux viewer run Windows-specific code added to allow the cancelling of print jobs in Windows 3.x? I would expect most viewers to completely ignore the SetAbort commands, or at worst complain about the file.

And why would someone running Linux run as root?

Reply to
David Brown
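Two points in the thread invite a concrete check: Ian Stirling's observation that the viewer decides the type from the file's contents rather than its extension, and David Brown's expectation that a sane viewer simply ignores or rejects the SetAbort escape. The scanner below is an added example written for this page; it is not code from any poster, from Microsoft, or from any AV vendor. It recognises a WMF by its placeable-header magic or standard header regardless of the file name, walks the record list, and flags any META_ESCAPE record whose sub-function is SETABORTPROC (0x0626 and 9 are the real record and escape codes from the public WMF format; the sample files, their names, and the four zero bytes standing in for escape data are constructed here and carry no payload).

```python
"""Content-sniffing WMF scanner (added example, not from the thread).

Layout follows the public WMF format: an optional 22-byte Aldus placeable
header, an 18-byte standard header, then a list of records that each start
with a 4-byte size (in 16-bit words) and a 2-byte function code.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # placeable-header magic (bytes D7 CD C6 9A on disk)
META_ESCAPE = 0x0626         # record function: GDI escape
META_SETMAPMODE = 0x0103     # an ordinary drawing record, used for the clean sample
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape sub-function abused by the 2005 exploit


def record(function, params=b""):
    """Encode one WMF record: size in words, function code, parameters."""
    assert len(params) % 2 == 0, "record parameters are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records, placeable=True):
    """Construct a minimal WMF file around the given records (constructed sample)."""
    records = list(records) + [record(META_EOF)]
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r)[0] for r in records)
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size in words,
    # NumberOfObjects=0, MaxRecord in words, NumberOfMembers=0.
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if not placeable:
        return header + body
    # Key, HWmf, bounding box (left, top, right, bottom), Inch, Reserved, then a
    # checksum that is the XOR of the ten preceding 16-bit words.
    pl = struct.pack("<IHhhhhIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", pl):
        checksum ^= word
    return pl + struct.pack("<H", checksum) + header + body


def sniff_wmf(data):
    """Decide from content alone whether this is a WMF; return (is_wmf, header_offset)."""
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True, 22
    if len(data) >= 18:
        mf_type, header_words, version = struct.unpack_from("<HHH", data)
        if mf_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return True, 0
    return False, 0


def iter_records(data):
    """Walk the record list, yielding (offset, function, params); raise on bad sizes."""
    is_wmf, off = sniff_wmf(data)
    if not is_wmf:
        raise ValueError("not a WMF")
    off += 18
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"malformed record size at offset {off}")
        yield off, function, data[off + 6:off + size]
        if function == META_EOF:
            return
        off += size
    raise ValueError("record list not terminated by META_EOF")


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    hits = []
    for off, function, params in iter_records(data):
        if function == META_ESCAPE and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params)
            if escape_fn == SETABORTPROC:
                hits.append(off)
    return hits


def classify(filename, data):
    """Verdict based on content, never on the extension the sender chose."""
    is_wmf, _ = sniff_wmf(data)
    if not is_wmf:
        return "not-wmf"
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "wmf-malformed"   # a parse failure is suspicious, not benign
    if hits:
        return "wmf-setabortproc"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "wmf-clean" if ext == "wmf" else "wmf-extension-mismatch"


# Constructed samples: a clean drawing record, and a file carrying a SETABORTPROC
# escape whose "data" is four placeholder zero bytes (not a payload of any kind).
CLEAN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
ESCAPE_WMF = build_wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 30   # JPEG SOI marker, nothing else

if __name__ == "__main__":
    for name, blob in [("picture.wmf", CLEAN_WMF), ("HappyNewYear.jpg", ESCAPE_WMF),
                       ("photo.jpg", FAKE_JPEG)]:
        print(f"{name:18} -> {classify(name, blob)}")
```

The point of the `classify` verdicts is that a mail gateway or desktop indexer should reach the same decision the vulnerable viewer does about what a file is, then refuse the one escape a picture never needs; a WMF that will not parse cleanly is reported as malformed rather than passed through, which is the "complain about the file" behaviour rather than the "run it" one.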

Which is one reason I don't worry too much about email. However, suppose someone posted a malware .wmf here, on SED?

--
Dirk

The Consensus:-
The political party for the new millennium
http://www.theconsensus.org
Reply to
Dirk Bruere at Neopax

Actually, I think one of the major problems with Windoze is that they don't tell their customers _not_ to run as "ADMINISTRATOR". I know not to run as root, but take a moment to consider - even if I did decide to download a wmf file, and it had executable code, that code would only execute on a Windoze box. In the first place, it doesn't have execute permission. In the second place, it was written to interface to Windoze, so its first system call would give a segment violation, and Linux would let you know, and quietly shut it down and unload it from memory. (well, 'free()' the memory.) In the third place, even if it got through all of those hoops, it wouldn't have write permission on system files, so it wouldn't be able to do anything malicious even if it _could_ execute on a Linux box.

So, of course, I stand behind my assertion that Bill Gates should clue up, download a Linux, have his codemonkeys port the eye candy, drivers, and easy install scripts (but smarten them up a bit - I'm available for that task, BTW), and sell it as ***Microsoft Linux***! It's totally legal! If I had his resources, I'd do it myself!

As it is, the best we can do today is support, for example, Patrick Volkerding, who put together the Slackware distribution. It was my first Linux, back in the late 1990s, and I picked it because of the name.

I don't work for him or anything, I'm just a satisfied customer. :-)

There's only about two things I still need windows for, and I'm kind of working on narrowing that down if I can. ;-)

Cheers! Rich

Reply to
Rich Grise, but drunk

OK, sorted. I have reliable confirmation elsewhere that loss of thumbnails *is* a consequence.

--
Terry Pinnell
Hobbyist, West Sussex, UK
Reply to
Terry Pinnell
