DiploidM
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Yet Another Windows Security Flaw
    #5127246 - 12/31/05 07:04 PM (18 years, 2 months ago)

http://seattlepi.nwsource.com/business/253931_msftflaw30.html

Hackers seize on newfound flaw in Windows
Visiting certain Web sites can infect computers

By ROCHELLE GARNER
BLOOMBERG NEWS

A newfound flaw in Microsoft Corp.'s Windows operating system is being used by hackers to install malicious code on personal computers.

Users can infect their computers by visiting certain Web sites that are able to exploit some Windows-based applications, Internet security company Panda Software said. It called the discovery "one of the most serious vulnerabilities recently detected."

The flaw in the world's most popular software leaves PCs open to adware and spyware as well as Trojans, which can hide damaging programs.

Internet Explorer, Outlook and the Windows Picture and Fax viewer are used to insert the potentially harmful code, said Patrick Hinojosa, chief technology officer of Panda.

"Because this exploits particular programs on Windows, rather than Windows itself, your machine can get infected simply by visiting a Web site that's set up to exploit the flaw," Hinojosa said.

Microsoft is investigating reports of the problem, the company said on its Web site. It hasn't yet developed a security patch, and recommends that customers use caution and keep antivirus software up to date.

Panda found cases of infection almost immediately after the flaw was first reported Tuesday, Hinojosa said.

Web sites exploiting the security lapse include toolbarbiz.biz and buytoolbar.biz, Panda said. The sites are set up to install malicious code by using the way applications process Windows Metafiles to show images.

Microsoft has been working to improve the security of Windows, which has come under attack from more than 17,000 computer viruses and worms.

The latest vulnerability was found in Windows XP, Windows 2000 and Windows NT systems. Panda said it is still testing Windows 98 for the flaw.


--------------------
Republican Values:

1) You can't get married to your spouse who is the same sex as you.
2) You can't have an abortion no matter how much you don't want a child.
3) You can't have a certain plant in your possession or you'll get locked up with a rapist and a murderer.

4) We need a smaller, less-intrusive government.

RandalFlagg
Stranger
Registered: 06/15/02
Posts: 15,608
Re: Yet Another Windows Security Flaw [Re: Diploid]
    #5127260 - 12/31/05 07:11 PM (18 years, 2 months ago)

Another Windows security hole?!?! Say it ain't so... this never happens.

ThePredator
Your a eunich if you don't use unix!

Registered: 08/23/05
Posts: 542
Last seen: 17 years, 8 months
Re: Yet Another Windows Security Flaw [Re: RandalFlagg]
    #5127592 - 12/31/05 09:22 PM (18 years, 2 months ago)

Be aware that this exploit isn't a mild annoyance like most that come out; this is a full-blown one that will probably put 50% or more of computers at risk. Places like FrSIRT (I highly advise everybody to check their site regularly) have a critical announcement up on the homepage about it: http://www.frsirt.com/english/


DiploidM
Cuban
Registered: 01/09/03
Posts: 19,274
Loc: Rabbit Hole
Re: Yet Another Windows Security Flaw [Re: Diploid]
    #5127989 - 01/01/06 01:01 AM (18 years, 2 months ago)

http://isc.sans.org/diary.php?storyid=992

* New exploit released for the WMF vulnerability - YELLOW (NEW)
Published: 2006-01-01,
Last Updated: 2006-01-01 02:55:47 UTC by Tom Liston (Version: 9)

New exploit
On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:

* with a random size;
* no .wmf extension (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer.

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly, it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.

Infection rate
McAfee announced on the radio yesterday they saw 6% of their customers having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.

Yellow
Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there that they need to review their defenses.

We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it, the uglier it gets.

UNofficial patch
We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn't always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here. (md5 99b27206824d9f128af6aa1cc2ad05bc)
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this ...

Patching with unofficial patches is very risky business; this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

Belt and suspenders
There is a possibility to use the proven belt-and-suspenders approach here: using the unofficial patch and the workaround from Microsoft together. Just remember to undo the damage done before applying any official patch for this vulnerability.

New Snort signatures
We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/...

Frank also restated some warnings:

There is one important note in regards to ALL published signatures, including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300, which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all-port sig below) that are not configured in http_inspect (i.e. FTP).
One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.
So we're between a rock, a solid surface, and a hard place. The exploits are web based, yet the signature will fail with http_inspect enabled. With it disabled, Snort will miss all rules containing uricontent and pcre/U statements. With it enabled, and flow_depth set to 0, Snort will alert on the exploit, but also process all uricontent rules in such a fashion that its CPU utilization is skyrocketing.
The only viable solution at this point is to run two instances of Snort. One with your normal set of rules and http_inspect enabled with either the default or "sane" values for flow_depth. The second instance should run with http_inspect disabled or flow_depth set to 0 (in the appropriate http_inspect_server config line), and process only rules that have to cover a larger than 300 byte area for content matches on ports configured in http_inspect. This two-pronged approach assures that Snort's performance is kept at normal levels, preventing packet loss.

Overview
A chronological overview of all WMF-related articles on this site.

Thanks
Thanks to all handlers working on this today, especially Lorna, Tom, Kevin, Jim, Scott and all those I forgot. This was a cooperative effort.


Wishing all Windows machines, their users, owners and administrators a happy New Year, with a bit fewer nasty exploits.


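The diary above makes two defensive points worth seeing in code: the exploit files carry arbitrary image extensions (so content, not extension, has to decide what a file is), and the trigger is a metafile record that reaches GDI's Escape() with the SETABORTPROC (0x09) parameter, the very call the unofficial patch filters. The scanner below is an added example written for this thread, not code from ISC, Panda, Microsoft or the patch author; it walks the public WMF record layout (META_HEADER, then DWORD-size/WORD-function records) and reports that escape, and the two sample files it checks are constructed inline with no payload.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function that reaches GDI's Escape()
SETABORTPROC = 0x0009       # escape sub-function the unofficial patch ignores
META_EOF = 0x0000
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" header

def scan_wmf(data: bytes) -> dict:
    """Walk the record stream by content (extension ignored) and flag META_ESCAPE/SETABORTPROC."""
    res = {"is_wmf": False, "setabortproc": False, "malformed": False, "records": 0}
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return res
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return res                          # not a standard META_HEADER
    res["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            res["malformed"] = True         # size field cannot be trusted; stop here
            break
        res["records"] += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4 and struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
            res["setabortproc"] = True      # the Escape(SETABORTPROC) call the exploit relies on
        off += size_words * 2
    else:
        res["malformed"] = True             # ran off the end without META_EOF
    return res

def _record(func: int, *params: int) -> bytes:
    """Encode one record: DWORD size in WORDs (including this 6-byte prefix), WORD function, WORD params."""
    return struct.pack("<IH%dH" % len(params), 3 + len(params), func, *params)

def build_wmf(records: bytes, placeable: bool = False) -> bytes:
    """Prefix a META_HEADER (and optionally a placeable header) to a record stream."""
    head = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0)
    if placeable:
        head = struct.pack("<IH8sHIH", PLACEABLE_KEY, 0, b"\0" * 8, 96, 0, 0) + head
    return head + records

# Constructed samples for the scanner (no payload, not real malware): a benign metafile,
# and one carrying an empty SETABORTPROC escape behind a placeable header.
BENIGN = build_wmf(_record(0x0103, 8) + _record(META_EOF))          # META_SETMAPMODE, EOF
SUSPECT = build_wmf(_record(0x0103, 8) + _record(META_ESCAPE, SETABORTPROC, 0)
                    + _record(META_EOF), placeable=True)
```

A truncated copy (EOF record cut off, as a file whose size field lies) still reports the escape and is additionally marked malformed, which is the kind of structural oddity the diary says makes byte-pattern signatures unreliable.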
Copyright 1997-2024 Mind Media. Some rights reserved.