OT: Huge virus threat for Windows XP


Windows PCs face 'huge' virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18
Last updated: January 2 2006 22:19
Computer security experts were grappling with the threat of a new weakness in Microsoft's Windows operating system that could put hundreds of millions of PCs at risk of infection by spyware or viruses.
The news marks the latest security setback for Microsoft, the world's biggest software company, whose Windows operating system is a favourite target for hackers.
"The potential [security threat] is huge," said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. "It's probably bigger than for any other vulnerability we've seen. Any version of Windows is vulnerable right now." The flaw, which allows hackers to infect computers using programs maliciously inserted into seemingly innocuous image files, was first discovered last week. But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
"We haven't seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability," Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware that the vulnerability was being actively exploited. But by early yesterday, it had not yet released an official patch to correct the flaw. "We are working closely with our antivirus partners and aiding law enforcement in its investigation," the company said. In the meantime, Microsoft said it was urging customers to be careful opening e-mail or following web links from untrusted sources.
Meanwhile, some security experts were urging system administrators to take the unusual step of installing an unofficial patch created at the weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate information technology systems could remain vulnerable as employees trickle back to work after the holiday weekend.
"We've received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable," wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus research group. Both ISC and F-Secure have endorsed the unofficial fix.
Microsoft routinely identifies or receives reports of security weaknesses but most such vulnerabilities are limited to a particular version of the Windows operating system or other piece of Microsoft software. In recent weeks, the company has been touting its progress in combating security threats.
The company could not be reached on Monday for comment.
http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html

<SNIP>
FYI, here is the relevant link on Microsoft's site. http://www.microsoft.com/technet/security/advisory/912840.mspx
todd
todd wrote:

Todd, that would be the "irrelevant" link. Notice how Microsoft is *rushing* to issue a patch by the 10th of January. Trustworthy Computing, indeed.
*This* is a relevant link: http://isc.sans.org/diary.php
(Read through -- actual fixes to mitigate it are contained within.)
--
DC Linux RU #1000111011000111001

The word 'politics' is derived from the word 'poly', meaning 'many'
"DC" wrote in message

After applying countless MS patches/SPs in the early days, and then having to rebuild servers that no longer worked, I'd just as soon take my chances with the "threat" as with an MS "update" rushed to press.
--
www.e-woodshop.net
Last update: 12/13/05

I think you need to look up the definition of "relevant". Here, I'll do it for you. http://dictionary.reference.com/search?q=relevant
todd
DC wrote:

I wouldn't call 10 days a rush to fix. The patch will probably only open new holes. Meanwhile, Norton Anti Virus stock goes up again, probably the one who put out the virus in the first place. "Trustworthy Computing" you have to be kidding! There is nothing Trustworthy about MicroCrap! The only thing they trust is PROFIT!
Good Luck Microsoft users. RV
--
"you can lead them to LINUX
but you can't make them THINK"
I found a place that has the fix for the problem. It is free and is on Steve Gibson's website. Here is the link to it.
http://www.grc.com/sn/notes-020.htm
: I found a place that has the fix for the problem.
: It is free and is on Steve Gibson's website.
: Here is the link to it.
:
: http://www.grc.com/sn/notes-020.htm
:
Yup, and MS expects their response to be out shortly too, but people shouldn't panic over it. It's a rather mundane bug actually, especially if a person surfs with a reasonably safe attitude. Just don't mess with windows metafiles from a site and you should be OK. MS's link given in an earlier thread also does a pretty fair job of explaining it, along with symantec, mdavee, avg and all the rest. It is not impending doom as the one poster tried to make it sound.
Pop wrote...(in part)

If windows metafiles had to have a specific extension to be recognized, you might have more control over whether you view or download one. However, windows metafiles don't have to have a WMF extension.
Internet Explorer on Windows XP, in particular, detects and plays most windows metafiles automatically by examining the header information at the beginning of the file. It doesn't care what the file extension is. You can test this for yourself:
1. Find a safe WMF on your local machine. (If you use MS Office and installed any clipart with it, you'll find a bunch.)
2. Copy the file to your desktop.
3. Use Rename to change the file extension to something other than WMF, e.g., <filename>.blah (Ignore the warning that the file may become unusable if you change the extension.)
4. Open an IE window.
5. Drag and drop the renamed file onto the IE window.
6. Observe that IE opens and plays the WMF.
I said "plays" instead of "displays" because a WMF stores vector data as a series of windows GDI commands. Essentially, that portion of the WMF is a script.
By the way, there are several flavors of windows metafiles and IE doesn't automatically play all of them. So, if, when you run the test, IE asks if you want to save the file, click Cancel or No and try a different file. Again, the MS Office clip art is a good source for the types that "work."
Not trying to fan the flames or anything. Just wanted to point out that the vulnerability is greater than an interested party might like to admit.
Cheers,
Jim
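Jim's test shows that IE decides what a file is by looking at its content, not its name. As an added illustration (not code posted by Jim or anyone else in this thread), here is a small Python sniffer that applies the same idea from the defender's side: it classifies a byte string as a placeable WMF, a plain WMF or an EMF from the header bytes alone, ignoring the file name entirely, and walks the WMF record stream to show the "series of GDI commands" structure Jim describes. The header layouts follow the published WMF/EMF file formats (placeable key 0x9AC6CDD7, the 18-byte META_HEADER, the " EMF" signature at offset 40 of EMR_HEADER); the sample files are constructed inline for the demo and are not real clip art.

```python
import struct
from typing import Dict, Iterator, Optional, Tuple

# Signatures from the WMF/EMF file formats (values are little-endian on disk).
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"    # placeable-header key 0x9AC6CDD7
WMF_PLACEABLE_HEADER_LEN = 22               # key + hWmf + bbox + inch + reserved + checksum
WMF_HEADER_LEN = 18                          # META_HEADER is 9 words
EMF_SIGNATURE = b" EMF"                      # 0x464D4520 at offset 40 of EMR_HEADER
META_EOF = 0x0000                            # function code of the terminating record


def sniff_metafile(data: bytes) -> Optional[str]:
    """Classify bytes as 'wmf-placeable', 'wmf', 'emf' or None using only the header."""
    if data[:4] == WMF_PLACEABLE_KEY:
        return "wmf-placeable"
    if len(data) >= WMF_HEADER_LEN:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        # Type 1 = memory metafile, 2 = disk metafile; header is always 9 words.
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == EMF_SIGNATURE:
        return "emf"
    return None


def wmf_records(data: bytes) -> Iterator[Tuple[int, int]]:
    """Walk the record stream of a placeable or plain WMF, yielding (function, size_in_words)."""
    off = WMF_PLACEABLE_HEADER_LEN if data[:4] == WMF_PLACEABLE_KEY else 0
    off += WMF_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        yield func, size_words
        if func == META_EOF or size_words < 3:   # terminating record, or a malformed size
            break
        off += size_words * 2


def classify_by_content(files: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each name to its sniffed type; the name and its extension play no part."""
    return {name: sniff_metafile(content) for name, content in files.items()}


def build_sample_wmf(placeable: bool) -> bytes:
    """Constructed sample: a WMF holding one META_SETMAPMODE record followed by META_EOF."""
    records = struct.pack("<IHH", 4, 0x0103, 8) + struct.pack("<IH", 3, META_EOF)
    total_words = (WMF_HEADER_LEN + len(records)) // 2
    # type, header words, version, size (words), objects, max record (words), members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 4, 0)
    body = header + records
    if not placeable:
        return body
    # key, hWmf, bounding box (left, top, right, bottom), inch, reserved
    pre = WMF_PLACEABLE_KEY + struct.pack("<HhhhhHI", 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", pre):  # XOR of the ten preceding words
        checksum ^= word
    return pre + struct.pack("<H", checksum) + body


def build_sample_emf() -> bytes:
    """Constructed sample: a minimal 88-byte EMR_HEADER with the ' EMF' signature in place."""
    return struct.pack("<II", 1, 88) + b"\x00" * 32 + EMF_SIGNATURE + b"\x00" * 44


if __name__ == "__main__":
    # Constructed inputs: the renamed clip-art case from the thread, plus non-metafile bytes.
    samples = {
        "clipart.blah": build_sample_wmf(True),
        "drawing.wmf": build_sample_wmf(False),
        "chart.emf": build_sample_emf(),
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 40,
    }
    for name, kind in classify_by_content(samples).items():
        print(f"{name}: {kind}")
    print("records:", list(wmf_records(samples["clipart.blah"])))
```

An extension-based mail or proxy filter would let `clipart.blah` through, while a content check of this kind flags it; the same header check is what an image-sniffing viewer performs, which is why the extension offers no protection.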
: Pop wrote...(in part)
: > Just don't mess with windows metafiles from a site and
: > you should be OK.
:
: If windows metafiles had to have a specific extension to be recognized,
: you might have more control over whether you view or download one.
: However, windows metafiles don't have to have a WMF extension.
:
: Internet Explorer on Windows XP, in particular, detects and plays
: most windows metafiles automatically by examining the header information
: at the beginning of the file. It doesn't care what the file extension is.
: You can test this for yourself:
:
: 1. Find a safe WMF on your local machine. (If you use MS Office and
: installed any clipart with it, you'll find a bunch.)
:
: 2. Copy the file to your desktop.
:
: 3. Use Rename to change the file extension to something other than WMF,
: e.g., <filename>.blah
: (Ignore the warning that the file may become unusable if you change
: the extension.)
:
: 4. Open an IE window.
:
: 5. Drag and drop the renamed file onto the IE window.
:
: 6. Observe that IE opens and plays the WMF.
:
: I said "plays" instead of "displays" because a WMF stores vector data as
: a series of windows GDI commands. Essentially, that portion of the WMF is
: a script.
:
: By the way, there are several flavors of windows metafiles and IE doesn't
: automatically play all of them. So, if when you run the test, IE asks if
: you want to save the file, click cancel or no and try a different file.
: Again, the MS Office clip art is a good source for the types that "work."
:
: Not trying to fan the flames or anything. Just wanted to point out that
: the vulnerability is greater than an interested party might like to
: admit.
:
: Cheers,
:
: Jim
Didn't mean to minimize it so much; sorry if that's what it sounded like, and your advice is good too. Guess I was reacting to the end of the world post preceding.
Pop
Pop wrote...

Your reaction was well reasoned (I share it), and I agree that it's "not the impending doom" that it's been portrayed as. Jeez, we've heard so much over-reaching gloom about computer viruses and the like -- remember Y2K? -- that it's only natural and right to downplay the latest.
I only wanted to point out that many folks wouldn't be able to avoid infection from a maliciously designed web page simply by avoiding WMFs. However, I seriously doubt many will be hit by such pages, for a number of reasons we don't need to go into here. So, not so easy to avoid if encountered, but not much of a threat, either.
Jim
On Thu, 5 Jan 2006 06:25:39 -0700, Jim Wilson

I am running w/98 and I got a WMF the other day that wouldn't play. It said the file was corrupt. I am guessing this was the virus.
The snipped-for-privacy@aol.com entity posted thusly:

To paraphrase an old expression...
Never attribute to malice, that which can be explained by the weaknesses of Microsoft.
Larry
--
There are 10 kinds of people --
those who understand binary, and those who don't.
