#1
Posted to rec.audio.pro

Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical

Opera 8.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Not critical

Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
Secunia Advisory: SA18255
Release Date: 2005-12-28
Last Update: 2005-12-29
Critical: Extremely critical

http://secunia.com/

Graham
#2

"Pooh Bear" wrote ...
> Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical

Secunia seems to be trying to make a name for themselves. CERT and the other virus-tracking entities aren't nearly as breathlessly concerned as Secunia appears to be. Perhaps they should see that "Chicken Little" movie.
#3

Richard Crowley wrote:
> "Pooh Bear" wrote ...
>> Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
>
> Secunia seems to be trying to make a name for themselves. CERT and the other virus-tracking entities aren't nearly as breathlessly concerned as Secunia appears to be. Perhaps they should see that "Chicken Little" movie.

Secunia simply seems to have been on the ball. F Secure has also been in the forefront. Your response is typical "oh it won't happen to me". I have never known a security flaw before where the infection takes place without a user click. *And* can happen by merely visiting a website.

Although my PC actually passes the only known security test for this problem so far available I have moved to using the Opera browser. It's very good. I would recommend it.

"Monday, January 2, 2006
Targeted WMF email attacks
Posted by Mikko @ 12:17 GMT

Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today. A new WMF exploit file was spammed to a targeted list of a few dozen high-profile email addresses. The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com. What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit."

http://www.f-secure.com/weblog/

There is apparently a live WMF virus out there masquerading as a joke jpeg file btw.

Graham
#4

"Pooh Bear" wrote in message ...
> Richard Crowley wrote:
>> "Pooh Bear" wrote ...
>>> Microsoft Internet Explorer 6.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
>>
>> Secunia seems to be trying to make a name for themselves. CERT and the other virus-tracking entities aren't nearly as breathlessly concerned as Secunia appears to be. Perhaps they should see that "Chicken Little" movie.
>
> Secunia simply seems to have been on the ball. F Secure has also been in the forefront. Your response is typical "oh it won't happen to me". I have never known a security flaw before where the infection takes place without a user click. *And* can happen by merely visiting a website.
>
> Although my PC actually passes the only known security test for this problem so far available I have moved to using the Opera browser. It's very good. I would recommend it.
>
> "Monday, January 2, 2006
> Targeted WMF email attacks
> Posted by Mikko @ 12:17 GMT
>
> Our colleagues and business partners at Messagelabs have stopped a very interesting WMF attack today. A new WMF exploit file was spammed to a targeted list of a few dozen high-profile email addresses. The email urged recipients to open the enclosed MAP.WMF file - which exploited the computer and downloaded a backdoor from www.jerrynews[dot]com. What makes the case really interesting was the cloak-and-dagger language used in the email which was spoofed to originate from US State Department's security unit."
>
> http://www.f-secure.com/weblog/
>
> There is apparently a live WMF virus out there masquerading as a joke jpeg file btw.
>
> Graham

I browse in Virtual PC, so there's absolutely no chance of catching this thing outside of the sandbox for me.
#5

"Pooh Bear" wrote ...
> Your response is typical "oh it won't happen to me".

McAfee rates it as "low". My computer was automatically patched for it via my subscription.
#6

Richard Crowley wrote:
> "Pooh Bear" wrote ...
>> Your response is typical "oh it won't happen to me".
>
> McAfee rates it as "low".

McAfee also don't have a clue IMHO. I stopped using their products ages ago. Over-rated, over-priced and under-performing. They trade on their name.

> My computer was automatically patched for it via my subscription.

Considering that *Microsoft haven't released a patch*, that's pretty impressive!

Graham
#7

Pooh Bear wrote:
> Although my PC actually passes the only known security test for this problem so far available I have moved to using the Opera browser. It's very good. I would recommend it.

What test is this? How can I test my PC? Is there a web site with a non-destructive version of the virus that I can visit?

I have looked at Opera in the past and dammit I don't want to get accustomed to a new user interface.
#8

Pooh Bear wrote:
> Your response is typical "oh it won't happen to me".

It won't happen to me, because I won't put a Microsoft operating system on the network.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
#9

Mike Rivers wrote:
> Pooh Bear wrote:
>> Although my PC actually passes the only known security test for this problem so far available I have moved to using the Opera browser. It's very good. I would recommend it.
>
> What test is this? How can I test my PC? Is there a web site with a non-destructive version of the virus that I can visit?

I've posted the file at alt.binaries.schematics.electronics

> I have looked at Opera in the past and dammit I don't want to get accustomed to a new user interface.

That kinda troubled me too. Don't worry. It's a breeze. I'm sold already (and I'm *fussy*) - can't see me going back to IE. The page rendering is delightfully fast. IE looks like a slug in comparison.

In any event why not just try it to see?

Graham
#10

Pooh Bear wrote:
>> What test is this? How can I test my PC? Is there a web site with a non-destructive version of the virus that I can visit?
>
> I've posted the file at alt.binaries.schematics.electronics

Oh, well. I don't download files from newsgroups. It seems that's one of the best places to get viruses.

I tried Opera when it was new, and probably still unfinished. I don't like to install stuff haphazardly since uninstallations are rarely complete, and I don't have a test machine set aside that I can re-install from scratch any time. So, no thanks, I'll take my chances and stick with Netscape.

I rarely go to web sites that don't have a pretty good pedigree, so unless some place that I visit regularly (typically for an on-line forum, or an audio equipment manufacturer) gets infected without their knowledge, probably by hacker infiltration, I'm reasonably safe. The only time I ever get e-mail with files attached that don't come from someone that I know and that I'm expecting is through my Yahoo mail account, and that's pretty well protected. Besides, I almost never open those messages anyway.
#11

Mike Rivers wrote:
> Pooh Bear wrote:
>>> What test is this? How can I test my PC? Is there a web site with a non-destructive version of the virus that I can visit?
>>
>> I've posted the file at alt.binaries.schematics.electronics
>
> Oh, well. I don't download files from newsgroups. It seems that's one of the best places to get viruses.

http://www.hexblog.com/2006/01/wmf_v...y_checker.html

> I tried Opera when it was new, and probably still unfinished. I don't like to install stuff haphazardly since uninstallations are rarely complete, and I don't have a test machine set aside that I can re-install from scratch any time. So, no thanks, I'll take my chances and stick with Netscape.

Ok but I installed Opera and haven't regretted it. Quite the reverse actually.

> I rarely go to web sites that don't have a pretty good pedigree, so unless some place that I visit regularly (typically for an on-line forum, or an audio equipment manufacturer) gets infected without their knowledge, probably by hacker infiltration, I'm reasonably safe. The only time I ever get e-mail with files attached that don't come from someone that I know and that I'm expecting is through my Yahoo mail account, and that's pretty well protected. Besides, I almost never open those messages anyway.

You *know* that's insecure though?

Graham
#12

"Pooh Bear" wrote...
> Richard Crowley wrote:
>> McAfee rates it as "low".
>
> McAfee also don't have a clue IMHO. I stopped using their products ages ago. Over-rated, over-priced and under-performing. They trade on their name.

Thank you for sharing with us. Multi-billion dollar high-tech international corporations with staffs of dozens of engineers who are dedicated to network threat protection appear to have faith in McAfee. Maybe you should offer your services to these poor clueless customers.

>> My computer was automatically patched for it via my subscription.
>
> Considering that *Microsoft haven't released a patch*, that's pretty impressive!

Virus scanning works by detecting the virus signature in any file you open (including images, etc. in web pages.) OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.
#13

Richard Crowley wrote:
> "Pooh Bear" wrote...
>> Richard Crowley wrote:
>>> McAfee rates it as "low".
>>
>> McAfee also don't have a clue IMHO. I stopped using their products ages ago. Over-rated, over-priced and under-performing. They trade on their name.
>
> Thank you for sharing with us. Multi-billion dollar high-tech international corporations with staffs of dozens of engineers who are dedicated to network threat protection appear to have faith in McAfee. Maybe you should offer your services to these poor clueless customers.
>
>>> My computer was automatically patched for it via my subscription.
>>
>> Considering that *Microsoft haven't released a patch*, that's pretty impressive!
>
> Virus scanning works by detecting the virus signature in any file you open (including images, etc. in web pages.)

McAfee *may* have patched their AV.

> OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.
#14

Richard Crowley wrote:
> OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.

And there is no currently available OS patch.

Graham
#15

"Pooh Bear" wrote ...
> McAfee *may* have patched their AV.

http://us.mcafee.com/virusInfo/defau...virus_k=137760
#16

"Pooh Bear" wrote ...
> Richard Crowley wrote:
>> OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.
>
> And there is no currently available OS patch.

Which is why we *also* need virus detection. But you knew that, too.
#17

Pooh Bear wrote:
> Richard Crowley wrote:
>> OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.
>
> And there is no currently available OS patch.

There are a couple good workarounds. My wife, who actually knows something about Windows (which is a lot more than I can say) says that you can configure most browsers except IE to use an internal rendering engine rather than the Microsoft one. This basically fixes the problem, unless you're using IE, in which case you probably have so many other bugs to worry about....
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
#18

"Scott Dorsey" wrote in message ...
> Pooh Bear wrote:
>> Richard Crowley wrote:
>>> OS patches work by closing the loophole in the code that the virus exploits. But I'm sure you knew that.
>>
>> And there is no currently available OS patch.
>
> There are a couple good workarounds. My wife, who actually knows something about Windows (which is a lot more than I can say) says that you can configure most browsers except IE to use an internal rendering engine rather than the Microsoft one. This basically fixes the problem, unless you're using IE, in which case you probably have so many other bugs to worry about....
> --scott
> --
> "C'est un Nagra. C'est suisse, et tres, tres precis."

Here's the latest info with workarounds if you wish to use IE.

http://isc.sans.org/diary.php?rss&storyid=994
#19

Gibson Research is a web site that I trust. OK, so I'm vulnerable, and I downloaded the temporary patch. What else does it disable? What function or functions will I no longer have? Chances are it's something I'll never notice. If that's the case, I'll probably forget to remove it.
#20

The following Wikipedia page discusses the status of this issue, as of today.

Although my Security is set to High for most sites, I followed the suggestion to set the default execution for WMF files to Notepad. It takes just a few seconds to do this. In Windows Explorer, select Tools > Folder Options > File Types. Either change the existing association, or, if one does not exist, create a new one. You can remove it later, once Microsoft corrects the problem (presumably next Tuesday).
#21

William Sommerwerck wrote:
> Although my Security is set to High for most sites, I followed the suggestion to set the default execution for WMF files to Notepad.

That's pretty clever. But wouldn't it be just as effective to delete WMF from the list of known file type associations? That way if one comes up, it'll ask what to open it with, and I probably won't know so I'll just cancel it. My Win2K machine didn't have WMF listed, but my WinXP does. It's now associated with Notepad rather than the graphics viewer.
#22

Mike Rivers wrote:
> William Sommerwerck wrote:
>> Although my Security is set to High for most sites, I followed the suggestion to set the default execution for WMF files to Notepad.
>
> That's pretty clever. But wouldn't it be just as effective to delete WMF from the list of known file type associations? That way if one comes up, it'll ask what to open it with, and I probably won't know so I'll just cancel it. My Win2K machine didn't have WMF listed, but my WinXP does. It's now associated with Notepad rather than the graphics viewer.

But how do you cope with the wmf files that have been renamed to jpg?

Graham
#23

"Pooh Bear" wrote ...
> But how do you cope with the wmf files that have been renamed to jpg?

By using a virus scanner which checks every file (regardless of file extension or file association) when you ask to open it.
#24

Mike Rivers wrote:
> But wouldn't it be just as effective to delete WMF from the list of known file type associations? That way if one comes up, it'll ask what to open it with, and I probably won't know so I'll just cancel it. My Win2K machine didn't have WMF listed, but my WinXP does. It's now associated with Notepad rather than the graphics viewer.

That won't save you. Windows recognizes WMF files by something inside them. So there is no need for them to have a WMF extension. They can be called *.jpg and still do the same damage.
#25

Richard Crowley wrote:
> "Pooh Bear" wrote ...
>> But how do you cope with the wmf files that have been renamed to jpg?
>
> By using a virus scanner which checks every file (regardless of file extension or file association) when you ask to open it.

I keep my virus definitions up to date as well, but this particular flaw leaves a target computer much more vulnerable than most of the others that have been discovered. Hence, the expectation is that many virus writers will attempt to exploit it in the near term - many more than "usual". It is quite possible that you will encounter such a virus BEFORE Symantec or McAfee have had the chance to identify it and distribute a signature for it. Even in the best of cases, it can take a week for the antivirus vendors to respond to a given threat. In most cases, that's quick enough, but it may not be in this case.
#26

"Jim Gilliland" wrote ...
> It is quite possible that you will encounter such a virus BEFORE Symantec or McAfee have had the chance to identify it and distribute a signature for it. Even in the best of cases, it can take a week for the antivirus vendors to respond to a given threat. In most cases, that's quick enough, but it may not be in this case.

Dunno about Symantec, but McAfee had it covered about a week ago. They released an updated signature file the same day it was discovered, and my computer was automatically updated that same day.
#27

Jim Gilliland wrote:
> That won't save you. Windows recognizes WMF files by something inside them. So there is no need for them to have a WMF extension. They can be called *.jpg and still do the same damage.

If it's just a graphic file, it's no problem. I thought the trick that people were pulling was to name an executable file with an extension that sends them someplace where they'll be opened automatically, which starts executing them.

Nobody is safe any more. Throw away your computer and take up the trombone.
#28

"Mike Rivers" wrote in message oups.com...
> Nobody is safe any more. Throw away your computer and take up the trombone.

And then NOBODY would be safe...
--
Dave Martin
Nashville, TN
Java Jive Studio www.javajivestudio.com
Cuppa Joe Records www.cuppajoerecords.com
#29

"Mike Rivers" wrote ...
> If it's just a graphic file, it's no problem. I thought the trick that people were pulling was to name an executable file with an extension that sends them someplace where they'll be opened automatically, which starts executing them.
>
> Nobody is safe any more. Throw away your computer and take up the trombone.

Somebody should come up with an application that scans ANY file when you open it to see if it is infected. Oh, wait, we already have that functionality. It is called a virus scanner! The ONE time I've been infected in the last 10 years was when I wasn't running a virus scanner.
#30

Richard Crowley wrote:
> "Jim Gilliland" wrote ...
>> It is quite possible that you will encounter such a virus BEFORE Symantec or McAfee have had the chance to identify it and distribute a signature for it. Even in the best of cases, it can take a week for the antivirus vendors to respond to a given threat. In most cases, that's quick enough, but it may not be in this case.
>
> Dunno about Symantec, but McAfee had it covered about a week ago. They released an updated signature file the same day it was discovered, and my computer was automatically updated that same day.

OK, that covers one such virus. What about the dozens of others that are being released right now that McAfee knows nothing about? Since these viruses, unlike nearly all others, can infect a machine without any overt action on the part of the user, it is possible that they will propagate much more quickly than others have. So while keeping your virus definition file up to date is a very good idea, it is far from a complete solution. You could be infected tomorrow with a virus that McAfee won't know about for a week. That's always been true, but this threat appears to increase the likelihood significantly.

And I hope no one thinks that changing a browser is a complete solution either. The web is only one of several ways for a virus like this to get into your system.

I expect Microsoft to have a patched DLL out very quickly. They really can't afford not to.
#31

Mike Rivers wrote:
> Jim Gilliland wrote:
>> That won't save you. Windows recognizes WMF files by something inside them. So there is no need for them to have a WMF extension. They can be called *.jpg and still do the same damage.
>
> If it's just a graphic file, it's no problem. I thought the trick that people were pulling was to name an executable file with an extension that sends them someplace where they'll be opened automatically, which starts executing them.

It's more complicated than that. The Windows Media format has a mechanism that allows it to execute scripts. The capabilities of the scripts are quite limited, and are ordinarily harmless. But apparently someone discovered a flaw in the code that executes the scripts that can force it to branch outside of its own boundaries. So they simply put the malicious code into the WMV file (Windows just assumes that it IS graphic data), then use the buggy scripting DLL to branch to it. Once it gets control, it infects your system.

Unfortunately, WMV scripts can get executed without any overt action from the user. If the file is picked up by a browser, or an email program with a preview function, or even the "thumbnail" capability of the Windows file explorer, the script gets executed and your computer gets infected. Windows has been plagued with security flaws like this for years, but this is the first one that I've seen that doesn't require the user to do something stupid to trigger the problem.

Incidentally, I'm probably oversimplifying the mechanism in my description above, but that's the basic idea. And if I'm reading the situation correctly, the DLL that's causing all the trouble is actually obsolete. The functions that it provides are no longer the normal way to handle this - they only exist for backward compatibility.

> Nobody is safe any more. Throw away your computer and take up the trombone.

If only someone would pay me to play the trombone. Unfortunately, the closest I might come would be to get someone to pay me to stop.
#32

Richard Crowley wrote:
> "Pooh Bear" wrote ...
>> McAfee *may* have patched their AV.
>
> http://us.mcafee.com/virusInfo/defau...virus_k=137760

Richard, this reports on only a single exploit of the flaw. Exploits will be appearing as fast as the spoilers can make them. The flaw is _not_ a virus, it is a difficult flaw within the system and MS has not published a fix. The flaw can be exploited to launch viruses and then the virus scanners have a chance at them but since arbitrary code can be executed under the flaw from within these file types without the opportunity of anti-virus protection software to intervene, only an OS patch can plug this and that has not been forthcoming. You are not doing anyone a favor by ignorantly minimizing the arbitrary damage that can be done by exploiting this flaw.

Anyone, if you have the ability to back your system up to a removable drive, do so and remove it while there is still a time window during which you can.

Bob
--
"Things should be described as simply as possible, but no simpler." A. Einstein
#33

Richard Crowley wrote:
> "Pooh Bear" wrote ...
>> But how do you cope with the wmf files that have been renamed to jpg?
>
> By using a virus scanner which checks every file (regardless of file extension or file association) when you ask to open it.

Christ! Associations do nothing for this problem. You do not have to open a file to get hit. In rendering a web page from a browser, opening and displaying such files is done intrinsically. At that point, arbitrary code that has been placed within the file is allowed to run if set up properly. No virus scanner works at this low a level. Please stop minimizing this.

Bob
--
"Things should be described as simply as possible, but no simpler." A. Einstein
#34

Richard Crowley wrote:
> "Mike Rivers" wrote ...
>> If it's just a graphic file, it's no problem. I thought the trick that people were pulling was to name an executable file with an extension that sends them someplace where they'll be opened automatically, which starts executing them.
>>
>> Nobody is safe any more. Throw away your computer and take up the trombone.
>
> Somebody should come up with an application that scans ANY file when you open it to see if it is infected. Oh, wait, we already have that functionality. It is called a virus scanner! The ONE time I've been infected in the last 10 years was when I wasn't running a virus scanner.

I advise you to take no precautions, Richard. Everyone else, take this very seriously. Virus scanners are of no benefit for this one. It isn't a virus!

Bob
--
"Things should be described as simply as possible, but no simpler." A. Einstein
#35

Jim Gilliland wrote:
> Incidentally, I'm probably oversimplifying the mechanism in my description above, but that's the basic idea. And if I'm reading the situation correctly, the DLL that's causing all the trouble is actually obsolete. The functions that it provides are no longer the normal way to handle this - they only exist for backward compatibility.

The Microsoft "temporary fix" is to unregister shimgvw.dll. Is that the obsolete DLL?

According to the Microsoft note, this disables the thumbnail view in Windows Explorer (not Internet Explorer - I wish they hadn't named them the same) and the Windows Image and Fax viewer. I don't know if I've ever used the Image and Fax Viewer, and I don't use the thumbnail view in Explorer, so I guess I wouldn't miss it. But those sound like current functions and losing them might be inconvenient or even traumatic for some. Perhaps there are two paths to this view function, via shimgvw.dll and some other route.
#36

Mike Rivers wrote:
> Jim Gilliland wrote:
>> Incidentally, I'm probably oversimplifying the mechanism in my description above, but that's the basic idea. And if I'm reading the situation correctly, the DLL that's causing all the trouble is actually obsolete. The functions that it provides are no longer the normal way to handle this - they only exist for backward compatibility.
>
> The Microsoft "temporary fix" is to unregister shimgvw.dll. Is that the obsolete DLL?

No, that's the DLL that is called by the application, but the actual problem code is located in a lower level DLL called GDI32. And I didn't mean to imply that the entire DLL was obsolete, just the particular function "Escape(SETABORTPROC)" that is causing all the trouble.

Disabling the "shimgvw" DLL may solve the problem, but also removes some current Windows functionality. In addition, there is some concern that a "smart" virus may come along and re-register the DLL, then take advantage of its vulnerability. You could rename or delete the DLL, but Windows also has "file protection" - which will detect the missing file and replace it. So we really do need a fix from Microsoft to put this thing to bed.

There is also some concern that there may be other routes within the myriad DLLs that make up Windows to allow a virus to exploit the Escape function of GDI32. The path through shimgvw.dll is the only one that has been discussed publicly, but it is certainly possible that there are other Windows functions that can also trigger the vulnerability. So unregistering shimgvw.dll isn't a surefire cure.

Unregistering the DLL is certainly a smart move, though. You can also try using a temporary - and very unofficial, since it didn't come from Microsoft - patch that was referenced earlier in this thread. The patch simply adds a new DLL that intercepts the obsolete call and renders it harmless. The patch is described here: http://isc.sans.org/diary.php?rss&storyid=994

The good thing about this patch is that it actually traps the specific function within GDI32. So even if some malicious coder discovers another path to reach it, this patch should protect you. But again, it's not official, and we really have no way of knowing how thoroughly it solves the problem - or if it really solves it at all!

> According to the Microsoft note, this disables the thumbnail view in Windows Explorer (not Internet Explorer - I wish they hadn't named them the same) and the Windows Image and Fax viewer. I don't know if I've ever used the Image and Fax Viewer, and I don't use the thumbnail view in Explorer, so I guess I wouldn't miss it. But those sound like current functions and losing them might be inconvenient or even traumatic for some. Perhaps there are two paths to this view function, via shimgvw.dll and some other route.
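Added example, written for this page and not code from any poster, from Microsoft, or from the unofficial patch discussed above. It does in Python what posts #24 and #36 describe: it recognises a WMF by its headers rather than its extension (so a renamed .jpg is still a WMF), then walks the record stream looking for a META_ESCAPE record whose escape sub-function is SETABORTPROC, the GDI32 Escape() call the thread names. The header and record layouts follow the published WMF format; the sample files are constructed inside the code, and the escape data in the suspicious sample is filler bytes, not a payload. The function names, the placeable-header sample values and the verdict strings are this example's own choices.

```python
import struct

# Layout constants from the Windows Metafile (WMF) format.
PLACEABLE_KEY = 0x9AC6CDD7       # Aldus placeable header magic (bytes D7 CD C6 9A)
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009     # the Escape() sub-function abused by the exploit


def make_record(func, params=b""):
    """Build one record: Size in 16-bit words, RecordFunction, parameters."""
    body = struct.pack("<H", func) + params
    if len(body) % 2:                      # records are word aligned
        body += b"\x00"
    return struct.pack("<I", (4 + len(body)) // 2) + body


def make_wmf(records, placeable=False):
    """Wrap records in a META_HEADER, optionally preceded by a placeable header."""
    body = b"".join(records)
    header = struct.pack(
        "<HHHIHIH",
        2, META_HEADER_LEN // 2, 0x0300,          # Type (disk), HeaderSize (words), Version
        (META_HEADER_LEN + len(body)) // 2,       # Size of the whole metafile in words
        0, max(len(r) for r in records) // 2, 0,  # NumberOfObjects, MaxRecord, unused
    )
    out = header + body
    if placeable:
        # Key, HWmf, bounding box (l, t, r, b), Inch, Reserved, then a checksum
        # that is the XOR of the ten preceding 16-bit words (sample values assumed).
        pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for i in range(0, 20, 2):
            checksum ^= struct.unpack_from("<H", pre, i)[0]
        out = pre + struct.pack("<H", checksum) + out
    return out


def scan_wmf(data):
    """Recognise a WMF by its headers (never by name) and walk its records.

    Returns is_wmf, placeable, records (function codes seen), setabortproc
    (list of (record offset, escape byte count)) and malformed."""
    result = {"is_wmf": False, "placeable": False, "records": [],
              "setabortproc": [], "malformed": False}
    offset = 0
    if (len(data) >= PLACEABLE_HEADER_LEN
            and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY):
        result["placeable"] = True
        offset = PLACEABLE_HEADER_LEN
    if len(data) < offset + META_HEADER_LEN:
        return result
    mtype, hsize, version = struct.unpack_from("<HHH", data, offset)
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return result
    result["is_wmf"] = True
    offset += META_HEADER_LEN
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        result["records"].append(func)
        # Look at the escape before trusting the Size field, so a record with a
        # bogus size, or a truncated file, is still flagged.
        if func == META_ESCAPE and offset + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, offset + 6)
            if esc_func == ESCAPE_SETABORTPROC:
                result["setabortproc"].append((offset, byte_count))
        if func == META_EOF:
            break
        size = size_words * 2
        if size < 6 or offset + size > len(data):
            result["malformed"] = True     # Size runs past the data: stop here
            break
        offset += size
    return result


def classify(filename, data):
    """Verdict from content only; the extension just adds a mismatch note."""
    r = scan_wmf(data)
    if not r["is_wmf"]:
        return "not-wmf"
    verdict = "wmf-setabortproc" if r["setabortproc"] else "wmf-clean"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return verdict if ext == "wmf" else verdict + "-extension-mismatch"


# Constructed test inputs, not captured samples.
BENIGN_WMF = make_wmf([
    make_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    make_record(META_EOF),
])
FILLER = b"\x00" * 16   # placeholder escape data, deliberately not a payload
SUSPECT_WMF = make_wmf([
    make_record(META_ESCAPE,
                struct.pack("<HH", ESCAPE_SETABORTPROC, len(FILLER)) + FILLER),
    make_record(META_EOF),
], placeable=True)
```

Run it over a file's bytes, not its name: classify("funny.jpg", SUSPECT_WMF) reports wmf-setabortproc-extension-mismatch, which is the renamed-.jpg case the thread worries about. Two caveats a practitioner should keep in mind: the scanner reads the escape sub-function before it trusts the record's Size field, because a record with a bogus size or a truncated file is exactly the kind of input an attacker controls, and a match only says the file asks GDI to install an abort procedure, which is legitimate in a printer context, so treat it as a strong indicator in an image file rather than as proof.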
#37

Jim Gilliland wrote:
> You can also try using a temporary - and very unofficial, since it didn't come from Microsoft - patch that was referenced earlier in this thread. The patch simply adds a new DLL that intercepts the obsolete call and renders it harmless.

Yeah, I did that, too. Before installing that program, when I ran his test, it said I was vulnerable, and after installing it, the test said I was not. But then I don't suppose it's a very comprehensive test.

Now I wish I hadn't sold my trombone. I guess I could play the banjo instead.
#38

When you learn how to play the banjo with your lips, please let me know. ;-)

Tom

"Mike Rivers" wrote in message oups.com...
> Jim Gilliland wrote:
>> You can also try using a temporary - and very unofficial, since it didn't come from Microsoft - patch that was referenced earlier in this thread. The patch simply adds a new DLL that intercepts the obsolete call and renders it harmless.
>
> Yeah, I did that, too. Before installing that program, when I ran his test, it said I was vulnerable, and after installing it, the test said I was not. But then I don't suppose it's a very comprehensive test.
>
> Now I wish I hadn't sold my trombone. I guess I could play the banjo instead.
#39

I was forwarded an alert on this from a friend at Lawrence Berkeley Labs today. See

http://www.lbl.gov/cyber/vulnerabilities/wmf_vuln.html

They are recommending the following "unofficial" patch, which has been tested and approved by a number of security organizations including CERT, be downloaded and installed on all their windows computers until Microsoft comes out with something (expected next Tuesday Jan 10):

http://www.lbl.gov/cyber/vulnerabili..._hexblog14.exe

Not sure if this is the same patch described in the link below, but LBL wants their people to install this patch *instead of* unregistering shimgvw.dll, which they believe to be ineffective.

Fred Thompson
ft at peoplepc dot com

"Jim Gilliland" wrote in message ...
> Mike Rivers wrote:
>> Jim Gilliland wrote:
>>> Incidentally, I'm probably oversimplifying the mechanism in my description above, but that's the basic idea. And if I'm reading the situation correctly, the DLL that's causing all the trouble is actually obsolete. The functions that it provides are no longer the normal way to handle this - they only exist for backward compatibility.
>>
>> The Microsoft "temporary fix" is to unregister shimgvw.dll. Is that the obsolete DLL?
>
> No, that's the DLL that is called by the application, but the actual problem code is located in a lower level DLL called GDI32. And I didn't mean to imply that the entire DLL was obsolete, just the particular function "Escape(SETABORTPROC)" that is causing all the trouble.
>
> Disabling the "shimgvw" DLL may solve the problem, but also removes some current Windows functionality. In addition, there is some concern that a "smart" virus may come along and re-register the DLL, then take advantage of its vulnerability. You could rename or delete the DLL, but Windows also has "file protection" - which will detect the missing file and replace it. So we really do need a fix from Microsoft to put this thing to bed.
>
> There is also some concern that there may be other routes within the myriad DLLs that make up Windows to allow a virus to exploit the Escape function of GDI32. The path through shimgvw.dll is the only one that has been discussed publicly, but it is certainly possible that there are other Windows functions that can also trigger the vulnerability. So unregistering shimgvw.dll isn't a surefire cure.
>
> Unregistering the DLL is certainly a smart move, though. You can also try using a temporary - and very unofficial, since it didn't come from Microsoft - patch that was referenced earlier in this thread. The patch simply adds a new DLL that intercepts the obsolete call and renders it harmless. The patch is described here: http://isc.sans.org/diary.php?rss&storyid=994
>
> The good thing about this patch is that it actually traps the specific function within GDI32. So even if some malicious coder discovers another path to reach it, this patch should protect you. But again, it's not official, and we really have no way of knowing how thoroughly it solves the problem - or if it really solves it at all!
>
>> According to the Microsoft note, this disables the thumbnail view in Windows Explorer (not Internet Explorer - I wish they hadn't named them the same) and the Windows Image and Fax viewer. I don't know if I've ever used the Image and Fax Viewer, and I don't use the thumbnail view in Explorer, so I guess I wouldn't miss it. But those sound like current functions and losing them might be inconvenient or even traumatic for some. Perhaps there are two paths to this view function, via shimgvw.dll and some other route.
#40

Scott Dorsey wrote:
> Pooh Bear wrote:
>> Your response is typical "oh it won't happen to me".
>
> It won't happen to me, because I won't put a Microsoft operating system on the network.

Hell, I won't put any M$ software of any kind in any computer I own. My employer's win2K laptop does get connected to my home network, but it's their problem. And it beats driving 95 miles into the office every f^%#$& day. I don't think there's much risk in that one winbows box infecting any of my Debian boxes or my hardware router or print server. If it does, they don't want to see my next expense report,