And Just One More Thing

Mainly computer and world related comments and postings.

Thursday, January 05, 2006

The tense period has passed. Thankfully. And no one was hurt.

Unless you consider over a million infected PCs to mean that no one was hurt.

I don't know how I feel about it. On the one hand, one million PCs is nothing if you're Microsoft, but on the other hand, if you're grandma and one of those computers happens to be yours, it hurts quite a bit. Especially if grandma has to take her computer to the local 'pc discount store' and pay them $100.00 to clean it up. I don't know about you, but it's not something that makes me all warm and fuzzy.

So, if you haven't heard, Microsoft have released their patch for the .wmf vulnerability today. You can get it by visiting the Windows Update site at:
Their Web Based Update Site

Here are instructions for any of you that applied the third-party patch and unregistered your .dll file.

1. Reboot your system to clear any vulnerable files from memory.
2. Download and apply the new patch from the above-mentioned site.
3. Reboot.
4. Uninstall the unofficial patch, using one of these methods:
a. Add/Remove Programs on single systems. Look for "Windows WMF Metafile Vulnerability HotFix".
b. Or at a command prompt:
"C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT
c. Or, if you used MSI to install the patch on multiple machines, you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5. Re-register the .dll if you previously unregistered it (use the same command as before but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6. Optionally, reboot one more time just for good measure (not required, but it doesn't hurt).

We tested the patch, and it does block the attack just like the unofficial patch does.

I'm very happy that the patch has finally been released and that we can go back to normal. Having said that, it still doesn't help the millions and millions of users out there that don't have automatic updates turned on and that don't even know there is a vulnerability out there in the first place. However, at least we've done our part to help educate users about the dangers, and if it helped minimize any virus infections, it was worth it. Again, pass on the word or links to this website to help do your part.

The only last remaining bit of uncomfortable feeling I have now is the fact that this patch was only released for Win2K, Win2003, and WinXP. What about the millions of Win98 and WinME boxes out there? A lot of people keep running Windows 98 because it's a great platform to run games on. Since these computers won't be getting updates, there is still the potential of a pretty nasty virus and/or worm to take advantage of the vulnerability. I guess we'll just have to wait and see. And that's exactly what Microsoft is doing.


Tuesday, January 03, 2006

So far we've had a quiet day. That's a good thing.

The bad news? People are working on the next big payload for the .wmf vulnerability right now. (Hopefully they won't be able to release it before the Microsoft patch becomes available.)

How will it arrive? An instant messenger? ... Imagine an image appears in your IM window, perhaps attached as an avatar for someone's profile, and 'bam', you're infected. And guess what. Your machine now looks at your entire IM contact list and manages to send out to everyone you have in your contact list. How long would it take to infect millions of machines with IM? How about Email? One email message sent to someone with the "Preview" pane turned on and, once again, you're hit. And, of course, Outlook can easily manage to send out a nice little email to all your friends in your address book. What about a hacked advertising service? You visit and an exploited advertisement for Viagra pops up, infecting your machine and the other million or so people viewing the page at the same time.

So anyway, here we are. Microsoft has some pretty worthless information regarding the issue at present:
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

Of course everyone is jumping all over the oxymoronic "Microsoft's intelligence sources" bit in their informational release. Pretty funny, indeed.

Per my previous blog entry regarding unregistering the offending .dll, Microsoft also recommends:
~ user awareness, not surfing to “bad” places and all other sorts of generic solutions that are not relevant to this problem.
~ to keep anti-virus signatures up to date - but tests show that many anti-virus products trigger only on the payload if they trigger at all. And the payload of the successful massive attack will be new, mitigating AV signature defenses.

There is an interesting PowerPoint presentation available for download here. If you'd like a PDF version instead, get it here. It's a little cryptic (as most PowerPoint presentations go), however there is great information and some good tidbits to glean from it. It's definitely recommended reading.

I'm going to continue posting information and updates as this situation progresses. Additionally, I'll keep my fingers crossed that something doesn't come out over the next 7 days. Currently Microsoft have said that they'll release a patch on January 10th. Time will tell if it's too little too late.

If anyone needs help buying macs or configuring new linux boxes, let me know ;)


Monday, January 02, 2006

What's with the .wmf vulnerability this time?

This is going to be big, folks!!!

I mean here is a vulnerability we've known about and along comes a sideswiping release of proof of concept code during, no less, the New Year's celebration weekend. What gives? I don't really understand the thought process that goes through the minds of some people. Why do we all have to have our Holiday weekends ruined by something like this? Maybe it's that old mantra, "No rest for the wicked"?

So folks, if you aren't aware, please take the time to learn about this issue. Right now there is no Microsoft patch available and we're all essentially sitting ducks unless you happen to be using an operating system that isn't vulnerable (i.e. any OS that Microsoft hasn't released).

Essentially the problem with this vulnerability is this: You load a compromised .wmf file on your system (and it doesn't have to be a .wmf extension, it could also be a .gif, .jpg, .jpeg or a myriad of other extensions) and you're going to be toast. Okay, maybe that's a bit harsh, but to understand it better, read the f-secure weblog for more information. And since the file extension doesn't matter at this point, it's essentially destroying any hope of using an Antivirus signature to help thwart it. i.e. No McAfee or Norton to help us out this time.

"Just trust us" is what's coming out of the Internet Storm Center. Personally, I have applied the patch and unregistered the offending .dll on my test system and I've seen, so far, that it's still okay. Unfortunately the people behind the operating system running most of the world's PCs are conspicuously quiet at this point. Granted their last official word was from December 30th, but that isn't adequate at this point. I shudder to think what is going to happen tomorrow morning when offices start opening back up after the long weekend and holiday festivities. I for one will be crossing my fingers all this week.

My instructions are as follows:
Open up cmd.exe and execute the following line without the quotes:
"regsvr32 -u %windir%\system32\shimgvw.dll"
(To re-register the .dll if you feel like it for some reason, just run the command but remove the "-u" from the above line)

And then, after you have done that, run this patch:

What does the patch do and how does it work? (Pulled from
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
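The SETABORTPROC detail above is also what a defender can look for on disk or in mail attachments: a metafile that is supposed to be a picture has no legitimate reason to carry an Escape record with that sub-function, so that record is the property a detection signature can key on regardless of the file extension. The following Python scanner is an added example, not code from this post or from the hotfix's author; it assumes only the public WMF layout (optional 22-byte placeable header, 18-byte METAHEADER, then records of DWORD size-in-words, WORD function number, parameters) and uses constructed sample files.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus "placeable" header
META_ESCAPE = 0x0626          # WMF record that maps to a GDI Escape() call
SETABORTPROC = 0x0009         # Escape sub-function abused by the exploit
META_EOF = 0x0000

def find_setabortproc(data):
    """Return byte offsets of META_ESCAPE records whose sub-function is
    SETABORTPROC. Parsing stops at the first malformed record; exploit
    files are often deliberately malformed, so an early stop is itself
    worth logging rather than treating the file as clean."""
    hits, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                      # skip the placeable header
    if len(data) < off + 18:
        return hits                   # too short to hold a METAHEADER
    off += 18                         # METAHEADER (mtHeaderSize is always 9 words)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_bytes = size_words * 2
        if rec_bytes < 6 or off + rec_bytes > len(data):
            break                     # zero-length (would loop forever) or truncated
        if func == META_EOF:
            break
        if func == META_ESCAPE and rec_bytes >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += rec_bytes
    return hits

def make_record(func, params=b""):
    """Build one WMF record: DWORD size in 16-bit words, WORD function, params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records, placeable=False):
    """Construct a minimal disk metafile around the records (constructed test data)."""
    body = b"".join(records) + make_record(META_EOF)
    hdr = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    pre = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 if placeable else b""
    return pre + hdr + body

# Constructed samples: a harmless metafile and one carrying the suspicious escape.
BENIGN = build_wmf([make_record(0x020C, struct.pack("<HH", 100, 100))])  # META_SETWINDOWEXT
SUSPECT = build_wmf([make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, find_setabortproc(blob))
```

Because the check is on record content rather than on the name or extension of the file, it applies equally to a .wmf renamed to .jpg or .gif, which is the renaming trick described earlier in this post.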

This is an untested patch (other than the bulk of the security community that has tested and verified the patch) so use at your own risk, however, right now it's safer to apply this patch and unregister the .dll than to sit and wait for your PC and network to become infected.

I hope that this ends up being a small blip in the overall scheme of security issues for 2006, but I'm a bit more afraid that this could be the worst security issue this year if not this decade. Time will tell.

The more people that communicate this issue the better. Help spread the word.