Viruses now in jpg files? Gif files?

David H. Lipman

From: "Default User" <[email protected]>

|
| No.
|
| Additional protection can be gained by enabling DEP on Windows XP SP2 or
| 2003 Server OS.
|
| http://support.microsoft.com/kb/875352#kb2
| "The primary benefit of DEP is that it helps prevent code execution from
| data pages, such as the default heap pages, various stack pages, and memory
| pool pages. Typically, code is not executed from the default heap and the
| stack. Hardware-enforced DEP detects code that is running from these
| locations and raises an exception when execution occurs. If the exception
| is unhandled, the process will be stopped. Execution of code from protected
| memory in kernel mode causes a Stop error.
|
| DEP can help block a class of security intrusions. Specifically, DEP can
| help block a malicious program in which a virus or other type of attack has
| injected a process with additional code and then tries to run the injected
| code. On a system with DEP, execution of the injected code causes an
| exception. Software-enforced DEP can help block programs that take
| advantage of exception-handling mechanisms in Windows."
|
| Your best bet is to "turn on DEP for all programs".
|
| There are still no guarantees with DEP, but it is a far more proactive way
| of blocking zero-day vulnerabilities than waiting for M$ to create a patch.


http://www.microsoft.com/technet/security/advisory/912840.mspx

Choose "Frequently Asked Questions"

Q: I have DEP enabled on my system, does this help mitigate the vulnerability?

A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.
 
shplink

Wilbur said:
so what's the answer? Shift to Linux? Has anyone written the definitive
Linux system that can be sold OTC, with patches if necessary?

This whole image file problem could be a boon for Apple and the Mac.
I installed Ubuntu for a couple of relative computer newbies at their
home. They absolutely love it. Ubuntu, like most popular Linux
distributions has a built-in update manager.
It also comes with Open Office, GIMP, and a great number of applications
whose equivalents in the MS world cost a ton of money.
Most importantly, my noobs are not worried about virus or spyware attacks.

So why sell Linux? There are free distros that work wonderfully well!
 
Andy Walker

David said:
From: "Default User" <[email protected]>


|
| No.
|
| Additional protection can be gained by enabling DEP on Windows XP SP2 or
| 2003 Server OS.
|
| http://support.microsoft.com/kb/875352#kb2
| "The primary benefit of DEP is that it helps prevent code execution from
| data pages, such as the default heap pages, various stack pages, and memory
| pool pages. Typically, code is not executed from the default heap and the
| stack. Hardware-enforced DEP detects code that is running from these
| locations and raises an exception when execution occurs. If the exception
| is unhandled, the process will be stopped. Execution of code from protected
| memory in kernel mode causes a Stop error.
|
| DEP can help block a class of security intrusions. Specifically, DEP can
| help block a malicious program in which a virus or other type of attack has
| injected a process with additional code and then tries to run the injected
| code. On a system with DEP, execution of the injected code causes an
| exception. Software-enforced DEP can help block programs that take
| advantage of exception-handling mechanisms in Windows."
|
| Your best bet is to "turn on DEP for all programs".
|
| There are still no guarantees with DEP, but it is a far more proactive way
| of blocking zero-day vulnerabilities than waiting for M$ to create a patch.


http://www.microsoft.com/technet/security/advisory/912840.mspx

Choose "Frequently Asked Questions"

Q: I have DEP enabled on my system, does this help mitigate the vulnerability?

A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.

This is good information for those who have hardware DEP capabilities.
I wonder how many people who have gone with 64bit processors even use
this function (or maybe it's on by default)?

From the SANS article: http://isc.sans.org/diary.php?storyid=994

"With Windows XP SP2, Microsoft introduced DEP. It protects against a
wide range of exploits, by preventing the execution of 'data
segments'. However, to work well, it requires hardware support. Some
CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and
will prevent the exploit."
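The two posts above turn on the difference between hardware-enforced DEP (the CPU's NX/XD bit marking a page non-executable, which the SANS quote says AMD's 64-bit parts provide) and software-enforced DEP (XP SP2's SafeSEH check on exception-handler registrations, which the Microsoft advisory says does not stop this exploit). What the hardware form actually does is easiest to see outside Windows. The following is an added example, not code from either post: a POSIX C program that copies a few instruction bytes into a freshly mapped page and calls them, once with the page remapped executable and once while it is still an ordinary read/write data page. The stub bytes, the function name and the return codes are my own choices.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Position-independent machine code for "return 42", so the caller can tell
 * "the page executed" from "the CPU refused". A stand-in for injected code;
 * it is not shellcode. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char kStub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };           /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 }; /* mov w0,#42 ; ret */
#else
#error "demo supports x86, x86-64 and AArch64 only"
#endif

static sigjmp_buf g_recover;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(g_recover, 1);   /* unwind out of the faulting call */
}

/* Copies kStub into a fresh anonymous page and calls it.
 * make_executable=1 : page is remapped read+execute first (what a loader
 *                     or JIT does)                               -> 42
 * make_executable=0 : page stays read+write, i.e. a "data page" in DEP
 *                     terms; with the NX bit enforced the call faults -> -1
 * Returns -2 if mmap/mprotect fail. */
int run_from_page(int make_executable) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, kStub, sizeof kStub);
    if (make_executable && mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -2;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof kStub); /* needed on ARM */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report NX faults as SIGBUS */

    int result;
    if (sigsetjmp(g_recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);  /* avoid the data->function pointer cast warning */
        result = fn();                  /* this is the "execution from a data page" DEP blocks */
    } else {
        result = -1;                    /* we arrived here from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    printf("executable page : %d\n", run_from_page(1));
    printf("data page       : %d\n", run_from_page(0));
    return 0;
}
```

On an NX-capable CPU with the OS enforcing it, the second call faults and the program reports -1; that fault is the "exception" the KB article describes, and a process that does not handle it is terminated. On Windows XP SP2 the system-wide policy lives in the /noexecute switch in boot.ini (OptIn, OptOut, AlwaysOn, AlwaysOff); OptOut is what the "turn on DEP for all programs" radio button sets, and it still needs the CPU to support NX, which is why the advisory sends people to their hardware vendor.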
 
Andy Walker

[The above url is unreachable from my host due to security settings]

They have apparently lost their service. The web site now says
"Account for domain hexblog.com has been suspended". Does anyone know
if they were testing the exploit while entering the site?
 
Art 2-threepenny bits

Mr. Uh Clem said:
http://isc.sans.org/diary.php?storyid=994

(1 Jan)

* What versions of Windows are affected?

Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently
circulating exploits. Other versions may be affected to some extent. Mac
OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we
believe (untested) that your system is vulnerable and there will be no
patch from MS. Your mitigation options are very limited. You really need
to upgrade.


Are you bursting with a short question?

Shane

--


The Sugitive

Chapter One: http://tinyurl.com/bcevp

Chapter Two: http://tinyurl.com/ag92o

Chapter Three: Coming to an URL near you soon!

------------------------------------
 
kurt wismer

Virus said:
Windows PCs face ‘huge’ virus threat
By Kevin Allison in San Francisco

“The potential [security threat] is huge,” said Mikko Hyppönen,
chief research officer at F-Secure, an antivirus company. “It’s
probably bigger than for any other vulnerability we’ve seen. Any
version of Windows is vulnerable right now.”

Any version? Here is the IT industry falling right in line with
Microsoft, making sure that no-one knows that Windows 98 is immune to
this problem.

maybe you should read more about the problem... it was originally a
*feature* in windows 3.0 and exists in every version since then... w98
is not immune...
 
louise

Andy said:
Default User wrote:

The patch issued by http://www.hexblog.com/2005/12/wmf_vuln.html is a
MUCH more reliable solution and should be implemented.

[The above url is unreachable from my host due to security settings]


They have apparently lost their service. The web site now says
"Account for domain hexblog.com has been suspended". Does anyone know
if they were testing the exploit while entering the site?

I just got it now without any problem. Perhaps you should
lower your security settings long enough to download the patch.

Louise
 
Bill

They have apparently lost their service. The web site now says
"Account for domain hexblog.com has been suspended". Does anyone know
if they were testing the exploit while entering the site?


They likely got too many hits.
 
Andy Walker

louise said:
Andy Walker wrote:

I just got it now without any problem. Perhaps you should
lower your security settings long enough to download the patch.

Louise

I am able to load the page, but get the "account suspended" message.
The html code for wmf_vuln.html begins with "<TITLE>Site has been
suspended</TITLE>", which would indicate someone created the page and
is hosting it at the url http://www.hexblog.com/2005/12/wmf_vuln.html.

A whois on hexblog.com shows the domain status as "Active", so maybe
it's a hosting related issue. It certainly does look strange.

Try flushing your page cache for your browser and reload. See if you
get the new page with the "suspended" message. I cleared all mine and
still get it every time I attempt to load.
 
Andy Walker

Bill said:
They likely got too many hits.

That's what I was thinking. After checking the DNS entries it looks
like the site is being hosted at two separate sites with separate 'A'
records. I just tried the url again and got the page. It appears the
site hosted at 66.245.191.65 is the problem, where the one at
216.227.222.95 appears to be working correctly.
 
Virus Guy

kurt said:
maybe you should read more about the problem... it was originally
a *feature* in windows 3.0 and exists in every version since then...
w98 is not immune...

Then tell me which component of 98 (ie which dll, ocx, exe, etc) is
responsible for rendering or handling WMF files.

As I've said before, I have an application (ACDsee) that seems to
handle my WMF files (although they appear on my system with a corel
draw icon). When I click on the previously-mentioned test file
(browsercheck.wmf) I get a prompt to download the file. I do, then
double-click it, and ACDsee opens it - but complains about not being
able to load the standard plug-in "IDE_ACDStd.apl". I can't get all
the properties of that wmf file, but ACDSee says that it's 1020 x 1320
x 24 bits.

So again I ask what did Macro$haft ship with Win-3.x, or Win-9x, to
render or handle .wmf files?

What does Microsoft Office do with wmf files? Does office 2000 have a
native handler for wmf files?

And what exactly is the current problem?

Is it that WMF files include specifications for executable code?

Or is this a problem with ->mal-formed<- wmf files and how Win-NT
fails to check the parameters of wmf files and then trips over itself
trying to render the file (leading to some buffer over-run and then
running exploit code) -?
 
Virus Guy

Mr. Uh Clem said:
* What versions of Windows are affected?

Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable
and there will be no patch from MS.

Again I ask which component of Win-9x is responsible for handling .WMF
files. Or does it take, say, the installation of MS office (perhaps
Office 97, or office 2000) in order for Win-9x to be able to handle
wmf files? If so, what is the component responsible for wmf handling?
Your mitigation options are very limited. You really
need to upgrade.

Why? I've NEVER seen wmf files in web pages, and if they are there,
well I guess they shouldn't be.

Why the hell would I want to down-grade to a bloated and
over-complicated OS like XP? XP does NOTHING that I can't do in 98.
NOTHING!
 
Doc

As I've said before, I have an application (ACDsee) that seems to
handle my WMF files (although they appear on my system with a corel
draw icon). When I click on the previously-mentioned test file
(browsercheck.wmf) I get a prompt to download the file. I do, then
double-click it, and ACDsee opens it - but complains about not being
able to load the standard plug-in "IDE_ACDStd.apl". I can't get all
the properties of that wmf file, but ACDSee says that it's 1020 x 1320
x 24 bits.

So again I ask what did Macro$haft ship with Win-3.x, or Win-9x, to
render or handle .wmf files?

Also Win 9x here (Win ME). IrfanView handles .wmf files for me. When I open
a .wmf by double clicking it, IrfanView displays the image. The following
dll's are in use by Irfanview. Looks like GDI32.dll is the common factor.

Process: I_VIEW32.EXE   Pid: FD97465D

Name          Description                               Company Name            Version
ADVAPI32.DLL  Win32 ADVAPI32 core component             Microsoft Corporation   4.90.0000.3000
COMCTL32.DLL  Common Controls Library                   Microsoft Corporation   5.81.4916.0400
COMDLG32.DLL  Common Dialogs DLL                        Microsoft Corporation   5.50.4134.0100
GDI32.DLL     Win32 GDI core component                  Microsoft Corporation   4.90.0000.3000
i_view32.exe  IrfanView                                 Irfan Skiljan           3.09.0007.0000
KERNEL32.DLL  Win32 Kernel core component               Microsoft Corporation   4.90.0000.3000
MSVCRT.DLL    Microsoft (R) C Runtime Library           Microsoft Corporation   6.01.9844.0000
OLE32.DLL     Microsoft OLE for Windows and Windows NT  Microsoft Corporation   4.71.3328.0000
SHELL32.DLL   Windows Shell Common Dll                  Microsoft Corporation   5.50.4134.0100
SHLWAPI.DLL   Shell Light-weight Utility Library        Microsoft Corporation   6.00.2800.1740
USER32.DLL    Win32 USER32 core component               Microsoft Corporation   4.90.0000.3000
WINSPOOL.DRV  Win32 WINSPOOL core component             Microsoft Corporation   4.90.0000.3000

An odd thing I have just noted - I disassociated .wmf files so that there
is NO default application associated with .wmf files, and even after a
reboot double-clicking a .wmf file still starts up IrfanView.
 
Gabriele Neukam

On that special day, Art 2-threepenny bits,
([email protected]) said...

(huge full quote)
Are you bursting with a short question?

Shane,

I am not Peter Seiler, but still I can't understand why you are citing
38 lines, and put a question behind them, which doesn't even make sense
to me. What were you about to say?


Gabriele Neukam

 
Art 2-threepenny bits

Gabriele Neukam said:
On that special day, Art 2-threepenny bits,
([email protected]) said...

(huge full quote)


Shane,

I am not Peter Seiler, but still I can't understand why you are citing
38 lines, and put a question behind them, which doesn't even make sense
to me. What were you about to say?


Gabriele, the poster to whose post I replied will understand.

And you do seem a *little* like Peter, though you never have before. But,
hey, we can all have little out-of-character impulses from time-to-time!

The point of not snipping is to retain mystique. I'm sorry, but if you got
my response, you'd understand. imo it is about a social wisdom that
transcends the actual subject of the thread and of which I haven't seen
since The Rafters was here. Of course pretty much anyone who doesn't know
what it was about will probably disagree, and maybe they'd be right too,
even if also ignorant (in a logical rather than pejorative sense).


Shane

 
Mr. Uh Clem

Virus said:
Again I ask which component of Win-9x is responsible for handling .WMF
files. Or does it take, say, the installation of MS office (perhaps
Office 97, or office 2000) in order for Win-9x to be able to handle
wmf files? If so, what is the component responsible for wmf handling?

http://www.isc.sans.org/diary.php?date=2006-01-03 contains ppt and
pdf presentations explaining the problem. Given W98 is vulnerable
along with everything later, I would guess the architecture
has not changed.
Why? I've NEVER seen wmf files in web pages, and if they are there,
well I guess they shouldn't be.

But of course, one can't know what is in a page ahead of time.
Why the hell would I want to down-grade to a bloated and
over-complicated OS like XP? XP does NOTHING that I can't do in 98.
NOTHING!

Agreed. Win98 served us well --- until we started having problems
with a daughter and the user level security did not cut it anymore.
:( Hopefully, someone will come out with a patch for 98.
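Virus Guy asks above whether WMF files carry executable code or whether a malformed file trips a buffer overrun, and nobody in the thread says which. The answer (a fact about the bug Microsoft fixed in MS06-001, not something stated in any post) is closer to the first: a WMF file is a list of GDI drawing records, and one record type, META_ESCAPE with sub-function SETABORTPROC, makes GDI treat the bytes that follow as a callback routine and then call them. That is the Windows 3.0 "feature" kurt refers to, and on NT it lives in gdi32.dll, the common factor in Doc's DLL listing. What follows is an added example, not code from the thread or from any of the sites cited in it: a small WMF record walker that flags that record, and also the structural lie (a record header claiming more bytes than the file has) that a crafted file often contains. The sample files are constructed inline; the 0xCC bytes are a placeholder, not a payload.

```python
import struct

# WMF format constants (from the published Windows Metafile format, not from the thread)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the Escape sub-function behind MS06-001


def _records(data):
    """Yield (offset, function, params) for every record in a WMF blob.

    Raises ValueError on the structural problems a crafted file tends to
    have: truncated header, a record that claims to run past end of file,
    no META_EOF record."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _ver, _size, _nobj, _maxrec, _ = struct.unpack_from("<HHHIHIH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        rec_len = rec_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError(f"record at offset {off} claims {rec_len} bytes, past end of file")
        yield off, func, data[off + 6:off + rec_len]
        off += rec_len
        if func == META_EOF:
            return
    raise ValueError("no META_EOF record")


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    try:
        for off, func, params in _records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc, nbytes = struct.unpack_from("<HH", params, 0)
                if esc == SETABORTPROC:   # a printing escape that has no business in a stored picture
                    findings.append(f"SETABORTPROC escape at offset {off} "
                                    f"carrying {nbytes} bytes of callback code")
    except ValueError as e:
        findings.append(f"malformed: {e}")
    return findings


# --- constructed samples (built here, not real files from the wild) ----------

def _record(func, params=b""):
    params += b"\x00" * (len(params) % 2)         # record sizes are in words, so pad to even
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    max_rec = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _record(META_EOF)])
# The record shape the attack files used: an Escape whose sub-function is
# SETABORTPROC followed by the bytes GDI will call. 0xCC stands in for them.
MALICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\xcc" * 8),
                      _record(META_EOF)])
# A record header that over-claims its length: the "malformed file" case.
OVERCLAIMED_WMF = BENIGN_WMF[:18] + struct.pack("<IH", 0x1000, META_SETMAPMODE) + BENIGN_WMF[24:]

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF),
                       ("overclaimed", OVERCLAIMED_WMF)]:
        print(name, scan_wmf(blob) or "clean")
```

The scanner only answers the narrow question of whether a file contains the one record type that turned a picture into a program; it says nothing about which viewer on a given machine would hand the file to GDI, which is the part of Virus Guy's question that depends on the installed software.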
 
Sean Cousins

It also comes with Open Office, GIMP,

Those apps are free to Windows users too.
Most importantly, my noobs are not worried about virus or spyware attacks.

So long as they are not gamers that is fine. If you are then forget
Linux.
 
