WMF Exploit!!! Install this patch now!


#21
01-05-2006, 02:50 AM
Josh Einstein
Re: WMF Exploit!!! Install this patch now!

Variations are coming out faster than AV vendors can keep up. Check out
f-secure's blog.

http://www.f-secure.com/weblog/



--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com
"Leythos" <void@nowhere.lan> wrote in message
news:Imzuf.278259$tD4.150970@tornado.ohiordc.rr.com...
> In article <OddXjBJEGHA.2036@TK2MSFTNGP14.phx.gbl>,
> josheinstein@hotmail.com says...
>> I'm just saying people should trust security experts. There *are* people
>> out
>> there more qualified to give security guidance than you or MS. SANS,
>> F-secure, and Steve Gibson are 3 such parties.
>>
>> The patch may be unknown to or untested by you, but not to those security
>> experts.

>
> Having a fully updated AV solution, blocking at the firewall for the
> known attachments/http files, I'm not installing a third party patch. At
> this time our AV product seems to catch it and the firewall blocks most
> of them, so I'm going to leave the computers the way they are instead of
> having to support a patch that I don't know how it impacts the entire
> base of users computers.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me



#22
01-05-2006, 02:50 AM
Rashputin
Re: WMF Exploit!!! Install this patch now!


"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:eqpjUcIEGHA.1088@tk2msftngp13.phx.gbl...
> Chris H. wrote:
>> Incorrect, Jim. Users should wait for the official patch, and not
>> risk (1) going to some web site not connected with Microsoft, and (2)
>> not installing some "patch" or other software on their machine from
>> an unknown source.
>> As noted in the security bulletin issued, there are specific
>> instances where this violation of a computer can take place, and they
>> include being lured to a web site.
>>
>> Protection of the computer will come with intelligent computer usage,
>> including not visiting an unknown site for a "fix" not coming
>> directly from Microsoft.
>>

>
> If you believe the security bulletin you have obviously not seen this
> exploit in action. Build a test machine, fully update Windows, install
> your antivirus and antispyware apps of choice and go to one of the many
> known sites that use this exploit. The machine will be infected, no ifs,
> ands, or buts. The people using the exploit are changing it often enough
> that the antivirus/spyware/malware apps can't keep up. I have tried it.
> Have you? It was scary. I immediately ran the unofficial patch on my own
> machines. By the way many sites you think may be safe are not, knoppix-std
> dot org is one site that was known to be hacked and was distributing
> malware via this exploit. To most this would certainly seem to be a safe
> site. Many on these newsgroups regularly recommend using knoppix.
>
> Kerry
>
>
>
>
>> "Jim" <reply@groups.please> wrote in message
>> news:kMwuf.37341$Lb1.8673@bignews3.bellsouth.net...
>>> Chris,
>>>
>>> You are acting in an extremely irresponsible manner. This is one
>>> of the largest exploits ever to hit the Windows platform (in number
>>> of machines affected), and you are telling people to do nothing.
>>>
>>> The only thing more irresponsible than your post is Microsoft's
>>> refusal to take immediate action for such an exploit.
>>>
>>> Jim
>>>
>>> "Chris H." <winxpnews@hotmail.com> wrote in message
>>> news:um047fHEGHA.140@TK2MSFTNGP12.phx.gbl...
>>>> Microsoft has not released a patch at this point. Please do not
>>>> download or install a patch from any other source.
>>>> --
>>>> Chris H.
>>>> Microsoft Windows MVP/Tablet PC
>>>> Tablet Creations - http://nicecreations.us/
>>>> Associate Expert
>>>> Expert Zone - www.microsoft.com/windowsxp/expertzone

>
>
>




Does deleting the .wmf file association solve the problem or am I
misunderstanding it?

tia,

Regards


#23
01-05-2006, 02:50 AM
Leythos
Re: WMF Exploit!!! Install this patch now!

In article <ul7bITJEGHA.4000@TK2MSFTNGP10.phx.gbl>,
josheinstein@hotmail.com says...
> Variations are coming out faster than AV vendors can keep up. Check out
> f-secure's blog.
>
> http://www.f-secure.com/weblog/


And with firewalls that implement Proxy services you can filter 99% of
the exposure out.

--

spam999free@rrohio.com
remove 999 in order to email me
#24
01-05-2006, 02:50 AM
DrJoel
Re: WMF Exploit!!! Install this patch now!

Richard Urban wrote:
> The patch works fine. I have installed it on my three computers without any
> problem. Even if it caused a couple of glitches, it is better than having
> your computer taken over, and controlled, by an unknown individual.
>

I saw somewhere that there is a program to test whether your system is
vulnerable to attack. Where do I find it?
#25
01-05-2006, 02:50 AM
Kerry Brown
Re: WMF Exploit!!! Install this patch now!

Rashputin wrote:
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
> news:eqpjUcIEGHA.1088@tk2msftngp13.phx.gbl...
>> Chris H. wrote:
>>> Incorrect, Jim. Users should wait for the official patch, and not
>>> risk (1) going to some web site not connected with Microsoft, and
>>> (2) not installing some "patch" or other software on their machine
>>> from an unknown source.
>>> As noted in the security bulletin issued, there are specific
>>> instances where this violation of a computer can take place, and
>>> they include being lured to a web site.
>>>
>>> Protection of the computer will come with intelligent computer
>>> usage, including not visiting an unknown site for a "fix" not coming
>>> directly from Microsoft.
>>>

>>
>> If you believe the security bulletin you have obviously not seen
>> this exploit in action. Build a test machine, fully update Windows,
>> install your antivirus and antispyware apps of choice and go to one
>> of the many known sites that use this exploit. The machine will be
>> infected, no ifs, ands, or buts. The people using the exploit are
>> changing it often enough that the antivirus/spyware/malware apps
>> can't keep up. I have tried it. Have you? It was scary. I
>> immediately ran the unofficial patch on my own machines. By the way
>> many sites you think may be safe are not, knoppix-std dot org is one
>> site that was known to be hacked and was distributing malware via
>> this exploit. To most this would certainly seem to be a safe site.
>> Many on these newsgroups regularly recommend using knoppix. Kerry
>>
>>
>>
>>
>>> "Jim" <reply@groups.please> wrote in message
>>> news:kMwuf.37341$Lb1.8673@bignews3.bellsouth.net...
>>>> Chris,
>>>>
>>>> You are acting in an extremely irresponsible manner. This is
>>>> one of the largest exploits ever to hit the Windows platform (in
>>>> number of machines affected), and you are telling people to do
>>>> nothing. The only thing more irresponsible than your post is
>>>> Microsoft's
>>>> refusal to take immediate action for such an exploit.
>>>>
>>>> Jim
>>>>
>>>> "Chris H." <winxpnews@hotmail.com> wrote in message
>>>> news:um047fHEGHA.140@TK2MSFTNGP12.phx.gbl...
>>>>> Microsoft has not released a patch at this point. Please do not
>>>>> download or install a patch from any other source.
>>>>> --
>>>>> Chris H.
>>>>> Microsoft Windows MVP/Tablet PC
>>>>> Tablet Creations - http://nicecreations.us/
>>>>> Associate Expert
>>>>> Expert Zone - www.microsoft.com/windowsxp/expertzone

>>
>>
>>

>
>
>
> Does deleting the .wmf file association solve the problem or am I
> misunderstanding it?
>
> tia,
>
> Regards


It doesn't solve the problem. The file can be named with any valid graphics
extension e.g. jpg. Windows will try to open the file, realise it's a wmf
file not a jpg and open it appropriately. You would have to disable all
graphics associations recognised by Windows. Unregistering the Windows
Picture and Fax viewer will help but the problem is deeper than that file
alone.

Kerry


#26
01-05-2006, 02:50 AM
Chuck
Re: WMF Exploit!!! Install this patch now!

Experts: Windows Flaw Can't Wait for Microsoft Fix
http://www.pcworld.com/news/article/...010306X,00.asp
Users should consider applying an unofficial security patch, researchers
say.

Peter Sayer, IDG News Service
Tuesday, January 03, 2006


Users of the Windows OS should install an unofficial security patch now,
without waiting for Microsoft to make its move, security researchers at The
SANS Institute's Internet Storm Center (ISC) advised this week.






Their recommendation follows a new wave of attacks on a flaw in the way
versions of Windows from 98 through XP handle malicious files in the WMF
(Windows Metafile) format. One such attack arrives in an e-mail message
entitled "happy new year," bearing a malicious file attachment called
"HappyNewYear.jpg" that is really a disguised WMF file, security research
companies including iDefense and F-Secure said. Even though the file is
labeled as a JPEG, Windows recognizes the content as a WMF and attempts to
execute the code it contains.

Microsoft advised on December 28 that to exploit a WMF vulnerability by
e-mail, "customers would have to be persuaded to click on a link within a
malicious e-mail or open an attachment that exploited the vulnerability."
Microsoft's advisory can be found online.

However, simply viewing the folder that contains the affected file, or even
allowing the file to be indexed by desktop search utilities such as the
Google Desktop, can trigger its payload, F-Secure's Chief Research Officer
Mikko Hypponen wrote in the company's blog.


More Attacks Possible
In addition, source code for a new exploit was widely available on the
Internet by Saturday, allowing the creation of new attacks with varied
payloads. The file "HappyNewYear.jpg," for example, attempts to download the
Bifrose backdoor, researchers said.

These factors exacerbate the problem, according to Ken Dunham, director of
the rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still
not protected against the WMF exploit," Dunham warned in an e-mail on
Sunday.

Alarmed by the magnitude of the threat, staff at the ISC worked over the
weekend to validate and improve an unofficial patch developed by Ilfak
Guilfanov to fix the WMF problem, according to an entry in the Handler's
Diary, a running commentary on major IT security problems on the ISC Web
site.

"We have very carefully scrutinized this patch. It does only what is
advertised, it is reversible, and, in our opinion, it is both safe and
effective," Tom Liston wrote in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the
border, and you cannot leave your systems unprotected," Liston wrote.

In the diary, ISC provided a link to the version of the patch it has
examined, including a version designed for unattended installation on
corporate systems.

While ISC recognizes that corporate users will find it unacceptable to
install an unofficial patch, "Acceptable or not, folks, you have to trust
someone in this situation," Liston wrote.

Microsoft representatives could not immediately be reached for comment on
Monday morning.

Guilfanov published his patch on his Web site on Saturday. His introduction
to it can be found online.

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's
blog on Saturday night, and then on Sunday echoed the ISC's advice to
install the patch.

Not all computers are vulnerable to the WMF threat: those running
non-Windows operating systems are not affected.

According to iDefense's Dunham, Windows machines running Windows Data
Execution Prevention (DEP) software are at least safe from the WMF attacks
seen so far. However, Microsoft said that software DEP offered no protection
from the threat, although hardware DEP may help.




#27
01-05-2006, 02:50 AM
Chuck
Re: WMF Exploit!!! Install this patch now!

Microsoft Urges Users to Wait for Official Patch
http://www.pcworld.com/news/article/...010306X,00.asp
Software giant says fix for WMF flaw is coming, advises against installing
unofficial fixes.

Peter Sayer, IDG News Service
Tuesday, January 03, 2006


Some security researchers are advising Windows users to rush to install an
unofficial patch to fix a vulnerability in the way the OS renders graphics
files, but Microsoft wants customers to wait another week for its official
security update, it announced Tuesday.






The problem is in the way various versions of Windows handle graphics in the
WMF (Windows Metafile) format. When a vulnerable computer opens a
maliciously crafted WMF file, it can be forced to execute arbitrary code.
Microsoft published a first security advisory on December 28, saying it had
received notification of the problem on December 27 and was investigating
whether a patch was necessary.

On Tuesday, Microsoft updated the advisory to say it has completed
development of its own patch, and is now testing it for release next week.

"Microsoft recommends that customers download and deploy the security update
for the WMF vulnerability that we are targeting for release on January 10,
2006," said the advisory, the full text of which can be found online.

The company says it carefully reviews and tests its security updates, and
offers them in 23 languages for all affected versions of its software
simultaneously. It "cannot provide similar assurance for independent
third-party security updates," it says.


Threat Level
The number of users potentially at risk is high, with all versions of
Windows exhibiting the vulnerability, but the number actually affected so
far is relatively low, researchers say.

However, the chance of running into a malicious WMF file is climbing, and
with it the danger of running an unpatched system. Already, one security Web
site has had to warn its readers to stay away: the owners of the
knoppix-std.org site warned in a forum posting that hackers had modified the
site so as to attempt to exploit the vulnerability on site visitors'
machines.

There is "a lot of potential risk" associated with the vulnerability,
according to Jay Heiser, a research vice president with Gartner and the
company's lead analyst on information security issues. "If it can be
exploited in any significant way, it would be an extremely big risk."

"It's a race between Microsoft and the exploit community," he says.

The bad guys had a head start in that race. Security researchers at Websense
first spotted malicious Web sites using the exploit on December 27, but
those sites may have been doing so as early as December 14, the company
says.

On December 28, Microsoft ambled out of the starting blocks with its first
security advisory acknowledging a potential problem.

Over the weekend, it updated this to suggest a way in which users could
reduce the risk by disabling an affected part of the OS, called shimgvw.dll.
Microsoft warned that the fix has the side effect of stopping the Windows
Picture and Fax Viewer from functioning normally. Others report that it also
stops Windows Explorer from showing thumbnails for digital photos.


Unofficial Fix
Security researchers outside Microsoft had other ideas: rather than disable
shimgvw.dll, they would modify it so that only the functionality considered
dangerous was blocked. By December 31, programmer Ilfak Guilfanov had
developed an unofficial patch to reduce the danger of attack, without
impairing Windows' graphics functions.

His patch quickly won the support of security researchers including The SANS
Institute's Internet Storm Center (ISC) and F-Secure.

Mikko Hypponen, chief research officer at F-Secure, feels safe recommending
the Guilfanov patch for several reasons.

"We know this guy. We have checked the code. It does exactly what he says it
does, and nothing else. We've checked the binary, and we've checked that the
fix works," he says.

He has one final vote of confidence: "We've installed it on all our own
computers."

Sophos PLC's Senior Security Consultant Carole Theriault advises businesses
not to install the unofficial patch. "We wouldn't recommend it, for testing
reasons," she says.

One of the hidden dangers of the WMF vulnerability is that things are not
always what they appear. Usually, WMF files can be identified by their .WMF
file extension, and blocked as a precaution, but attackers may choose to
disguise malicious files simply by giving them another image file suffix,
such as .JPG, because the Windows graphics rendering engine attempts to
identify graphics files by their content, not their name. That was the case
with a file with the title "happynewyear.jpg" that began circulating in
e-mail messages on December 31: If opened on a Windows machine, the file
attempts to download and install a backdoor called Bifrose.

As a consequence, says Theriault, businesses should keep existing antivirus
protection up to date and concentrate on blocking unsolicited mail while
waiting for the Microsoft patch, as this may help to screen out attacks.
They should encourage users to practice safe computing by only visiting
reputable Web sites and taking care with what they download, she says.

Jeremy Kirk of the IDG News Service contributed to this report.



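The point made in Kerry Brown's reply (#25) and in the article above, that Windows identifies a WMF by its content rather than by its .jpg name, is exactly what an extension-based mail or proxy filter misses. As an added example that is not part of this thread or of any product named in it, the following Python recognises a WMF by its header bytes so a gateway or file scanner can flag a disguised attachment; the sample headers are constructed, and the function and file names are assumptions of the example.

```python
import struct

# Aldus "placeable" WMF header key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22  # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
JPEG_MAGIC = b"\xff\xd8\xff"  # SOI marker followed by the first segment marker


def is_standard_wmf_header(data: bytes) -> bool:
    """True if data begins with a plausible METAHEADER (type, header size, version)."""
    if len(data) < 18:
        return False
    mt_type, header_words, version = struct.unpack_from("<HHH", data, 0)
    # mtType: 1 = memory metafile, 2 = disk metafile; the header is always 9 words;
    # mtVersion is 0x0100 or 0x0300 for Windows metafiles.
    return mt_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def is_wmf(data: bytes) -> bool:
    """Recognise a WMF by its bytes, with or without the placeable prefix."""
    if data.startswith(PLACEABLE_KEY):
        return is_standard_wmf_header(data[PLACEABLE_HEADER_LEN:])
    return is_standard_wmf_header(data)


def sniff_image_type(data: bytes) -> str:
    """Return 'jpeg', 'wmf' or 'unknown' from content alone, ignoring the file name."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if is_wmf(data):
        return "wmf"
    return "unknown"


def classify_attachment(name: str, data: bytes):
    """Return (detected_type, disguised); disguised means the bytes are WMF
    but the extension claims otherwise, which an extension filter would pass."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = sniff_image_type(data)
    return detected, (detected == "wmf" and ext != "wmf")


# Constructed sample headers (not real files): an 18-byte METAHEADER with no
# records, the same header behind a placeable prefix, and a JPEG/JFIF prefix.
BARE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(18) + BARE_WMF
JPEG_STUB = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

SAMPLE_ATTACHMENTS = {
    "HappyNewYear.jpg": BARE_WMF,  # WMF content behind a .jpg name (constructed)
    "photo.jpg": JPEG_STUB,
    "chart.wmf": PLACEABLE_WMF,
}


def scan(attachments: dict) -> list:
    """Return the names of attachments whose content is WMF but whose name is not."""
    return [name for name, data in attachments.items()
            if classify_attachment(name, data)[1]]


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(name, classify_attachment(name, data))
    print("disguised:", scan(SAMPLE_ATTACHMENTS))
```

The check is header-based only, so it is one layer beside up-to-date antivirus and the patch, not a replacement for them.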
#28
01-05-2006, 02:50 AM
Richard Urban
Re: WMF Exploit!!! Install this patch now!

You can get it here from Gibson Research.
http://www.grc.com/sn/notes-020.htm

Unfortunately the link to the site of the man who developed the site comes
back as the domain has been suspended.

Too much traffic? Or is there more going on here than is apparent to the
naked eye?

BTW, you run the test "after" you apply the fix and reboot. The test tells
you if the fix took hold.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!

"DrJoel" <joelw135@comcast.net> wrote in message
news:uTAUHoKEGHA.1088@tk2msftngp13.phx.gbl...
> Richard Urban wrote:
>> The patch works fine. I have installed it on my three computers without
>> any problem. Even if it caused a couple of glitches, it is better than
>> having your computer taken over, and controlled, by an unknown
>> individual.
>>

> I saw somewhere that there is a program to test whether your system is
> vulnerable to attack. Where do I find it?



#29
01-05-2006, 02:51 AM
Rosanne
Re: WMF Exploit!!! Install this patch now!

Richard Urban wrote:
> You can get it here from Gibson Research.
> http://www.grc.com/sn/notes-020.htm
>
> Unfortunately the link to the site of the man who developed the site comes
> back as the domain has been suspended.
>
> Too much traffic? Or is there more going on here than is apparent to the
> naked eye?
>
> BTW, you run the test "after" you apply the fix and reboot. The test tells
> you if the fix took hold.
>


Too much traffic. The site started as a simple blog, and was quickly
overwhelmed. The big-name mirrors I've seen so far, in addition to grc,
are:

http://castlecops.com/a6436-Newest_W...s_the_Day.html
(http://castlecops.com/t143213-Hexblog_WMF_FAQ.html)

http://handlers.sans.org/tliston/wmffix_hexblog14.exe
(this is a direct link to the executable - there's nothing on his index
page)

http://sunbeltblog.blogspot.com/2006...nofficial.html

--
~ Rosanne
Don’t save my sneakemail address – when it gets spammed, it gets changed.
#30
01-05-2006, 02:51 AM
Bruce Chambers
Re: WMF Exploit!!! Install this patch now!

Jim wrote:
> Chris,
>
> You are acting in an extremely irresponsible manner.



No, you're the one trying to con people into downloading an unknown
patch from an unofficial source. What specific type of malware are you
trying to distribute?



--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH