Microsoft Windows WMF Handling - Arbitrary Code Execution

Started by Eric the Red, December 28, 2005, 02:45:35 PM


Paddy

Corrine, the link
Fix Described Here: http://www.hexblog.com/2005/12/wmf_vuln.htm

It gives me an HTTP 404 Page not found

I can only get to it via the home page..

numbnuts. :exorcize:
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Corrine

Thanks, Paddy.  Looks like I missed the letter "l" when I copied the URL.  I've corrected it now.  :rose:

Even Wikipedia is following this:  http://en.wikipedia.org/wiki/2005_WMF_vulnerability


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Eric the Red

SANS have published links at the Internet Security Center to the WMF FAQs in various languages:

Quote
Catalan
Deutsch
English
Español
Italiana and Italiana
Polska
Suomenkielinen

See this page
"The time to start running is around about the "e" in "Hey, you!" "

Corrine

Microsoft updated Security Advisory (912840) promising a security update for the vulnerability on 10 January 2006:

Quote
[Snip]

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

[Snip]

http://www.microsoft.com/technet/security/advisory/912840.mspx



Eric the Red

Update to hotfix .msi

Version 1.4 of the hotfix in msi form for system administrators is now available at this location

Die Hard

Quote
An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

This is how it looks when associating WMF-files with notepad:
I do not post a link when it's immediately infectious, but the link is in the address-bar in the screen-shot (if anyone wants to try the local settings)
I create and edit my posts in GS-NOTES


Eric the Red

Quote
An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  Ugly, but it is a fix.

In addition, in the next week until Microsoft release their patch:


  • Read emails in plain text.
  • If you have a Windows XP computer, enable DEP (Data Execution Prevention).
  • Do not click on links received via email or instant messaging programs and sent by unknown senders.
"The time to start running is around about the "e" in "Hey, you!" "
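The Notepad workaround quoted in this thread is set per file extension, so it helps to know which files contain WMF data whatever they are named. The sketch below is an added example, not part of any post here: it identifies WMF content by its header bytes alone, and the file names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic at the start of a "placeable" WMF
PLACEABLE_LEN = 22          # size of the placeable header in bytes
META_HEADER_LEN = 18        # size of the standard WMF header in bytes


def _is_meta_header(buf):
    """True if buf starts with a plausible standard WMF header."""
    if len(buf) < META_HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", buf, 0)
    # type 1 = memory, 2 = disk; header is 9 words; version 1.0 or 3.0
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def wmf_kind(data):
    """Return 'placeable', 'standard' or None, judged by content only."""
    if len(data) >= PLACEABLE_LEN:
        (key,) = struct.unpack_from("<I", data, 0)
        if key == PLACEABLE_KEY and _is_meta_header(data[PLACEABLE_LEN:]):
            return "placeable"
    return "standard" if _is_meta_header(data) else None


def disguised_wmf(files):
    """Names whose bytes are WMF but whose extension is not .wmf."""
    return sorted(
        name for name, data in files.items()
        if wmf_kind(data) and not name.lower().endswith(".wmf")
    )


# Constructed sample data (headers only, no drawing records).
_META = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
# Placeable header; checksum field left 0 because it is not checked here.
_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
SAMPLES = {
    "chart.wmf": _META,
    "holiday.jpg": _PLACEABLE + _META,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "notes.txt": b"plain text, nothing to see here",
}

if __name__ == "__main__":
    for name in disguised_wmf(SAMPLES):
        print(name, "->", wmf_kind(SAMPLES[name]))
```

To check files on disk, pass `wmf_kind` the first 40 bytes of each file; that covers both header layouts.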

Eric the Red

Update in respect of Ilfak Guilfanov's unofficial patch for the Windows .WMF flaw (from the ISC weblog):

Quote
Ilfak's site is back, reduced to the bare minimum as it had very high load. If you still can't reach it, it's possible that there is some caching between you/your ISP/Ilfak's site.

Thanks to Alexander H for pointing out that, due to changes on Ilfak's site, URLs from old diary entries don't work anymore. You can go to the main web page, http://www.hexblog.com to access Ilfak's files.

Just one more update - if you can't access the site, the main reason is that your DNS server(s) still don't have the updated (new) DNS entries. Ilfak changed IP address of his site so it will take a while for this to propagate. The new IP address is 216.227.222.95, and you can reach the site by going to http://216.227.222.95.

mgee

Microsoft appeared to be releasing the patch for this danger today.

Article Link: http://news.yahoo.com/s/ap/20060105/ap_on_hi_te/microsoft_security

Article:


Microsoft Releases Patch for Windows Flaw

SEATTLE - Microsoft Corp. released a software patch for its Windows operating system Thursday to fix a flaw that has spawned attempts to take control of Internet-connected computers.

Initially, Microsoft said it didn't expect to do so until at least Tuesday, but the Redmond software maker said it finished testing earlier than planned and was able to release it on its Web site.

The flaw is in an element of Windows that is used to view images. If a user is tricked into viewing an image, such as on a malicious Web site or within an e-mail attachment, that person's computer could be attacked.

Microsoft confirmed last week that some people were trying to take advantage of it. On Thursday, the company said outbreaks appeared to be limited.

One mitigating factor is the fact that the vulnerability requires a person to take action, such as opening an e-mail from a stranger or following a link to an unknown Web page.

Nevertheless, security experts have said the flaw could still pose a risk because personal firewalls offer little protection and the attacks can easily be modified to get around security software such as antivirus programs. Also, the flaw affects versions of Windows desktop and server software going back to Windows 98.

Microsoft had offered some technical options for decreasing the risk of an exploit. Other security companies had prepared their own patches while Microsoft worked on the official one.

___

On the Net:

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx


"...love builds up." (1 Corinthians 8:1)

Eric the Red

With the release of the official patch from Microsoft the significance of this thread has decreased. As a result I am unpinning this and returning it to the usual thread sequence. See this thread for patch details

May I express my thanks to all of you who have contributed to this and other threads in respect of the WMF vulnerability - you make a great team!  :thumbsup:

Skittles

I really like this article at Castle Cops.  A Must Read article.  Which I think that Corrine linked above already.

http://castlecops.com/a6445-WMF_Exploit_FAQ.html