202 Comments
- Kloser331, on 10/12/2007, -0/+7
Before I'm labeled a fan boy, allow me to say that I have computers with Windows, Linux, and OS X on them. I use all of them.
What is with people that act like nothing is wrong with Windows? Windows is seriously flawed. It needs to be taken down to nothing and rebuilt. Some PC users are staring at a house that is falling over and saying, "looks fine to me."
The fact is this: I heard about this while I was working on Friday and did a little research. This threat appeared to be pretty great and hackers had released 60 pieces of malware in a couple of days (source is Leo's radio show on Sunday).
I had to call my wife and tell her not to use the PC until I got home. If she needed to browse the web, she should use Linux or OS X. I've never had to do that with other OS's. A lot of ppl view Linux users as very techie people, but the fact of the matter is that you should be more of a techie to use windows or else your computer will have viruses come out of every orifice.
The 800 pound gorilla that is in the middle of the Microsoft Pollyanna's room is that Windows is in serious need of a mulligan here.
- linker3000, on 10/12/2007, -0/+6
Bibble:
Unregistering the relevant DLL is not 100% secure as any app can re-register it, PLUS the Windows GDI interface has a link to the exploit too which doesn't even need the DLL. Go for the unofficial patch mentioned higher in the thread.
- IceBurrg, on 10/12/2007, -1/+5
"Any sane person would not open a WMF"
Call it anna_kournikova_nude.wmf and watch how many people will open it.
- puny_midget, on 10/12/2007, -0/+4
This exploit can install viri or spy/adware onto your computer just by visiting ANY website with an infected image. All it has to do is load the image, even if it's a thumbnail or general graphic like a company logo or whatever. This is really serious. Because Windows now disregards the file extensions and uses MIME instead, a website could disguise the WMF file as a jpeg or gif. So unless you're browsing and not loading images, you should be getting very paranoid right about now...
- colinlinton1978, on 10/12/2007, -0/+4
if you are looking for a fix to this problem, check out this site. it contains a program to check to see if you are vulnerable, and also contains a fix to the problem. it is endorsed on ww.grc.com and has been validated to work. http://www.hexblog.com/2005/12/wmf_vuln.html
- Quell23, on 10/12/2007, -0/+3
Video of exploit at work.
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv
recommend blocking traffic from these two netblocks:
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
Demo of exploit:
http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php
Everything you need to know about it:
http://isc.sans.org/diary.php?storyid=993
- deadkenny, on 10/12/2007, -0/+3
"Boy does it feel good to be a Linux user now!"
So long as the flaw hasn't been ported across with Wine or Mainsoft products ;-)
There are of course hundreds of flaws like this in linux libraries that are found almost every day, but they don't get alarming publicity that encourages virus writers and are patched up in due course.
- TC-14, on 10/12/2007, -0/+2
For the WMF Vulnerability Patch:
http://www.hexblog.com/2005/12/wmf_vuln.html#more
Lynx 2.8.5 ported to Windows for those wanting to do only text based browsing.:
http://csant.info/downloads/lynx_setup-2.8.5rel-1.zip
And for Firefox users, go to Tools -> Options... -> Content, and untick the Load Images checkbox.
- ForbesBingley, on 10/12/2007, -0/+2
"Any sane person would not open a WMF"
Sanity rarely has any foothold in the mind of the average computer user.
If inexperience is the order of the day, naiveté is often a common bedfellow...
- scutter, on 10/12/2007, -1/+3
> That's what I see as the problem with Microsoft -- they're responding. They're just not being proactive about this sort of thing.
I have no idea how you can make that statement. I work with Microsoft on an almost daily basis. They turned their whole company around to make security top priority. On the server front, Windows Server 2003 is one of the most secure operating systems out there. Anyone who has worked with Microsoft or attended any of their conferences can tell you this.
My point is, that they are NOT just being reactive to security concerns. Quite the contrary. That said, their response to this threat is suboptimal. I suspect it is one of three reasons:
1) Disabling this "feature" may have implications for MS and 3rd-party applications, and they are trying to analyze the impact to that.
2) Their Windows build and QA process is still horribly broken (slow). I know that this was one of the reasons that Jim Allchin supposedly pushed for a "reset" on the Longhorn/Vista project.
3) They are waiting to release the fix on their normal monthly patch cycle.
- kdehead, on 10/12/2007, -0/+2
joe six pack dumb user won't check digg.com for fixes - or grc.com.
heck - he won't even know what a "fix" is.
the potential target base for this therefore is simply enormous - in the millions.
expect vastly more spam in 2006 as a result.
- Quell23, on 10/12/2007, -0/+2
If the demo functions, the Windows pocket calculator opens. This does not appear, the demo failed.
- jav1231, on 10/12/2007, -0/+1
Frankly, the industry needs this to an extent. It is imperative to get Windows out of the corporate environment and this vulnerability is why. MS decided long ago to shoot down Netware and everyone thought it was the greatest thing since sliced bread. Netware SA's warned people for years that an ass-backwards approach to security would prove a security risk. It has. Windows SA's have spent countless hours patching a server OS that is basically a desktop OS. Only in 2003 has MS decided to even address default ports. We "sold our souls" for easy use and we're wondering why we have this big check to pay. While I realize it means more work, patching, and possible removal of more malware in the long run it is my hope that more people will abandon this shoddy, ill-conceived product and get back to taking their systems more seriously.
- SpeedyG, on 10/12/2007, -2/+3
This is HUGE, folks. Everyone needs to use those drop-down boxes and mark all this OS nonsense as off-topic.
Viewing a webpage with a WMF image file on it can infect you.
Having a corrupted image on your hard drive indexed by something like Google Desktop can infect you.
Viewing an infected image with the Windows picture/fax viewer will infect you.
Seeing an e-mail with an infected image inside of it will get you infected.
And EVERY version of Windows is vulnerable.
Stop with the flame wars and get serious.
- dirtyfratboy, on 10/12/2007, -0/+1
what the hell?!?!?!?!
"submitted by poondaddy 30 minutes ago" even though it's at 1154 diggs.
how does this happen???
- kdehead, on 10/12/2007, -1/+2
http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
in the comments:
"Dude! What happens if I take a malicious WMF with, change the extension to JPG, then bombard your win 98 machine? You are HOSED! Even though there is no default rendering or indexing vulnerability - a dumb or unlucky user who clicks on a WMF or a JPG file that is REALLY a WMF under the hood will still trigger the GDI32 in question.... from iDefense:
Dunham said that iDefense analysed a live sample of a WMF attack spread via email and disguised as a JPG file. He said it was fully functional and downloaded and installed a variant of a trojan called Bifrose."
is this true? anyone got any links, more info?
- voltagex, on 10/12/2007, -1/+2
uhh the person who wrote about "legit" windows installs didn't know what he/she was talking about, makes no difference, you're vulnerable if you run windows it seems. Also any picture type can be exploited it seems.
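The disguise raised in the comments above (WMF content served or saved under a .jpg or .gif name) can be caught by reading a file's leading bytes instead of trusting its name. This is an added example, not part of any commenter's post; the function names are hypothetical and the sample bytes are constructed headers with no drawing records.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
MAGICS = {"jpeg": b"\xff\xd8\xff", "gif": b"GIF8",
          "png": b"\x89PNG\r\n\x1a\n", "bmp": b"BM"}
EXT_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
             ".png": "png", ".bmp": "bmp", ".wmf": "wmf"}


def is_wmf(data: bytes) -> bool:
    """True if data starts with a plausible WMF header (placeable or standard)."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[22:]  # the standard header follows the placeable one
    if len(data) < 18:
        return False  # truncated: too short to hold the 18-byte header
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def sniff(data: bytes):
    """Return the type the leading bytes indicate, or None if unrecognised."""
    if is_wmf(data):
        return "wmf"
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def audit(filename: str, data: bytes):
    """Return a finding when the extension and the content disagree, else None."""
    claimed = EXT_TYPES.get(PurePath(filename).suffix.lower())
    actual = sniff(data)
    if actual == "wmf" and claimed != "wmf":
        return f"{filename}: WMF content behind a {claimed or 'non-WMF'} name"
    if claimed and actual and claimed != actual:
        return f"{filename}: extension says {claimed}, content is {actual}"
    return None


# Constructed samples: headers only, no drawing records.
STD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0,
                            100, 100, 1440, 0, 0) + STD_WMF
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
```

A mail gateway or web proxy can run the same check on attachments and downloaded images, where the declared name or MIME type is equally untrustworthy.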
- inactive, on 10/12/2007, -0/+1
"Love the last sentence of that description."
25 to life?
- brickbat, on 10/12/2007, -0/+1
Go to security now on grc.com and get the patch. It is 100% effective and doesn't ***** up your system.
- Quell23, on 10/12/2007, -0/+1
Forgot to add email test:
http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?kategorie=virendummies
- Kloser331, on 10/12/2007, -0/+1
Fooboy, this affects Firefox too. If you browse a webpage on Firefox with a malicious WMF file, you're just as screwed as the noobs.
- tombalablombaa, on 10/12/2007, -0/+1
It's a feature, not a bug, somebody way back thought it would be good to be able to execute code out of WMF files.
As the guys @ MS just copy old code in, nobody ever saw it or thought about (why would they, it seemed bug free :) )
- nogami, on 10/12/2007, -0/+1
bibble: I believe there are still other ways to exploit the problem without using WMF files so that unregistering the DLL is only a partial fix.
Went with the patch myself...
(Use firefox, so not particularly concerned anyway)
- Bibble, on 10/12/2007, -0/+1
Kymehra:
Rather than use the unofficial patch I've put the following into our logon script
"regsvr32 -u -s %windir%\system32\shimgvw.dll"
This will silently unregister the DLL that handles WMF files. I also use a custom reg key in HKCU so that when MS produce a patch I can reregister the dll.
hope that helps
- TheProfessional, on 10/12/2007, -0/+1
Something Awful forum moderator (he moderates the computer hardware/software forum) has created a fix:
http://forums.somethingawful.com/showthread.php?s=&threadid=1759903
- rc_collins, on 10/12/2007, -1/+2
Can we not turn this into fark? Having punchlines in the descriptions is just annoying.
--dan
- scutter, on 10/12/2007, -0/+1
Microsoft has made great progress on the security front, but their slow response to this threatens to undo all that. I can't believe they can't release a patch until January 10 for something this bad. They are getting as slow and bloated as IBM.
- wilf_brim, on 10/12/2007, -1/+2
Some thoughts:
1) First of all, Apple fanbois, please sod off. Your OS has less than 5% market share. Even a brain damaged virus writer wouldn't bother. Security through obscurity doesn't count.
2) I am rather pissed that MS hasn't worked harder to get a fix out the door. The workaround (unregistering photo and fax viewer) will work, but disables thumbnail views and other functionalities. They are "investigating reports" of a vulnerability and exploits. "Investigating reports"?!?! Hey, idiots! Go to FSecure (and 4 or 5 other places) and read what they did. You can replicate their findings (should only take a few hours to take a virgin machine and get it thoroughly hosed) then DO SOMETHING! Don't wait for another week. Yes, normally they can be measured and thoughtful in their responses. They have a zero day exploit. The rules have changed.
3) For everybody else (non sysadmins) get Ilfak Guilfanov's patch. It has been reasonably well vetted and appears to work. Also (even for sysadmins) check F-Secure for a list of sites known to be exploiting this vulnerability to add to your blocked list.
- clevershark, on 10/12/2007, -0/+1
>Microsoft has made great progress on the security front, but their slow response to this threatens to undo all that.<
That's what I see as the problem with Microsoft -- they're responding. They're just not being proactive about this sort of thing. I'm just astounded that an image format should make allowances for arbitrary code being executed if an image can't be properly displayed. Does that actually sound like a good idea to *anyone*?
- sumrandommember, on 10/12/2007, -0/+1
If configured correctly Firefox will ask you to open or save a WMF before downloading it.
- zzz@tkz, on 10/12/2007, -0/+0
Damnit, I thought this would have already been posted =P.
Yea, one of my parent's friends told me about this, reminds me of the 2.0 PSP exploit...
- DigiRaven, on 10/12/2007, -0/+0
boy these hackers really have nothing else to do in their miserable except making others miserable. How in the hell someone can figure something out like this? You know they can put selfish brains to use to help the world and not destroy it.
- TomP, on 10/12/2007, -0/+0
Mirror Here: http://digg.com/links/WMF_Exploit_Patch_Mirror
- Tom | http://www.tomwrote.info
- hankosky, on 10/12/2007, -0/+0
http://www.heise.de/security/dienste/browsercheck/demos/ie/wmfexp2.php failed for me.
- Yodacola, on 10/12/2007, -1/+1
DUPE
digg.com/security/WMF_FAQ
- inactive, on 10/12/2007, -0/+0
Do you really think a vulnerability in Windows this HUGE was only caught just now? And it was in every version of Windows since 1990? Just have some great firewalls on your computer and all should be good...
- spamdies, on 10/12/2007, -0/+0
@xopl
If you think I depend on MS updates entirely for my systems security, then in fact you are mistaken. (biting my tongue, trying not to snap at the fanboi) regardless, you missed the point, and I made mine. Everyone stating that OS x is impenetrable and has 0 security flaws, is either completely uninformed, completely unaware, completely lying or a complete moron.
- Vladk1000, on 10/12/2007, -0/+0
Download the official patch, if you don't want to get the virus.
_________________________
http://ultra-tech.blogspot.com/
- bitemegates, on 10/12/2007, -0/+0
Hotfix here: http://www.grc.com/sn/notes-020.htm
- _jinx_, on 10/12/2007, -0/+0
@dork:
"but if the file can be "disguised" as JPEG it just doesn't make sense!"
the file can easily be converted, there is a difference. whether or not the code is still executable after conversion is a good question... if it is. This is a nasty exploit!
Also, for all the fanboys whether it's linux, apple, bsd whatever... no matter how you feel about windows doesn't change that fact they own 90% of the market share and this exploit is a big deal. Pointing the finger and saying told you so doesn't change a damn thing in the computer industry.
- mrpinto, on 10/12/2007, -0/+0
A few things to clarify here:
Fact: Windows IS less secure than Mac OS X or Linux when all vendor-supplied patches are applied. Secunia knows this, sysadmins know this and you should know it.
Why?
Fact: Windows IS targeted more than other OSes. Most viruses nowadays are created with the purpose of generating botnets for spam relays and DDOS attacks. More users of the target OS = bigger net.
Fact: Windows IS less secure by design than other OSes. If it weren't, MS wouldn't be working toward establishing rules that have long been in place for others. Rules like actually enforcing least-rights-user policies for instance.
Does it matter?
Not really. Sysadmins with sufficient acumen can protect even a windows network. Gamers are too addicted to their games to care. The rest of windows users are too dumb to know what hit them. They just waltz into Best Buy or CompUSA or whatever and buy a new box when their old one is p0wned beyond recognition.
The rest of us know that we can sit happy on Mac/Linux boxen, secure by both design and obscurity, and pop up occasionally to laugh at those too weak or confused to escape from MS.
I'm pretty darned sure that I'm the only one using my computer right now. Few Windows users can credibly make that claim.
Disclaimer: I develop apps for windows and the web for a living. I have extensive experience with MS, Mac and Linux.
- FuManchu, on 10/12/2007, -0/+0
quote:
I need a fix for my Win 98 SE box =(
-------------------------------------
If you have a machine that won't run Win2000 or XP, you'd get a lot more out of it if you installed a Linux distro. I just put Ubuntu Breezy Badger [5.10] on my daughter's 5 year old Dell laptop [500 MHz Celeron with 128 MB RAM] and it works nice now --even the wireless PC card.
If you gotta have windows2000 or XP running, IMHO, **DO** the Ilfak Guilfanov patch!!
http://www.hexblog.com/
is the current good webpage for links to the patch --his server is croaking under all the hits he's getting.
- applekid805, on 10/12/2007, -0/+0
I'm a windows user and I keep saying to myself that I need a mac, but money problems are holding me back
so for now I'm a switcher at heart
damn windows
damn microsoft
- Specter, on 10/12/2007, -0/+0
sad day if people only find out about this now... a week later
- skartel, on 10/12/2007, -0/+0
http://web.aanet.com.au/skartel/?p=105
- deadkenny, on 10/12/2007, -0/+0
"I'm running Linux, and I have NONE of the bugs Windows has"
Indeed, you just have different bugs ;-)
- AttroPheed, on 10/12/2007, -0/+0
People that open files in spam emails should be perm-banned from computing altogether and forced to use a mac.
- mcsurfer, on 10/12/2007, -0/+0
windows
full of holes
pretty ugly
unsustainable
- richiejp, on 10/12/2007, -0/+0
woohoo it worked.... oh *****.
- mikedoth, on 10/12/2007, -0/+0
Will this be the one that causes government to make the switch to OSS or Macs?