132 Comments
- stoops, on 10/12/2007, -0/+6
Actually macintel, security of *nix's, *BSD's and OS X comes through its source being friggin freely available to anyone in the world, thus allowing exploits such as this to be caught ahead of time by a HUGE amount of security experts. Security through obscurity relies on the malicious user being ignorrent, which is the wrong security model (i.e. Microsoft's closed source, which nobody can improve upon).
- caffeinated, on 10/12/2007, -1/+5
dupe... and Firefox won't help you here:
"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first." - F-Secure
If you're running Windows, you're vulnerable.
- joeyjojo, on 10/12/2007, -0/+3
"This is why I don't want Mac to get above 10% market share. Yes, the BSD foundation may make OS X more secure but that doesn't mean immune. Security comes through obscurity."
10% of a worldwide market share is hardly obscure. And obscurity is hardly security.
- caffeinated, on 10/12/2007, -0/+3
I ran this sploit through msf earlier this morning against XP SP2... very nasty.
You can use these registry files to disable/enable Windows Picture and Fax Viewer:
https://www.securinfos.info/english/WPFV_disable.reg
https://www.securinfos.info/english/WPFV_enable.reg
- elpottsy, on 10/12/2007, -0/+2
'Time to upgrade to firefox'
'This includes older versions of Firefox, current versions of Opera, Outlook and all current version of Internet Explorer on all versions of Windows.'
Maybe reading the articles you submit would help the accuracy of your comments!
- Hypersapien, on 10/12/2007, -2/+4
I don't even allow IE to get past my firewall. If it wasn't for software compatibility (read: games), I'd be using Linux.
- ja450n, on 10/12/2007, -0/+2
@glengineer
Staying back on Windows 98 will not keep you safe from this.
I inadvertently infected my Mac's VirtualPC (running 98) with this very problem.
- bmatherlyjr, on 10/12/2007, -0/+2
Why not just pull the WMF file extension out of the known file types, prohibiting its execution until a fix is implemented? Sounds like a simple fix to me.
- mfouchi, on 10/12/2007, -0/+2
dfloyd888 is correct. My laptop has DEP enabled and it hit me last night while I was browsing at about 10pm. DEP stopped it dead in its tracks.
It was pretty cool - the WMF file tried to open up in the viewer, then DEP came up and stomped its ass.
- spamdies, on 10/12/2007, -0/+2
The way you get rid of it is to reboot in safe mode, kill the temp files (all of them) in your profile, run Spybot, and if I remember correctly it has 2 entries you have to kill under msconfig.
- caffeinated, on 10/12/2007, -0/+2
MS05-053 is NOT the fix for this... Yes, it fixed another similar exploit that targeted the GRE, but I just ran this exploit against a fully patched (including 053) XP Pro SP2 box... it was compromised as soon as I opened the WMF page.
- RonAcierno, on 02/07/2008, -1/+3
I really need to get an Apple ....
- einsteindesign, on 10/12/2007, -0/+2
Windows MetaFile (WMF) files are the poor man's EPS file. Vector graphics files most often used with clipart, including parts of the Word/Office clip art gallery. You may have used them without realizing what type of file you had.
I'm actually not surprised by this, as you can stuff a lot of garbage into a vector file. PostScript files are basically code tossed at the printer and executed by the RIP engine. Printers used to have hardware limits and not much code to exploit, at least not until the networked devices and web-based controls created a backdoor that can be exploited.
So. You throw those same buffer exploits at a software viewer instead of a hardware RIP, and bada bing you own some boxen.
- kevin2735, on 10/12/2007, -0/+1
This gets a digg because one of my boxes was hit with this and the info here was very helpful. Thanks Digg users!
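einsteindesign's point that a WMF is a stream of drawing records rather than pixels is what makes the file inspectable: the exploit the thread is about rode on a META_ESCAPE record carrying the SETABORTPROC escape (a callback a viewer should never accept from a file). The following is an added example, not code from the thread or any of the vendors mentioned; it walks the WMF record list and flags such records, using a constructed sample file rather than any real exploit.

```python
import struct

# Record and escape identifiers from the WMF specification.
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # 22-byte "placeable" prefix some files carry


def parse_wmf_records(data):
    """Return a list of (function, params) tuples for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize, in words
    off += header_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):  # refuse inconsistent record sizes
            raise ValueError(f"bad record size at offset {off}")
        records.append((func, data[off + 6:off + size]))
        off += size
        if func == META_EOF:
            break
    return records


def find_setabortproc(data):
    """Return [(record_index, byte_count)] for every SETABORTPROC escape record."""
    hits = []
    for i, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                hits.append((i, count))
    return hits


def build_sample(with_escape):
    """Constructed minimal WMF: header, one SETMAPMODE record, optional escape, EOF."""
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 7, 0)
    mapmode = struct.pack("<IHH", 4, META_SETMAPMODE, 8)          # 8 bytes = 4 words
    esc = struct.pack("<IHHH", 7, META_ESCAPE, SETABORTPROC, 4) + b"XXXX"  # 14 bytes = 7 words, filler payload
    eof = struct.pack("<IH", 3, META_EOF)                          # 6 bytes = 3 words
    return hdr + mapmode + (esc if with_escape else b"") + eof
```

A mail gateway or desktop scanner can apply the same walk to any `.wmf` attachment and quarantine files whose record stream contains a SETABORTPROC escape, regardless of which viewer would have opened them.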
- raita, on 10/12/2007, -1/+2
http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx for the fix
- TXBueller, on 10/12/2007, -2/+3
I found the patch via Symantec here:
http://securityresponse.symantec.com/avcenter/security/Content/15352.html
- Rounin, on 10/12/2007, -0/+1
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
- JonUK, on 10/12/2007, -1/+2
More details on this exploit can be found here: http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php
It certainly looks like a nasty one.
- hitman619, on 10/12/2007, -0/+1
OH MY GOD! This just happened to me 2 nights ago and I had to reformat my comp. I could not remove the virus. I installed SpySweeper, AdWare, SpyBot, and I installed Norton 2006 - and all were ineffective. The only way I could even use the system was to unplug the network cable. The virus kept trying to send emails and Norton kept scanning them, like 30 at a time! It was insane. I went to a questionable site looking for a crack so I kinda deserved it (I guess) but DAMN. I'm no comp guru but I've been around the block; I consider myself an intermediate-advanced computer person and NEVER have I seen such a dominant virus wreak havoc on a system. BEWARE!!!!!!!
- zcrum, on 10/12/2007, -0/+1
I own a computer repair shop and have seen quite a few of these come in over the past two weeks. It's not so bad to alleviate but it does take a good amount of time.
- tsupersonic, on 10/12/2007, -0/+1
Surf the web carefully as (older versions of) Firefox are vulnerable. What do you people do to get viruses, spyware, etc.? Try to be careful; I run XP w/ McAfee VirusScan Enterprise, McAfee firewall, MS AntiSpyware, and SpySweeper. Yes, I am paranoid, but when you get your system infected with viruses or spyware, I laugh.
- Rorduruk, on 10/12/2007, -0/+1
I got this last night, sadly, from Firefox. Went to war with it, and had to start yanking DLLs left and right, because the AV and spyware tools (Spybot, Ad-Aware, MS) couldn't quite turn it over. Had to go as far as doing a repair install, so many DLLs were hijacked and munged.
- BLKMGK, on 10/12/2007, -0/+1
Zero Day = UNPATCHED. It's as simple as that. This is browser agnostic; it hits the subsystem in Windows, NOT a particular browser...
- SweetsGreen, on 10/12/2007, -0/+1
*****...this just happened to one of the computers at work.
Norton doesn't pick it up (except for trying to scan all the outgoing emails),
nor does Ad-Aware or Spybot....
- Macintel, on 10/12/2007, -2/+3
This is why I don't want Mac to get above 10% market share. Yes, the BSD foundation may make OS X more secure but that doesn't mean immune. Security comes through obscurity.
- Conway, on 10/12/2007, -0/+1
Will the NoScript extension in FF protect me? Doesn't sound like it.
- mancat, on 10/12/2007, -0/+1
"Not only is BSD more secure because of it's open design, but it is designed with the internet in mind - Windows NT wasn't."
This is said frequently, that Unix was designed "with networking in mind." It was not. Networking was not an original element considered in the general design of Unix. TCP/IP was not even present in Unix until the first Berkeley release. NT has always had TCP/IP networking. It was not something that was "added on" at a later date; it was there from the start.
- NtroP, on 10/12/2007, -0/+1
This from isc.sans.org:
"...Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet), the WMF exploit attempt will result in a warning and not run on its own.
While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive..."
So if you have XPSP2 and DEP enabled for ALL programs, you should be OK.
-- I love my Mac.
- DarkestDays, on 10/12/2007, -0/+1
I'm thinking this is, or can be, in the form of a Winamp exploit. I visited a warez site a few nights ago looking for... well, something, and I got hit with this very exploit. I noticed (among many things) that it had created or modified my winamp.ini file with malicious code, the same script code I saw running before it had infected my system.
My recommendations: if you get nailed with this sucker, don't reboot! Bring up msconfig and disable any startups that you don't recognize, stop any services that shouldn't be running, then try uninstalling (Add/Remove Programs) anything that doesn't belong. Look for new directories too that might have been created. I did a directory/file search for anything that had been created or modified that same day and it helped me find most of the little gems it had installed or manipulated. Of course, to be sure I rid myself of anything I may have missed, I recalled my backup image :)
I think it was the first time I really ever got infected with something. My bad for going to such a site as I did...
- nu11, on 10/12/2007, -0/+1
"Security comes through obscurity."
Yeah right. Security through obscurity is no security at all.
- Warptera, on 10/12/2007, -0/+1
Firefox still has the vulnerability. However, it just prompts the user to open it.
"Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute."
- LilGator, on 10/12/2007, -0/+1
DEP will result in a warning, but is it still possible to comply and launch anyway?
- nzeeshan, on 10/12/2007, -0/+0
m00kie .. if you do an unregister on that DLL file, it gets rid of most vulnerabilities but also breaks Windows Picture and Fax Viewer and IE's capability to view any thumbnails, and makes Paint useless as well.
- Goatweed, on 10/12/2007, -0/+0
So there's no official M$ fix that works?
- beasty_dave_Mk2, on 10/12/2007, -0/+0
"...like most people would have done by now..."
You're saying that "most" of the Firefox users have "change(d) the download actions to work properly" on WMP? Uh... I think not.
- weebs, on 10/12/2007, -0/+0
Is this the same as SpyAxe? I ran into this thing last night, or at least something similar, and it was bad news. I ended up just doing a system restore and it completely resolved the problem, but I certainly got a scare.
- astrotrain, on 10/12/2007, -0/+0
Looks like it is back to the drawing board for the M$ Security Team.
"I say, I say, I made a funny....M$...Security....." - Foghorn Leghorn
Seems like Microsoft takes way too long to develop security patches anymore. It's almost as if they are sitting around playing Tiddlywinks to see who will create the patch. By the time they do create a patch, twenty more security issues come out, and they drop the first one to work on the latest twenty.
This is why it's best to go for an Open Source OS such as Linux; that way you have a user community who supports it rather than a handful of people who are allowed to touch and modify the source code.
- hazmat, on 10/12/2007, -0/+0
Noticed it dropped a file in C:boot.inx and some junk on the desktop as shown in the Sunbelt blog. It also tries to run the netsh command.
- boicraig, on 10/12/2007, -0/+0
This hit my boyfriend's machine just the other day. He was just surfing... pissed me off though, since the day before I had just restored his HD from another attack. He is going to lose internet privileges...
- cubbieco, on 10/12/2007, -0/+0
The problem with Windows is that even in XP some software still requires administrator privileges to run. So most everybody runs as an administrator and these viruses can get to the central system. I've read that Windows Vista will be better about this and require a password to modify certain system files, which should help with most common viruses.
What the Mac has going, and why everybody says it's more secure, is that Unix/Linux was designed to have everything run as a limited user. So you get a virus, it just affects your user account and not the whole system. You need to type a password every time you want to install system-wide software. Most well-written recent OS X software will allow you to install inside your user space, so you rarely need the system password if you want to be extra careful.
So if everybody gets a Mac, yes, there still will be exploits, but they will be much more difficult to write because the system as a whole was built with a better security model. No more of this clicking a stupid attachment and fragging your whole system because of a single click.
I purchased my first Mac 2 months ago; it won't be my last. :-)
- theevilshiftkey, on 10/12/2007, -0/+0
Yawn... There's a new exploit in Windows. Whoop dee doo. There will be a new exploit in Unix next week and we won't hear a thing about it. There will be half a dozen new viruses and we won't hear about them either. Why do we care about this one? Because pointing it out helps to make Microsoft look bad. It has nothing to do with anything else.
- gildude, on 10/12/2007, -0/+0
BTW, Symantec has detection / prevention for this in their DEFs from today.
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html
- loker269, on 10/12/2007, -0/+0
"Take heed of your own advice. If not mistaken, the current version of firefox (1.5) is not susceptible."
It is susceptible if you change the download actions to work properly, like most people would have done by now since Windows Media Player cannot handle WMFs.... so the only reason you think it is not susceptible is because someone at Mozilla made an error and told a file to open with the wrong program.....
- beasty_dave_Mk2, on 10/12/2007, -0/+0
"Maybe reading the articles you submit would help the accuracy of your comments!"
Take heed of your own advice. If I'm not mistaken, the current version of Firefox (1.5) is not susceptible.
- sublime, on 10/12/2007, -0/+0
Thanks caffeinated for those registry fixes. Much easier than patch/restart.
- beasty_dave_Mk2, on 10/12/2007, -0/+0
Also, for those that missed it, caffeinated mentioned that:
"You can use these registry files to disable/enable Windows Print/Fax Viewer:
https://www.securinfos.info/english/WPFV_disable.reg
https://www.securinfos.info/english/WPFV_enable.reg .."
- LilGator, on 10/12/2007, -0/+0
Regardless, this is not a browser exploit; the problem lies with WPFV. Firefox does at least ask you what you want to do with this .wmf first... whereas IE goes to town.
- Shroomie, on 10/12/2007, -0/+0
This happened to my cousin a couple of weeks ago.
- baddmojoe, on 10/12/2007, -0/+0
"ignorrent"
Ironic. Digg needs to make spell checking mandatory.
- multifaceted, on 10/12/2007, -0/+0
@spamdies
Thank you so much for posting how to fix it.
"The way you get rid of it is to reboot in safe mode, kill the temp files (all of them) in your profile, run spybot, and if i remember correctly it has 2 entry's you have to kill under msconfig."