Extremely Critical New zero-day Windows vulnerability being exploited.
IMPORTANT NOTICE: There is an extremely dangerous vulnerability in Windows that you should be aware of. Exploits are currently making the rounds that have the potential of causing widespread and devastating damage.
UPDATE (01/05/2006 5pm CT): Microsoft's patch is READY and being released early. Read the story here.
01/01/2006 1:00 pm Update: SANS is recommending this unofficial patch (click here to download) for the 0day WMF exploit. It has been tested by the SANS people, a couple of antivirus companies and on computers here at NIST.org. It is not very enterprise friendly as it needs to be installed, and later uninstalled, on every computer. But it's all we have at the moment. See the file description for more information. In addition to the patch you should unregister shimgvw.dll with Windows; see these instructions from Microsoft. To un-register Shimgvw.dll, follow these steps:
- Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
- A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
01/01/2006 1:15 am Update: SANS.org and F-Secure are reporting that a new exploit of this vulnerability has been published. The new exploit is much more advanced and dangerous than the previous exploit. According to F-Secure, "It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed." The WMF images can be renamed to have a more common file extension such as JPG or GIF. How many of your users would click on "Funny Santa.jpg" or "adorable baby.jpg"? I would suggest most of them. Even the smart ones have been told over the years that images cannot spread viruses (etc.). This is a very serious situation. I am monitoring this situation closely and have recommended some possible solutions. Check back here frequently for updates on this situation.
---------------------------
A new zero-day vulnerability that allows arbitrary code execution is currently being exploited through Trojan email messages, prompting Microsoft to release an Advisory in record time.
The vulnerability is related to Microsoft Windows WMF (Windows Metafile) handling. Even fully patched Windows XP SP2 machines using IE or Firefox are vulnerable. "0day" means you have little or no time to react. This current threat is no exception: there are no patches currently available to address this vulnerability. It is recommended that if you have the ability to block WMF files at your perimeter mail gateway you do so immediately. The website unionseek[DOT]com is also involved and should be blocked at your company's HTTP proxy if possible. (It is now being reported that WMF files disguised as JPEGs, GIFs, etc. can be used to exploit this, so simply blocking WMF files by extension won't be enough.)
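Because the exploit files can carry a .jpg or .gif name, perimeter filtering has to look at file content rather than the extension. The following Python check is an added example, not code from the original article or from any vendor it cites: it recognizes both WMF header forms (the placeable header key 0x9AC6CDD7 and the standard METAHEADER with mtHeaderSize 9) and returns a gateway verdict; the sample attachments are constructed byte strings, not real exploit files.

```python
# Added example: content-based WMF detection for a mail gateway or proxy filter.
import struct
from pathlib import PurePosixPath

PLACEABLE_WMF_MAGIC = b"\x9a\xc6\xcd\xd7"   # Aldus placeable metafile key, little-endian
WMF_HEADER_SIZE_WORDS = 9                   # standard METAHEADER is 9 words (18 bytes)
EXT_FOR_TYPE = {"jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}, "wmf": {".wmf"}}


def is_wmf(data: bytes) -> bool:
    """True if data begins with a placeable or a standard WMF header."""
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return True
    if len(data) < 18:
        return False
    # METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize 9, mtVersion 0x0100 or 0x0300
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_size == WMF_HEADER_SIZE_WORDS and version in (0x0100, 0x0300)


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes; WMF is checked first so a renamed file cannot hide."""
    if is_wmf(data):
        return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def gateway_verdict(filename: str, data: bytes) -> str:
    """'block' for any WMF content, 'mismatch' when the extension lies about another known type, else 'allow'."""
    actual = sniff_type(data)
    ext = PurePosixPath(filename).suffix.lower()
    if actual == "wmf":
        return "block"
    if actual in EXT_FOR_TYPE and ext not in EXT_FOR_TYPE[actual]:
        return "mismatch"
    return "allow"


# Constructed samples (not real malware): a standard WMF header renamed .jpg, a placeable
# WMF renamed .gif, a genuine JPEG and a genuine GIF. The WMF bodies are all-zero padding.
SAMPLES = {
    "Funny Santa.jpg": struct.pack("<HHHIHIH", 2, 9, 0x0300, 18, 0, 0, 0),
    "adorable baby.gif": PLACEABLE_WMF_MAGIC + b"\x00" * 18,
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "banner.gif": b"GIF89a" + b"\x00" * 14,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20} {sniff_type(blob):8} -> {gateway_verdict(name, blob)}")
```

The check only inspects headers, so it is a gateway triage signal to pair with the registry workaround and the patch, not a replacement for them.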
Entry vectors include: rogue web pages, Trojan email messages, P2P downloads. Even Firefox is not immune, as a downloaded WMF graphics file immediately loads the "Windows Picture and Fax Viewer", which is vulnerable. Over the past 24 hours F-Secure has seen three different WMF files carrying the 0day WMF exploit. Their antivirus program currently detects them as W32/PFV-Exploit.A, .B and .C.
NOTE: Any third-party program that utilizes the shimgvw.dll graphics rendering engine is also vulnerable. This includes the Google Desktop and (as discovered by NIST.org) Lotus Notes. Click here for information on the Lotus Notes vulnerability.
Warning to IT Security types: Do not attempt to analyze this exploit from a Windows based computer. It is very easy to trigger this exploit.
Microsoft has moved very quickly to get information out on this serious threat: see the Microsoft Advisory. They are also listing a workaround that disables the Windows Picture and Fax Viewer (Shimgvw.dll) through a registry setting.
Click here to read the other NIST.org articles on the WMF Exploits
US-CERT.GOV Technical Cyber Security Alert
See F-Secure.com for more information. Also see Secunia.com's Extremely Critical advisory and the SANS.org 12/29 Handler's Diary.