±Recent Visitors

Recent Visitors to Com-Central!

±User Info-big

Welcome Anonymous


Latest: cgsimpson
New Today: 0
New Yesterday: 0
Overall: 6645

People Online:
Members: 0
Visitors: 199
Total: 199
Who Is Where:
01: Community Forums
02: Community Forums
03: Community Forums
04: CPGlang
05: Community Forums
06: Community Forums
07: Community Forums
08: CPGlang
09: Community Forums
10: Community Forums
11: CPGlang
12: Supporters
13: Photo Gallery
14: Home
15: Community Forums
16: CPGlang
17: Community Forums
18: Community Forums
19: Community Forums
20: Community Forums
21: Community Forums
22: Community Forums
23: Community Forums
24: Community Forums
25: Community Forums
26: Community Forums
27: Community Forums
28: Photo Gallery
29: Downloads
30: Photo Gallery
31: Home
32: Downloads
33: Community Forums
34: Photo Gallery
35: Community Forums
36: Community Forums
37: CPGlang
38: Photo Gallery
39: Community Forums
40: Photo Gallery
41: Home
42: Statistics
43: Community Forums
44: News
45: Community Forums
46: Community Forums
47: Community Forums
48: Community Forums
49: Home
50: Home
51: Community Forums
52: Community Forums
53: Home
54: Home
55: Community Forums
56: Community Forums
57: Community Forums
58: Community Forums
59: CPGlang
60: Downloads
61: Home
62: Community Forums
63: Home
64: Community Forums
65: Community Forums
66: Community Forums
67: Community Forums
68: Downloads
69: Home
70: Community Forums
71: Community Forums
72: Community Forums
73: Community Forums
74: Home
75: Community Forums
76: Community Forums
77: Community Forums
78: Community Forums
79: Community Forums
80: Photo Gallery
81: Community Forums
82: Community Forums
83: Community Forums
84: Downloads
85: Community Forums
86: Community Forums
87: Community Forums
88: Community Forums
89: Community Forums
90: Community Forums
91: Photo Gallery
92: Community Forums
93: CPGlang
94: Community Forums
95: Home
96: Home
97: Member Screenshots
98: Home
99: Home
100: Community Forums
101: Community Forums
102: Your Account
103: Community Forums
104: Home
105: Community Forums
106: Community Forums
107: Downloads
108: Community Forums
109: Community Forums
110: Downloads
111: Photo Gallery
112: Home
113: CPGlang
114: Community Forums
115: Community Forums
116: Community Forums
117: Community Forums
118: Community Forums
119: Home
120: Community Forums
121: Community Forums
122: Community Forums
123: Community Forums
124: Home
125: Search
126: Home
127: Community Forums
128: Community Forums
129: Home
130: Community Forums
131: Photo Gallery
132: Community Forums
133: Community Forums
134: Community Forums
135: Community Forums
136: Home
137: Community Forums
138: Home
139: Home
140: Community Forums
141: Community Forums
142: Photo Gallery
143: Search
144: Home
145: CPGlang
146: Community Forums
147: Home
148: Photo Gallery
149: Community Forums
150: CPGlang
151: Community Forums
152: Statistics
153: Community Forums
154: Community Forums
155: Community Forums
156: Community Forums
157: Downloads
158: CPGlang
159: Community Forums
160: Community Forums
161: Photo Gallery
162: Home
163: Community Forums
164: Community Forums
165: CPGlang
166: Community Forums
167: Home
168: Home
169: Community Forums
170: Downloads
171: Community Forums
172: Community Forums
173: Photo Gallery
174: Community Forums
175: Community Forums
176: Photo Gallery
177: Community Forums
178: Photo Gallery
179: Photo Gallery
180: Community Forums
181: Community Forums
182: Photo Gallery
183: Community Forums
184: Home
185: Photo Gallery
186: Community Forums
187: Community Forums
188: Community Forums
189: Community Forums
190: Photo Gallery
191: Community Forums
192: Community Forums
193: Photo Gallery
194: Community Forums
195: CPGlang
196: Downloads
197: Home
198: Community Forums
199: Community Forums

Staff Online:

No staff members are online!
This looks like a bad one! :: Archived
Resolve issues with your computer problems here or read about the latest computer parts and information.
Post new topic    Revive this topic    Printer Friendly Page     Forum Index ›  Hardware

Topic Archived View previous topic :: View next topic  
Author Message
Power User

Offline Offline
Joined: Jan 05, 2005
Posts: 6256
Location: Cyberspace
PostPosted: Sun Jan 01, 2006 5:53 pm
Post subject: This looks like a bad one!


Advice on impementing the fix from y'all?
'Extremely Critical Flaw' in Windows Discovered, Already Exploited
Friday, December 30, 2005
By Lisa Vaas

Microsoft Corp. has issued a security advisory for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) that is now being exploited on fully patched systems by malicious attackers.
Websense Security Labs is tracking thousands of sites distributing the exploit code from a site called iFrameCASH BUSINESS.
That site and numerous others are distributing spyware and other unwanted software, replacing users' desktop backgrounds with a message that warns of spyware infection and which prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.
Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition.
Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.
In this fluid attack, researchers have kept up a steady stream of new details about the extent of the exploit's reach, with Google Desktop being the latest reported vector.
F-Secure reported on Wednesday that Google Desktop tries to index image files with the exploit, executing it in the process. F-Secure reports that this exploitation-via-indexing may wind up occurring with other desktop search engines as well.
(Story continues below)

Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether.
A workaround called REGSVR32 has been posted and was included in Microsoft's advisory. However, it should be noted that as of Thursday evening, some security researchers were reporting that the workaround is not fully successful.
The workaround is as follows, as quoted from the advisory:
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%system32shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
� Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%system32shimgvw.dll" (without the quotation marks).
F-Secure notes that this workaround beats filtering .wmf files, given that files with other image extensions � such as BMP, GIF, JPG, JPEG, TIFF, etc. � can be used to exploit machines.
F-Secure also recommends filtering domains at corporate firewalls. These sites should be listed as off-limits:
F-Secure notes that it's seen 57 versions of this malicious .wmf file exploit as of Thursday, detected as PFV-Exploit.
The security firm is predicting that, even though the exploit has only been used to install spyware or fake antispyware/antivirus software thus far, it anticipates that real viruses will start to spread soon.
According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.
"This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image."
According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev.
F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.
F-Secure traced the exploit to Russian sites, one of which is allegedly registered to former Soviet Union President Mikhail Gorbachev.
Sunbelt warns that users are likely to get infected by being directed to one of the sites via spam that offer dirty pictures, free software or other bait.
The attack works by tricking users into opening malicious ".wmf" files in "Windows Picture and Fax Viewer" or by previewing such a file by selecting it in Windows Explorer. The attack can also be triggered automatically when visiting malicious Web sites via Internet Explorer.
Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug's severity.
Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.
"There's no such thing as 'extremely critical' when user interaction is required," Lindstrom said. "That's just silly."
But as far as using IE goes, download of malicious software is automatic, happening immediately upon going to the site, pointed out Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
John Pescatore, an analyst with Gartner Inc., said that this type of attack may be slowed down by requiring users to click on a malicious .wmf file or to go to a malicious Web site, but that doesn't mean it won't spread fast, given users' willingness to click on bait.
"One of these [attacks] where clicking on a URL [is involved], those can spread pretty fast," he said, given users' proclivity to click away.
"We do online consumer studies. Two years ago, 30 percent had fallen for phishing [schemes]. They entered their user name, password or credit card information. This year, many fewer completely fell for them, but they still clicked on the link in the phishing e-mail."
Given the rise of keystroke loggers that can automatically be downloaded onto a user's system after the user visits a malicious site, that means the Web-surfing population is still ripe for phishing, Pescatore said.
"They're still clicking on links, and whenever malicious software gets installed, that's when you get a critical rating, because all sorts of bad things can happen."
According to Secunia, the vulnerability is caused by an error in handling corrupted .wmf files � a graphics file format used to exchange graphics information between Microsoft Windows applications that can hold vector and bit-mapped images.
Secunia confirmed the vulnerability on a fully patched system running Windows XP SP2. The advisory said that Windows Server 2003 SP0 and SP1 systems have also reportedly been affected.
A Microsoft spokesman told eWEEK in an e-mail exchange on Wednesday that Microsoft "is investigating new public reports of a possible vulnerability in Windows," although he didn't give an ETA for a patch.
"Microsoft will continue to investigate the public reports to help provide additional guidance for customers," he said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs."
The spokesman went on to encourage customers to follow Microsoft's Protect Your PC guidelines of enabling a firewall, getting software updates and installing anti-virus software.
Customers who think they've been affected can also contact Product Support Services, which is at 1-866-PCSAFETY in North America or at support.microsoft.com/security for outside North America.
Microsoft also advises customers who think they've been attacked to contact their local FBI office or to post the incident on www.ifccfbi.gov. Customers outside the United States should contact the national law enforcement agency in their country, the spokesman said.
The advisory issued by Microsoft later on Wednesday said that Microsoft is aware of the code, which allows an attacker "to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image."
Microsoft's advisory echoed Lindstrom's take, however, stating that attackers have "no way to force users to visit a malicious Web site."
Instead, the advisory continued, attackers have to persuade users to visit the sites, "typically by getting them to click a link that takes them to the attacker's Web site."
The advisory said that Microsoft would either be issuing a patch through its monthly release process or would provide an out-of-cycle security update, "depending on customer needs."
Microsoft's spokesman declined to state how many customers had reported that they had been victimized by the attack.
Secunia advised that users avoid opening or previewing untrusted .wmf files, as well as set security level to "High" in IE.
Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software to designate what software is allowed to run on a system and what it's allowed to do.
As far as the short-term response to this particular vulnerability goes, Lindstrom echoed Secunia's advisory when it comes to untrusted files: "Don't click on it," he said.
Editor's Note: This story was updated to include Microsoft's statement, more on the recommended workaround and more details about the exploit from Sunbelt and F-Secure.

"All facts go to clearly prove that Shades is a thrice-cursed traitor & mentally deranged person steeped in inveterate enmity toward mankind"
Back to top
View user's profile Photo Gallery

Offline Offline
Joined: Jan 21, 2005
Posts: 6995
Location: Central Illinois, USA
PostPosted: Wed Jan 04, 2006 11:51 am
Post subject: Re: This looks like a bad one!

Thanks for the heads up on this one Ascout! I don't know about anyone else, but I like and use WMP quite often... Wink
Back to top
View user's profile Visit poster's website Photo Gallery
Display posts from previous:   
Post new topic    Revive this topic    Printer Friendly Page    Forum Index ›  Hardware
Page 1 of 1
All times are GMT - 6 Hours

Archive Revive
This is an archived topic - your reply will not be appended here.
Instead, a new topic will be generated in the active forum.
The new topic will provide a reference link to this archived topic.