#1
01-03-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044

Trojan alert over unpatched Windows flaw

Microsoft scrambles to fix 'severe' security flaw

Previously unknown flaw leaves PCs vulnerable to spyware, viruses



A previously unknown flaw in Microsoft Corp.'s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programs that could overtake their machines and has sent the company scrambling to come up with a fix.

Microsoft said in a statement yesterday that it is investigating the vulnerability and plans to issue a software patch to fix the problem. The company could not say how soon that patch would be available. (MSNBC is a Microsoft - NBC joint venture.)

Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue."

Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.

Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.

An estimated 90 percent of personal computers run on Microsoft Windows operating systems. Microsoft has found itself under attack on several instances and has been forced to issue a number of patches to keep computers running Windows safe. Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser.


Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.

"The problem with this attack is that it is so hard to defend against for the average user," said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda.

At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.

Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said.

Dean Turner, a senior manager at anti-virus firm Symantec Corp. of Cupertino, Calif., said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites.

Eric Sites, vice president of research and development for anti-spyware firm Sunbelt Software, said he has spotted spyware being downloaded to a user's machine by online banner advertisements.

"Pretty much all of the spyware guys who normally use other techniques for pushing this stuff down to your machine are now picking this exploit up," Sites said.

Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.

Richard M. Smith, a Boston security and privacy consultant, said he was particularly worried that the vulnerability could soon be used to power a fast-spreading e-mail worm.

"We could see the mother of all worms here," Smith said. "My big fear is we're going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that's extremely virulent."


From:
http://www.msnbc.msn.com/id/10651414/


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

#2
01-03-2006
joe5

Workaround, Protections Emerge for WMF Exploit


Updated: Anti-malware products deploy detection signatures as exploits multiply, and a registry-based workaround has been developed.

Anti-virus and intrusion protection firms are reacting quickly to a new zero-day exploit for Windows, and a workaround has been devised by an independent researcher.

According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four.

By the same token, many products, such as ClamAV and Trend Micro, had no protection. The situation is very fluid, so by the time you read this, more protection and more exploits will likely be available.

Many other companies are still in the process of implementing protection and have deployed it only for some of the available exploits.

And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.


First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL, click Start, then Run, then enter the following command:
  • regsvr32 /u shimgvw.dll
To re-enable the same DLL, click Start, then Run, then enter the following command:
  • regsvr32 shimgvw.dll

The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.

Editor's Note: This story has been modified to remove a registry modification which had been reported effective against the vulnerability. Subsequent testing shows that it is not effective against the vulnerability.


From:
http://www.eweek.com/article2/0,1895,1906211,00.asp


#3
01-03-2006
joe5
Solution from Castlecops

Solution from, and thanks to, Castlecops:


There is a new danger floating around the Internet right now, a zero-day exploit taking advantage of the Windows Media Format (WMF) vulnerability. It's not limited to WMF files; it is taking the shape of images as well. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.

This is not a joke.

Many antivirus companies cannot discover this malware at present. Microsoft is not responding fast enough. Download a brand new WMF vulnerability checker to see if you are susceptible [details]. However, don't let this stop you from applying two specific workaround patches.

Read the following two articles and install the "Windows WMF Hotfix" followed by de-registering the file "shimgvw.dll". Then reboot. Now, wait with the rest of us for Microsoft and antivirus companies to officially patch this vulnerability and detect/clean it. Spread the word.

- Install the WMF Hotfix
- De-register the "shimgvw.dll" file

UPDATE: New versions of the hotfix and checker exist which permit system administrators to batch deploy and check network systems. [Read Here]


http://castlecops.com/


#4
01-06-2006
joe5

Microsoft just released an official patch:

Security Update for Windows XP (KB912919)



Go get it now at Windows Update.

