Urgent Security Alert for All Windows Users

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

George asked:
<blockquote>Do you recommend we turn off Windows auto update after installing the above referenced temp patch? I'm wondering what would happen if the patch gets applied thru the auto update function before the temp patch gets removed.</blockquote>
Do NOT turn off automatic Windows updates. After you do receive the eventual MS patch via Windows Update, then you can uninstall the private hotfix and test for vulnerabilities using the test file I mentioned in my last post.

There will be more info released on the security sites once MS does release a patch, and I will post it here.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Microsoft is about to release an approved patch for the WMF vulnerability, supposedly for "all affected platforms." That may include deprecated OSs like Windows 98. The patch will be pushed out on January 10, which is the second Tuesday of the month, the standard patch release day for MS. You can read the entire MS advisory here: http://www.microsoft.com/technet/security/advisory/912840.mspx

Until then I still recommend using the third party patch mentioned previously, as well as lowering your rights for your day to day browsing account. If you have Win XP you can use Fast User Switching to enter your Admin level account to install, uninstall, or update programs, or to run defragmenter, then switch back to continue browsing, etc.

Remember, the damage inflicted by any trojan, hijacker, backdoor, or sleazeware installer is limited by the scope of the user's rights for the affected account. Limited accounts will not allow any program to install any files into the system directories, or install any services, or alterations to the Windows "shell".

Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

On January 2nd I said that I was looking into what protection was available for Windows 9x or ME computers. I have found a third party patch available on the NOD32 website, which users of Windows 95, 98 and ME can install, at least until MS releases their "official patch."

Go to this page and scroll down where it says - WMF Patch by Paolo Monti. You will find a download link to his zipfile containing the patch, along with his disclaimers and a list of OSs covered.

For those who didn't already know about NOD32 Anti Virus, it is among the top rated products in the World.

[This message was edited by Wiz Feinberg on 04 January 2006 at 04:24 PM.]
Anders Brundell
Posts: 636
Joined: 2 Nov 1999 1:01 am
Location: Falun, Sweden

Post by Anders Brundell »

Is Microsoft's fix KB912919 the solution?
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

According to the Microsoft security bulletin I got this afternoon, the security update will be available at 2:00 pm PT as MS06-001.
Mike Selecky
Posts: 370
Joined: 15 Jan 2001 1:01 am
Location: BrookPark, Ohio

Post by Mike Selecky »

From the info on Microsoft's site it appears that Win98 is not protected by this patch:


Date: Jan 5, 2006
Bulletin Description: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919): MS06-001
Affected Software: Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition
Service Packs: Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows Server 2003 SP1
Bulletin Rating: Critical

[This message was edited by Mike Selecky on 05 January 2006 at 04:21 PM.]
Jon Light (deceased)
Posts: 14336
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Post by Jon Light (deceased) »

I received notification of a Windows update via auto-notification. It didn't have the usual form by which I could see the details and opt in/out. So I don't know for a fact that I downloaded this particular patch. But I downloaded something. FWIW, I uninstalled the private temp patch and ran the security check which declared me 'invulnerable'. Trusting nothing, anymore, I will wait and see what more patches, tests, and general info come down the pike.
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Here is what Microsoft has to say to its customers who are still running Windows 98, or M.E. operating system, regarding this vulnerability and the patch which was released today...
<blockquote>
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.
</blockquote>
Please refer to my information posted yesterday about a patch for Windows 9x, from a third party.

Users who did receive the official update can test their system using the vulnerability test file mentioned several posts above here, then uninstall the private patch, if they installed it as a stop-gap measure.
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

<h3>Leo Laporte and Steve Gibson are joined by Ilfak Guilfanov, at Security Now</h3>

Here's one you guys won't want to miss. As you know by now, I am a security nut, and one of my feeding grounds is at grc.com/securitynow.htm

Well, there is a brand new audio transcript available at SecurityNow, in which Ilfak Guilfanov joins Leo and Steve to discuss the Windows WMF vulnerability and the patch he created, while the world waited for Microsoft to release its own version. The new episode is #21, The Windows MetaFile (WMF) Vulnerability. Download it and play it in your media player, and learn.

[This message was edited by Wiz Feinberg on 05 January 2006 at 09:59 PM.]
Colin Goss
Posts: 338
Joined: 4 Aug 1998 11:00 pm
Location: St.Brelade, Island of Jersey, Channel Islands, UK

Post by Colin Goss »

Windows released their wmf patch today and I have downloaded it. However the thumbnail pictures of graphic files in the windows explorer still do not work - the patch above removed that. How can this be restored?
Jon Light (deceased)
Posts: 14336
Joined: 4 Aug 1998 11:00 pm
Location: Saugerties, NY

Post by Jon Light (deceased) »

The very first post in this thread provides instructions for disabling and for re-enabling the component involved with thumbnail previews. That was the first thing I did. I just did the re-enabling procedure and it all seems to work again.
Ray Minich
Posts: 6431
Joined: 22 Jul 2003 12:01 am
Location: Bradford, Pa. Frozen Tundra

Post by Ray Minich »

The "security now" website is a great resource. Thanks Wiz.
(As Andy Grove of Intel fame is supposed to have said, "Be afraid, very afraid...")
From the news.com site...
(Andy) Grove came to the U.S. as a refugee from Hungary (via a quick stop in Austria). After graduate school at UC Berkeley, he joined Fairchild and then Intel, as its fourth employee. Besides serving as CEO and Chairman at Intel, he has written a number of books, including "Only the Paranoid Survive."

[This message was edited by Ray Minich on 06 January 2006 at 12:13 PM.]
Pete Burak
Posts: 6558
Joined: 2 Oct 1998 12:01 am
Location: Portland, OR USA

Post by Pete Burak »

I downloaded the Win98 patch from the site Wiz posted. It says no reboot is required (although something will probably cause me to reboot before long).

So am I good to go now? (besides the fact that I'm using a box that I got in '98).

Al Marcus
Posts: 9440
Joined: 12 May 1999 12:01 am
Location: Cedar Springs,MI USA (deceased)

Post by Al Marcus »

Hi Wiz-How do you "copy" and "Paste" from the forum and where do you paste it to....al


------------------
My Website..... www.cmedic.net/~almarcus/


Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Al queried Wiz's Positronic net with this question:
<blockquote>How do you "copy" and "Paste" from the forum and where do you paste it to?</blockquote>
Assuming that you are using a Windows PC or laptop, and you have a mouse with left and right buttons on top of it, locate the text/commands that you want to copy. As you move your mouse over standard text the cursor should change to a vertical I-beam shape. When you see the beginning of the text to be copied press down on the left mouse button and hold it down. Now, drag the mouse to the end of the text to be copied, then let go of the left button. Your desired text should be highlighted (in blue). Next, press the Control and C keys together, to copy the highlighted text. Find the destination field and click in it to make it active, then press the Control and V keys together, to paste it into that field.

It sounds to me like you want to copy and paste the command to de-, or re-register the vulnerable .dll, right? If that is the case follow my expert instructions to copy the code snippette from my first Post in this thread. Once it is copied it stays in a virtual space in memory called the Windows Clipboard. Next, click your left mouse button on the START button, on the left end of the taskbar on the bottom of the Windows Desktop. One of the first options to flyout (on the right in Windows XP) is named RUN. Click on RUN and a text input field will open. Click once inside that text input field to make it active, then press the Control and V keys together, to paste the command into the Run box, then press your ENTER key to execute it.

If you have copied the correct code, without leaving anything out, or including an unneeded character, you will see a popup notice that such and such a .dll was (Un)Registered (depending on which code you copied and pasted). The change should take place immediately. If it doesn't, click once on an empty spot on the Windows desktop to refresh the view and try viewing thumbnails in your images/pictures folder. If that still doesn't work, try rebooting the computer. If that doesn't work, try putting your boots to the computer (that'll fix 'er for good!).

[This message was edited by Wiz Feinberg on 06 January 2006 at 03:40 PM.]
Bobby Boggs
Posts: 6467
Joined: 2 Dec 1999 1:01 am
Location: Upstate SC.

Post by Bobby Boggs »

<blockquote>The patch will be pushed out on January 10, which is the second Tuesday of the month</blockquote>
<blockquote>According to the Microsoft security bulletin I got this afternoon, the security update will be available at 2:00 pm PT as MS06-001.</blockquote>
Ok. I'm a little confused. Is the patch ready now? If so? Can I go back to business as usual?? I'm running XP. Thanks for all you do. Regards Bobby
Steinar Gregertsen
Posts: 3234
Joined: 18 Feb 2003 1:01 am
Location: Arendal, Norway, R.I.P.

Post by Steinar Gregertsen »

It was automatically installed on my PC when I turned it on this morning, so if yours is set to update automatically you should have it by now.

Do a check with the vulnerability checker Wiz posted on the first page of this thread, just to be sure.

Steinar

------------------
www.gregertsen.com


Bobby Boggs
Posts: 6467
Joined: 2 Dec 1999 1:01 am
Location: Upstate SC.

Post by Bobby Boggs »

Gee, I'm really a dummy. I thought we were supposed to set it up where nothing could be auto installed. Limited user or whatever it's called?
<blockquote>Read the instructions on that web page, download either the .exe or .zip file, check for viruses, then run it. It will tell you if your computer is vulnerable to at least one exploit, but not all of them</blockquote>
Is this the program you're relying on? Just asking. Thanks.........bb

[This message was edited by Bobby Boggs on 06 January 2006 at 10:55 PM.]
Wiz Feinberg
Posts: 6113
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Ilfak's patch has saved many tens of thousands of computers from being compromised, until Microsoft released basically the same thing. Yes, I did trust it, and those who recommended it. Listen to his interview with Leo Laporte and Steve Gibson, and you will understand why.

Steinar Gregertsen
Posts: 3234
Joined: 18 Feb 2003 1:01 am
Location: Arendal, Norway, R.I.P.

Post by Steinar Gregertsen »

Bobby, you can check your PC and, if needed, download the update on Microsoft's website here.
That should take care of it.

Steinar

------------------
www.gregertsen.com


Bobby Boggs
Posts: 6467
Joined: 2 Dec 1999 1:01 am
Location: Upstate SC.

Post by Bobby Boggs »

Thanks Steinar. Regards Bobby
Anders Brundell
Posts: 636
Joined: 2 Nov 1999 1:01 am
Location: Falun, Sweden

Post by Anders Brundell »

Steinar;
Is the fix you got automatically called KB912919? I got that fix installed automatically from MS update page the other day, but I haven't been able to understand if that's the very fix in question, so I'm not a 100 proof sure if my pc is safe now.

Anders
Bill Bosler
Posts: 317
Joined: 14 Apr 2004 12:01 am
Location: Schwenksville, Pennsylvania, USA

Post by Bill Bosler »

Anders - That's the one. You can read about it by opening your main menu and going to Windows Updates and click Update History.
Charlie McDonald
Posts: 11065
Joined: 17 Feb 2005 1:01 am
Location: out of the blue

Post by Charlie McDonald »

Thank you!
Anders Brundell
Posts: 636
Joined: 2 Nov 1999 1:01 am
Location: Falun, Sweden

Post by Anders Brundell »

Thanks, Bill!

Then I dare to remove Ilfak Guilfanov's fix.