Urgent Security Alert for All Windows Users
Moderator: Wiz Feinberg
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Urgent Security Alert for All Windows Users
<h1>Newly Discovered & Immediately Exploited Windows Vulnerability</h1>
<small>Courtesy http://www.grc.com and Steve Gibson - Security Now</small>
A serious new remotely exploitable Windows vulnerability has been discovered in a highly-used and readily exploitable Windows component. The "SHIMGVW.DLL" is used for rendering Windows Metafiles, but can reportedly also be invoked whenever Windows attempts to display non-metafile images as well.
Since malicious exploits for this vulnerability are already in the wild and are being actively used to install malware into user's machines . . .
You should IMMEDIATELY disable Windows' use of this DLL until new patches from Microsoft are available.
To immediately disable the vulnerable Windows component:
Logon as a user with full administrative rights.
Click the Windows "Start" button and select "Run..."
Enter the following string into the "Open" field:
regsvr32 -u %windir%\system32\shimgvw.dll
(You can copy/paste from this page using Ctrl-C/Ctrl-V)
Click "OK" to unregister the vulnerable DLL.
If all goes well, you will receive a confirmation prompt, and your system is now safe. No need to reboot, but you might want to just to be sure that any possible currently loaded instance is flushed out.
To eventually reenable the "SHIMGVW.DLL" component:
Logon as a user with <u>full administrative rights</u>.
Click the Windows "Start" button and select "Run..."
Enter the following string into the "Open" field:
regsvr32 %windir%\system32\shimgvw.dll
(You can copy/paste from this page using Ctrl-C/Ctrl-V)
Same as the one above, but no "-u" for "uninstall".
Click "OK" to re-register the (hopefully) non-vulnerable DLL.
<hr>
More from spywareinfo.com
Web sites which engage in drive-by installations are going nuts. In less than 48 hours after this flaw became public knowledge, thousands of web sites are believed to have started using the exploit to install spyware. At least one adware program, which pops up advertisements on certain partner web sites, is exploiting the WMF flaw to install additional software.
This is a very dangerous problem. The Windows graphics rendering engine runs as a system process, which means that software installed through this flaw will have system-level permissions. Any piece of software, running on a vulnerable system, can execute a malicious package merely by attempting to open a specially-crafted image. This includes your email program, your web browser and image viewing software. The most likely means of exploiting this flaw will be to insert malicious images onto web pages and within spam email.
<hr>
I will keep you updated as more facts, fixes or workarounds emerge.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
[This message was edited by Wiz Feinberg on 30 December 2005 at 11:39 AM.]
[This message was edited by Wiz Feinberg on 06 January 2006 at 03:41 PM.]
-
Jon Light (deceased)
- Posts: 14336
- Joined: 4 Aug 1998 11:00 pm
- Location: Saugerties, NY
-
Walter Stettner
- Posts: 5771
- Joined: 21 Nov 2003 1:01 am
- Location: Vienna, Austria
Done also!
Thanks for the alert!
Kind Regards, Walter
www.lloydgreentribute.com
www.austriansteelguitar.at.tf
-
Bill Bosler
- Posts: 317
- Joined: 14 Apr 2004 12:01 am
- Location: Schwenksville, Pennsylvania, USA
-
Larry Robbins
- Posts: 3522
- Joined: 18 Feb 2003 1:01 am
- Location: Fort Edward, New York
-
John Bresler R.I.P.
- Posts: 1221
- Joined: 4 Aug 1998 11:00 pm
- Location: Thornton, Colorado
-
Steinar Gregertsen
- Posts: 3234
- Joined: 18 Feb 2003 1:01 am
- Location: Arendal, Norway, R.I.P.
Ugh! I can't open my photos anymore, but I guess that's some of the point with disabling the dll...? I can open them in PhotoShop, but that's a bit of a workaround; hopefully Microsoft will offer a fix for this pretty soon.
Steinar
------------------
www.gregertsen.com
-
Jim Phelps
- Posts: 3421
- Joined: 6 Sep 2002 12:01 am
- Location: Mexico City, Mexico
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
<h2><center>GO TO RED ALERT</center></h2>
The news from various security sources indicates that this vulnerability is seated deep within the various versions of the Windows SubSystem, at least back to Windows 95, and possibly earlier. I remember using Windows WMF graphics files on my first Windows 95 computer, which was upgraded from Windows 3.11. It is browser and email client agnostic and can even infect a DOS box, provided Google Desktop Search is installed and tries to index a downloaded WMF image.
I propose these temporary solutions, in addition to the one I posted at the start of this thread:
Simply opening an email that contains a hostile WMF image can infect your computer. This can happen if you have a live preview of new emails. Turning off the Preview feature will give you one level of protection. Find your email options for layout and de-select Previewing. In Outlook Express this is found under View > Layout - with a checkbox labeled Show Preview Pane. Uncheck that option and click Apply.
You should also disable html functions when reading email, which also disables the displaying of any embedded images. If you use Microsoft Outlook Express open your options (Tools > Options) to the Read tab and check the box labeled "Read all messages in plain text." If you use Outlook there will be a similar option somewhere (I don't use Outlook). If you get your email via your browser find your options and see if there is one to block images and active content and select that option.
Users can also ditch Internet Explorer for Firefox or Opera. The vulnerability isn't within IE itself, but that browser does open WMF files automatically without asking permission from the user. Firefox and Opera at least put up a dialog box asking the user if he or she wants to open the file with Windows Picture and Fax Viewer. Using Firefox or Opera, however, doesn't guarantee that a PC is immune, since a malicious WMF file could still be introduced via e-mail.
People are out there trying to trick everybody they can to visit websites that have malicious WMF files embedded in them. Their goals are to install adware, spyware, keyloggers, backdoors and other bad stuff on your computers.
<h3>Another Useful Solution</h3>
One more thing you can do if you are running Windows 2000 or newer is to lower your user privileges to "User" or "Limited User." First go to Control Panel and open the Users and Passwords item and create a new account with Admin privileges and give it a password. Next, open your existing account by name and change it to Limited User in Windows XP, or to User in Windows 2000 or Server. Once you apply these changes log off your account and log back in with limited privileges. This will limit the damage that can be done if your computer gets infected via this exploit.
If you need admin privileges to install or update a program use your RunAs command, or else log off and log into your new Admin account and perform the upgrade or installation from there, selecting All Users can use the program, if asked.
I have been reading a lot about this problem, and so far these are the best actions you can take to protect yourselves. As I learn of any more proactive things to do to protect your PCs I will post them in this thread.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
[This message was edited by Wiz Feinberg on 31 December 2005 at 08:56 AM.]
-
Larry Robbins
- Posts: 3522
- Joined: 18 Feb 2003 1:01 am
- Location: Fort Edward, New York
WOW,
Did all of the above, and that's no small undertaking for someone with my limited brain power! But, better safe than sorry I guess.
Thank you Wiz, for looking out for all of us!
This is a bit of a pain but, it sure beats the heck out of the alternative!
...Oh yeah...even using Mozilla Firefox now!
[This message was edited by Larry Robbins on 31 December 2005 at 11:18 AM.]
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
<h3>Another temporary fix for the WMF Vulnerability</h3>
I just read information at GRC about a temporary patch that has been created by another security pro, and is available via GRC, on this page: http://www.grc.com/sn/notes-020.htm
Read the details first, then decide if you want to install this private sector patch. If you do apply it be sure to remove it after Microsoft issues its official patch (hopefully real soon!)
I just installed the temporary patch with no ill effects.
For those of you who don't already know, GRC.com is owned and operated by Steve Gibson, one of the foremost professionals in the online security business. Maybe you've heard about, or used his ShieldsUp Port Scanner to test your defenses against hostile TCP scans. Steve is a forerunner in alerting the public to exploitable vulnerabilities in Windows operating systems, and I am an avid reader of his website.
Steve has teamed up with Leo Laporte, formerly of TechTV, to produce a series of security alerts with great details about the implications of various vulnerabilities in the technologies we depend upon. They are in downloadable audio and html format, and can be found at: http://www.grc.com/securitynow.htm
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
[This message was edited by Wiz Feinberg on 31 December 2005 at 12:35 PM.]
[This message was edited by Wiz Feinberg on 31 December 2005 at 12:43 PM.]
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Here is the text of the Secunia bulletin about this vulnerability:
Secunia Advisory: Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution
Extremely critical
Description: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow an arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).
The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.
The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.
Secunia Advisory here: http://secunia.com/advisories/18255/
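The advisory quoted above names the trigger as a WMF Escape record whose sub-function is SETABORTPROC, and notes that renaming the file to .jpg or .gif does not help because the rendering code looks at the bytes, not the name. The scanner below is an example added here for illustration; it is not code from the thread, from Secunia or from GRC. It walks the metafile record stream and reports any SETABORTPROC escape, deciding from the bytes alone so the extension plays no part. The layout it assumes is the public WMF format: an optional 22-byte placeable header, an 18-byte standard header, then records made of a 4-byte size in words and a 2-byte function number, with Escape being function 0x0626 and SETABORTPROC being escape id 9. The sample blobs at the bottom are constructed for the demonstration and contain no executable data.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record function number for Escape
SETABORTPROC = 0x0009        # Escape sub-function named in the advisory


def _header_offset(data):
    """Return the offset of the 18-byte standard WMF header, or None if the
    bytes do not look like a metafile. The check is deliberately loose (only
    type and header size), since exploit files used odd version fields."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mt_type, header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_size != 9:
        return None
    return off


def find_setabortproc(data):
    """Walk the record stream and return (offset, escape_id) for every Escape
    record whose sub-function is SETABORTPROC. Empty list for clean WMF bytes
    and for anything that is not a metafile."""
    start = _header_offset(data)
    if start is None:
        return []
    findings = []
    pos = start + 18
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if function == META_EOF or size < 6:
            break  # end of metafile, or a record size that cannot be walked
        if function == META_ESCAPE and pos + 8 <= len(data):
            escape_id = struct.unpack_from("<H", data, pos + 6)[0]
            if escape_id == SETABORTPROC:
                findings.append((pos, escape_id))
        pos += size
    return findings


def verdict(data):
    """'not-wmf', 'wmf' or 'wmf-setabortproc', from the bytes only, so a
    metafile renamed to .jpg or .gif gets the same answer as a .wmf."""
    if _header_offset(data) is None:
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc(data) else "wmf"


def scan_file(path):
    """Read one file and classify it, whatever its extension."""
    with open(path, "rb") as fh:
        return verdict(fh.read())


# --- constructed samples for the demonstration (not files from the thread) ---
def _record(function, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def _wmf(records):
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


CLEAN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF)])
# An Escape record with sub-function SETABORTPROC and an empty payload: enough
# for the scanner to fire, and it carries no code.
SUSPECT_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), _record(META_EOF)])
PLACEABLE_SUSPECT = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + SUSPECT_WMF
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 28  # JPEG SOI marker, not a metafile

if __name__ == "__main__":
    for name, blob in [("clean.wmf", CLEAN_WMF), ("holiday.jpg", SUSPECT_WMF),
                       ("card.gif", PLACEABLE_SUSPECT), ("photo.jpg", FAKE_JPEG)]:
        print(f"{name:12s} {verdict(blob)}")
```

This is a signature check, not a fix: a scanner like this is useful for triaging mail attachments or a download folder on a machine that cannot yet be patched, but a file with a deliberately malformed header can slip past a strict parser, which is why the thread's advice to unregister the viewer, disable previews and apply the vendor patch still stands.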
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
If you have Google Desktop Search on your computer it will trigger the exploit if you download an image that contains WMF meta data headers containing hostile code.
From F-Secure's Blog after their DOS box got infected with something lurking in a WMF file:
"The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime."
"So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows."
It is possible that other desktop search indexers will have the same capability to index meta data, so turn them off for the time being, until the official patches are released and installed and tested.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
From VirusList.com I found this about the WMF vulnerability being exploited via the MSN Messenger IM client (Other IM clients will be exploited very soon, if not already):
Analyst's Diary
More on WMF exploitation
Roel December 31, 2005 | 11:54 GMT
comment:
It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted.
We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "ht*p://[snip]/xmas-2006 FUNNY.jpg".
This may well turn out to become a local epidemic (in NL); however, so far it has not become big (not even 1000 bots at this moment).
The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV.
At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN.
Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll.
So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised.
It has to be noted that in this case the attack vector of web browsers seems significantly smaller than that of explorer+third party programs.
I'm afraid we have to end this year with the warning to watch out for any unknown image file. With the flurry of e-cards and Happy New Year messages this could get really messy, so be careful.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
-
erik
- Posts: 2018
- Joined: 7 Mar 2000 1:01 am
-
Bob Martin
- Posts: 1871
- Joined: 27 Feb 1999 1:01 am
- Location: Madison Tn
-
winston
- Posts: 1481
- Joined: 4 Aug 1998 11:00 pm
- Location: Frankfort, Kentucky 40601
-
Donny Hinson
- Posts: 21763
- Joined: 16 Feb 1999 1:01 am
- Location: Glen Burnie, Md. U.S.A.
-
Al Gershen
- Posts: 437
- Joined: 4 Aug 1998 11:00 pm
- Location: Grants Pass, OR, USA * R.I.P.
Hi group:
Here's a link to the Microsoft Security Advisory on this matter.
The URL is:
http://www.microsoft.com/technet/security/advisory/912840.mspx
Notice that this advisory came out on December 28th and was revised on December 30th.
I expect that due to the holiday, Microsoft will come out with a fix on Tuesday, January 3rd.
If you decide not to do anything suggested in this subject thread, it's important to run your updated antivirus software and avoid opening emails that you're not familiar with.
Good luck and Happy New Year!
------------------
Regards,
Al Gershen
Grants Pass, Oregon. USA
Fender 1000 (1957),
Fender PS 210 (1970) &
Gibson Electraharp EH-820 (1961)
Al's Photographs at http://www.alsphotographs.com
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
At this time it appears that Windows 98 users are being left to fend for themselves regarding this issue. You are vulnerable, but the workarounds listed in this thread do not apply to your antiquated OS. It is possible that Microsoft will release a patch for Windows 98 computers at risk, and if they do I will post that information here. Until then exercise extreme caution regarding emails and links to unknown websites, and avoid invitations to visit websites promoted via Instant Messenger clients.
BTW: Windows 98 has passed end of life at MS, but they have extended critical patch support for a few more months.
[This message was edited by Wiz Feinberg on 01 January 2006 at 10:44 PM.]
-
Jack Stoner
- Posts: 22147
- Joined: 3 Dec 1999 1:01 am
- Location: Kansas City, MO
-
Jeff Agnew
- Posts: 741
- Joined: 18 Sep 1998 12:01 am
- Location: Dallas, TX
<SMALL>...avoid opening emails that you're not familiar with</SMALL>
This won't help if your mail client is configured to use the preview pane. Unfortunately, this is default behavior for Outlook/Outlook Express, as is rendering HTML.
<SMALL>...using something other than Internet Explorer won't help (e.g. firefox or opera)</SMALL>
Yes, it's an OS issue, but alternative browsers will display a warning before downloading the malicious content; IE will not. Of course, if a user accepts the download it's a moot point.
-
Wiz Feinberg
- Posts: 6113
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
Please read my suggestions listed under the heading Go To Red Alert; post #10 in this thread. Among them I describe the dangers of having the preview pane active in Outlook and Outlook Express, and even in browser-based email readers, along with instructions for disabling the preview pane.
<hr>
Now, I have more help courtesy of Ilfak Guilfanov, the author of Hex Blog, and the first person to write a fix for the WMF vulnerability (approved by SANS). This comes in the form of a vulnerability checker. You can download it from here.
Read the instructions on that web page, download either the .exe or .zip file, check for viruses, then run it. It will tell you if your computer is vulnerable to at least one exploit, but not all of them (yet). This tool and the companion patch, on the same website, are being updated daily.
<hr>
I am now looking into how Windows 98 is affected and what can be done for folks who are still using that OS. I will post information as soon as I find anything pertinent.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage</small>
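The checker above tests whether a machine is vulnerable; a mail gateway or file scanner also wants a file-side check. The following is an added example, not from this thread and not Ilfak Guilfanov's code: it walks the record list of a WMF file and flags META_ESCAPE records that request SETABORTPROC, the escape named in Microsoft's bulletin for this flaw. The sample WMF files at the bottom are constructed inline (the flagged one carries an empty escape, no payload).

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header before METAHEADER
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 9               # escape sub-function, first parameter word of the record


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record of a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size counts words
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6: off + size_words * 2]
        if func == META_EOF:
            break
        off += size_words * 2


def find_setabortproc(data: bytes) -> list:
    """Offsets of escape records that install an abort procedure; [] means none."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params)[0] == SETABORTPROC:
            hits.append(off)
    return hits


def build_wmf(records: list) -> bytes:
    """Constructed sample: wrap (function, params) pairs in a minimal METAHEADER."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_rec = max([3 + len(p) // 2 for _, p in records] + [3])
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0) + body


CLEAN = build_wmf([(0x0103, struct.pack("<H", 8))])            # META_SETMAPMODE only
SUSPECT = build_wmf([(0x0103, struct.pack("<H", 8)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
```

Note that a clean result only means this one trigger is absent, the same caveat the thread gives for the host-side checker.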
-
George Rozak
- Posts: 591
- Joined: 26 Feb 2000 1:01 am
- Location: Braidwood, Illinois USA
Thanks for all the info Wiz.
<SMALL>If you do apply it be sure to remove it after Microsoft issues its official patch (hopefully real soon!)</SMALL>
Do you recommend we turn off Windows auto update after installing the above referenced temp patch? I'm wondering what would happen if the patch gets applied thru the auto update function before the temp patch gets removed.
Thanks again...
George
------------------
Sho-Bud: Professional & Fingertip
