Jump to content

WinXP exploit and fix


Papa6

Recommended Posts

*** PLEASE READ THIS CAREFULLY****

I've come across some info about an exploit in windowsXP.You will have to unregister your windows picture/fax viewer. see the details below on microsofts way to fix this exploit until MS can come up with a permanent fix;

Microsoft has issued a Security Advisory (912840) concerning the recent WMF vulnerability exploit. Microsoft also confirmed the REGSVR32 workaround as a viable solution to protect your PC until they have had time to fully research the vulnerability and issue a patch. The following is a quote from the Microsoft Security Advisory.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type " regsvr32 -u %windir%/system32/shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%/system32/shimgvw.dll†(without the quotation marks).

The above information was taken from www.neowin.net
Link to comment
Share on other sites

This is more info on this exploit.

Exploits are spreading rapidly that take advantage of a vulnerability in Microsoft's Graphics Rendering Engine. The exploits typically use specially crafted metafiles (.wmf) to run arbitrary code on vulnerable systems.

Complicating matters is the fact that

Internet Explorer users need only visit a site with a malicious metafile to become infected. Infection might also occur by simply clicking on an infected file while using Windows Explorer.

The vulnerability was first made known December 27 in an anonymous post to the Bugtraq mailing list where someone allegedly came across the vulnerability on a Web site. Secunia quickly posted an advisory about the problem, labeling the vulnerability as extremely critical.

Microsoft confirmed that the problem affects Windows 98, Windows Millennium Edition (ME), Windows 2000, Windows XP, Windows Server 2003 -- each with the latest service packs and patches installed.

Microsoft has not released a patch to correct the problem, however the company will undoubtedly produce one in the near future. The company did however release an advisory, " Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution ," which explains the problem in some amount of detail. The article offers a simple workaround that can protect systems until a patch is available.

The workaround involves unregistering a DLL where the impact of doing so is that the Windows Picture and Fax Viewer will not starting, thus protecting a system from exploits. In a DOS command Window, enter the following command:

regsvr32 -u %windir%\system32\shimgvw.dll

Later when a patch becomes available you can re-register the DLL with the following command:

regsvr32 %windir%\system32\shimgvw.dll

The number of exploits is sure to arise while Microsoft works to produce a patch. Simple filtering based on the .WMF file extension doesn't work as a method of protection. At least one person reported that even if an infected .WMF file is renamed to have a different extension (such as BMP, DIB, EMF, GIF, ICO, JPG, JPEG, JPE, JFIF, PNG, RLE, TIF, or TIFF) an affected system will still parse the file and launch an exploit -- unless the DLL mentioned above is unregistered.

According to Microsoft an alternative method of protection on Windows XP systems is to use Data Execution Prevention (DEP). Microsoft's article, "How to Configure Memory Protection in Windows XP SP2," describes how to enable the protection.

Security vendors moved fast to integrate protection into their products. One company, Websense claims that they are tracking thousands of sites that are currently distributing exploits. Example screen capture images on the company's Web site show that at least two exploits change a user's desktop background image to an alert stating that the computer has been infected with spyware.

A prompt then tries to coax the person into entering credit card information in order to obtain a method of removing the alleged spyware. The company also posted a video that shows a machine becoming infected.

F-Secure warned that systems might become infected through other methods. For example, infection could occur by using a text-based Web browser or tools such as WGET and CURL, which are designed to download Web content from a DOS command shell. Infection through those methods might occur if other tools, such as file indexing engines, are active on the desktop. Some search tools, such as Google Desktop, index files in realtime, which means that when an infected file is downloaded then Google Desktop will immediately index the file, thereby launching any exploit code contained in the infected file. Your best defense in any case is to unregister the DLL or enable DEP, as recommended by Microsoft.

All info here is Microsoft.

Thanks Papa6 for finding this its a nasty exploit.

Colin

Link to comment
Share on other sites

Security vendors moved fast to integrate protection into their products. One company, Websense claims that they are tracking thousands of sites that are currently distributing exploits. Example screen capture images on the company's Web site show that at least two exploits change a user's desktop background image to an alert stating that the computer has been infected with spyware.

A prompt then tries to coax the person into entering credit card information in order to obtain a method of removing the alleged spyware. The company also posted a video that shows a machine becoming infected.

F-Secure warned that systems might become infected through other methods. For example, infection could occur by using a text-based Web browser or tools such as WGET and CURL, which are designed to download Web content from a DOS command shell. Infection through those methods might occur if other tools, such as file indexing engines, are active on the desktop. Some search tools, such as Google Desktop, index files in realtime, which means that when an infected file is downloaded then Google Desktop will immediately index the file, thereby launching any exploit code contained in the infected file. Your best defense in any case is to unregister the DLL or enable DEP, as recommended by Microsoft.

Colin

YUp its a nasty one all right i got it googling random images the other day...was hellish to get rid of as the "spy sherif" auto installed GRRRRRRL...it was only the trackback option in XP that let me get AVG on it :o=:o= hackers :o=:o=

Link to comment
Share on other sites

Source link:

http://www.microsoft.com/technet/security/...ory/912840.mspx

Articles:

http://news.yahoo.com/s/zd/20051229/tc_zd/168243

http://blogs.washingtonpost.com/securityfi...e_on_the_c.html

Looks like this works too

1. Click on the Start button on the taskbar.

2. Click on Run...

3. Type "regsvr32 /u shimgvw.dll" to disable.

4. Click ok when the change dialog appears.

Link to comment
Share on other sites

Microsoft will have a patch fix for this by the 10th Jan.

Good news. I was hoping they'd have a patch soon (they usually release patches on the second Tues of the month). With little warning of this exploit, the M$ folks must be working lots of overtime to test and deploy this patch with such a short turnaround time. Unfortunately next week might still be a little late as there's malicious code popping up - first worm on MSN Messenger:

http://news.com.com/Windows+flaw+spawns+do...ml?tag=nefd.top

Interesting fix that won't disable your thumbnails:

http://www.f-secure.com/weblog/archives/ar...5.html#00000756

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...