Windows PCs face ‘huge’ virus threat

Discussion in 'Current Events' started by MacDawg, Jan 2, 2006.

  1. MacDawg macrumors Core


    Mar 20, 2004
    "Between the Hedges"
    Just FYI, new security threat for MS and Windows

    Link to Financial Times full story

    Woof, Woof - Dawg [​IMG]
  2. stoid macrumors 601


    Feb 17, 2002
    So long, and thanks for all the fish!
    Ouch. I really hope that they get their act together with Vista. I just don't even understand how a computer loading an image can think it reasonable to execute code therein. I mean under what circumstances would such a capability be used in normal use? It's like unpacking a new set of multimedia speakers and being thrilled that they threw in a 'pack of salt'.

    Here's your sign.
  3. bousozoku Moderator emeritus

    Jun 25, 2002
    Gone but not forgotten.
    I've read other articles about the Windows Metafile issue and it's odd to me since I can't imagine there are that many of the files available, so people might treat them all as viruses.

    However, it's been said that the anti-virus developers are having some trouble with this one and the solutions are only having some success.

    I wish Windows users luck. Some problems, like the holes in ActiveX, won't be fixed because they're design problems.
  4. cgratti macrumors 6502a


    Dec 28, 2004
    Central Pennsylvania, USA
  5. iBlue macrumors Core


    Mar 17, 2005
    London, England
    i hope my windows machine doesn't catch that. i refuse to ever buy another windows heap again so i am trying to keep that steaming pile working... it's no easy task. (man that thing is high maintenance) it sure makes you appreciate your mac though doesn't it?
    <hugs iMac and PowerBook)
  6. Abstract macrumors Penryn


    Dec 27, 2002
    Location Location Location
    Well good luck to everyone who uses Windows. I do use it sometimes as well, so lets hope someone provides a quick fix.
  7. noaccess macrumors 6502

    Jun 11, 2005
    Heh, thank God I've managed to switch. :)
    I'll follow: <Hugs iBook>
    iLove my iBook!

    BTW, I hope MS turns Vista into a good operating system. XP is causing too many problems, I feel your pain, PC users...
  8. Counterfit macrumors G3


    Aug 20, 2003
    sitting on your shoulder
    There was a vulnerability earlier this year, er, last year (may-ish I think) where OS X, Linux, and their cousins would execute code contained in either a JPEG or PNG. It was fixed faster though.
  9. maya macrumors 68040


    Oct 7, 2004
    somewhere between here and there.
    Work is going to be rather interesting in the coming week(s), with this thing open in the wild. ;) :)
  10. dornoforpyros macrumors 68040


    Oct 19, 2004
    Calgary, AB
    I hope my work PC dies and I have no other option than to work at home on my happy mac :)
  11. After G macrumors 68000

    After G

    Aug 27, 2003
    I've read that it can pose as ANY image file. If you got an email from someone faking to be someone you know, with some pretext like vacation pictures or something, you might fall for this stuff too. And you can't trust the extension, because Windows Metafiles are recognized by a special header, and not file extension.
    Best/worst story ever: I told my roommate about this; it seemed like the right thing to do. And he says "I have antivirus software, I should be fine." I tried to convince him that it wasn't enough, but he wouldn't have any of it ... :(
    Saddest part is that this flaw is in the interface drawing library, from what I've read.
  12. redAPPLE macrumors 68030


    May 7, 2002
    2 Much Infinite Loops
    so lets all go worship the house of jobs again, will we?
  13. XFreak macrumors newbie

    Sep 7, 2005
    Fix has been available for ages...

    Im quite surprised by this... as the image format vulnerability has been known for a long time, and a patch has been available for some time also (if you auto-update, you should have this defence built in).

    You can download a tool from the MS site, that hunts through your images and identifies any possible problems...
  14. greatdevourer macrumors 68000

    Aug 5, 2005
    You know what adds more hilarity to this? According to an M$ press release a while back, the abilty to run arbitrary code just by viewing a picture is a special feature, not a hole :confused:
  15. 840quadra Moderator


    Staff Member

    Feb 1, 2005
    Twin Cities Minnesota
    I am so glad I am going to a shared network with members of media from around the world with my ibook, as opposed to my Dell this year :eek:

    I am going to lock all ports, deny UDP traffic, and go to stealth mode just for that trip ;) .

    You would never guess how many port scans I received from other laptops on the Wireless network at a press event for Automotive Media last NAIAS :eek:
  16. BornAgainMac macrumors 603


    Feb 4, 2004
    Florida Resident
    I wonder if the beta version of Vista is affected by this problem. If it is then perhaps Microsoft is pushing out XP with a new gui to save time.

    If Vista is stable and not affected then maybe it is time to ship it even if it is still beta and patch it with service packs. Mac OSX at 10.0 was buggy and shipping it early worked in the long run.
  17. mad jew Moderator emeritus

    mad jew

    Apr 3, 2004
    Adelaide, Australia
  18. greatdevourer macrumors 68000

    Aug 5, 2005
    Yes, it is, and the only way Vista won't be affected will be if they cut this feature out all together, which pretty much means dropping WMF support. This problem affects almost all versions of Windows from 95 onwards
  19. 840quadra Moderator


    Staff Member

    Feb 1, 2005
    Twin Cities Minnesota
    Patch the living brownstuff out of it! ;)

    You can also load Linux :) .

    I am so glad that I have this week off from work starting Wednesday. Patching ~1000 servers for this type of issue (even with deployment tools) is never fun :( .
  20. Les Kern macrumors 68040

    Les Kern

    Apr 26, 2002
    Twist the knife as it goes in dude. People spend more time deciding on their haircut than they do investigating a major computer purchase.
    Screw them and the 30 bucks a year they spend on definitions updates.
    Too cruel? Nope. Just tired of the whole crap-storm of folks moaning about how their PC "is slow now", "won't boot", "won't connect to the internet", "too many porn pop ups", and the like. So tired.
    My favorite reply to the moans and groans as of late:
    "Gee, that's too bad. Don't bother asking me later if I still don't give a crap. I still won't." I don't even MENTION Apple. Don't have to.
  21. Les Kern macrumors 68040

    Les Kern

    Apr 26, 2002

  22. 0098386 Suspended


    Jan 18, 2005
    "you better watch out... you better not cry..."


    Wont be long until I'll never have to touch a PC again. soon as my game is done then my computer life will be my PowerBook.

    silly viruses. silly windows. I feel like posting this around my PC forums just to get everyone all riled up like.

    You, sir, are the greatest human ever :D
  23. Les Kern macrumors 68040

    Les Kern

    Apr 26, 2002
    Such Choices WIN users have!!!!

    HA HA HA HA......

    Please send the following to every Windows user in the world. Make sure you tell them the "fix" is ONLY temporary, will disable some parts of their computer, and STILL might not work, but that the alternative is massive infection and possible compromized data. Also tell them that it's unsure whether Vista will have the flaw, as this technology, if included, is legacy stuff.
    Note to self: Brag about my 25% increase in productivity with Tiger, and that ANY Windows help I give now costs $150.00 and hour. No exceptions, One hour's pay in advance thank you.

    * Why is this issue so important?

    The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well. Microsoft announced that an official patch will not be available before January 10th 2006 (next regular update cycle).

    * Is it better to use Firefox or Internet Explorer?

    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    * What versions of Windows are affected?

    Windows XP, (SP1 and SP2), Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS-X, Unix or BSD is not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

    * What can I do to protect myself?

    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.

    To unregister the DLL:

    * Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks... our editor keeps swallowing the backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll), and then click OK.
    * A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.

    * How does the unofficial patch work?

    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

    * Will unregistering the DLL (without using the unofficial patch) protect me?

    It might help. But it is not foolproof. We want to be very clear on this: we have some very stong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

    * Should I just delete the DLL?

    It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (renaming, rather than deleting is probably better so it will still be handy).

    * Should I just block all .WMF images?

    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents.

    * What is DEP (Data Execution Protection) and how does it help me?

    With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segements'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.

    * How good are Anti Virus products to prevent the exploit?

    At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient.

    * How could a malicious WMF file enter my system?

    There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.

    * Is it sufficient to tell my users not to visit untrusted web sites?

    No. It helps, but its likely not sufficient. We had at least one widely trusted web site ( which was compromissed. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Tursted" sites have been used like this in the past.

    * What is the actual problem with WMF images here?

    WMF images are a bit different then most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.

    * Should I use something like "dropmyrights" to lower the impact of an exploit.

    By all means yes. Also, do not run as an administrator level users for every day work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.

    * Are my servers vulnerable?

    Maybe... do you allow the uploading of images? email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get a image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.

    * What can I do at my perimeter / firewall to protect my network?

    Not much. A proxy server that strips all images from web sites? Probably wont go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a work station is infected.

    * Can I use an IDS to detect the exploit?

    Most IDS vendors are working on signatures. Contact your vendor for details. is providing some continuosly improving signatures for snort users. Recent releases of this exploit take advantage of http compression and randomization of the exploit to evade IDS signatures.

    * If I get hit by the exploit, what can I do?

    Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).

    * Does Microsoft have information available?
    Microsoft announced that there will be a patch on January 10th, the next regular "black Tuesday".

    * What does CERT have to say?
  24. keysersoze macrumors 68000


    Jan 6, 2004
    I think the easiest and safest solution is to:

    1. Unplug the PC
    2. Stick it in the corner

    Just my 2 cents.

Share This Page