Friday, December 30, 2005

Windows Security flaw - serious

In case you haven't heard, there is a new Windows security exploit out on the web. It's a nasty bug that takes advantage of a hole in Windows via a Windows Metafile (WMF). Basically, it exploits a hole in Windows Picture and Fax Viewer, which renders images on Windows-based PCs. This bug (and it currently has over 50 variants) can be exploited through IE, Firefox, Opera, Mozilla, Netscape, Outlook, Outlook Express, Lotus Notes and, presumably, Thunderbird. Current reports also note that a new version exists that will install rogue spyware that masquerades as anti-spyware. This exploit is an autoinstall, meaning users who are infected don't get an option to opt out of the infection (there are reports that Firefox will ask first, but those are not confirmed). Ugh.

Bottom line: this is a Windows flaw and Microsoft and various security companies are working on it. Users of Macs and Linux-based PCs are not affected.

For more info, see Security Fix, Sunbelt Blog, and Spyware Confidential. Warning: Not all fixes listed will actually "fix" the problem. In particular, unregistering "shimgvw.dll" as mentioned in the articles will not only NOT fix the problem, it will also keep you from viewing most images on the web. As mentioned in that last link above:

Folks, unregistering the SHIMGVW.DLL is not a foolproof solution.
More from Techweb:
The SANS Institute's Internet Storm Center also tossed in its two cents of bad news.

Although some security firms on Wednesday advised enterprises to block WMF files at the network edge, that may not be a decent defense for long.

"Windows XP will detect and process a WMF file based on its content, and not rely on the extension alone," wrote analyst Chris Carboni on the center's blog. "[That] means a WMF sailing in disguise with a different extension might still be able to get you."

Hackers could simply rename a malicious WMF file with, say, a .gif or .jpg file extension, attach it to an e-mail message, and assuming a user opens the file, infect a system.

At the moment, say the experts, exploits are "only" installing spyware and/or fake anti-spyware software. That's bad enough, said two security firms, including one that specializes in combating spyware.

"Now we're seeing many more using this to install bad stuff," said Alex Eckelberry, president of anti-spyware developer Sunbelt Software. "This is a really bad exploit. Be careful out there."

Here's a video (Windows Media File) of the virus infecting a machine.
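
The point in the Techweb quote above, that Windows identifies a WMF by its content and not its extension, is why a filter at the network edge has to look at file headers. The following is an added example, not code from this post or from any vendor's tool, that classifies attachments by their WMF header bytes; the function names and the sample files are constructed for illustration.

```python
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, optional "placeable" preamble
PLACEABLE_LEN = 22                   # preamble size in bytes
HEADER_LEN = 18                      # standard WMF header size in bytes

def looks_like_wmf(data: bytes) -> bool:
    """True if data starts with a WMF header, regardless of file name."""
    if data[:4] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]  # standard header follows the preamble
    if len(data) < HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
    # Type 1 = memory, 2 = disk; header is 9 words; version 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """Return 'wmf', 'disguised-wmf' (WMF content, other extension) or 'other'."""
    if not looks_like_wmf(data):
        return "other"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "wmf" if ext == "wmf" else "disguised-wmf"

def scan(attachments):
    """Names of attachments an extension-only filter would let through."""
    return [n for n, d in attachments if classify(n, d) == "disguised-wmf"]

# Constructed, harmless samples: a header plus an end-of-file record only.
_EOF_RECORD = struct.pack("<IH", 3, 0)
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + _EOF_RECORD
SAMPLE_PLACEABLE = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + SAMPLE_WMF
SAMPLE_GIF = b"GIF89a" + bytes(32)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32)

SAMPLES = [
    ("chart.wmf", SAMPLE_WMF),
    ("holiday.jpg", SAMPLE_WMF),
    ("card.gif", SAMPLE_PLACEABLE),
    ("logo.gif", SAMPLE_GIF),
    ("photo.jpg", SAMPLE_JPEG),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} {classify(name, data)}")
    print("would bypass an extension block:", scan(SAMPLES))
```

A header match only identifies the file type; it says nothing about whether a given file is malicious.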
