
Andy

02/01/2006 9:59 PM

OT: ‘Huge’ virus threat for Windows XP

Windows PCs face 'huge' virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18
Last updated: January 2 2006 22:19

Computer security experts were grappling with the threat of a
new weakness in Microsoft's Windows operating system that could put
hundreds of millions of PCs at risk of infection by spyware or
viruses.

The news marks the latest security setback for Microsoft, the world's
biggest software company, whose Windows operating system is a
favourite target for hackers.

"The potential [security threat] is huge," said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. "It's probably
bigger than for any other vulnerability we've seen. Any version of
Windows is vulnerable right now." The flaw, which allows hackers to
infect computers using programs maliciously inserted into seemingly
innocuous image files, was first discovered last week. But the
potential for damaging attacks increased dramatically at the weekend
after a group of computer hackers published the source code they used
to exploit it. Unlike most attacks, which require victims to download
or execute a suspect file, the new vulnerability makes it possible for
users to infect their computers with spyware or a virus simply by
viewing a web page, e-mail or instant message that contains a
contaminated image.

"We haven't seen anything that bad yet, but multiple individuals and
groups are exploiting this vulnerability," Mr Hyppönen said. He said
that every Windows system shipped since 1990 contained the flaw.

Microsoft said in a security bulletin on its website that it was aware
that the vulnerability was being actively exploited. But by early
yesterday, it had not yet released an official patch to correct the
flaw. "We are working closely with our antivirus partners and aiding
law enforcement in its investigation," the company said. In the
meantime, Microsoft said it was urging customers to be careful opening
e-mail or following web links from untrusted sources.

Meanwhile, some security experts were urging system administrators to
take the unusual step of installing an unofficial patch created at the
weekend by Ilfak Guilfanov, a Russian computer programmer.

Concerns remain that without an official patch, many corporate
information technology systems could remain vulnerable as employees
trickle back to work after the holiday weekend.

"We've received many e-mails from people saying that no one in a
corporate environment will find using an unofficial patch acceptable,"
wrote Tom Liston, a researcher at the Internet Storm Center, an
antivirus research group. Both ISC and F-Secure have endorsed the
unofficial fix.

Microsoft routinely identifies or receives reports of security
weaknesses but most such vulnerabilities are limited to a particular
version of the Windows operating system or other piece of Microsoft
software. In recent weeks, the company has been touting its progress
in combating security threats.

The company could not be reached on Monday for comment.

http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html


"Pop"

in reply to Andy on 02/01/2006 9:59 PM

04/01/2006 8:43 AM


"Jim Wilson" <[email protected]> wrote in message
news:[email protected]...
: Pop wrote...(in part)
: > Just don't mess with windows metafiles from a site and
: > you should be OK.
:
: If windows metafiles had to have a specific extension to be recognized,
: you might have more control over whether you view or download one.
: However, windows metafiles don't have to have a WMF extension.
:
: Internet Explorer on Windows XP, in particular, detects and plays
: most windows metafiles automatically by examining the header information
: at the beginning of the file. It doesn't care what the file extension is.
: You can test this for yourself:
:
: 1. Find a safe WMF on your local machine. (If you use MS Office and
: installed any clipart with it, you'll find a bunch.)
:
: 2. Copy the file to your desktop.
:
: 3. Use Rename to change the file extension to something other than WMF,
: e.g., <filename>.blah
: (Ignore the warning that the file may become unusable if you change
: the extension.)
:
: 4. Open an IE window.
:
: 5. Drag and drop the renamed file onto the IE window.
:
: 6. Observe that IE opens and plays the WMF.
:
: I said "plays" instead of "displays" because a WMF stores vector data as
: a series of windows GDI commands. Essentially, that portion of the WMF is
: a script.
:
: By the way, there are several flavors of windows metafiles and IE doesn't
: automatically play all of them. So, if when you run the test, IE asks if
: you want to save the file, click cancel or no and try a different file.
: Again, the MS Office clip art is a good source for the types that "work."
:
: Not trying to fan the flames or anything. Just wanted to point out that
: the vulnerability is greater than an interested party might like to
: admit.
:
: Cheers,
:
: Jim

Didn't mean to minimize it so much; sorry if that's what it
sounded like, and your advice is good too. Guess I was reacting
to the end of the world post preceding.

Pop


"todd"

in reply to Andy on 02/01/2006 9:59 PM

04/01/2006 10:42 AM

"DC" <[email protected]> wrote in message
news:[email protected]...
> todd wrote:
> > "Andy" <[email protected]> wrote in message
> > news:[email protected]...
> >> Windows PCs face 'huge' virus threat
> >> By Kevin Allison in San Francisco
> >> Published: January 2 2006 18:18
> >> Last updated: January 2 2006 22:19
>
> >> Computer security experts were grappling with the threat of a
> >> new weakness in Microsoft's Windows operating system that could put
> >> hundreds of millions of PCs at risk of infection by spyware or
> >> viruses.
>
> > <SNIP>
>
> > FYI, here is the relevant link on Microsoft's site.
> > http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> Todd, that would be the "irrelevant" link. Notice how Microsoft is
> *rushing* to issue a patch by the 10th of January. Trustworthy
> Computing, indeed.
>
> *This* is a relevant link: http://isc.sans.org/diary.php
>
> (Read through -- actual fixes to mitigate it are contained within.)
>
> --
> DC Linux RU #1000111011000111001
>
> The word 'politics' is derived from the word 'poly', meaning 'many'
> and the word 'ticks', meaning 'blood sucking parasites'.

I think you need to look up the definition of "relevant". Here, I'll do it
for you.
http://dictionary.reference.com/search?q=relevant

todd


Andy

in reply to Andy on 02/01/2006 9:59 PM

03/01/2006 1:25 PM

I found a place that has the fix for the problem.
It is free and is on Steve Gibson's website.
Here is the link to it.

http://www.grc.com/sn/notes-020.htm


"todd"

in reply to Andy on 02/01/2006 9:59 PM

02/01/2006 10:32 PM

"Andy" <[email protected]> wrote in message
news:[email protected]...
> Windows PCs face 'huge' virus threat
> By Kevin Allison in San Francisco
> Published: January 2 2006 18:18
> Last updated: January 2 2006 22:19
>
> Computer security experts were grappling with the threat of a
> new weakness in Microsoft's Windows operating system that could put
> hundreds of millions of PCs at risk of infection by spyware or
> viruses.

<SNIP>

FYI, here is the relevant link on Microsoft's site.
http://www.microsoft.com/technet/security/advisory/912840.mspx

todd


Jim Wilson

in reply to Andy on 02/01/2006 9:59 PM

03/01/2006 6:27 PM

Pop wrote...(in part)
> Just don't mess with windows metafiles from a site and
> you should be OK.

If windows metafiles had to have a specific extension to be recognized,
you might have more control over whether you view or download one.
However, windows metafiles don't have to have a WMF extension.

Internet Explorer on Windows XP, in particular, detects and plays
most windows metafiles automatically by examining the header information
at the beginning of the file. It doesn't care what the file extension is.
You can test this for yourself:

1. Find a safe WMF on your local machine. (If you use MS Office and
installed any clipart with it, you'll find a bunch.)

2. Copy the file to your desktop.

3. Use Rename to change the file extension to something other than WMF,
e.g., <filename>.blah
(Ignore the warning that the file may become unusable if you change
the extension.)

4. Open an IE window.

5. Drag and drop the renamed file onto the IE window.

6. Observe that IE opens and plays the WMF.

I said "plays" instead of "displays" because a WMF stores vector data as
a series of windows GDI commands. Essentially, that portion of the WMF is
a script.

By the way, there are several flavors of windows metafiles and IE doesn't
automatically play all of them. So, if when you run the test, IE asks if
you want to save the file, click cancel or no and try a different file.
Again, the MS Office clip art is a good source for the types that "work."

Not trying to fan the flames or anything. Just wanted to point out that
the vulnerability is greater than an interested party might like to
admit.

Cheers,

Jim
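Jim's point above, that IE recognizes a metafile by its header bytes rather than by its extension, is also why an extension block list does not protect anyone; the same header check is what a defender can use to find metafiles arriving under other names at a mail or web gateway. The following Python is an added example written for this thread, not code from any poster or from Microsoft. The header layout and record structure follow the published WMF file format (placeable key 0x9AC6CDD7, 18-byte standard header, records of Size/Function/parameters ending in META_EOF); the files it inspects are constructed inside the script. It also walks the GDI record list Jim describes and counts escape records (function 0x0626), which is my own heuristic for records worth a closer look at a gateway, not a vulnerability signature taken from the page.

```python
"""Identify Windows Metafiles by header bytes, not by file extension.

Constructed example for this thread. Constants are from the WMF format:
an optional 22-byte placeable header starting with key 0x9AC6CDD7, then an
18-byte standard header (Type 1 = memory / 2 = disk, HeaderSize = 9 words,
Version 0x0100 or 0x0300), then records of Size (16-bit words), Function
code and parameters, ending with META_EOF (0x0000).
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_ESCAPE = 0x0626   # printer-escape record; heuristic flag at a gateway
META_SETMAPMODE = 0x0103


def wmf_header_offset(data: bytes):
    """Return offset of the standard header, or None if this is not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22   # skip the placeable header
    if len(data) < off + 18:
        return None
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def wmf_records(data: bytes, off: int):
    """Yield (function_code, record_bytes) for each record after the header."""
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        nbytes = size_words * 2
        if nbytes < 6 or pos + nbytes > len(data):
            break   # truncated or malformed record: stop rather than guess
        yield func, data[pos:pos + nbytes]
        if func == META_EOF:
            break
        pos += nbytes


def inspect(data: bytes) -> dict:
    """Classify a blob by content alone; the file name is never consulted."""
    off = wmf_header_offset(data)
    if off is None:
        return {"is_wmf": False}
    funcs = [f for f, _ in wmf_records(data, off)]
    return {
        "is_wmf": True,
        "placeable": off == 22,
        "record_count": len(funcs),
        "escape_records": funcs.count(META_ESCAPE),
        "terminated": bool(funcs) and funcs[-1] == META_EOF,
    }


# --- constructed sample files so the example runs offline -------------------

def record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: Size in words, Function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_escape: bool) -> bytes:
    """Minimal memory-type WMF: SETMAPMODE, optional ESCAPE, then EOF."""
    recs = [record(META_SETMAPMODE, struct.pack("<H", 8))]
    if with_escape:
        # arbitrary escape number and empty payload, constructed for the test
        recs.append(record(META_ESCAPE, struct.pack("<HH", 1, 0)))
    recs.append(record(META_EOF))
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in recs) // 2, 0)
    return header + body


def placeable_header() -> bytes:
    """22-byte placeable header; checksum is the XOR of the ten preceding words."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", head):
        checksum ^= w
    return head + struct.pack("<H", checksum)


if __name__ == "__main__":
    for name, blob in [("clip.blah", build_sample(False)),
                       ("photo.jpg", placeable_header() + build_sample(True)),
                       ("real.gif", b"GIF89a" + bytes(40))]:
        print(name, inspect(blob))   # the name plays no part in the verdict
```

Run as a script it prints a verdict for three constructed blobs, two of which are metafiles under non-WMF names. The `terminated` flag is there for the edge case a filter has to handle: a record whose declared size runs past the end of the data stops the walk, so a truncated or malformed file is reported as unterminated instead of being trusted.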


Jim Wilson

in reply to Andy on 02/01/2006 9:59 PM

05/01/2006 6:25 AM

Pop wrote...

> Didn't mean to minimize it so much; sorry if that's what it
> sounded like, and your advice is good too. Guess I was reacting
> to the end of the world post preceding.

Your reaction was well reasoned (I share it), and I agree that it's
"not the impending doom" that it's been portrayed. Jeez, we've heard so
much over-reaching gloom about computer viruses and the like -- remember
Y2K? -- that it's only natural and right to downplay the latest.

I only wanted to point out that many folks wouldn't be able to avoid
infection from a maliciously designed web page simply by avoiding WMFs.
However, I seriously doubt many will be hit by such pages, for a number
of reasons we don't need to go into here. So, not so easy to avoid if
encountered, but not much of a threat, either.

Jim


"Pop"

in reply to Andy on 02/01/2006 9:59 PM

03/01/2006 7:01 PM


"Andy" <[email protected]> wrote in message
news:[email protected]...
: I found a place that has the fix for the problem.
: It is free and is on Steve Gibson's website.
: Here is the link to it.
:
: http://www.grc.com/sn/notes-020.htm
:
Yup, and MS expects their response to be out shortly too, but
people shouldn't panic over it. It's a rather mundane bug
actually, especially if a person surfs with a reasonably safe
attitude. Just don't mess with windows metafiles from a site and
you should be OK.
MS's link given in an earlier thread also does a pretty fair
job of explaining it, along with symantec, mdavee, avg and all
the rest. It is not impending doom as the one poster tried to
make it sound.



"Swingman"

in reply to Andy on 02/01/2006 9:59 PM

04/01/2006 7:57 AM

"DC" wrote in message

> Todd, that would be the "irrelevant" link. Notice how Microsoft is
> *rushing* to issue a patch by the 10th of January. Trustworthy
> Computing, indeed.

After applying countless MS patches/SP's in the early days, and then having
to rebuild servers that no longer worked, I'd just as soon take my chances
with the "threat", than with a MS "update" rushed to press.

--
www.e-woodshop.net
Last update: 12/13/05


Oleg Lego

in reply to Andy on 02/01/2006 9:59 PM

05/01/2006 10:58 PM

The [email protected] entity posted thusly:

>I am running w/98 and I got a WMF the other day that wouldn't play. It
>said the file was corrupt. I am guessing this was the virus.

To paraphrase an old expression...

Never attribute to malice, that which can be explained by the
weaknesses of Microsoft.

Larry
---
There are 10 kinds of people --
those who understand binary, and those who don't.
-- Uncle Phil


in reply to Andy on 02/01/2006 9:59 PM

05/01/2006 12:25 PM

On Thu, 5 Jan 2006 06:25:39 -0700, Jim Wilson
<[email protected]> wrote:

>Pop wrote...
>
>> Didn't mean to minimize it so much; sorry if that's what it
>> sounded like, and your advice is good too. Guess I was reacting
>> to the end of the world post preceding.
>
>Your reaction was well reasoned (I share it), and I agree that it's
>"not the impending doom" that it's been portrayed. Jeez, we've heard so
>much over-reaching gloom about computer viruses and the like -- remember
>Y2K? -- that it's only natural and right to downplay the latest.
>
>I only wanted to point out that many folks wouldn't be able to avoid
>infection from a maliciously designed web page simply by avoiding WMFs.
>However, I seriously doubt many will be hit by such pages, for a number
>of reasons we don't need to go into here. So, not so easy to avoid if
>encountered, but not much of a threat, either.
>
>Jim


I am running w/98 and I got a WMF the other day that wouldn't play. It
said the file was corrupt. I am guessing this was the virus.


DC

in reply to Andy on 02/01/2006 9:59 PM

03/01/2006 5:27 PM

todd wrote:
> "Andy" <[email protected]> wrote in message
> news:[email protected]...
>> Windows PCs face 'huge' virus threat
>> By Kevin Allison in San Francisco
>> Published: January 2 2006 18:18
>> Last updated: January 2 2006 22:19

>> Computer security experts were grappling with the threat of a
>> new weakness in Microsoft's Windows operating system that could put
>> hundreds of millions of PCs at risk of infection by spyware or
>> viruses.

> <SNIP>

> FYI, here is the relevant link on Microsoft's site.
> http://www.microsoft.com/technet/security/advisory/912840.mspx

Todd, that would be the "irrelevant" link. Notice how Microsoft is
*rushing* to issue a patch by the 10th of January. Trustworthy
Computing, indeed.

*This* is a relevant link: http://isc.sans.org/diary.php

(Read through -- actual fixes to mitigate it are contained within.)

--
DC Linux RU #1000111011000111001

The word 'politics' is derived from the word 'poly', meaning 'many'
and the word 'ticks', meaning 'blood sucking parasites'.


evodawg

in reply to Andy on 02/01/2006 9:59 PM

04/01/2006 6:13 PM

DC wrote:

> Todd, that would be the "irrelevant" link. Notice how Microsoft is
> *rushing* to issue a patch by the 10th of January. Trustworthy
> Computing, indeed.

I wouldn't call 10 days a rush to fix. The patch will probably only open new
holes. Meanwhile, Norton Anti Virus stock goes up again, probably the one
who put out the virus in the first place. "Trustworthy Computing" you have
to be kidding! There is nothing Trustworthy about MicroCrap! The only thing
they trust is PROFIT!

Good Luck Microsoft users.
RV
--
"you can lead them to LINUX
but you can't make them THINK"
