wmf rupa

Highlander · 15.1.2006, 18:29

Za one koji nisu znali, prenosim vam vesti o otkrivenoj rupi u Windowsu, koja može da se iskoristi za instaliranje virusa i kojekakvih mallware-a!
WHAT IS IT?
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it. That means the forums can be a vector for infection tool
WHAT DOES IT AFFECT?
The exploit affects Firefox, Internet Explorer, and any other browser that downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image, or even a text filetype. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.
This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop) that causes it to be handled by the windows GDI responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
WHAT DOES IT DO?
The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff.

Highlander · 15.1.2006, 18:30

WHAT YOU CAN DO TO HELP PROTECT YOURSELF
1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION (update definitions right away after installing - they auto-update but you want to be sure you have the latest)
Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it (yet) and Symantec's own site says that it never may due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. I have personally tested NOD32 and found that it's AMON on-access scanner stopped the image as soon as it was saved to the cache. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled.
2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!
3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser.
4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.
5. THE GENERAL STUFF - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc.
6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.
7. You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 -u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent against viewing the exploit image in Internet Explorer, for example.

Ima ovde neki patch:
http://www.grc.com/sn/notes-020.htm

Nisam video da je bilo! Ako jeste brišite!

ZoNi · 15.1.2006, 20:26

ah... to je novost???

pa, pre nedelju dana je sam Win (preko automatic update-a) skinuo ispravku za to...

Highlander · 16.1.2006, 10:25

Da, ali je interesantno znati!

A možda ima dial-upovaca koji ne mogu tako lako da apdejtuju win!

ZoNi · 16.1.2006, 12:13

Citat:

Highlander kaže:

možda ima dial-upovaca koji ne mogu tako lako da apdejtuju win!

ja sam na dial-upu i VRLO LAKO apdejtujem Win!

15.1.2006, 18:29	#1
Highlander information junkie Član od: 3.11.2005. Lokacija: MAX Highlands Poruke: 2.160 Zahvalnice: 616 Zahvaljeno 686 puta na 401 poruka	wmf rupa Za one koji nisu znali, prenosim vam vesti o otkrivenoj rupi u Windowsu, koja može da se iskoristi za instaliranje virusa i kojekakvih mallware-a! WHAT IS IT? There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it. That means the forums can be a vector for infection tool WHAT DOES IT AFFECT? The exploit affects Firefox, Internet Explorer, and any other browser that downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image, or even a text filetype. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem. This affects anyone on Windows (98, 98SE, ME, 2000, XP, 2003). USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop) that causes it to be handled by the windows GDI responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable. WHAT DOES IT DO? The exploit can be used to drop viruses, trojans, installers etc onto your computer when the exploit is activated (when the file is parsed by the part of windows with the problem). There have been several reports of trojans being downloaded, which then download other things, other spyware, etc. Some of these are "SpyAxe", "AYL" trojan downloader, "ASC" trojan, and other stuff. Poslednja ispravka: Highlander (16.1.2006 u 10:25)

15.1.2006, 18:30	#2
Highlander information junkie Član od: 3.11.2005. Lokacija: MAX Highlands Poruke: 2.160 Zahvalnice: 616 Zahvaljeno 686 puta na 401 poruka	Re: wmf rupa WHAT YOU CAN DO TO HELP PROTECT YOURSELF 1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION (update definitions right away after installing - they auto-update but you want to be sure you have the latest) Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it (yet) and Symantec's own site says that it never may due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. I have personally tested NOD32 and found that it's AMON on-access scanner stopped the image as soon as it was saved to the cache. NOTE: SCAN ALL FILES. Some AV solutions only scan "infectable" files and do not scan image files because the program thinks they are safe. Check for an option to scan all file types and make sure that is enabled. 2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do! 3. TURN OFF SALR's feature that makes text links into images. If you have that feature turned on, someone could make just a text link that displays the infected image in your browser. 4. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer. 5. THE GENERAL STUFF - Don't go to links you don't trust, don't open files you aren't expecting, including suspicious email or IM's, etc. 6. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway. 7. You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 -u shimgvw.dll then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: This only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent against viewing the exploit image in Internet Explorer, for example. Ima ovde neki patch: http://www.grc.com/sn/notes-020.htm Nisam video da je bilo! Ako jeste brišite!

15.1.2006, 20:26	#3
ZoNi Deo inventara foruma Član od: 24.10.2005. Lokacija: ÷÷÷÷÷ Poruke: 8.826 Zahvalnice: 2.402 Zahvaljeno 1.946 puta na 1.424 poruka	Re: wmf rupa ah... to je novost??? pa, pre nedelju dana je sam Win (preko automatic update-a) skinuo ispravku za to...

16.1.2006, 10:25	#4
Highlander information junkie Član od: 3.11.2005. Lokacija: MAX Highlands Poruke: 2.160 Zahvalnice: 616 Zahvaljeno 686 puta na 401 poruka	Re: wmf rupa Da, ali je interesantno znati! A možda ima dial-upovaca koji ne mogu tako lako da apdejtuju win!