| Tuesday, February 07, 2012
Welcome to the Viruswarning forums. All your original content has been ported to the new forums as well as new content and additional opportunities to interact with the authors of Viruswarn.com. You can always access old content at www.leedrake.com/forum . You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....
But at least it's all here.
Enjoy!
Viruswarn Forums
Lee Drake Posts:238
01/04/2006 10:59 PM
What it is
A vulnerability in the built-in Windows software that displays files such as .JPG and .WMF (windows media files). These typically are pictures - not files normally associated with executables, or worried about by users. At the time of this publication we have a dangerous combination - the vulnerability has been announced, an exploit has been published, there are now viruses in the wild that exploit the vulnerability, and finally - Microsoft has not yet had time to release a patch. The vulnerability is in a DLL that is used by Internet Explorer, the Windows Picture and Fax Viewer, and may be used by other 3rd party software.
The vulnerability affects all versions of Windows 9X, Windows ME, all versions of Windows Server 2003 (and x64 edition), all versions of Windows XP, and all versions of Windows 2000.
There is currently a virus circulating that exploits the vulnerability via email and has the subject title "Happy New Year".
What you should do
You have two options - you can be very, very careful about opening any picture files that are attached to emails or sent over the internet - pretty difficult to do - or you can temporarily unregister the DLL file that displays these pictures. Note that disabling the DLL may well affect several applications which rely on it to display images. Images may not display or the product may fail to start or initialize when it searches for the DLL. This should only be a temporary solution until the patch is released by Microsoft on January 10th.
To unregister the DLL and remove the vulnerability you should do the following:
- Click START
- Click RUN
- Type the following line into the box that appears:
regsvr32 -u %windir%\system32\shimgvw.dll
- Choose OK
- A dialog should appear saying that the DLL has been unregistered - click OK
If you wish to re-enable the DLL temporarily you can do so in the following manner:
- Click START
- Click RUN
- Type the following line into the box that appears:
regsvr32 %windir%\system32\shimgvw.dll
- Choose OK
- A dialog should appear saying the DLL has been registered - click OK
Be sure to disable it again after you are done using the component - only enable it if you are absolutely sure of the provenance of the graphics file you're trying to view. Depending on how the patch is implemented you may need to re-register the DLL once the patch is released. Note that there are a number of non-official patches to this vulnerability. WE DO NOT RECOMMEND applying these unofficial patches, as they may cause more problems than they solve.
Further references:
Microsoft security advisory: http://www.microsoft.com/technet/security/advisory/912840.mspx
CVE Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
CERT Reference: http://www.kb.cert.org/vuls/id/181038
Microsoft KB article: http://support.microsoft.com/kb/912840
Lee Drake
OS-Cubed, Inc.
274 North Goodman St. Suite A401
Rochester, NY 14607
http://www.os-cubed.com
ldrake@os-cubed.com
--------------------------------------------------------------------------------
Main: 585-756-2444
Cell: 585-509-0284
Fax: 585-756-2443
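The post above warns about picture attachments in general, not only files named .WMF. As an added example that is not part of the original post, the Python sketch below triages attachments by content, recognising the documented Windows Metafile header layouts and marking WMF data carried under another extension. The function names and the sample attachment set are hypothetical and constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" pre-header


def _meta_header_ok(buf):
    """Check the 18-byte WMF header: type 1|2, header size 9 words, version 1.0/3.0."""
    if len(buf) < 18:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def classify(data):
    """Return 'wmf-placeable', 'wmf' or None, judging by content only."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "wmf-placeable" if _meta_header_ok(data[22:]) else None
    return "wmf" if _meta_header_ok(data) else None


def triage(attachments):
    """Map each WMF-content attachment to (kind, disguised_by_extension)."""
    hits = {}
    for name, body in attachments.items():
        kind = classify(body)
        if kind:
            hits[name] = (kind, not name.lower().endswith(".wmf"))
    return hits


def _sample_wmf(placeable=False):
    """Constructed, harmless metafile: header plus a single end-of-file record."""
    body = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", pre):  # checksum is the XOR of the first 10 words
        checksum ^= word
    return pre + struct.pack("<H", checksum) + body


SAMPLES = {  # constructed attachment set, not taken from the thread
    "holiday.jpg": _sample_wmf(),                 # WMF content under a .jpg name
    "card.wmf": _sample_wmf(placeable=True),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16,  # JPEG start
}

if __name__ == "__main__":
    for name, (kind, disguised) in triage(SAMPLES).items():
        print(name, kind, "DISGUISED" if disguised else "")
```

A hit only means the content is a metafile and deserves handling on a patched system; it says nothing about whether the file is malicious.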
David Gray Posts:22
01/09/2006 5:36 PM
What Is It?
A vulnerability in the built-in Windows software that displays files such as .JPG and .WMF (windows media files). These typically are pictures - not files normally associated with executables, or worried about by users. At the time of this publication we have a dangerous combination - the vulnerability has been announced, an exploit has been published, there are now viruses in the wild that exploit the vulnerability, and finally - Microsoft has not yet had time to release a patch. The vulnerability is in a DLL that is used by Internet Explorer, the Windows Picture and Fax Viewer, and may be used by other 3rd party software.
The vulnerability affects all versions of Windows 9X, Windows ME, all versions of Windows Server 2003 (and x64 edition), all versions of Windows XP, and all versions of Windows 2000.
There is currently a virus circulating that exploits the vulnerability via email and has the subject title "Happy New Year".
What You Should Do
Visit the Microsoft Update Web site, http://update.microsoft.com/ for the update, which was posted today. Due to the seriousness of this matter, you may not want to wait for Automatic Update to find and apply it.
Acknowledgement
My thanks to long time friend and list subscriber Trevor D. Ford for calling to my attention that Microsoft released this bulletin and update early.
References
New Microsoft Security Bulletin MS06-001, http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Microsoft security advisory: http://www.microsoft.com/technet/security/advisory/912840.mspx
CVE Reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
CERT Reference: http://www.kb.cert.org/vuls/id/181038
Microsoft KB article: http://support.microsoft.com/kb/912840
Lee Drake Posts:238
01/11/2006 3:56 PM
What it is
There is now active and widespread in the field exploitation of the WMF vulnerability by spyware vendors to install spy software on people's machines. The spyware vendor EXFOL which provides banner ads to sites is using the WMF exploit to install pop-up and other software onto the workstations of people who visit sites which use EXFOL or freecat.biz banners. The site author may not even know that infected banners are being displayed on their site.
What to do
If you haven't already updated and applied the patches do so as soon as possible. Such flagrant use of the exploit means there are probably going to be worms, trojans and additional spyware installation attempts.
Further references
Microsoft update: http://update.microsoft.com
Update about EXFOL: http://blogs.zdnet.com/Spyware/?p=737
Websense article on EXFOL and FREECAT.BIZ: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=387