Thread: Zero-Day

  1. #1 nvening (lazy student)

    Zero-Day

    Well, looks like MS still can't get off its ass to fix another of its vulnerabilities. I just got this from F-Secure:

    PRESS RELEASE

    For release December 30, 2005

    Zero-day vulnerability in Windows still unpatched

    Hundreds of millions of PCs still at risk; F-Secure able to stop the
    malicious files

    December 30, 2005

    The zero-day vulnerability related to Windows' WMF files first reported on
    December 27 is still unpatched by Microsoft. At that time Trojan downloaders
    were seen to actively exploit the vulnerability with fully patched Windows XP
    SP2 machines.

    Windows metafiles are image files used by popular applications such as
    Microsoft Word. So far WMF exploits have been typically used to install
    spyware and adware although the threat of virus and worm exploits remains.

    Users can be infected simply by visiting a web site with an image file
    containing the WMF exploit. Internet Explorer users are at the greatest risk
    of automatic infection while Firefox and Opera browser users are prompted
    with a question whether they'd like to open the WMF image or not. They get
    infected too if they answer 'Yes'.

    Microsoft and CERT.ORG issued bulletins on the Windows Metafile vulnerability
    and also announced a workaround while Microsoft is creating a patch.
    Microsoft confirms that the vulnerability applies to all the main versions
    of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. This means
    there are hundreds of millions of vulnerable computers at the moment.

    As a precaution, F-Secure recommends administrators to block access to all
    WMF files at HTTP proxy and SMTP level. Consumers are also advised to enable
    their Windows automatic update system, reject any emails sent to them with
    WMF or other dubious-looking attachments and to ensure that their virus
    protection is up to date.

    F-Secure Anti-Virus detects the offending WMF files with generic detection
    either as PFV-Exploit or Exploit.Win32.IMG-WMF.

    Speaking about the case, Chief Research Officer at F-Secure, Mikko Hypponen
    said: "So far, we've only seen this exploit being used to install spyware or
    fake antispyware and antivirus software on the affected machines. I'm afraid
    we'll see real viruses using this soon. We've seen 70 different versions of
    malicious WMF files so far."

    Hypponen pointed out that the WMF exploit has been used with a clear criminal
    motivation to install spyware and to dupe ordinary consumers into purchasing
    fake security products for their computers.

    Until a patch is issued, Hypponen recommended administrators to filter the
    following domains at corporate firewalls:

    toolbarbiz[dot]biz
    toolbarsite[dot]biz
    toolbartraff[dot]biz
    toolbarurl[dot]biz
    buytoolbar[dot]biz
    buytraff[dot]biz
    iframebiz[dot]biz
    iframecash[dot]biz
    iframesite[dot]biz
    iframetraff[dot]biz
    iframeurl[dot]biz
    freecat[dot]biz

    For updates on the WMF vulnerability, please check the F-Secure Viruslab
    blog, which broke the news on 28th of December:
    http://www.f-secure.com/weblog/

    About F-Secure Corporation

    F-Secure Corporation protects consumers and businesses against computer
    viruses and other threats from the Internet and mobile networks. We want to
    be the most reliable provider of security services in the market. One way to
    demonstrate this is the speed of our response. According to independent
    studies in 2004 and 2005 our response time to new threats is significantly
    faster than our major competitors. Our award-winning solutions are available
    for workstations, gateways, servers and mobile phones. They include antivirus
    and desktop firewall with intrusion prevention, antispam and antispyware
    solutions, as well as network control solutions for Internet Service
    Providers. Founded in 1988, F-Secure has been listed on the Helsinki
    Exchanges since 1999, and has been consistently growing faster than all its
    publicly listed competitors. F-Secure headquarters are in Helsinki, Finland,
    and we have regional offices around the world. F-Secure protection is also
    available as a service through major ISPs, such as France Telecom,
    TeliaSonera, PCCW and Charter Communications. F-Secure is the global market
    leader in mobile phone protection provided through mobile operators, such as
    T-Mobile and Swisscom and mobile handset manufacturers such as Nokia.

    For the latest information about the Windows vulnerability please visit the
    F-Secure Data Security Lab weblog at: http://www.f-secure.com/weblog/

    For further information, please contact:

    F-Secure Corporation
    Mikko Hypponen, Chief Research Officer
    PL 24
    FIN-00181 Helsinki
    Gsm +358 400 648 180

    http://www.F-Secure.com


    For details about Microsoft's latest announcements about the Windows
    vulnerability, please go to:
    http://www.microsoft.com/technet/sec...ry/912840.mspx
    http://www.kb.cert.org/vuls/id/181038
    (\__/)
    (='.'=)
    (")_(")
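    The press release makes two concrete recommendations for administrators: block WMF files at the HTTP proxy and SMTP gateway, and filter the listed domains at the corporate firewall. The Python below is an added example of how a proxy policy hook could implement both; it is not F-Secure's code and not from anyone in this thread. It recognises WMF content by its header structure rather than by filename or Content-Type (so a WMF renamed to .gif is still caught), walks the record list and flags escape records (META_ESCAPE, function 0x0626, the record type that carries driver-defined data rather than drawing commands), and normalises the defanged `[dot]` domains from the release into a blocklist that also matches subdomains. The header layout and record format are taken from the public WMF format description; the function names and the sample WMF bytes are constructed for this example.

```python
import struct
from typing import List

# Byte-level facts about the WMF format (assumed from the public format
# description, not from the thread): an optional 22-byte "placeable" header
# starting with magic 0x9AC6CDD7, then an 18-byte standard header, then a
# list of records, each a 32-bit size in 16-bit words plus a 16-bit function.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
STD_HEADER_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626  # escape record: driver-defined data, not a drawing command


def strip_placeable(data: bytes) -> bytes:
    return data[22:] if data.startswith(PLACEABLE_MAGIC) else data


def is_wmf(data: bytes) -> bool:
    """Identify WMF by structure, so a renamed .gif/.jpg is still recognised."""
    body = strip_placeable(data)
    if len(body) < STD_HEADER_LEN:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", body, 0)
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def wmf_record_functions(data: bytes) -> List[int]:
    """Walk the record list and return each record's function code.
    Stops at META_EOF, at a truncated record, or at an impossible size."""
    body = strip_placeable(data)
    funcs: List[int] = []
    off = STD_HEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        funcs.append(func)
        if func == META_EOF or size_words < 3 or off + size_words * 2 > len(body):
            break
        off += size_words * 2
    return funcs


def normalise_defanged(domain: str) -> str:
    """'toolbarbiz[dot]biz' -> 'toolbarbiz.biz' (advisories defang domains)."""
    return domain.strip().lower().replace("[dot]", ".").replace("(dot)", ".").strip(".")


def host_blocked(host: str, blocklist: List[str]) -> bool:
    """Exact match or any subdomain of a blocked domain; never a substring match."""
    h = host.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in blocklist)


def proxy_decision(host: str, body: bytes, blocklist: List[str]) -> str:
    """Decision a proxy policy hook would return for one HTTP response."""
    if host_blocked(host, blocklist):
        return "block:domain"
    if is_wmf(body):
        funcs = wmf_record_functions(body)
        return "block:wmf-escape" if META_ESCAPE in funcs else "block:wmf"
    return "allow"


def build_sample_wmf(with_escape: bool) -> bytes:
    """Constructed sample bytes for the example (not a file seen in the wild)."""
    records = b""
    max_rec_words = 3
    if with_escape:
        payload = b"\x00" * 8  # placeholder escape data
        params = struct.pack("<HH", 0x0001, len(payload)) + payload
        size_words = 3 + len(params) // 2
        max_rec_words = max(max_rec_words, size_words)
        records += struct.pack("<IH", size_words, META_ESCAPE) + params
    records += struct.pack("<IH", 3, META_EOF)
    total_words = (STD_HEADER_LEN + len(records)) // 2
    std_header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_rec_words, 0)
    placeable = PLACEABLE_MAGIC + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    return placeable + std_header + records


# Blocklist built from the defanged domains in the press release.
BLOCKLIST = [normalise_defanged(d) for d in [
    "toolbarbiz[dot]biz", "toolbarsite[dot]biz", "toolbartraff[dot]biz",
    "toolbarurl[dot]biz", "buytoolbar[dot]biz", "buytraff[dot]biz",
    "iframebiz[dot]biz", "iframecash[dot]biz", "iframesite[dot]biz",
    "iframetraff[dot]biz", "iframeurl[dot]biz", "freecat[dot]biz",
]]

if __name__ == "__main__":
    for host, body in [("www.example.test", build_sample_wmf(True)),
                       ("www.iframecash.biz", b"GIF89a" + b"\x00" * 40),
                       ("www.example.test", b"GIF89a" + b"\x00" * 40)]:
        print(host, proxy_decision(host, body, BLOCKLIST))
```

    The point of checking the header rather than the extension is that a browser renders the image based on its content, so a filter keyed on `.wmf` in the URL misses the case the release describes. The record walk stops at the first malformed size so a truncated or oversized record cannot send it reading past the end of the buffer.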

  2. #2 peterb (The late but legendary peterb - Onward and Upward)
    Non-Windows users are safe from this one then! (boots his Linux machine...!)

    Been helped or just 'Like' a post? Use the Thanks button!
    My broadband speed - 750 Meganibbles/minute

  3. #3 TheAnimus (Seething Cauldron of Hatred)
    throw new ArgumentException (String, String, Exception)

  4. #4 peterb (The late but legendary peterb - Onward and Upward)
    Don't disagree with any of that (http://forums.hexus.net/showpost.php...&postcount=42).

    However just because the writer of some software chooses to publish the source code, or offer his writing under the GPL, doesn't mean that it hasn't undergone a development cycle just as rigorous (possibly more so as it will be open to peer review) as closed source software. Many open source software writers are professional developers as a full time job!

  5. #5 peterb (The late but legendary peterb - Onward and Upward)
    MS comment on the wmf vulnerability

    http://www.microsoft.com/technet/sec...ry/912840.mspx

    Again (as has been repeated on other threads), running with as few privileges as possible (i.e. NOT as administrator) will lessen the impact, as the arbitrary code will only run as user (not root/superuser/admin). (And of course you have to visit a site where the specially designed file is lurking.)

    An interesting quote from an Sy site...

    "One would think that after nearly two decades, Microsoft could find and
    remove the buffer overflows in the code it distributes to tens of millions
    of people."

    True!
    Last edited by peterb; 31-12-2005 at 02:50 PM.

  6. #6 TheAnimus (Seething Cauldron of Hatred)
    From what I understand this isn't a standard buffer overflow, but I've not been bored enough to look at the bug properly!

    As Dijkstra said, if debugging is the process of removing bugs, then surely programming is the process of adding them?

    I'm not trying to justify sloppy coding though, just judging them on bugs in the wild. It's all too easy to say "ah but look at this one bug" when there are millions of lines of code. Instead you need to analyse the whole code, and find the number of exploitable issues. But all too often this is thought of as simple bad programming; a lot of the time nowadays it's not. For instance the Intel Hyper-Threading security bug, that took a brilliant brainwave to figure out how to steal a key via.

    The views on Open Source are, as I stated in the other thread, a rant caused by an off-topic read! (But none the less true, as community projects tend to have no formal design, direction or plan of any kind.)

  7. #7 badass (Senior Member)
    Quote Originally Posted by TheAnimus:
    "From what I understand this isn't a standard buffer overflow, but I've not been bored enough to look at the bug properly!"

    It's not even a bug!
    It's a feature that was included in the WMF standard that was designed to allow them to include code. Now malware writers have noticed this, they are using it.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  8. #8 TheAnimus (Seething Cauldron of Hatred)
    Anything that can be used maliciously is a bug in my book (no signing, no restriction). The idea is a WMF (or EMF, because we're 32-bit here!) can combine metafiles (do some simple instructions for the displaying of the image), not execute arbitrary code.

    On the net there is a lot of confusion as to what a metafile actually is. I'm not going to try and give a definition, but no one has ever suggested a metafile as an attack vector any more so than PostScript. This is why I'm not getting overly concerned about this one. How many PDF bugs have we seen which can allow code execution? It's the same concept: the format should never allow such interaction.

    Same reason I use the word "nastie" to describe spyware/malware/worms/viruses; it's a word that normally. (Also you won't get sued for calling Gator, or whatever the piece of junk was, spyware (yes, some blogger got sued), because it's not legally defined as spyware, but it's easy to justify it as being "nastie" from my perspective.)

  9. #9 RedPutty (Senile Member)
    Quote Originally Posted by TheAnimus:
    "Anything that can be used maliciously is a bug in my book."
    Bugs are mistakes or more accurately called software defects. A feature that can be used maliciously is a vulnerability (though bugs can also be vulnerabilities).

    Quote Originally Posted by TheAnimus:
    "I use the word "nastie" to describe spyware/malware/worms/viruses"
    Malware means all those things, it means malicious software hence covers the other things in your list.

  10. #10 Paul Adams (Ex-MSFT)
    http://www.microsoft.com/technet/sec...ry/912840.mspx has been updated 3/1.

    Text at the top has been updated, and the FAQ section:
    Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.

    Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

    The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

    Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  11. #11 TheAnimus (Seething Cauldron of Hatred)
    Quote Originally Posted by RedPutty:
    "Bugs are mistakes or more accurately called software defects. A feature that can be used maliciously is a vulnerability (though bugs can also be vulnerabilities)."

    I can never spell vulnerability.

    Quote Originally Posted by RedPutty:
    "Malware means all those things, it means malicious software hence covers the other things in your list."

    You can get in trouble describing certain programs as malware.

    Gator hit the headlines a short while back for suing bloggers; a quick Google turns up:

    http://www.dslreports.com/shownews/34679
    and
    then: http://news.com.com/2100-1032_3-5095051.html

    ouch!

    So when I'm not writing something that has to be professional, I'll just use the word nasty. As nasty has a much wider definition, I can't get in trouble. How long before someone says malware isn't malicious, it clearly notifies the user in the EULA? Whereas dictionary definitions of nasty are much more broad. Not to mention everyone can understand what you're on about.
