Senor_Smoke
SENATOR BABYHEAD  Posts: 306 Registered: 9/9/2004 Offline
|
1/4/2006 at 10:52 |
Since MS hasn't released a patch yet, you can get it Here
The guy who wrote the patch had his site suspended because people
were blowin his shit up trying to DL the patch.
For those who don't like to click and read shit for yourself, you can
Test your vulnerability or Just download the friggin patch
____________________ Look Out for #1
Dont Step in #2 |
| |
Lefen
I think Clavis wins my heart <3  SSHOLEPosts: 897 Registered: 9/16/2003 Offline
|
1/4/2006 at 12:05 |
Thanks. Also, FF 1.5 will prompt you before downloading the .wmf file so you can deny it if you're not stupid.
____________________ < barfass> hey, fuck your crumpets, postman pat |
| |
SexNinja
the illest nigga  SSHOLEPosts: 1524 Registered: 10/28/2007 Offline
|
1/4/2006 at 13:59 |
Lefen: Thanks. Also, FF 1.5 will prompt you before downloading the .wmf file so you can deny it if you're not stupid.
From what I've read on this thing, you're vulnerable to this whether you use FF or not. It's a windows problem first and foremost. I installed the patch right after it came out and then spent the weekend running virus/spyware scans.
____________________ HAMFIGHTER> He shrugged, and started finishing himself off, on my breasts, while I was crying. |
| |
Lefen
I think Clavis wins my heart <3  SSHOLEPosts: 897 Registered: 9/16/2003 Offline
|
1/4/2006 at 14:16 |
From F-Secure's Blog:
http://www.f-secure.com/weblog/archives/archive-122005.html
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
F-Secure say you should use Ilfak Guilfanov's patch until the official Microsoft one comes out, then uninstall and switch.
From what I read on Digg today, the official patch should be available on or around the 10th of January.
edit:
SexNinjaMcDeath:
It's a windows problem first and foremost.
You're absolutely right, but my point was that FF users can at least avoid having the thing automatically installed just by visiting a website; that is, they'd have to physically agree to dl/run it.
On 2006-01-04 at 08:22:08, Lefen enjoyed furrysex
____________________ < barfass> hey, fuck your crumpets, postman pat |
| |
vasudeva
Bad Taste in your Mouth  SSHOLEPosts: 4460 Registered: 3/8/2002 Offline
|
1/4/2006 at 14:25 |
I'm running Firefox 1.0.7 and I hit a prompt to run the WMF on some shitty porn site I stumbled on to.
That is, it didn't just run it blindly. Not sure how this contrasts to 1.5's handling.
____________________ slippedhole> I am on to you and your evil intentions. I am the true protector of this website and am willing to do battle with you. |
| |
SexNinja
the illest nigga  SSHOLEPosts: 1524 Registered: 10/28/2007 Offline
|
1/5/2006 at 01:09 |
Lefen: SexNinjaMcDeath:
It's a windows problem first and foremost.
You're absolutely right, but my point was that FF users can at least avoid having the thing automatically installed just by visiting a website; that is, they'd have to physically agree to dl/run it.
On 2006-01-04 at 08:22:08, Lefen enjoyed ass-sex with a woodland creature
Something bothered me about this, so I went back and looked at the forum on SA (where I first saw this, btw) and found this:
Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine is one way the image can get onto your computer. Thus, USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop, hover over with the mouse) that causes it to be handled by the windows subsystem responsible for WMF then you will have problems. Once again, YOU CAN BE CAUGHT BY THIS EXPLOIT EVEN IF THE IMAGE DOES NOT SHOW IN THE BROWSER. If you use Windows, your system is vulnerable.
And this post was in a discussion of how safe (or not) you were using FF
---------------------------------------------------------
Messadiah posted:
What I wanted to test though was simply renaming it to a GIF and seeing if the browser displays it (since the report in the first post shows the virus detected in a GIF.)
---------------------------------------------------------
You can rename it to any image format you want and it will still get into the cache and have the possibility to infect you. The GIF in Blue Reptile's exploit was just a WMF file named with a different extension.
FF obviously does not prompt to DL .gif files.
____________________ HAMFIGHTER> He shrugged, and started finishing himself off, on my breasts, while I was crying. |
| |
IMBOLCPunxsutawneyPhil
SENATOR BABYHEAD  Posts: 244 Registered: 3/17/2005 Offline
|
1/5/2006 at 03:49 |
ok namby pambys...
Ilfak Guilfanov [the "guy"] reverse engineered the little dll responsible and fixed it. His site at hexblog.com is back up in a more trimmed down version.
Microsoft has a patch already--but are waiting to deploy it after testing it out and won't be pushing it out of cycle. January 10th is the customary date. This patch has been leaked.
MS's patch will play well with Ilfak Guilfanov's patch--they bothered to test it! hah, good for them.
The way windows handles WMF files is not by reading the file extension, it reads the file header and acts accordingly. The thing that firefux does differently is that it asks you about downloading a given unregistered file type, usually. But this is an OS vulnerability in a very embedded part [GDI] of the operating system, so it's not going to be successfully filtered by any application--including your Antivirus, IDS, or what have you.
The good news is that there are fewer than about 200k infected systems in the wild maybe up to 1MM, which is still bad, but really nothing compared to a really nasty worm [blaster, sasser]. This vulnerability is only exploited when a user does something. Click a link, visit a shit site, etc--YOU HAVE TO ACT--and it only gets your level of permissions [admin of course you windowsers]...
Anyhow, I hate to agree with the redmond security response team, but there is no current outbreak, no crisis of infection, no new vector of attack that will suddenly zap your machine because it's plugged into the internets.
keep updated: http://isc.sans.org/
http://blogs.technet.com/msrc/
and a good case for patching, even an executive could understand, with enough hand-holding:
http://www.section66.com/handlers/WMF.pdf
____________________ If you include a null character |
| |
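The posts above note that Windows identifies a WMF by its file header rather than its extension, so a WMF renamed to .gif still sits in the browser cache as a WMF. The following is an added example, not part of the original thread, that flags such files by sniffing their first bytes; the function names, directory layout and sample file contents are constructed for illustration.

```python
import os
import struct
import tempfile

PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable-metafile key, stored little-endian


def looks_like_wmf(head: bytes) -> bool:
    """Return True if the leading bytes match a WMF header."""
    # Placeable WMF: a 22-byte prefix that begins with the 32-bit key.
    if len(head) >= 4 and struct.unpack_from("<I", head)[0] == PLACEABLE_KEY:
        return True
    # Standard header: Type (1=memory, 2=disk), HeaderSize (9 words),
    # Version (0x0100 or 0x0300), each a 16-bit little-endian field.
    if len(head) >= 6:
        ftype, hdr_words, version = struct.unpack_from("<HHH", head)
        return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return False


def find_disguised_wmf(root: str) -> list:
    """List files under root whose content is WMF but whose extension is not .wmf."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(6)
            except OSError:
                continue  # unreadable file: skip it
            if looks_like_wmf(head) and not name.lower().endswith(".wmf"):
                hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample directory; return the flagged base names."""
    gif = b"GIF89a" + b"\x00" * 16  # genuine GIF signature
    std_wmf = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
    placeable = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + std_wmf
    samples = {"real.gif": gif, "renamed.gif": std_wmf,
               "banner.jpg": placeable, "honest.wmf": std_wmf}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_disguised_wmf(tmp)]
```

Pointing `find_disguised_wmf` at a browser cache or download folder lists files that would be handled as WMF despite carrying another image extension.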
Senor_Smoke
SENATOR BABYHEAD  Posts: 306 Registered: 9/9/2004 Offline
|
1/5/2006 at 21:58 |
Released a lil bit early....
XP
XP x64
Or it's available through regular old windows update.
Uninstall unofficial patches first.
____________________ Look Out for #1
Dont Step in #2 |
| |
IMBOLCPunxsutawneyPhil
SENATOR BABYHEAD  Posts: 244 Registered: 3/17/2005 Offline
|
1/6/2006 at 00:31 |
I hear you don't need to.. [uninstall the reversed engineered one]
anyone too lazy to uninstall the unofficial ones yet?
--ooh look at the furrys!--
On 2006-01-05 at 18:32:31, IMBOLCPunxsutawneyPhil enjoyed furrysex
____________________ If you include a null character |
| |