pcdebb (RIP dadkins), Premium, join: 2000-12-03, Brandon, FL, kudos: 4 | reply to redxii
Re: Windows MetaFiles still vulnerable
Good work, guys. Can I assume at this early stage there isn't a patch/fix for this? This might be one that I may have to fix on someone's computer soon. -- babbling | How's the weather?
Shadye, Premium, join: 2004-10-21, Fallbrook, CA, 1 edit | Yeah, turn on DEP. Spoke too soon. There's a workaround out: REGSVR32 /U SHIMGVW.DLL. That will stop WMF from being automatically displayed in IE, but you can still open the file and get infected.
gracie7 (Geek Goddess), Premium, join: 2003-07-15, confusion, 2 edits | reply to pcdebb said by pcdebb: can I assume at this early stage there isn't a patch/fix for this? Well, the unregistration hack described above (using "regsvr32 /u shimgvw.dll") seems to work for now...
LATE EDIT: Wait. Does this require a restart? We've done the unreg on all the XP machines, but can still open a .wmf file OK.
Is only MS Picture Viewer vulnerable? We have .wmf associated with PSP...
noway1 | said by gracie7: ...LATE EDIT: Wait. Does this require a restart? We've done the unreg on all the XP machines, but can still open a .wmf file OK. I needed to restart for the fix to work.
gracie7 (Geek Goddess), Premium, join: 2003-07-15, confusion | reply to gracie7 WARNING about using the regsvr hack: it totally disables MS Picture Viewer, not just for .wmf files. I now can't use "Preview" in the right-click menu for ANY files (jpg, gif, etc.). Double-clicking them still opens them in PSP, as that is the association, but you can't "Preview" using Picture and Fax Viewer anymore.
This may be obvious to most; I didn't realize the hack was to disable Picture Viewer altogether. Somehow I thought it was just to disable Picture Viewer rendering .wmf files. Boo. -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide
jp10558, Premium, join: 2005-06-24, Willseyville, NY | Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been?
If that fails, I'm betting that TeaTimer and ProcessGuard will catch the registry and executions respectively. -- Opera 8.5 (Build 7700); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32 (Version 2.5.25); Outpost Pro 3; Proxomitron 4.5j Grypen 12/2/05 (Opera mod), GPG ID: 0x0A1C6EE3
hpguru (Curb Your Dogma), Premium, join: 2002-04-12 | reply to gracie7 said by gracie7: WARNING about using the regsvr hack: it totally disables MS Picture Viewer, not just for .wmf files. I now can't use "Preview" in the right-click menu for ANY files (jpg, gif, etc.). Double-clicking them still opens them in PSP, as that is the association, but you can't "Preview" using Picture and Fax Viewer anymore. This may be obvious to most; I didn't realize the hack was to disable Picture Viewer altogether. Somehow I thought it was just to disable Picture Viewer rendering .wmf files. Boo. I haven't applied the hack myself, but just skimming through related registry classes it appears there is a lot of functionality which would be broken.
I am wondering if we could narrow it down to a particular CLSID we could set the kill bit on instead? -- Get hpHOSTS! Member ASAP George Bush is lying to you.
gracie7 (Geek Goddess), Premium, join: 2003-07-15, confusion | said by hpguru: skimming through related registry classes it appears there is a lot of functionality which would be broken. Indeed... I just had a problem with my OCR program saving a file it scanned in Notepad. Was able to copy and paste the text, open Notepad on my own, and save the file fine. Suspect it's related.
Hopefully, you gurus will come up with a better workaround, or MS will patch quickly. -- graciella! "not tonight dear, I have DSL." Creating SuperOrganizations Worldwide Creating & Hosting SuperSites Worldwide
Nerdtalker (Working Hard, Or Hardly Working?), Premium, MVM, join: 2003-02-18, Tucson, AZ | reply to jp10558 said by jp10558: Interesting question - won't most security software catch this anyway? Say your firewall asking if foo.exe can open an FTP connection to someplace you've never been? I'd assume that all firewalls that provide outbound protection would prompt the user, unless they've already created a rule allowing all FTP traffic from the Windows FTP client program.
What you're assuming here is that people do have a good firewall. Nine tenths of them don't. -- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn
I'm testing Gmail's spam filters: Broadbandreports1@gmail.com Spam: 12900+ messages currently using 406 MB.
jbob (Reach Out and Touch Someone), Premium, join: 2004-04-26, Little Rock, AR | reply to jp10558 That would seem likely, but who knows. I have read that BOClean already had this trojan covered over a month ago. If it all starts with a simple trojan being downloaded, then that would seem simple enough to take care of, but I'm not so sure that is all that is happening. Does the exploit cause the trojan download to be attempted using FTP, or is the exploit code opening up another hole?
I am reading this from a user on GRC: The question was asked, "Now all we need to find out is if the action of right-clicking it can infect the system?"
"Said by Not John Lennon": It appears it can. On my test system so far, all I can get it to do is crash & restart the shell (explorer.exe). It doesn't seem to actually infect the system & it's doing it (restarting Explorer) just by pointing at the file. No chance to right-click, left-click, swear at it or anything else. Explorer immediately crashes & restarts. Weird. On another system, it infected it when the file was right-clicked. Both systems XP Pro.
I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for .wmf files.
redxii, Premium, Mod, join: 2001-02-26, Sherwood, MI, 1 edit | reply to hpguru Control Panel -> Folder Options -> File Types. Find and delete EMF and WMF.
Edit: OK, that will keep it from downloading automagically, but it will still execute when browsing to a folder with the files...
redxii, Premium, Mod, join: 2001-02-26, Sherwood, MI
2 edits | reply to jbob said by jbob: I didn't quite understand Red's response to my suggestion about trying it with IrfanView as the default viewer for .wmf files. OK, in short: unless one unregisters shimgvw.dll (doing so, I didn't require a restart) it is going to execute code. I told IrfanView to register WMF and EMF and they were still able to execute code even outside of IrfanView.
Again, it only runs with the same privileges as the user. -- Open Source -> Close Minded
Microsoft Windows 2000/XP Security: Some Assembly Required.
Excessive use of "$" as in "M$" may make you look like a fool.
prana, join: 2005-03-22, Australia | reply to jbob Right-click infected my sandbox.
I have posted all samples and related DLLs to an AV vendor for signatures.
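The posts above turn on two things: samples going to an AV vendor for signatures, and redxii's finding that the rendering path in shimgvw.dll executes code no matter which viewer owns the .wmf association. As an added example that is not part of the original thread or any poster's code, here is a small Python parser that walks the record stream of a Windows Metafile and flags a META_ESCAPE record whose escape function is SETABORTPROC. The thread never names that record; the record and function codes and the header layout are taken from the published WMF format, and picking SETABORTPROC as the thing to flag is this example's assumption about what a signature for the samples being discussed would look for. Both sample files are constructed inline and carry no payload, only the record header and a few zero bytes.

```python
"""
Walk a Windows Metafile (.wmf) record by record and report any META_ESCAPE
record carrying the SETABORTPROC escape function.  Added example for this
page; the two samples at the bottom are constructed here, not real captures.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic; header is 22 bytes
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626         # record function code for an Escape record
SETABORTPROC = 0x0009        # escape function that installs an abort callback


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Raises ValueError on a truncated or malformed file instead of guessing.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:      # 1 = in memory, 2 = on disk
        raise ValueError("not a WMF header")
    off += hdr_words * 2                           # header size is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                      # record size is in words too
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size {size_words} words at offset {off}")
        yield off, func, data[off + 6: off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("record stream ended without META_EOF")


def find_abortproc_escapes(data: bytes):
    """Return the offsets of META_ESCAPE records whose function is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    """Build one record; sizes are in words, so odd parameter lengths get padded."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    """Wrap records in a disk-less (Type 1) header and a terminating META_EOF."""
    all_records = list(records) + [_record(META_EOF, b"")]
    body = b"".join(all_records)
    max_words = max(len(r) // 2 for r in all_records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples: BENIGN only sets a map mode and a background mode;
# SUSPECT carries an Escape record with the SETABORTPROC function code and
# four zero bytes of escape data, enough to exercise a signature, nothing more.
BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                   _record(META_SETBKMODE, struct.pack("<H", 1))])
SUSPECT_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, "SETABORTPROC escapes at offsets:", find_abortproc_escapes(blob))
```

To scan a real file, pass `open(path, "rb").read()` to `find_abortproc_escapes`. Treat a hit as something to look at rather than proof of malice: the escape is a legitimate part of the format for print abort handling, so a signature built on it needs the surrounding context (embedded code, odd record sizes) before it is trusted, and a file that raises ValueError is worth a look for exactly the same reason.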
Libra, Premium, join: 2003-08-06, USA, kudos: 1 | reply to redxii said by redxii: Again, it only runs with the same privileges as the user. REDxII1234, if you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay? Also, should I unregister shimgvw.dll in Windows 98SE? Thank you. Sincerely, Libra
redxii, Premium, Mod, join: 2001-02-26, Sherwood, MI
1 edit | said by Libra: REDxII1234, if you don't unregister shimgvw.dll, but are running in a limited user account, will you be okay? Also, should I unregister shimgvw.dll in Windows 98SE? Thank you. Sincerely, Libra You should be fine, but Explorer will keep crashing and you wouldn't want to risk accidentally running it in the admin account. Unregister it anyway until it is fixed.
The reason I mentioned that is because Security Focus claims that it will run with SYSTEM privileges, regardless of the logged-on user's privileges. However, I am unable to find such behavior. It always runs with the user's privs.
Can't comment on 98SE. I don't have a virtual machine for that, even though I have the install CD.
Windows 2000 SP4 didn't seem to have any WMF/EMF associations or the picture viewer that XP/2003 has, so it is safe from automagic execution in Explorer or on the web.
Libra, Premium, join: 2003-08-06, USA, kudos: 1 | REDXII1234, thank you very much. I unregistered shimgvw.dll on the XP computer. I checked file types in 98SE and I didn't see any WMF or EMF types. I also searched for shimgvw.dll and nothing came up. I imagine when MS makes a fix we should first register the file and then get the update - does it matter? I appreciate your help. Sincerely, Libra
CyberSchnook1 | reply to noway1 said by noway1: said by gracie7: ...LATE EDIT: Wait. Does this require a restart? We've done the unreg on all the XP machines, but can still open a .wmf file OK. I needed to restart for the fix to work. I didn't, with XP Home SP2. Go figure. -- O o p! I fell off the edge of the island again!
Mele20, Premium, join: 2001-06-05, Hilo, HI, kudos: 4 | said by CyberSchnook1: said by noway1: said by gracie7: ...LATE EDIT: Wait. Does this require a restart? We've done the unreg on all the XP machines, but can still open a .wmf file OK. I needed to restart for the fix to work. I didn't, with XP Home SP2. Go figure. Ilfak and Steve Gibson say that it is UNnecessary to unregister the DLL and recommend that you do not do so. Microsoft, on the other hand, says you should if you don't have Windows OneCare. Naturally, MS would recommend unregistering the DLL because they do not recognize or approve of anyone using the unofficial patch.
castlecops.com/t143199-Is_it_sti···dll.html -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"