Guest, posted January 7, 2006

http://www.news.com/

Antivirus makers catch up to Windows bug
By Joris Evers
http://news.com.com/Antivirus+makers+catch+up+to+Windows+bug/2100-1002_3-6018696.html
Story last modified Wed Jan 04 18:00:00 PST 2006

While users wait for a Microsoft fix, many antivirus products will protect PCs against attacks that exploit a recently disclosed Windows flaw, but not all.

According to a test of a range of antivirus products published on Wednesday, Trend Micro was the only major antivirus vendor that failed to catch a number of malicious files that exploit the new Windows vulnerability.

In the test, administered by independent testing organization AV-Test, 206 malicious files were pushed through virus shields from a number of vendors. Of the top three antivirus companies, Symantec and McAfee caught all bad files, while Trend Micro missed 63, according to the test results, which were e-mailed to CNET News.com.

Test results

AV-Test took a range of antivirus products and ran 206 malicious files that exploit the unpatched WMF flaw through them. Some of the products have holes, it turned out.

These products detected all the malicious files:
  BitDefender
  Computer Associates eTrust-VET
  F-Secure
  Kaspersky Lab
  McAfee
  Eset Nod32
  Microsoft OneCare
  Sophos
  Symantec

These missed just one file:
  Alwil Avast
  Clam AntiVirus
  Aladdin eSafe

These tools missed a number of samples (total in parentheses):
  Fortinet (18)
  AntiVir (24)
  eTrust-INO (25)
  Panda (25)
  Ikarus (26)
  Norman (26)
  Ewido (47)
  AVG (59)
  VirusBuster (61)
  QuickHeal (63)
  Trend Micro (63)
  Dr Web (93)
  VBA32 (110)
  Authentium Command (119)
  F-Prot (119)

Source: AV-Test

Several smaller providers of antivirus products also caught all the examples of malicious code, including Sophos, Kaspersky, Computer Associates International, F-Secure and BitDefender.
Microsoft's new Windows OneCare, currently available as a test version, also protects against all the attacks, according to AV-Test.

Trend Micro is working to update its product to improve detection, said Raimund Genes, chief technologist for Trend Micro in Europe. "We have the luxury to have some of the biggest customers in the world, but this is also a burden because this means that we have to do very careful quality assurance," he said.

Still, Genes contends that Trend Micro's product offers good protection. It might not catch all the files used in the test, but it does catch all the malicious files currently found "in the wild" on the Internet, he said.

The Windows flaw is atypical, making it more complicated for most makers of antivirus software to provide protection, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany and head of AV-Test. The flaw lies in the way Windows renders Windows Metafile images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.

"Antivirus companies have the problem that the attacks involve a file format that was not used for previous attacks," Marx said in an interview via e-mail. "The researchers had to dig through the file format, and detection routines had to be carefully tested in order to avoid false positives."

Some providers of antivirus software are still working on proper detection routines and may offer protection against only the most widespread exploits, Marx said. "All antivirus tools are developed in a different way," he said. "Depending on the code, it might be rather easy for some companies to add detection of the exploit codes by simply adding a new signature. In other cases, engine or even program changes need to be made."

In Trend Micro's case, the company is working on fine-tuning detection capabilities, Genes said.
The challenge is finding a balance between detection capabilities of the new file type and speed of the scan engine, he said.

AV-Test also tested free antivirus products, including Clam AntiVirus and AVG. While Clam AntiVirus stopped all but one file, AVG let through 59 malicious files, according to the test.

The detection in Clam AntiVirus works well, but will result in many false positives and stop almost all WMF files, Marx said. That's not a big problem because Clam AntiVirus is used mostly as a gateway scanner, not on the desktop, he said. "AVG, on the other hand, is mainly used on PCs. The company has to avoid false positives," Marx said. "I know that the AVG team is working day and night on a solution."

Meanwhile, experts have warned that thousands of malicious Web sites as well as Trojan horses and at least one instant messaging worm that use the WMF flaw as a conduit have surfaced. Microsoft, however, says it has not seen many attacks on its customers. It plans to deliver a fix on Tuesday as part of its monthly patch cycle. Until then customers can protect themselves using a workaround and by following standard security guidelines, which include the use of updated antivirus software, Microsoft said in a security advisory.

Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.

FAIR USE NOTICE

This email contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. I am making such material available in my efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. I believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C.
Section 107, the material in this email is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml If you wish to use copyrighted material from this update for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

_______________________________________________

--- Cassandra Casey <israelswarrior@...> wrote:

> This is from my sister, an electronics tech who works for a large laboratory. Always something... Be careful out there
>
> Cassie
>
> From: "Jayne"
> Subject: FW: ***Computer Security Risk***
> Date: Thu, 5 Jan 2006 07:12:45 -0700
>
> Thought I might share this with you.
>
> ________________________________
>
> From: Limb, Bryce
> Sent: Wednesday, January 04, 2006 4:15 PM
> To: Everyone at ARUP
> Subject: ***Computer Security Risk***
>
> There is a new vulnerability that has the potential for creating issues on Windows based systems. This message should be read, and remember that this could potentially affect your system here at ARUP and has a much higher risk of impacting your home system.
>
> Threat:
>
> The new vulnerability is with the Microsoft Windows WMF graphics engine that is part of the Windows operating system. The WMF components are used to present graphic images that are found on websites, e-mail messages, etc. There is the possibility that malicious code can be contained within the graphics and when they are opened or viewed the code is executed and your system will become infected without your knowledge. The code could have the potential to use your system to attack others, monitor or log your key strokes (this could capture sensitive information like usernames and passwords that could be used) or other malicious actions.
>
> Microsoft does not currently have a correction for this vulnerability but says they are working on a release.
>
> What you should do:
>
> I would like to ask that if you are using outside e-mail or third party e-mail, like Xmission, , Earthlink, etc., here at ARUP that you stop this practice immediately. Please do not click on any links that are connected to any e-mail unless you know exactly what it is and completely trust the source and DO NOT OPEN ANY TYPE OF IMAGE FILES. I would like to ask that you limit your web surfing to those sites that are required to do your jobs; there is a risk of obtaining the malicious code just by viewing infected sites.
>
> For your home systems, I would ensure that your anti-virus and Windows patches are up to date. I would also not open picture files or click on links that are attached to e-mails. I would also limit my surfing until a correction is released from Microsoft.
>
> If you have any questions please feel free to contact me at your convenience. We believe that with the current security measures we have in place at ARUP we should be able to avoid an infection, but we need your help to ensure that we limit our vulnerability and risk. Thanks for your help.
>
> ********************************************************************
>
> Bryce R. Limb
> AVP, IT Systems & Support/Information Security Officer
> Information Technology
>
> ARUP Laboratories, Inc.
> 500 Chipeta Way, Salt Lake City, Utah 84108-1221
> Phone: (801)584-5224
> Fax: (801)583-2712
> E-Mail: limbbr@...
> Web: www.aruplab.com
>
> ------------------------------------------------------------------
> The information transmitted by this e-mail and any included attachments are from ARUP Laboratories and are intended only for the recipient. The information contained in this message is confidential and may constitute inside or non-public information under international, federal, or state securities laws, or protected health information and is intended only for the use of the recipient. Unauthorized forwarding, printing, copying, distributing, or use of such information is strictly prohibited and may be unlawful. If you are not the intended recipient, please promptly delete this e-mail and notify the sender of the delivery error or you may call ARUP Laboratories Compliance Hot Line in Salt Lake City, Utah USA at +1 (800) 522-2787 ext. 2100
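The article's practical point, in Marx's words, is the gap between a crude signature that "will result in many false positives and stop almost all WMF files" and detection that required vendors to "dig through the file format". The Python below is an added example for this page, not AV-Test's, ClamAV's or any vendor's detection routine. It assumes the public WMF layout (an 18-byte METAHEADER, an optional 22-byte placeable preamble, records that begin with a size in 16-bit words and a function code) and the fact that the 2006 exploit files carried a META_ESCAPE record whose escape function was SETABORTPROC, a construct that has no meaning in a stored metafile. The sample files are constructed inline with zero-filled placeholder data; none is a real exploit.

```python
"""Added example: crude 'is it a WMF?' matching versus record-level parsing.
naive_match() fires on every metafile, benign or not; structural_match() walks
the record stream and fires only on an ESCAPE record requesting SETABORTPROC.
Samples are constructed here and carry placeholder bytes, not real payloads."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte Aldus placeable preamble
META_ESCAPE = 0x0626         # WMF record function code for ESCAPE
META_EOF = 0x0000            # end-of-metafile record
SETABORTPROC = 0x0009        # escape function number; pointless inside a stored file
_PLACEABLE_MAGIC = struct.pack("<I", PLACEABLE_KEY)


def naive_match(data: bytes) -> bool:
    """Crude signature: placeable magic, or METAHEADER Type 1/2 with HeaderSize 9."""
    return data[:4] == _PLACEABLE_MAGIC or data[:4] in (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")


def iter_records(data: bytes):
    """Yield (function, params) for each record; stops quietly on truncation."""
    off = 22 if data[:4] == _PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        return
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                  # smaller than its own 6-byte header: corrupt
            return
        end = off + size_words * 2
        yield func, data[off + 6:end]       # params come back short if the file is cut
        if func == META_EOF or end > len(data):
            return
        off = end


def structural_match(data: bytes) -> bool:
    """True only if some ESCAPE record asks for SETABORTPROC."""
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                return True
    return False


# --- constructed samples (placeholder bytes, not exploit code) -----------------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


def _placeable(wmf: bytes) -> bytes:
    head = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):   # XOR of the first ten WORDs
        checksum ^= word
    return head + struct.pack("<H", checksum) + wmf


BENIGN = _wmf([_record(0x0103, b"\x01\x00"),                                   # META_SETMAPMODE
               _record(META_ESCAPE, struct.pack("<HH", 8, 2) + b"\x00\x00")])  # QUERYESCSUPPORT
MALICIOUS = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
PLACEABLE_MALICIOUS = _placeable(MALICIOUS)
NOT_WMF = b"GIF89a" + b"\x00" * 20


def triage(samples: dict) -> dict:
    """name -> (naive verdict, structural verdict) for a batch of files."""
    return {name: (naive_match(d), structural_match(d)) for name, d in samples.items()}


if __name__ == "__main__":
    batch = {"benign": BENIGN, "malicious": MALICIOUS,
             "placeable": PLACEABLE_MALICIOUS, "gif": NOT_WMF}
    for name, (naive, structural) in triage(batch).items():
        print(f"{name:10s} naive={naive!s:5s} structural={structural}")
```

The benign file contains an ESCAPE record too (a harmless QUERYESCSUPPORT), so the structural check has to look at the escape function, not merely at the record type; that is the kind of format work that produces the false-positive gap between the two approaches. The parser also keeps reading a file that is cut off mid-record, since a truncated sample is still worth a verdict.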