Guest guest Posted January 1, 2006

Many links within articles on WaPost's url. Two articles herein, plus text from patch-page url:

* * * *

Unofficial Patch for Windows Flaw
Krebs on Computer Security
Posted at 06:36 PM ET, 01/1/2006
http://blogs.washingtonpost.com/securityfix/

Security experts are urging Windows users to apply a non-Microsoft-issued software patch to fix an extremely dangerous bug that has exposed hundreds of millions of the operating system's users to spyware and viruses.

The patch was developed by computer programmer Ilfak Guilfanov, perhaps best known in security circles as the creator of the open source IDA Pro disassembly tool used to design and deconstruct software and even malware.

Tom Liston, an Internet security consultant with Washington-based Intelguardians and an incident handler with the SANS Internet Storm Center, pleaded with Microsoft users to feel at ease installing the patch, which he said SANS had reverse-engineered, reviewed and vetted to ensure it fixes the problem and does nothing else.

"To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it," Liston wrote. "Now we're going to expend some of that hard-earned trust. This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice -- unregister shimgvw.dll and use the unofficial patch. You need to trust us."

The folks over at Finnish antivirus company F-Secure also have been chronicling the threats taking advantage of this new vulnerability, and they also urge users to install the patch from Guilfanov.

It's a pretty remarkable statement about the security community's assessment of the threat from this flaw that they would urge users to install a non-Microsoft patch. Hardly a month goes by when we don't warn about some virus or worm going around masquerading as a patch from Redmond.
I haven't seen any reports of this patch causing any trouble for those who've installed it, but of course, use the patch at your own risk. You can download it from here: http://www.hexblog.com/2005/12/wmf_vuln.html

SANS's Liston said it doesn't appear that Microsoft Corp. will issue a fix for this problem before Jan. 10, its next regular monthly patch release date. SANS's recommendation comes hours after the emergence of an instant-message worm that's now exploiting the Windows flaw.

It looks like this patch could be difficult to deploy over large networks, as it must be applied manually at each machine. As a result, Liston said SANS is working on creating a different installer for the patch that would offer the ability to install the patch remotely.

I have to say I'm surprised that Microsoft has not yet issued an official fix for this. My guess is that if they wait until a week from Tuesday to ship an update, it will cost them dearly in terms of current and potential future customers.

* * * *

By Krebs
Posted at 05:38 PM ET, 12/31/2005
New Exploit for Unpatched Windows Flaw

It appears we will be ringing in the new year with a new and improved exploit that online miscreants can use to attack an unpatched Microsoft Windows flaw and install spyware, viruses and other dangerous digital intruders.

The latest bit of malware takes advantage of the same Windows Metafile (files ending in .wmf) security hole that Security Fix warned about earlier this week, the one where Windows users can get infected just by clicking on a specially crafted link in an e-mail or visiting a Web site that hosts the malicious code.

The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks. The folks over at the SANS Internet Storm Center have more detailed information about the new exploit if you're interested.
This is a big deal because so far -- without a patch from Redmond to remedy this problem -- the major antivirus vendors have been the first lines of defense against this attack, and they have relied mainly on adding new signatures to their software to detect the latest threats each time a new one appears. But by changing the profile of the attack slightly with each iteration, the new exploit's random attack code has a far greater chance of slipping past software shields. SANS said the random garbage added onto any attack code generated with the new exploit could make it very hard for anti-virus companies to develop signatures to detect the new threats.

Last week, I wrote about tests run by Marx of AV-Test.org that looked at the response time of various antivirus products to some of the largest computer worm outbreaks of 2005. This morning, Marx sent me an e-mail listing each of the products that now detect all 73 known versions of the old WMF exploit: those products included AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, and VirusBuster.

But, Marx said, "It looks like some of the 100% companies have simply added detections for all of the files I've sent out, without actually having a generic detection in place, but instead 73 different signatures to detect all 73 different files. That's not good."

Not good indeed, given the morphing abilities of this new exploit. I suspect the 2006 work year will begin a bit too soon for many network and computer defense professionals out there.

By Krebs

* * * *

Windows WMF Metafile Vulnerability HotFix
http://www.hexblog.com/2005/12/wmf_vuln.html

This week a new vulnerability was found in Windows: http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was not safe anymore, regardless of the browser.
Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it. The fix does not remove any functionality from the system, all pictures will continue to be visible.

You can download it here: http://www.hexblog.com/security/files/wmffix_hexblog13.exe

It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Technical details: this is a DLL which gets injected into all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore. I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

I recommend that you uninstall this fix and use the official patch from Microsoft as soon as it is available. The usual software disclaimer applies...

File: wmffix_hexblog13.exe (the source code is included)

UPD: more error checking
UPD: Version 1.1 with Win2000 support
UPD: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
UPD: Version 1.3: added support for Windows 2000 SP4

There is no need to reinstall anything! Old hotfixes are perfectly ok.

Posted by Ilfak Guilfanov on December 31, 2005 06:53 AM

* * * *

The material in this post is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.
For more information go to:
http://www4.law.cornell.edu/uscode/17/107.html
http://oregon.uoregon.edu/~csundt/documents.htm

If you wish to use copyrighted material from this email for purposes that go beyond 'fair use', you must obtain permission from the copyright owner.
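Guilfanov's hotfix blocks the SETABORT escape at the gdi32 Escape() call, and Marx's point is that per-file signatures will not keep up with an exploit that changes its bytes and its extension on every run. As an added example (not code from the articles or from the hotfix), here is a content-based check that walks the records of a Windows Metafile and counts META_ESCAPE records whose escape code is SETABORT, ignoring the file name entirely; the record layout follows the WMF format, and the sample metafiles are constructed inline.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_ESCAPE = 0x0626         # WMF record type that is played via gdi32 Escape()
META_EOF = 0x0000
SETABORT = 9                 # the escape code the hotfix refuses

def iter_records(data):
    """Yield (function, params) for every record in a WMF byte string."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    off += 18                                   # fixed-size standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                      # size covers itself + function word
            raise ValueError("record at offset %d claims impossible size" % off)
        end = off + size_words * 2
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end

def setabort_escapes(data):
    """Count META_ESCAPE records whose first parameter word is SETABORT."""
    hits = 0
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORT:
                hits += 1
    return hits

def record(func, params=b""):
    """Build one WMF record: size in 16-bit words, function, parameters."""
    body = struct.pack("<H", func) + params
    return struct.pack("<I", 2 + len(body) // 2) + body

def sample_wmf(escape_code):
    """Constructed minimal metafile holding a single META_ESCAPE record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    esc = struct.pack("<HH", escape_code, 4) + b"\x00" * 4   # code, byte count, data
    return header + record(META_ESCAPE, esc) + record(META_EOF)

# Constructed samples: the extension says nothing about the content.
SAMPLES = {"photo.jpeg": sample_wmf(SETABORT),   # metafile behind a .jpeg name
           "chart.wmf": sample_wmf(1)}            # NEWFRAME escape, benign

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "SETABORT escapes:", setabort_escapes(blob))
```

A scanner built this way flags every variant that still has to carry the escape the renderer acts on, which is the generic detection Marx was asking for.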