1.17.2006

[Security] Bad Windows Vulnerability, Very Bad

The latest Windows Metafile vulnerability is bad, very bad. An exploit can run without your knowing it. The Security Now podcast covered it quite well, and Ilfak Guilfanov coded a patch that closes this vulnerability (Microsoft has not issued a patch yet). Read about the issue and get the patch from Ilfak here or from Ilfak's own page here.

From the Security Now show notes, here is a quick overview/background:

Quick Background:

The active exploitation of a very serious vulnerability in all versions of Windows was discovered in late December.

Word of this spread rapidly through the hacker community — many of whom were presumably on holiday vacation from school, bored, and looking for something to do.

So several days later nearly one hundred different instances of exploitation of this newly discovered vulnerability had been found.

Note that this is not a "new vulnerability" — it (and perhaps other similar bugs) have been lying unknown in Windows since 1991. What's "new" is the discovery of this long-present vulnerability in Windows' metafile processing.

Almost immediately there were reports of an MSN Messenger worm, and now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying an exploit.

Anti-Virus vendors quickly updated and began pushing out their A-V signature files. These have been effective, but a new very flexible exploit generation tool has appeared that's able to create so many different variations of the exploit that A-V signatures are having trouble keeping up.

Microsoft responded with an acknowledgement of the problem which included a very weak workaround (the shimgvw.dll unregistration) that provides very little protection. Theirs is not a cure, and it is not known how long the Windows user community will now be waiting for a true patch from Microsoft.

Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems.

2 comments:

AllThingsSpring said...

Here

Microsoft's page on the problem, including patch downloads. They even released the patch early, a few days before their usual second Tuesday scheduled updates.

The more interesting story is that some users reported having the patch installed via Windows Update even though their settings and preferences for Windows Update were set to not automatically patch.

AllThingsSpring said...

I should add that the problem is not completely fixed yet