X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
Followup set to microsoft.public.security.

Microsoft Security Advisory (912840): Vulnerability in Graphics
Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx

Welcome to the Microsoft Security Response Center Blog!
New Security Advisory for Possible Windows Vulnerability
http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
--
~PA Bear

Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Trax

Trax
Thu Dec 29 00:07:53 CST 2005

"PA Bear" <PABearMVP@gmail.com> wrote:

|>X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
|>Followup set to microsoft.public.security.
|>
|>Microsoft Security Advisory (912840): Vulnerability in Graphics
|>Rendering Engine Could Allow Remote Code Execution
|>http://www.microsoft.com/technet/security/advisory/912840.mspx
|>
|>Welcome to the Microsoft Security Response Center Blog!
|>New Security Advisory for Possible Windows Vulnerability
|>http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx

Digg.com has an article on this; few of the posters have been bitten by
this one.
http://digg.com/technology/New_exploit_blows_by_fully_patched_Windows_XP_systems
Shorter link http://tinyurl.com/cb3x9

I'm not vulnerable to this one <VBG> One of the first things I do
after an XP installation is disable the "Windows Picture and Fax
Viewer"
http://www.annoyances.org/exec/show/article03-201


--
Puzzle break.
http://219.101.39.52/~nanahiro/main.html

RE: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Lorin

Lorin
Thu Dec 29 08:16:04 CST 2005

Here's a way to avoid the risk altogether:

http://geekswithblogs.net/lorint



"PA Bear" wrote:

> X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
> Followup set to microsoft.public.security.
>
> Microsoft Security Advisory (912840): Vulnerability in Graphics
> Rendering Engine Could Allow Remote Code Execution
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> Welcome to the Microsoft Security Response Center Blog!
> New Security Advisory for Possible Windows Vulnerability
> http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
> --
> ~PA Bear
>
>

Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Tom

Tom
Thu Dec 29 08:33:14 CST 2005

The work-around is also posted on the MS security advisory that PA Bear
posted.

Tom
"Lorin Thwaits" <Lorin Thwaits@discussions.microsoft.com> wrote in message
news:0D495E47-39D5-44B9-A58D-263DC3367C69@microsoft.com...
| Here's a way to avoid the risk altogether:
|
| http://geekswithblogs.net/lorint
|
|
|
| "PA Bear" wrote:
|
| > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
| > Followup set to microsoft.public.security.
| >
| > Microsoft Security Advisory (912840): Vulnerability in Graphics
| > Rendering Engine Could Allow Remote Code Execution
| > http://www.microsoft.com/technet/security/advisory/912840.mspx
| >
| > Welcome to the Microsoft Security Response Center Blog!
| > New Security Advisory for Possible Windows Vulnerability
| > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
| > --
| > ~PA Bear
| >
| >



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Stephen

Stephen
Thu Dec 29 08:36:43 CST 2005

> Microsoft Security Advisory (912840): Vulnerability in Graphics
> Rendering Engine Could Allow Remote Code Execution
> http://www.microsoft.com/technet/security/advisory/912840.mspx

Aaaahhh, I wonder if all those recent SpyTrooper, SpyAxe and Winfixer
outbreaks are using this method to get in? Would explain a lot.

Stephen



Re: Microsoft Security Advisory (912840): Vulnerability in Graphic by Lorin

Lorin
Thu Dec 29 08:39:01 CST 2005

Hmmm, if it was out there before then it isn't there anymore. The strongest
protection I see mentioned is to enable Enhanced Security Configuration. I
still recommend this solution:

http://geekswithblogs.net/lorint


"Tom [Pepper] Willett" wrote:

> The work-around is also posted on the MS security advisory that PA Bear
> posted.
>
> Tom
> "Lorin Thwaits" <Lorin Thwaits@discussions.microsoft.com> wrote in message
> news:0D495E47-39D5-44B9-A58D-263DC3367C69@microsoft.com...
> | Here's a way to avoid the risk altogether:
> |
> | http://geekswithblogs.net/lorint
> |
> |
> |
> | "PA Bear" wrote:
> |
> | > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
> | > Followup set to microsoft.public.security.
> | >
> | > Microsoft Security Advisory (912840): Vulnerability in Graphics
> | > Rendering Engine Could Allow Remote Code Execution
> | > http://www.microsoft.com/technet/security/advisory/912840.mspx
> | >
> | > Welcome to the Microsoft Security Response Center Blog!
> | > New Security Advisory for Possible Windows Vulnerability
> | > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
> | > --
> | > ~PA Bear
> | >
> | >
>
>
>

Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Stephen

Stephen
Thu Dec 29 08:39:05 CST 2005

> The work-around is also posted on the MS security advisory that PA Bear
> posted.

Is it? I don't see any workaround on
http://www.microsoft.com/technet/security/advisory/912840.mspx

SH



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Tom

Tom
Thu Dec 29 09:00:13 CST 2005

It's under "Suggested Actions"

Tom
"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
news:%23PDxfWIDGHA.3876@tk2msftngp13.phx.gbl...
|> The work-around is also posted on the MS security advisory that PA Bear
| > posted.
|
| Is it? I don't see any workaround on
| http://www.microsoft.com/technet/security/advisory/912840.mspx
|
| SH
|
|



Re: Microsoft Security Advisory (912840): Vulnerability in Graphic by Tom

Tom
Thu Dec 29 09:00:34 CST 2005

It's under "Suggested Actions"

Tom
"Lorin Thwaits" <Lorin Thwaits@discussions.microsoft.com> wrote in message
news:98B0BB9C-AAFB-4DD5-935D-335E23C2C130@microsoft.com...
| Hmmm, if it was out there before then it isn't there anymore. The strongest
| protection I see mentioned is to enable Enhanced Security Configuration. I
| still recommend this solution:
|
| http://geekswithblogs.net/lorint
|
|
| "Tom [Pepper] Willett" wrote:
|
| > The work-around is also posted on the MS security advisory that PA Bear
| > posted.
| >
| > Tom
| > "Lorin Thwaits" <Lorin Thwaits@discussions.microsoft.com> wrote in message
| > news:0D495E47-39D5-44B9-A58D-263DC3367C69@microsoft.com...
| > | Here's a way to avoid the risk altogether:
| > |
| > | http://geekswithblogs.net/lorint
| > |
| > |
| > |
| > | "PA Bear" wrote:
| > |
| > | > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
| > | > Followup set to microsoft.public.security.
| > | >
| > | > Microsoft Security Advisory (912840): Vulnerability in Graphics
| > | > Rendering Engine Could Allow Remote Code Execution
| > | > http://www.microsoft.com/technet/security/advisory/912840.mspx
| > | >
| > | > Welcome to the Microsoft Security Response Center Blog!
| > | > New Security Advisory for Possible Windows Vulnerability
| > | > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
| > | > --
| > | > ~PA Bear
| > | >
| > | >
| >
| >
| >



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by alun

alun
Thu Dec 29 09:01:04 CST 2005

In article <43v6r1dmruu6vgmsm9ke9uming26o591rc@4ax.com>,
pennywise.852@gmail.com wrote:
>I'm not vulnerable to this one <VBG> One of the first things I do
>after a XP installation is disable the "Windows Picture and Fax
>Viewer"
>http://www.annoyances.org/exec/show/article03-201

Don't be too sure - the way I read it, this flaw affects any program that uses
the usual libraries to display WMF files.

Windows Picture and Fax Viewer is only the one that comes up by default if
you've installed no other image viewer, and you double-click on an image file.

If you have any program that displays WMF files, you are probably vulnerable.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Stephen

Stephen
Thu Dec 29 09:08:42 CST 2005

> It's under "Suggested Actions"

No it is not. Those, in the strictest sense, do not prevent you getting
inadvertently infected. None of them do. A "workaround" would prevent you
getting infected. That is the normal meaning of the word "workaround".

Here is a workaround:

Run
regsvr32 /u shimgvw.dll

Stephen Howe






Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Tom

Tom
Thu Dec 29 09:17:12 CST 2005


Suggested Actions
Workarounds

Microsoft has tested the following workaround. While this workaround will
not correct the underlying vulnerability, it will help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows
XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
Windows Server 2003 Service Pack 1

From the MS Advisory:



To un-register Shimgvw.dll, follow these steps:

1.
Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll" (without the quotation marks), and then click
OK.

2.
A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.


Impact of Workaround: The Windows Picture and Fax Viewer will no longer be
started when users click on a link to an image type that is associated with
the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).



Tom

"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
news:umNfEnIDGHA.1180@TK2MSFTNGP09.phx.gbl...
|> It's under "Suggested Actions"
|
| No it is not. Those, in the strictest sense, do not prevent you getting
| inadvertently infected. None of them do. A "workaround" would prevent you
| getting infected. That is the normal meaning of the word "workaround".
|
| Here is a workaround:
|
| Run
| regsvr32 /u shimgvw.dll
|
| Stephen Howe
|
|
|
|
|
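The un-register / re-register steps quoted from the advisory above, as an added PowerShell script that is not part of this thread or of Microsoft's advisory. It applies the same regsvr32 command the advisory gives, but verifies the result by enumerating which CLSIDs under HKCR\CLSID still point their InprocServer32 at shimgvw.dll, so the change can be confirmed (and reverted) unattended. It assumes regsvr32.exe and the DLL live in %windir%\system32, as the advisory's own command line does, and that it is run from an elevated prompt.

```powershell
# Added example (not from the thread or the MS advisory): apply, verify and
# undo the Shimgvw.dll workaround from Advisory 912840.
# Assumption: regsvr32.exe and shimgvw.dll are in %windir%\system32.

$Dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # Walk HKCR\CLSID and return every CLSID whose InprocServer32 default
    # value names shimgvw.dll. DllUnregisterServer (regsvr32 /u) removes
    # these keys, so an empty result means the viewer is no longer registered.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')   # default value, env vars expanded
                $sub.Close()
                if ($server -like '*shimgvw.dll*') { $_.PSChildName }
            }
        }
}

function Set-ShimgvwWorkaround {
    param([switch]$Undo)
    # /s suppresses the confirmation dialog the advisory describes; the exit
    # code is checked instead so the script can run without a user present.
    $argList = if ($Undo) { @('/s', "`"$Dll`"") } else { @('/u', '/s', "`"$Dll`"") }
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

$before = @(Get-ShimgvwRegistrations)
Write-Host "CLSIDs served by shimgvw.dll before: $($before.Count)"

Set-ShimgvwWorkaround                      # step 1 of the advisory, silently
$after = @(Get-ShimgvwRegistrations)
Write-Host "CLSIDs served by shimgvw.dll after:  $($after.Count)"

if ($after.Count -eq 0) {
    Write-Host 'Workaround applied: Windows Picture and Fax Viewer is un-registered.'
} else {
    Write-Warning 'shimgvw.dll is still registered; check that this ran elevated.'
}

# To undo once a fix is installed (the advisory's re-register step):
# Set-ShimgvwWorkaround -Undo
```

The before/after count is the useful part: a non-zero count after the run means the un-registration did not take (typically because the prompt was not elevated), which the silent `/s` form would otherwise hide. As Alun notes elsewhere in the thread, un-registering the viewer only removes the default shell handler; any other program that renders WMF files through the usual libraries is unaffected by this change, so the check says nothing about those.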




Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Kerry

Kerry
Thu Dec 29 09:23:51 CST 2005

Stephen Howe wrote:
>> It's under "Suggested Actions"
>
> No it is not. Those, in the strictest sense, do not prevent you
> getting inadvertently infected. None of them do. A "workaround" would
> prevent you getting infected. That is the normal meaning of the word
> "workaround".
>
> Here is a workaround:
>
> Run
> regsvr32 /u shimgvw.dll
>
> Stephen Howe

Click on the plus sign beside Suggested Actions, then click on the plus sign
beside Workarounds. It is there.

Kerry



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Lem

Lem
Thu Dec 29 09:25:31 CST 2005

Stephen Howe wrote:

> > It's under "Suggested Actions"
>
> No it is not. Those, in the strictest sense, do not prevent you getting
> inadvertently infected. None of them do. A "workaround" would prevent you
> getting infected. That is the normal meaning of the word "workaround".
>
> Here is a workaround:
>
> Run
> regsvr32 /u shimgvw.dll
>
> Stephen Howe

The advice to unregister shimgvw.dll is indeed in the originally-posted MS
article. However, in true MS fashion, it is hidden several layers deep. You
have to click on the + to expand "Suggested Actions," then click on the +
next to "Workarounds" and finally, click on the + next to "Un-register the
Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1;
Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1"



--
p


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Kerry

Kerry
Thu Dec 29 10:11:33 CST 2005

PA Bear wrote:
> X-post to Security, Security.Homeusers, IE6 & WinXP General
> newsgroups. Followup set to microsoft.public.security.
>
> Microsoft Security Advisory (912840): Vulnerability in Graphics
> Rendering Engine Could Allow Remote Code Execution
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> Welcome to the Microsoft Security Response Center Blog!
> New Security Advisory for Possible Windows Vulnerability
> http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx

As an addendum. This exploit is being used right now. I just received a
customer's computer that was infected with Spy Sherriff by this method. The
exploit was in a spam email. Turn off the preview pane in OE (always a good
idea) and turn off the Windows picture and fax viewer until Microsoft has a
fix.

Kerry



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Stephen

Stephen
Thu Dec 29 10:17:12 CST 2005

> The advice to unregister shimgvw.dll is indeed in the originally-posted MS
> article. However, in true MS fashion, it is hidden several layers deep. You
> have to click on the + to expand "Suggested Actions," then click on the +
> next to "Workarounds" and finally, click on the + next to "Un-register the
> Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1;
> Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003
> Service Pack 1"

Yeah, you're right. Sorry. I missed all those levels of +'s

Stephen Howe



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by PA

PA
Thu Dec 29 12:32:48 CST 2005

Stephen Howe wrote:
> > Microsoft Security Advisory (912840): Vulnerability in Graphics
> > Rendering Engine Could Allow Remote Code Execution
> > http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> Aaaahhh, I wonder if all those recent SpyTrooper, SpyAxe and Winfixer
> outbreaks are using this method to get in? Would explain a lot.

There is in fact anecdotal evidence to suggest that this might indeed be the
case.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by PA

PA
Thu Dec 29 12:34:31 CST 2005

[<gripe/mutter/bitch> Why doesn't Followup-To work in the web-interface?]

Lorin Thwaits wrote:
> Here's a way to avoid the risk altogether:
>
> http://geekswithblogs.net/lorint
>
> "PA Bear" wrote:
> > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
> > Followup set to microsoft.public.security.
> >
> > Microsoft Security Advisory (912840): Vulnerability in Graphics
> > Rendering Engine Could Allow Remote Code Execution
> > http://www.microsoft.com/technet/security/advisory/912840.mspx
> >
> > Welcome to the Microsoft Security Response Center Blog!
> > New Security Advisory for Possible Windows Vulnerability
> > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
> > --
> > ~PA Bear

Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by PA

PA
Thu Dec 29 13:15:45 CST 2005

X-posted to OE General, OE6, Security & Security.Homeusers NGs.
Followup-to: WinXP General

Kerry Brown wrote:
> > X-post to Security, Security.Homeusers, IE6 & WinXP General
> > newsgroups. Followup set to microsoft.public.security.
> >
> > Microsoft Security Advisory (912840): Vulnerability in Graphics
> > Rendering Engine Could Allow Remote Code Execution
> > http://www.microsoft.com/technet/security/advisory/912840.mspx
> >
> > Welcome to the Microsoft Security Response Center Blog!
> > New Security Advisory for Possible Windows Vulnerability
> > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
>
> As an addendum. This exploit is being used right now. I just received a
> customer's computer that was infected with Spy Sherriff by this method.
> The exploit was in a spam email. Turn off the preview pane in OE (always
> a good idea) and turn off the Windows picture and fax viewer until
> Microsoft has a fix.

Preview Pane should be OK if...

OE: Tools > Options > Read > Read all messages in Plain Text (check)

OE: Tools>Options>Security>Download images... (check)

See
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by David

David
Thu Dec 29 13:21:43 CST 2005

From: "PA Bear" <PABearMVP@gmail.com>

| X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
| Followup set to microsoft.public.security.
|
| Microsoft Security Advisory (912840): Vulnerability in Graphics
| Rendering Engine Could Allow Remote Code Execution
| http://www.microsoft.com/technet/security/advisory/912840.mspx
|
| Welcome to the Microsoft Security Response Center Blog!
| New Security Advisory for Possible Windows Vulnerability
| http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx

I received a sample. The following is a report.

Note that Microsoft's AV solution ( is it really one ? ) doesn't recognize this as a threat.

Engine        Version         Updated     Result
AntiVir       6.33.0.70       12.29.2005  TR/Dldr.WMF.Agent.D
Avast         4.6.695.0       12.29.2005  Win32:Exdown
AVG           718             12.29.2005  Downloader.Agent.13.AI
Avira         6.33.0.70       12.29.2005  TR/Dldr.WMF.Agent.D
BitDefender   7.2             12.29.2005  Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00            12.29.2005  WMF.Exploit
ClamAV        devel-20051123  12.29.2005  Exploit.WMF.A
DrWeb         4.33            12.29.2005  Exploit.MS05-053
eTrust-Iris   7.1.194.0       12.29.2005  Win32/Worfo.C!Trojan
eTrust-Vet    12.4.1.0        12.29.2005  Win32/Worfo
Ewido         3.5             12.29.2005  Downloader.Agent.acd
Fortinet      2.54.0.0        12.29.2005  W32/WMF-exploit
F-Prot        3.16c           12.29.2005  security risk or a "backdoor" program
Ikarus        0.2.59.0        12.29.2005  Trojan-Downloader.Win32.Agent.ACD
Kaspersky     4.0.2.24        12.29.2005  Trojan-Downloader.Win32.Agent.acd
McAfee        4662            12.29.2005  Exploit-WMF
Microsoft     ??              12.29.2005  no virus found
NOD32v2       1.1343          12.28.2005  Win32/TrojanDownloader.Wmfex
Norman        5.70.10         12.29.2005  no virus found
Panda         9.0.0.4         12.28.2005  Exploit/Metafile
Sophos        4.01.0          12.29.2005  Troj/DownLdr-NK
Symantec      8.0             12.29.2005  Download.Trojan
TheHacker     5.9.1.064       12.28.2005  Exploit/WMF
Trend Micro   135             12.29.2005  TROJ_NASCENE.D
UNA           1.83            12.29.2005  no virus found
VBA32         3.10.5          12.28.2005  no virus found




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by jacecarter

jacecarter
Thu Dec 29 13:45:03 CST 2005

Data Execution Prevention?
What happened to DEP in XP SP2?

If this is a buffer overflow exploit, why then isn't DEP in XP SP2
shutting down the malicious code before it can run?

I would think that an image file would be marked as "data" in memory,
not as an executable image, although WMF might be different than say a
jpg or bmp, does anyone know for sure?

I keep my DEP setting on "Turn on DEP for all programs and services
except those I select"

http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx

"Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
against the insertion of malicious code into areas of computer memory
reserved for non-executable code by implementing a set of hardware and
software-enforced technologies called Data Execution Prevention (DEP).
Hardware-enforced DEP is a feature of certain processors that prevents
the execution of code in memory regions that are marked as data
storage. This feature is also known as No-Execute and Execution
Protection. Windows XP SP2 also includes software-enforced DEP that is
designed to reduce exploits of exception handling mechanisms in
Windows.

Unlike an antivirus program, hardware and software-enforced DEP
technologies are not designed to prevent harmful programs from being
installed on your computer. Instead, they monitor your installed
programs to help determine if they are using system memory safely. To
monitor your programs, hardware-enforced DEP tracks memory locations
declared as "non-executable". To help prevent malicious code, when
memory is declared "non-executable" and a program tries to execute code
from the memory, Windows will close that program. This occurs whether
the code is malicious or not."


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by PA

PA
Thu Dec 29 14:47:55 CST 2005

In fact, there are various recent posts elsewhere stating that DEP blocked
the exploit. YMMV.
--
~PA Bear

jacecarter@gmail.com wrote:
> Data Execution Prevention?
> What happened to DEP in XP SP2?
>
> If this is a buffer overflow exploit, why then isn't DEP in XP SP2
> shutting down the malicious code before it can run?
>
> I would think that an image file would be marked as "data" in memory,
> not as an executable image, although WMF might be different than say a
> jpg or bmp, does anyone know for sure?
>
> I keep my DEP setting on "Turn on DEP for all programs and services
> except those I select"
>
> http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>
> "Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
> against the insertion of malicious code into areas of computer memory
> reserved for non-executable code by implementing a set of hardware and
> software-enforced technologies called Data Execution Prevention (DEP).
> Hardware-enforced DEP is a feature of certain processors that prevents
> the execution of code in memory regions that are marked as data
> storage. This feature is also known as No-Execute and Execution
> Protection. Windows XP SP2 also includes software-enforced DEP that is
> designed to reduce exploits of exception handling mechanisms in
> Windows.
>
> Unlike an antivirus program, hardware and software-enforced DEP
> technologies are not designed to prevent harmful programs from being
> installed on your computer. Instead, they monitor your installed
> programs to help determine if they are using system memory safely. To
> monitor your programs, hardware-enforced DEP tracks memory locations
> declared as "non-executable". To help prevent malicious code, when
> memory is declared "non-executable" and a program tries to execute code
> from the memory, Windows will close that program. This occurs whether
> the code is malicious or not."


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Tom

Tom
Thu Dec 29 17:31:56 CST 2005

~Robear: Are you using DEP for ALL programs?

Tom
"PA Bear" <PABearMVP@gmail.com> wrote in message
news:ePRDdkLDGHA.2704@TK2MSFTNGP15.phx.gbl...
| In fact, there are various recent posts elsewhere stating that DEP blocked
| the exploit. YMMV.
| --
| ~PA Bear
|
| jacecarter@gmail.com wrote:
| > Data Execution Prevention?
| > What happened to DEP in XP SP2?
| >
| > If this is a buffer overflow exploit, why then isn't DEP in XP SP2
| > shutting down the malicious code before it can run?
| >
| > I would think that an image file would be marked as "data" in memory,
| > not as an executable image, although WMF might be different than say a
| > jpg or bmp, does anyone know for sure?
| >
| > I keep my DEP setting on "Turn on DEP for all programs and services
| > except those I select"
| >
| > http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
| >
| > "Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
| > against the insertion of malicious code into areas of computer memory
| > reserved for non-executable code by implementing a set of hardware and
| > software-enforced technologies called Data Execution Prevention (DEP).
| > Hardware-enforced DEP is a feature of certain processors that prevents
| > the execution of code in memory regions that are marked as data
| > storage. This feature is also known as No-Execute and Execution
| > Protection. Windows XP SP2 also includes software-enforced DEP that is
| > designed to reduce exploits of exception handling mechanisms in
| > Windows.
| >
| > Unlike an antivirus program, hardware and software-enforced DEP
| > technologies are not designed to prevent harmful programs from being
| > installed on your computer. Instead, they monitor your installed
| > programs to help determine if they are using system memory safely. To
| > monitor your programs, hardware-enforced DEP tracks memory locations
| > declared as "non-executable". To help prevent malicious code, when
| > memory is declared "non-executable" and a program tries to execute code
| > from the memory, Windows will close that program. This occurs whether
| > the code is malicious or not."
|



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Stephen

Stephen
Thu Dec 29 18:30:46 CST 2005

> As an addendum. This exploit is being used right now. I just received a
> customer's computer that was infected with Spy Sherriff by this method.
> The exploit was in a spam email. Turn off the preview pane in OE (always a
> good idea) and turn off the Windows picture and fax viewer until Microsoft
> has a fix.

It certainly is. I watched it in action. One inadvertent web site visit, a
popup box where I observed "WMF" in title and it closed in 1/2 second, and
yup, mscornet.exe and a tmp file in the windows system32 directory. 1 second
later, ZoneAlarm kicked in asking whether I should allow an unknown program
to send packets over the Internet (denied).

Time to reboot in Safe mode and disinfect and kick in with that temp fix.
I have been here before.

Stephen Howe



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Matt

Matt
Thu Dec 29 19:52:44 CST 2005

Hardware DEP computers will have DEP on for everything and the exploit will
be stopped.
Windows 2003 Server defaults for hardware or software DEP to be on for all
software, but can be changed.
Windows XP defaults to having DEP on just system services, which does not
protect against this threat.

McAfee VirusScan 8.0i and Entercept Buffer Overflow protection also stop
this threat.

"Tom [Pepper] Willett" <tompepper@mvps.invalid> wrote in message
news:%235p9FANDGHA.312@TK2MSFTNGP09.phx.gbl...
> ~Robear: Are you using DEP for ALL programs?
>
> Tom
> "PA Bear" <PABearMVP@gmail.com> wrote in message
> news:ePRDdkLDGHA.2704@TK2MSFTNGP15.phx.gbl...
> | In fact, there are various recent posts elsewhere stating that DEP blocked
> | the exploit. YMMV.
> | --
> | ~PA Bear
> |
> | jacecarter@gmail.com wrote:
> | > Data Execution Prevention?
> | > What happened to DEP in XP SP2?
> | >
> | > If this is a buffer overflow exploit, why then isn't DEP in XP SP2
> | > shutting down the malicious code before it can run?
> | >
> | > I would think that an image file would be marked as "data" in memory,
> | > not as an executable image, although WMF might be different than say a
> | > jpg or bmp, does anyone know for sure?
> | >
> | > I keep my DEP setting on "Turn on DEP for all programs and services
> | > except those I select"
> | >
> | > http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
> | >
> | > "Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
> | > against the insertion of malicious code into areas of computer memory
> | > reserved for non-executable code by implementing a set of hardware and
> | > software-enforced technologies called Data Execution Prevention (DEP).
> | > Hardware-enforced DEP is a feature of certain processors that prevents
> | > the execution of code in memory regions that are marked as data
> | > storage. This feature is also known as No-Execute and Execution
> | > Protection. Windows XP SP2 also includes software-enforced DEP that is
> | > designed to reduce exploits of exception handling mechanisms in
> | > Windows.
> | >
> | > Unlike an antivirus program, hardware and software-enforced DEP
> | > technologies are not designed to prevent harmful programs from being
> | > installed on your computer. Instead, they monitor your installed
> | > programs to help determine if they are using system memory safely. To
> | > monitor your programs, hardware-enforced DEP tracks memory locations
> | > declared as "non-executable". To help prevent malicious code, when
> | > memory is declared "non-executable" and a program tries to execute code
> | > from the memory, Windows will close that program. This occurs whether
> | > the code is malicious or not."
> |
>
>
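jacecarter's question (why DEP did not stop the exploit) and Matt's answer above (XP SP2 defaults to DEP for system services only, Server 2003 to DEP for everything) come down to which DEP policy the machine boots with. The following is an added PowerShell check, not code from this thread or from Microsoft; it reads the DataExecutionPrevention_* properties that Win32_OperatingSystem exposes on XP SP2 / Server 2003 SP1 and later and reports whether the current policy covers all programs or only Windows system binaries.

```powershell
# Added example (not from the thread): report the machine's DEP policy and
# whether it covers all programs or only system binaries (the OptIn / OptOut
# distinction in Matt's post). Requires XP SP2 / Server 2003 SP1 or later.

$os = Get-WmiObject -Class Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy values as documented for Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff (DEP disabled)'
    1 = 'AlwaysOn  (all processes, no exceptions)'
    2 = 'OptIn     (Windows system binaries only; XP SP2 default)'
    3 = 'OptOut    (all programs except those explicitly excluded)'
}
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

"Hardware NX available:       $($os.DataExecutionPrevention_Available)"
"DEP for 32-bit applications: $($os.DataExecutionPrevention_32BitApplications)"
"DEP for drivers:             $($os.DataExecutionPrevention_Drivers)"
"Policy:                      $($policyNames[$policy])"

# Under OptIn, third-party image viewers, mail clients and browsers run
# without hardware DEP, so a DEP block of this exploit should not be expected.
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'No hardware-enforced DEP on this CPU/BIOS; only the software (exception-handling) part is active.'
} elseif ($policy -eq 0 -or $policy -eq 2) {
    Write-Warning ("DEP policy is $($policyNames[$policy]). To cover all programs, set " +
                   "/noexecute=OptOut in boot.ini on XP / Server 2003 (bcdedit /set nx OptOut on later " +
                   "versions), or use System Properties > Advanced > Performance > Data Execution Prevention.")
} else {
    'DEP covers all programs.'
}
```

The first line of output is the one to read before the policy: if DataExecutionPrevention_Available is False, the processor or BIOS is not providing NX at all, and changing the policy to OptOut only changes which programs get the software-enforced (SEH) part, which is what jacecarter's quoted Microsoft text describes as the second, weaker mechanism.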



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Re by Karl

Karl
Thu Dec 29 20:16:21 CST 2005


"Lem" <lemp40@hotmail.com> wrote in message
news:43B3FFEB.297EEB3D@hotmail.com...

> > Here is a workaround:
> >
> > Run
> > regsvr32 /u shimgvw.dll
> >
> > Stephen Howe
>
> The advice to unregister shimgvw.dll is indeed in the originally-posted MS
> article. However, in true MS fashion, it is hidden several layers deep. You
> have to click on the + to expand "Suggested Actions," then click on the +
> next to "Workarounds"

I have to agree. I read those security articles religiously, and I missed
the workaround as well. Apparently I'm far from the only one that missed
this. This could be done better.




Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by PA

PA
Thu Dec 29 23:50:55 CST 2005

X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
Followup-to set for microsoft.public.security.

The FAQ section of
http://www.microsoft.com/technet/security/advisory/912840.mspx has been
updated.

Fully expand Suggest Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".

Additional Resources:

Protect Your PC
http://www.microsoft.com/athome/security/protect/

Microsoft Security Home Page
http://www.microsoft.com/security/default.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


PA Bear wrote:
> Microsoft Security Advisory (912840): Vulnerability in Graphics
> Rendering Engine Could Allow Remote Code Execution
> http://www.microsoft.com/technet/security/advisory/912840.mspx
> Welcome to the Microsoft Security Response Center Blog!
> New Security Advisory for Possible Windows Vulnerability
> http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx


Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Stephen

Stephen
Fri Dec 30 06:43:59 CST 2005

This is a bloody nuisance. I have now seen it twice in action. The 2nd time
McAfee's intercepted and killed it.
(sorry: XP Professional, SP2, all mods, McAfee's latest, ZoneAlarm, MS
Anti-Spyware Beta, SpyBot 1.4, 2nd recent MVP HOSTS, Ad-Aware SE 1.06).

It is evident that the Malware writers have known about this exploit for
some time.

Stephen Howe



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by MAP

MAP
Fri Dec 30 07:55:28 CST 2005

jacecarter@gmail.com wrote:
> Data Execution Prevention?
> What happened to DEP in XP SP2?
>
> If this is a buffer overflow exploit, why then isn't DEP in XP SP2
> shutting down the malicious code before it can run?
>
> I would think that an image file would be marked as "data" in memory,
> not as an executable image, although WMF might be different than say a
> jpg or bmp, does anyone know for sure?
>
> I keep my DEP setting on "Turn on DEP for all programs and services
> except those I select"
>
> http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>
> "Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
> against the insertion of malicious code into areas of computer memory
> reserved for non-executable code by implementing a set of hardware and
> software-enforced technologies called Data Execution Prevention (DEP).
> Hardware-enforced DEP is a feature of certain processors that prevents
> the execution of code in memory regions that are marked as data
> storage. This feature is also known as No-Execute and Execution
> Protection. Windows XP SP2 also includes software-enforced DEP that is
> designed to reduce exploits of exception handling mechanisms in
> Windows.
>
> Unlike an antivirus program, hardware and software-enforced DEP
> technologies are not designed to prevent harmful programs from being
> installed on your computer. Instead, they monitor your installed
> programs to help determine if they are using system memory safely. To
> monitor your programs, hardware-enforced DEP tracks memory locations
> declared as "non-executable". To help prevent malicious code, when
> memory is declared "non-executable" and a program tries to execute
> code from the memory, Windows will close that program. This occurs
> whether the code is malicious or not."

Here is a good article about this.
http://www.updatexp.com/wmf-exploit.html

I guess I should get off my behind and install SP2

--
Mike Pawlak



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by Stephen

Stephen
Fri Dec 30 08:36:37 CST 2005

> The FAQ section of
> http://www.microsoft.com/technet/security/advisory/912840.mspx has been
> updated.
>
> Fully expand Suggest Actions > Workarounds subsection to see steps you can
> take to "help block known attack vectors".

What about Windows 2000 Professional SP4?
Running that at work and that has

07/12/1999 12:00 52,496 shimgvw.dll

Is the workaround useless for Windows 2000?

According to here
http://www.updatexp.com/wmf-exploit.html
ME & 2000 are vulnerable

Cheers

Stephen Howe



Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution by David

David
Fri Dec 30 11:09:02 CST 2005

Fr