  1. #1

    *** URGENT *** CRITICAL Windows XP SP1/SP2 Vulnerability

    Nothing to do with our 1st passion, but very important to read unless you want your computer system hacked...

    The reason this is so important is that you only need to visit ANY website that displays a certain type of picture and your computer security WILL be compromised!!

    *** URGENT *** CRITICAL Windows XP SP1/SP2 Vulnerability (maybe Win98/ME as well)

    A new vulnerability has been found, and exploits are out there NOW (so this is not an idle warning). Computers running Windows XP with SP2, Windows XP with SP1, and Microsoft Windows Server 2003 SP0/SP1 are affected by this vulnerability.

    EDIT: Windows2000 SP4, Windows98, Windows98 SE and Windows ME may also be affected.

    The vulnerability itself is regarded as extremely critical (the highest possible rating). As yet, there is no patch for this vulnerability.

    The vulnerability functions in Internet Explorer, and may function in Firefox and other browsers if certain conditions are met.

    Taken from Neowin:

    Antivirus and security experts F-Secure have issued a warning to users of Microsoft Windows XP that includes fully patched Service Pack 2 machines. The exploit is carried out via WMF files carrying a zero-day WMF exploit detected as W32/PFV-Exploit A, B, and C. According to F-Secure it is very easy to fall victim to this exploit, especially if you are using Internet Explorer. It's as simple as visiting an infected web site or viewing a folder with infected files with Windows Explorer. F-Secure has informed Microsoft and while a patch is expected to be issued quickly, they warn that Windows administrators and/or users may want to filter all WMF files until a patch is released.

    F-Secure state:

    Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C.

    Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:

    Crackz [dot] ws
    unionseek [dot] com
    www.tfcco [dot] com
    Iframeurl [dot] biz
    beehappyy [dot] biz

    And funnily enough, according to WHOIS, the domain beehappyy.biz is owned by a previous president of the Soviet Union:

    Registrant Name: Mikhail Sergeevich Gorbachev
    Registrant Address1: Krasnaya ploshad, 1
    Registrant City: Moscow
    Registrant Postal Code: 176098
    Registrant Country: Russian Federation
    Registrant Country Code: RU

    "Krasnaya ploshad" is the Red Square in Moscow...

    Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

    You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
    The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

    So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows.
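
Added example, not part of the thread or of the F-Secure or Microsoft text: one way to act on the "filter all WMF files" advice quoted in post #1 is to recognise metafiles by their header bytes rather than by file name. The function names and the sample byte strings below are constructed for illustration.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # placeable-WMF magic; bytes D7 CD C6 9A on disk

# Constructed sample data: headers only, no drawing records beyond EOF.
SAMPLE_STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) \
    + struct.pack("<IH", 3, 0)          # 18-byte METAHEADER + EOF record
SAMPLE_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                               1440, 0, 0) + SAMPLE_STANDARD  # checksum left 0
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20


def wmf_kind(head: bytes):
    """Classify leading file bytes: 'placeable', 'standard', or None."""
    if len(head) >= 4 and struct.unpack_from("<I", head)[0] == PLACEABLE_KEY:
        return "placeable"
    if len(head) < 6:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", head)
    # Type 1 = in memory, 2 = on disk; header is 9 words; version 1.0 or 3.0
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return "standard"
    return None


def find_wmf(root: str):
    """Walk root and return sorted (relative path, kind) for WMF content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = wmf_kind(fh.read(6))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if kind:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for rel, kind in find_wmf(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:9}  {rel}")
```

Because the check looks at content, it also flags a metafile saved under another extension; it reads only the first six bytes of each file and never hands the file to an image component.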


  2. #2
    Microsoft now have an advisory notice

    http://www.microsoft.com/technet/se...ory/912840.mspx

    Microsoft detail a workaround:

    Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

    Of course, it goes without saying that you should have up to date AV, as well as spyware/adware detection programs. Also, don't be tempted to click on a link unless you are sure where it goes AND that the email/site containing that link is trusted.

  3. #3
    Nonstop, all day, everyday. 01xdime's Avatar
    Join Date
    Aug 2005
    Location
    Pasadena, MD
    Posts
    3,682
    That link is bad Brainz.

  4. #4
    Denali44's Avatar
    Join Date
    Jul 2005
    Location
    Maine
    Posts
    125
    ahhh English please.

  5. #5
    Nonstop, all day, everyday. 01xdime's Avatar
    Join Date
    Aug 2005
    Location
    Pasadena, MD
    Posts
    3,682
    I think he's trying to tell us something. What is it boy? What? Little Timmy fell in the river?! just playing

  6. #6
    Whatever it is, it doesn't sound good!? We have Windows XP, Service Pack 1, I never installed Service Pack 2.

    Doesn't the Norton anti virus internet security/firewall prevent this type of intrusion?...PR...

  7. #7

    Join Date
    Jul 2005
    Location
    Indianapolis, IN
    Posts
    176
    Quote Originally Posted by 01xdime
    I think he's trying to tell us something. What is it boy? What? Little Timmy fell in the river?! just playing


    I'm way 2 lazy to re-read that in order to understand it

  8. #8
    R.I.P. 11's Avatar
    Join Date
    Apr 2005
    Location
    Santa Monika, People's Republik of Kalifornia...
    Posts
    1,571
    Quote Originally Posted by Pale Rider
    Whatever it is, it doesn't sound good!? We have Windows XP, Service Pack 1, I never installed Service Pack 2.

    Doesn't the Norton anti virus internet security/firewall prevent this type of intrusion?...PR...
    Norton is HORRIBLY intrusive, AVG and Adaware are much better.

    And install SP2, it's well worth it.

  9. #9


    Love the replies... so, in plain English...

    Hackers have discovered a way to break YOUR systems, and worryingly it's incredibly easy for them to do it. By placing a simple picture on a website, all a user would have to do was to open the website and ANY software could then download/install/run on your system (think nasty virus here!).

    As this has only just been discovered, as yet Microsoft do not have a "fix" for it, and since MANY websites already have this "virus picture" on them, then you are likely to get caught out unless you are careful.

    The best (and easiest) way to protect yourself, as a quick temp fix until Microsoft/Norton etc sort out a more permanent solution, is to follow the instructions above.

    This does mean that your Microsoft Picture/Fax viewer won't work as normal... BUT it's a damn sight better than catching a nasty virus!

    Was that better?

  10. #10
    I REALLY hope that you have done all you can to protect your systems against this vulnerability. There are now some REALLY nasty viruses using this exploit method. Don't say I didn't warn you!

    If you would like to see if your system is vulnerable, you can SAFELY check it here....

    http://www.hexblog.com/2006/01/wmf_v...y_checker.html
