Extremely nasty, rapidly mutating Windows exploit!

An extremely nasty (probably the worst yet) Windows exploit has recently been discovered on the internet. (think rapidly mutating Bird Flu for the PC)

“The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks.â€
http://blogs.washingtonpost.com/securityfi...xploit_for.html

Infection rate
McAfee announced on the radio yesterday they saw 6% of their customer having been infected with the previous generation of the WMF exploits. 6% of their customer base is a huge number.
http://isc.sans.org/diary.php?storyid=992

Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

What versions of Windows are affected?
All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are affected to some extent.
Mac OS-X, Unix or BSD is not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.</span>
<a href=\'http://isc.sans.org/diary.php?storyid=994\' target=\'_blank\'>http://isc.sans.org/diary.php?storyid=994</a>

"This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."
<a href=\'http://it.slashdot.org/it/06/01/02/1153244.shtml?tid=201&tid=218\' target=\'_blank\'>http://it.slashdot.org/it/06/01/02/1153244...tid=201&tid=218</a>

OMG!!! ISC is saying trust a third party patch to patch the Windows operating system and not to wait for Microsoft.
If that doesn’t give you an idea of how serious the situation is . . . then just go right ahead and blindly surf away with Internet Explorer and an "it won't happen to me" ignorance. Porn site computer STD anyone???

If you are running an AMD 64 processor with Windows XP SP2, your computer is immune from all of these buffer overflow threats.

<span style=\'color:green\'>" * What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segements '. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit."
http://isc.sans.org/diary.php?storyid=994

Protect yourselves folks!!! This can get nasty.

 

Update coming today!!!!</span>

Yep, it's that serious that Microsoft is pushing this update a quick as they can.
UPDATE YOUR WINDOWS BOX NOW!!!

<span style=\'color:green\'>Microsoft Security Bulletin Advance Notification
Updated: January 5, 2005
Security Bulletin Advance Notification

Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.
http://www.microsoft.com/technet/security/...in/advance.mspx

 

1) My bad. I equated this to being associated with a buffer overflow because the of the AMD64 with Win SP2 being immune. :mellow:

4) It should be on by default . . . but it doesn't hurt to check.
http://support.microsoft.com/kb/875352

 

Sorry if you find it objectionable, but the green color helps differentiate pasted information from my writings. That is why there is also a link below the green words.

Not bolding the green makes the green too pale - light green on white or light blue backgrounds, yuck!

Apparently you are not colorblind. :huh:

 

That, and my anti-virus program, Avast, did a program update today, not just a daily virus def update.

For security groups to be recommending a third party fix to the OS . . my guess is the threat is huge and not just theoretical.

I forced the Windows Update. So far so good.