Posted on 12/28/2005 2:55:03 PM PST by Ernest_at_the_Beach
This alert is a follow-up to a post made yesterday on our blog: http://www.websensesecuritylabs.com/blog/
Websense® Security Labs has discovered numerous websites exploiting an unpatched Windows vulnerability in the handling of .WMF image files. The websites which have been uncovered at this point are using the exploit to distribute Spyware applications and other Potentially Unwanted Software. The user's desktop background is replaced with a message warning of a spyware infection and a "spyware cleaning" application is launched. This application prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages.
We are currently tracking thousands of websites distributing exploit code from iFrameCASH BIZ. A similar zero-day vulnerability being exploited by this entity was discussed earlier this month: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=364
There is currently no patch available. Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected.
(Excerpt) Read more at websensesecuritylabs.com ...
This one is a really nasty one. One could get infected by just visiting a website with .WMF files.
How about including Microsoft management?
"I'm beginning to think that the best option for most people would be a dual-boot system with Windows and Linux. Run Windows for the gaming and the applications that aren't available on Linux and run Linux for internet browsing, e-mail, etc."
I'm running Linux, and Windows XP Pro in VMWare. No web surfing in Windows - office, etc. only. All data is saved to a Samba share on Linux. If Windows takes a dump, I replace the VMware image I'm using with a fresh copy.
ping
Suggestions to change it to?
I can find the file type and all but don't comprehend the extended information that's displayed under "Advanced" tab where it's set to open with, etc.
I have Norton AV 2006 and have it selected to disable all ActiveX and Java. Can't see some content on the internet but that's the least of my worries.
When I NEED to interact with a TRUSTED, known-to-be-reliable site, I modify as necessary, but for general internet use, everyone should just disable those functions. And use "High" Internet security setting, AND use a few other trusted, reliable programs like Spybot Search & Destroy (which blocks a lot of spyware and malware and hacking attempts and will actually close down your browser if anything very terrible attempts to correspond)...
Most people are just far too available on the internet and that's why they have so many of these bugs. And their bugs become bugs for everyone else, so it's important for everyone to try to take control over security on their desktops.
Better yet, save the five hundred and d/l a copy of Mepis Linux or Kubuntu. Both are idiot proof to install on every machine I have tried and easy enough to run that my technophobe wife has no problems at all with them. She now prefers Linux to Windows.
What if you turn off your spyware detection alert?
That's good advice, on the Internet zone I always keep Javascript/ActiveX disabled, not only does it help protect users somewhat against exploits but you don't get popups either.
But this is a different exploit.....I don't think that helps with this one!
From Cicero's posting # 38 above......and see Company Man posting at #25.
***********************************************
A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.
WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.
Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.
Why would you do that?
This is a new exploit....see above!
That's what I was looking for and didn't see. Microsoft will probably patch it by their next release so the safest course in XP till then would be to unregister the shimgvw.dll file and do all surfing in a restricted account.
See #50 for some additional detail.
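As an added example that is not part of the thread or of any poster's text: a small batch script for the interim workaround just described (unregister the WMF-rendering DLL, check that it worked, and open the browser under a limited account), with a matching mode that reverses the unregistration once a vendor patch is installed. The DLL path %WINDIR%\system32\shimgvw.dll, the limited account name LimitedUser and the browser path are assumptions; regsvr32 and runas are standard Windows XP commands.

```batch
@echo off
rem Added example, not from the thread: interim WMF mitigation on Windows XP,
rem following the advice above (unregister shimgvw.dll, surf as a restricted user).
rem Assumptions: the DLL lives at %WINDIR%\system32\shimgvw.dll; a limited (non-admin)
rem local account named LimitedUser exists; Internet Explorer is at its default path.
setlocal

set "DLL=%WINDIR%\system32\shimgvw.dll"
set "LIMITED_USER=%COMPUTERNAME%\LimitedUser"
set "BROWSER=%ProgramFiles%\Internet Explorer\iexplore.exe"

if /i "%~1"=="undo" goto :undo
if /i "%~1"=="surf" goto :surf

:apply
rem Step 1: unregister the Picture and Fax Viewer COM server so the shell and IE
rem stop handing image files to it. /s suppresses the dialog; the exit code reports failure.
if not exist "%DLL%" (
    echo Expected DLL not found at "%DLL%" - nothing to unregister.
    exit /b 1
)
regsvr32 /u /s "%DLL%"
if errorlevel 1 (
    echo regsvr32 /u failed - are you running from an administrator account?
    exit /b 1
)
echo shimgvw.dll unregistered. Run this script with "undo" once a vendor patch is installed.
exit /b 0

:undo
rem Reverse the workaround: re-register the DLL after the patch is applied.
regsvr32 /s "%DLL%"
if errorlevel 1 (
    echo regsvr32 failed - are you running from an administrator account?
    exit /b 1
)
echo shimgvw.dll registered again.
exit /b 0

:surf
rem Step 2: open the browser under the limited account, so that anything a malicious
rem page manages to run gets that account's rights rather than the administrator's.
rem runas prompts for the limited account's password; the embedded quotes keep the
rem space-containing browser path intact.
runas /user:%LIMITED_USER% "\"%BROWSER%\""
exit /b %errorlevel%
```

Run it with no argument (from an administrator account) to apply the workaround, with `surf` to launch the browser as the limited user, and with `undo` to restore the DLL registration. While the DLL is unregistered, Windows Picture and Fax Viewer image previews stop working, which is the expected side effect of this workaround rather than a sign that something went wrong.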
********************************************
From the Websense Security Labs Website:
December 24, 2005
Phishing Alert: Lansing Automakers Federal Credit Union
Ping to those who haven't discovered it yet.
Yup, a jail sentence of about 20 years ought to do it.
Yes, I realize that this latest is a different exploit than in reference to the Java/ActiveX disablement mentioned earlier -- but I was (earlier, Java/AX) including a tangential security help, that's all: it's wise to have those two capabilities turned off, both in the browser and set to be suppressed by your firewall.
Your browser setup sounds intriguing and yet, I don't understand most of it! Ha...you lost me after Windows XP Pro.
~;-D
I'll go look into "VMWare" and see if I can learn sumthin'.
Question: How, if I wanted to, would I undo that command?
VMWare is system virtualization software. In a nutshell, I have Windows XP running as a program INSIDE Linux. The entire Windows "filesystem" is just a few files inside Linux.