Planetarion Forums > Non Planetarion Discussions > General Discussions

28 Dec 2005, 21:01   #1
Phil^
dont go opening them thar .wmf files now...

just so you lot know, there's a nasty new Windows exploit going around
information from digg.com

information from sans
information from fsecure

basically, don't touch any .wmf file, or folder containing them, with a bargepole.
and for the love of god DON'T USE INTERNET EXPLORER, it infects you instantly.
Firefox and Opera both will still infect you, but they ask you if you really want to open it first, and in what.
Windows Picture and Fax Viewer is what is vulnerable, or rather a component of it which reads the file metadata, from what I can gather.

you can still get infected if you download it using a DOS box and wget also, if you have something like Google Desktop which will notice it and cache the file (and in the process read the metadata which triggers this).

there's a video here if you want to watch it infect a (deliberately set up) machine, and turn into a rather slick scam.
__________________
Phil^
28 Dec 2005, 21:23   #2
Demon Dave

so, what, is it that Winhound thing that's the scam?
__________________
They shall not grow old, as we who are left grow old:
Age shall not weary them, nor the years condemn.
At the going down of the sun and in the morning
We shall remember them.
28 Dec 2005, 21:27   #3
Phil^

in the video example it is, the "register now, give us your cc details" part.
could be redirecting from a valid site to a scam site set up to harvest cc details

the exploit itself can (and is) being used to deliver anything though, from scam, through trojan, all the way (potentially) to rootkit
28 Dec 2005, 21:30   #4
Demon Dave

fun. I'll be keeping an eye out for that then
28 Dec 2005, 21:30   #5
s|k

I believe IE warns you before opening downloaded files too.
__________________
Diomedes IRC
Blog
28 Dec 2005, 21:33   #6
Phil^

not wmf files - it opens those automatically, watch the video if you want proof
28 Dec 2005, 21:39   #7
s|k

Oh.
28 Dec 2005, 21:53   #8
Cannon_Fodder

So it just installs a convincing looking AV program that harvests CC details. Is that all or can you just ignore it and remove it?
__________________
If one person is in delusion, they're called insane.
If many people are in delusion, it's called a religion.
28 Dec 2005, 21:56   #9
Phil^

that variation of it does, but the point I was trying to make (and seemingly failing) is that it's a new exploit, discovered literally within the last 24-48 hours, and is already being abused.
this is just the tip of the iceberg imo, lots of other, and potentially nastier, stuff will follow
28 Dec 2005, 23:05   #10
Ste

can you explain what a wmf file is actually used for?
__________________
Wise men write because they have something to write about; fools write because they have to write something. - Plato

yeh so Plastic Brilliance is now known as FOXYSTOAT - Come on by and check it out!
28 Dec 2005, 23:06   #11
Emperor Rozenski

Thanks for the warning. I've now set Windows to ask before opening .wmf files (Folder Options > File Types > Select WMF, click 'Advanced' button > check 'Confirm open after download' checkbox > 'OK' > 'OK'). Hopefully having done that will keep me safe until MS put out a patch.
__________________
- GlimmerMan

Kick the Baby! - did we rock your world?
28 Dec 2005, 23:07   #12
NEWSBOT3

Windows Meta File, can be used for graphics iirc.

edit : filext.com
__________________
[20:27:47] <nodrog-aawy> **** i think my housemate just caught me masturbating
[11:25:32] <idimmu> you are a little piggy arent you
[13:17:00] <KaneED> i'm so closet i'm like narnia
__________________
Pretty parks and funky scrap metal things here
28 Dec 2005, 23:28   #13
skiddy

...as he sits here quite comfortably on OS 10.4.3.
28 Dec 2005, 23:47   #14
Obliterate

Quote:
Originally Posted by skiddy
...as he sits here quite comfortably on OS 10.4.3.
Me too!

__________________
Danger gleams like sunshine to a brave man's eyes.
29 Dec 2005, 02:25   #15
Phil^

quick update: http://blogs.washingtonpost.com/secu...t_release.html

basically you can disable the vulnerable DLL by doing:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.

once Microsoft have released a patch for this, you can re-enable it by:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 shimgvw.dll" to enable.
29 Dec 2005, 11:01   #16
Flavius

oh why do I bother

you're wrong, most of you at least

http://forums.somethingawful.com/sho...readid=1759573

that should give you enough info, along with a patch to the problem by R1CH
29 Dec 2005, 15:38   #17
Phil^

gdi32.dll isn't the file which has the flaw, so why that's the one being patched I dunno.

edit: according to CERT now, it could be too: http://www.kb.cert.org/vuls/id/181038


personally I wouldn't touch that patch - no telling what it will or won't do. would much prefer to see the source for it, see a diff of what modifications were done, and compile it myself before I use it.
maybe I'm just paranoid but there you go

I've done the regsvr workaround for now, and will use any MS patch when they eventually get off their arses and make one

as for DEP, it's worked in some cases, it hasn't in others from what I've seen on sites like F-Secure's blog, SANS, etc.
Last edited by Phil^; 29 Dec 2005 at 15:53.
29 Dec 2005, 15:42   #18
Flavius

try using the sample .wmf file he posted before and after applying his patch

you will see the difference
29 Dec 2005, 19:44   #19
Hicks

I think this sums up all the advice: DON'T USE INTERNET EXPLORER. Not only does using something else offer more protection, you can safely lord it over all those poor IE users.
__________________
Hicks
Mercury & Solace
Always [Fury]
29 Dec 2005, 20:20   #20
Cannon_Fodder

I've never had a problem with IE, is there some Coolness Internet Memo I didn't get?
29 Dec 2005, 22:35   #21
Emperor Rozenski

I read on Norton's site late last night that the AV definitions update released yesterday already detects and prevents this exploit. The BBC has a story on it too, and MS have also acknowledged the threat.

http://securityresponse.symantec.com...xploit.56.html
http://news.bbc.co.uk/1/hi/technology/4566504.stm
http://www.microsoft.com/technet/sec...ry/912840.mspx
29 Dec 2005, 22:41   #22
Phil^

it prevents the individual trojans/etc. which use the exploit at present I'm sure, but it won't plug the hole the exploit sails in though. it'll be a cat-and-mouse game between all the anti-virus companies and virus writers until the actual exploit hole is fixed, and people patch up.
29 Dec 2005, 23:13   #23
Leshy

Quote:
Originally Posted by sniborp
I've never had a problem with IE, is there some Coolness Internet Memo I didn't get?
I've never had an accident while drunk driving, so I don't know what everyone's complaining about as it's perfectly fine!
__________________
http://www.leshy.net
30 Dec 2005, 02:17   #24
Flavius

Quote:
Originally Posted by Hicks
I think this sums up all the advice: DON'T USE INTERNET EXPLORER. Not only does using something else offer more protection, you can safely lord it over all those poor IE users.
again, wrong

had you said "don't use Windows ME, 2000, XP or 2003" I would have agreed, but unfortunately it is not the browser that is vulnerable but the image previewing, which is also used by any other browser (Opera, Firefox). even Google Desktop Search uses the preview to cache the pictures, so that makes you vulnerable as well.
30 Dec 2005, 02:24   #25
Leshy

Quote:
Originally Posted by Flavius
had you said "dont use windows ME, 2000, XP or 2003" I would have agreed but unfortunately it is not the browser that is vulnerable, but the image previewing, which is also used by any other browser (opera, firefox). even google desktop search uses the preview to cache the pictures, so that makes you vulnerable as well.
The main issue, however, is that at least Opera and Firefox ask you whether you wish to open the file, whereas Internet Explorer simply does so.

While this doesn't make Firefox or Opera immune or immensely more safe, it does show that in situations like these they provide an extra layer of security that Internet Explorer does not. And with the main source of security still being the end user, that is not a layer that should be easily overlooked.
30 Dec 2005, 02:42   #26
Flavius

Quote:
Originally Posted by Leshy
The main issue, however, is that at least Opera and Firefox ask you whether you wish to open the file, whereas Internet Explorer simply does so.

While this doesn't make Firefox or Opera immune or immensely more safe, it does show that in situations like these they provide an extra layer of security that Internet Explorer does not. And with the main source of security still being the end user, that is not a layer that should be easily overlooked.
an extra layer of security? how often do you suspect a .gif or .jpg file?

anyone can make his own .wmf file, rename it to .gif and place it as an avatar

Firefox won't ask you to open it, it will simply display it.

Firefox asks if you want to open a .wmf since it's not registered internally as a picture file format
Unread 30 Dec 2005, 03:05   #27
Leshy
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...

Quote:
Originally Posted by Flavius
How often do you suspect a .gif or .jpg file?

[...]

Firefox asks if you want to open a .wmf
And this is exactly why that question, which arouses suspicion, is pretty effective.
Unread 30 Dec 2005, 03:07   #28
Flavius
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...

Quote:
Originally Posted by Leshy
Does not compute.
OK, the infected file is blah.wmf.
Internet Explorer opens it without questions. Opera/Firefox don't.

Take the infected file, rename it to blah.gif.
All browsers will open it automatically since they assume it to be a picture.
Unread 30 Dec 2005, 03:08   #29
Flavius
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...

Quote:
Originally Posted by Leshy
And this is exactly why that question, which arouses suspicion, is pretty effective.
You can rename a .wmf to .gif, which escapes that added "layer of protection" you claim Firefox/Opera have.
Unread 30 Dec 2005, 04:09   #30
Leshy
Join Date: Nov 2000
Location: Belgium
Posts: 8,271
Re: dont go opening them thar .wmf files now...

Isn't it the case that as soon as you rename it to a .gif or whatever, the browser will attempt to open the file itself, realise that the file is either unreadable or corrupted and thus be unable to display it, rather than sending it on to the vulnerable Windows Image Viewer component?

I seem to recall a .jpeg vulnerability issue a while back that was a problem caused by a faulty Windows component as well, which Opera was not affected by because it uses its own programming to handle the viewing of .jpeg images.
Unread 30 Dec 2005, 04:15   #31
Flavius
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...

Quote:
Originally Posted by Leshy
Isn't it the case that as soon as you rename it to a .gif or whatever, the browser will attempt to open the file itself, rather than send it on to the vulnerable Windows part? That is, if it fails to realise that the file's type doesn't match its extension.

I seem to recall a .jpeg vulnerability issue a while back that was a problem caused by a faulty Windows component as well, which Opera was not affected by because it uses its own programming to handle that stuff.
Ok I take back part of what I said before regarding the rendering of the picture within the browser.

Here's a short summary: "IE automatically opens the fax/image viewer when directly accessing a .wmf. Firefox does not (in later versions). If you viewed it as an embedded image on a page it would not have displayed properly, but it would not have executed any exploit code.

You can't run the code directly simply by browsing (browsing can indirectly lead to the code being executed if something like Google Desktop indexes/touches the cached copy of the file in your temp internet files, or you browse to the folder in Explorer and the autopreview/thumbnail generation kicks in). You have to click a link directly to the infected file so that the fax and picture viewer runs."

So this is not a browser vs browser argument, and browsing generally should not be a problem. The problem lies in the fax/picture viewer and any other program that uses the same image processing libraries to open .wmf files (such as Google Desktop).
Unread 30 Dec 2005, 15:36   #32
djbass
Join Date: Apr 2000
Location: Australia
Posts: 2,152
Re: dont go opening them thar .wmf files now...
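The exchange above (a .wmf renamed to .gif versus a program reading the bytes and deciding for itself) comes down to checking content rather than extension. As an added example, not code from the thread or from any browser, here is a Python sniffer that identifies GIF, JPEG, PNG and both WMF header forms by their leading bytes and rejects a renamed metafile; the avatar-upload filter and the sample byte strings are constructed for illustration.

```python
import struct

# Magic bytes from the public format specifications (not from the thread).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    # Aldus placeable metafile key 0x9AC6CDD7, stored little-endian.
    b"\xd7\xcd\xc6\x9a": "wmf-placeable",
}

# Which sniffed type each accepted extension is allowed to carry.
EXT_TO_KIND = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def sniff_image_type(data: bytes) -> str:
    """Identify image data by its leading bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # A plain WMF has no key; it opens with METAHEADER: Type (1 = memory,
    # 2 = disk file), HeaderSize (always 9 words) and Version (0x0100/0x0300),
    # each a little-endian WORD.
    if len(data) >= 6:
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def check_avatar(filename: str, data: bytes) -> tuple:
    """Hypothetical upload filter: returns (accepted, reason) for an avatar file.

    Decides on the bytes, so a .wmf renamed to .gif is still rejected.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_image_type(data)
    if kind.startswith("wmf"):
        return False, "metafile content (%s) rejected regardless of .%s" % (kind, ext)
    if kind == "unknown":
        return False, "unrecognised image content"
    if EXT_TO_KIND.get(ext) != kind:
        return False, "extension .%s does not match %s content" % (ext, kind)
    return True, "%s content matches extension .%s" % (kind, ext)


# Constructed sample inputs (headers only, not complete image files).
SAMPLE_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 6
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00"
# Plain WMF METAHEADER: Type=2, HeaderSize=9, Version=0x0300, remaining fields zeroed.
SAMPLE_PLAIN_WMF = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 9, 0, 0, 0, 0)
# Placeable WMF: 22-byte placeable header (key + zeroed fields), then the METAHEADER.
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + SAMPLE_PLAIN_WMF

if __name__ == "__main__":
    for name, blob in [("avatar.gif", SAMPLE_GIF), ("avatar.gif", SAMPLE_PLAIN_WMF),
                       ("avatar.gif", SAMPLE_PLACEABLE_WMF), ("photo.jpg", SAMPLE_GIF)]:
        print(name, sniff_image_type(blob), check_avatar(name, blob))
```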

It's a pity I didn't see this earlier; my PC fell victim to this attack yesterday. A nasty one it is too: despite having popup blockers, a page launched that contained an infected WMF file. Even when I saw the file open I instantly suspected it was an exploit, but didn't have time to stop the file from opening.

Within 5 seconds I had symptoms very much like those demonstrated in the video: my desktop was filled with links, that fake malware message appeared in my tasktray and the desktop background changed to the infected warning. It was a completely different fraudulent anti-spyware proggy though; Spysheriff installed itself on my machine along with a host of other malware. Fortunately I've already had dealings with this particular program, having removed it from a couple of customers' machines. It changes group policies in the registry in an attempt to prevent you from undoing the damage, and even loads in safe mode. After 5 hours I'm reasonably certain my PC is free of everything, but I'll be monitoring it over the next 48 hours for anything I may have missed.
Unread 30 Dec 2005, 15:59   #33
Phang
Join Date: Sep 2002
Location: I'm No Nino Rota
Posts: 5,923
Re: dont go opening them thar .wmf files now...

Good old Internet Explorer, eh?
Unread 30 Dec 2005, 16:25   #34
Ste
Join Date: Apr 2001
Location: Nottm ->Shef ->Croydon ->Manc ->Durham ->Sheffield
Posts: 6,506
Re: dont go opening them thar .wmf files now...

What kind of sites are doing this? (And no, links aren't good.)

BTW, I upgraded to Firefox a few days ago anyway.
Unread 30 Dec 2005, 16:41   #35
Phil^
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...

There's a list of some sites which have been caught doing it on the F-Secure link, I believe (not clickable ones, for obvious reasons).
Thing is, the exploit code which makes this work has been public ever since the first ones started rolling off the 'assembly line', so you can imagine every script kiddie/virus writer/malware author from here to Timbuktu now having it and churning out something to use it.
Unread 30 Dec 2005, 16:44   #36
Phil^
Join Date: May 2003
Posts: 3,583
Re: dont go opening them thar .wmf files now...

djbass, you might want to post detailed removal instructions in this thread in case anyone else gets infected, since you've already dealt with this thing before, btw.
Unread 30 Dec 2005, 17:13   #37
Cannon_Fodder
Join Date: Jan 2005
Posts: 3,174
Re: dont go opening them thar .wmf files now...

Quote:
Originally Posted by Phil^
djbass, you might want to post detailed removal instructions in this thread in case anyone else gets infected, since you've already dealt with this thing before, btw.
[comedy option]
Nortons?
[/comedy option]
Unread 30 Dec 2005, 18:29   #38
1-X
Join Date: Aug 2003
Posts: 5,900
Re: dont go opening them thar .wmf files now...

I've just seen one... but on Opera it appeared as a download dialog (filename was xpl.wmf), to which I simply pressed 'cancel'.
Unread 31 Dec 2005, 01:24   #39
Flavius
Join Date: Jan 2002
Posts: 421
Re: dont go opening them thar .wmf files now...

Imagine someone adds an infected picture inline on a .html page. You open that page and the file stays in your cache. If you have Google Desktop Search and the indexing is turned on, you're infected.