Author Topic: WMF exploit problem  (Read 20143 times)


Offline curious!

Re: WMF exploit problem
« Reply #15 on: January 03, 2006, 06:58:00 PM »
:) The following was posted on the freedomlist.com antiSPYWARE forums yesterday:
"
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ here).

FIX DIRECT DOWNLOAD LINK: http://www.hexblog.com/security/files/wmffix_hexblog13.exe
Fix Described Here: http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK: http://www.hexblog.com/security/files/wmf_checker_hexblog.exe
Checker Described here: http://www.hexblog.com/2006/01/wmf_vulnera....html#more

The temporary patch can be uninstalled via Add/Remove programs after Microsoft provides a solution to this exploit. "


There seems not to be a general consensus concerning what to do.

MS Security Advisory does not recommend this solution, but to use their dll unregister. The last version of the advisory (912840) says that an official patch is ready and that only testing remains. They hope it will be available in a week!

I have read a lot of the writings and decided not to run the unofficial patch.
No one knows what is the best thing to do, I think.

(Hexblog is now up to version 1.4 btw)

HL


Edited with link to Microsoft security advisory:

www.microsoft.com/technet/security/advisory/912840.mspx

HL
« Last Edit: January 03, 2006, 07:05:30 PM by hlecter »

Offline Reiner

Re: WMF exploit problem
« Reply #16 on: January 03, 2006, 07:25:09 PM »
Quote
hlecter wrote:
I can confirm that both the webshield and standard shield on my machine give me a warning on said page.

The malware is named WMF Exploit.

I have to turn off the webshield to test the standard shield!  Grin

The newest pattern did it for me. I hope avast has not just added the heise.de demo exploit to their pattern but has a more common approach in detecting variants of this exploit. There seem to be virus generators out in the wild which allow almost anybody to inject harming code in wmf-files.

Nice job done by avast having solved this issue fast.


Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself. Removing was painless and as far as I can tell it left nothing behind.

Reiner

Offline curious!

Re: WMF exploit problem
« Reply #17 on: January 03, 2006, 07:45:57 PM »

Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself. Removing was painless and as far as I can tell it left nothing behind.

Reiner

Of course I trust Sans.org.
But MANY people have had problems with the unofficial patch.
So I was in doubt. But I decided to wait for the official patch.
I think about e.g. localization problems in my Norwegian version of XP. MS are making patches for 20+ languages. :)

Here is a bit from the advisory:

"
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.

As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party security updates.
"

That made MY decision.

HL

Offline Reiner

Re: WMF exploit problem
« Reply #18 on: January 03, 2006, 08:28:58 PM »
You are the first one who reports problems with that patch. I run a German XP Pro version at home and in the office in a Novell environment (Yes! No AD!) and have so far not experienced any problems (2 days). My colleagues installed it as well -> no problems.

Of course MS recommends official patches, but waiting until the official patch day next week to supply a patch for a really dangerous exploit is in my opinion more than irresponsible. The unofficial patch only shows how fast a feasible solution can be accomplished by just ONE programmer! MS for sure has more than one experienced programmer. This unofficial patch shines a bad light on MS, in my opinion.

Additionally, this patch shows how fast the free community can come up with solutions!

Just my opinion

Reiner

Offline igor

Re: WMF exploit problem
« Reply #19 on: January 03, 2006, 09:05:48 PM »
The newest pattern did it for me. I hope avast has not just added the heise.de demo exploit to their pattern but has a more common approach in detecting variants of this exploit. There seem to be virus generators out in the wild which allow almost anybody to inject harming code in wmf-files.

No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.

Regarding the unofficial patch provided by Ilfak Guilfanov, I installed it on my system, having no problems at all. Of course it is questionable to install software from "unknown" sources, but this patch was examined by sans.org and if you don't trust them, you could look at the source code yourself.

I like that statement  ;D
I mean, the author's name is probably not very well known to the common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org's in the world.

Offline curious!

Re: WMF exploit problem
« Reply #20 on: January 03, 2006, 09:07:29 PM »
You are the first one who reports problems with that patch.

Well, I have not tried to install it myself. But I have read hundreds of different opinions about the WMF exploit and the different patches. At first the patch was meant for XP SP2 only, and I am on XP SP1...
Then it was extended to several variants of Windows...
The problems I read about were either concerning installing the patch or difficulties uninstalling it.

One I read about destroyed his Windows.

Many reported zero problems as you do.

I had decided to install the patch today after Ghosting my system first, but then I decided to wait for MS.

Everybody has to make up their own mind in this matter, but I think this thread is more about security than Avast! so I will stop here.

Have a nice evening.  :)

Hannibal Lecter

Offline neal63

Re: WMF exploit problem
« Reply #21 on: January 03, 2006, 09:44:36 PM »
If this is the patch at GRC by this gentleman Mr. Guilfanov, then the patch he has was written for 64 bit WinXP. I don't know or think it would work for a 32 bit version of WinXP but I may be wrong?
"The problems that exist in the world today, cannot be solved by the level of thinking that created them." --Albert Einstein--

Offline JimF

Re: WMF exploit problem
« Reply #22 on: January 03, 2006, 09:56:07 PM »
If this is the patch at GRC by this gentleman Mr. Guilfanov, then the patch he has was written for 64 bit WinXP. I don't know or think it would work for a 32 bit version of WinXP but I may be wrong?
I downloaded from GRC (http://www.grc.com/miscfiles/wmffix_hexblog14.exe) and it works fine on my 32 bit WinXP SP2 system. But with avast! now having the generic signatures, I suppose it is safe enough to wait until the Microsoft patch comes out if that is what you want to do.

Offline Vlk

Re: WMF exploit problem
« Reply #23 on: January 03, 2006, 10:01:38 PM »
I don't know, but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I don't think it's necessary (or even desirable) to install the patch - avast with the latest definitions should guard you well.
If at first you don't succeed, then skydiving's not for you.

Offline neal63

Re: WMF exploit problem
« Reply #24 on: January 03, 2006, 10:06:23 PM »
I have read today that Microsoft is planning to come out with an official patch on Jan 10th. They are testing it now.
"The problems that exist in the world today, cannot be solved by the level of thinking that created them." --Albert Einstein--

Offline Vlk

Re: WMF exploit problem
« Reply #25 on: January 03, 2006, 10:10:11 PM »
Yes, Jan 10 = second Tuesday in month = usual "patch day". ;)
If at first you don't succeed, then skydiving's not for you.

Offline igor

Re: WMF exploit problem
« Reply #26 on: January 03, 2006, 10:11:17 PM »
I don't know, but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I also said that I thought it had been only an unrelated coincidence ;)
The patch doesn't really do much, I don't think it can have many negative effects (apart from very specific UI applications maybe).
« Last Edit: January 03, 2006, 10:22:50 PM by igor »

Offline CharleyO

Re: WMF exploit problem
« Reply #27 on: January 03, 2006, 10:47:23 PM »
***

For those interested, the below link has 6 pictures of 6 infected websites.

http://news.zdnet.com/2300-1009_22-6016439-1.html?tag=nl.e589


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline artamangr

Re: WMF exploit problem
« Reply #28 on: January 04, 2006, 12:50:16 AM »
Hi,
maybe a silly question this one... is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
Piges ntip myalo!

Offline curious!

Re: WMF exploit problem
« Reply #29 on: January 04, 2006, 12:52:57 AM »

Here is a bit from the advisory:

"
What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.

As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party security updates.
"

That made MY decision.

This I wrote some posts ago in this thread. Seems like not all read the whole thread before posting. >:(

I don't know, but Igor actually reported that the patch BROKE AVAST on one of our machines. I.e. the on-access scanner in avast stopped working. We didn't spend time analysing WHY that was happening, but if it broke avast, it could have broken other software as well...

I don't think it's necessary (or even desirable) to install the patch - avast with the latest definitions should guard you well.

Thank you, VLK, for the supportive post. ;D

HL