New Windows exploit found - can infect your computer just by viewing an image


Dubb

Platinum Member
Mar 25, 2003
2,495
0
0
I don't see how I could have gotten this, but I just tried to run windows update and got:

The site cannot continue because one or more of these Windows services is not running:

Automatic Updates (allows the site to find, download and install high-priority updates for your computer)
Background Intelligent Transfer Service (BITS) (helps updates download more quickly and without problems if the download process is interrupted)
Event Log (keeps a record of updating activities to help with troubleshooting, if needed)


I double checked and all those are on...hmmm. computer seems ok, norton automatically got the latest update ...but I'm starting to get suspicious.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: cbrsurfr
Heard about this at work. Tried it out on one of my builds and DEP stopped it every time. That combined with SAV and Cisco security agent means I'm not worried.
The latest word is that software DEP doesn't work, but hardware DEP usually works. But not always. Your layered defense sounds great.

I suspect this exploit will haunt the average home users for a long time to come... 3-year old Dell/eMachine/Compaq with no updates and a long-expired install of Norton Antivirus 2002, etc. ~ huh? I need to update it, why again...?

 

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
Originally posted by: mechBgon
Originally posted by: cbrsurfr
Heard about this at work. Tried it out on one of my builds and DEP stopped it every time. That combined with SAV and Cisco security agent means I'm not worried.
The latest word is that software DEP doesn't work, but hardware DEP usually works. But not always. Your layered defense sounds great.

I suspect this exploit will haunt the average home users for a long time to come... 3-year old Dell/eMachine/Compaq with no updates and a long-expired install of Norton Antivirus 2002, etc. ~ huh? I need to update it, why again...?

son of a bitch!

(<- works in a tech shop) I suppose I'll be seeing lots of new machines now
 

Rubycon

Madame President
Aug 10, 2005
17,768
485
126
What intel chips have hardware DEP?

I think of caulk when people talk about DEP probably because DAP makes it. :Q
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: BriGy86
trend micro FTW!
VirusScan Enterprise 8.0i generic buffer-overflow protections FTW*! (at work, anyway)






*when using Windows Explorer or Internet Explorer

 

aplefka

Lifer
Feb 29, 2004
12,016
2
0
Pretty sure it's been out for a while now, isn't this the one that's been going around on AIM where it looks like you're clicking on some image and then it's a virus? That's why I don't click any links when it comes out of nowhere and I wasn't talking to the person before.
 

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
Originally posted by: mechBgon
Originally posted by: BriGy86
trend micro FTW!
VirusScan Enterprise 8.0i generic buffer-overflow protections FTW*! (at work, anyway)






*when using Windows Explorer or Internet Explorer

I'm guessing that it's expensive and not found in retail stores
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: BriGy86
Originally posted by: mechBgon
Originally posted by: BriGy86
trend micro FTW!
VirusScan Enterprise 8.0i generic buffer-overflow protections FTW*! (at work, anyway)






*when using Windows Explorer or Internet Explorer

I'm guessing that it's expensive and not found in retail stores
You got me there, it's a minimum 5-pack at their small-biz store. They wouldn't dare sell it to consumers, the configuration is a bit overwhelming for home users :evil:

 

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
by that config it seems as though it has the same effect as unplugging the cat 5 wire, lol

and as for that DEP option what does it exactly do?

*edit*

it also says that my CPU does not support DEP (AMD athlon XP 3000+)

is it worth having on anyway?
 

imported_goku

Diamond Member
Mar 28, 2004
7,613
3
0
Originally posted by: JJWalker
Originally posted by: amjohns5
Ugh, I just reformatted, and forgot my username/password for my 2 year subscription to Norton '06!!


I would look at that as a positive.
QFT
Get kaspersky, norton is garbage, absolute garbage that does sh!t for detecting viruses.
 

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
Originally posted by: goku
Originally posted by: JJWalker
Originally posted by: amjohns5
Ugh, I just reformatted, and forgot my username/password for my 2 year subscription to Norton '06!!


I would look at that as a positive.
QFT
Get kaspersky, norton is garbage, absolute garbage that does sh!t for detecting viruses.

norton is better than mcafee, I suggest trend micro though, or even panda
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: BriGy86
by that config it seems as though it has the same effect as unplugging the cat 5 wire, lol
Hehe
and as for that DEP option what does it exactly do?

*edit*

it also says that my CPU does not support DEP (AMD athlon XP 3000+)

is it worth having on anyway?
AthlonXPs don't have hardware DEP, nopers. I'd turn it on for kicks if it were me, but I'd be counting on the antivirus software as the main line of defense, and my Limited user account as the next layer, plus common sense where possible.

I saw on F-Secure's blog that a very good programmer has made a temporary fix for WinXP systems: http://www.hexblog.com/2005/12/wmf_vuln.html

Anyway, what hardware DEP is supposed to do is to [ layman talking ] only allow code to execute from pages of memory that are specifically marked as executable [ / layman ], declawing some types of buffer-overflow attacks at the hardware level. Telling Windows to use that capability for all programs, not just core Windows components, is what apparently is needed in this case.

Here's a .WMV showing a security researcher deliberately walking into the exploit: http://www.sunbelt-software.com/ihs/alex/wmf_freecat122905.wmv Kinda interesting (oops, edit, I said his hardware DEP shuts it down, but not in that case)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Ooops, I goofed. This screenshot shows what you'd see if hardware DEP shut down the exploit. I would say the screenshot is borderline NSFW btw.
 

Amused

Elite Member
Apr 14, 2001
56,009
14,556
146
Originally posted by: goku
Originally posted by: JJWalker
Originally posted by: amjohns5
Ugh, I just reformatted, and forgot my username/password for my 2 year subscription to Norton '06!!


I would look at that as a positive.
QFT
Get kaspersky, norton is garbage, absolute garbage that does sh!t for detecting viruses.

It stops this one. And, in the end, that's all the protection I need: Protection from viruses and threats that can harm me through no fault of my own.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
F-Secure reports on their blog that a new no-brainer tool has been made public so ANYONE can make their very own WMF exploit :roll:

McAfee reports that the new make-a-'sploit tool has been used to distribute a spam email containing the file HappyNewYear.jpg, which is really a .WMF. McAfee users need the 4664 DATs (available tomorrow around 10AM, at least for corporate users) and 4400 engine for detection of exploits made with the new tool. McAfee's updated info on Exploit-WMF is here.
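
Added example, not part of the thread or any vendor's code: the post above describes HappyNewYear.jpg being a WMF under a .jpg name, so a mail or proxy filter has to classify attachments by their leading bytes rather than by extension. The function names and verdict strings are hypothetical, the header constants are the published JPEG and WMF values, and the sample buffers are constructed.

```python
import struct
from pathlib import PurePath

JPEG_SOI = b"\xff\xd8\xff"               # JPEG start-of-image marker
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # placeable WMF key 0x9AC6CDD7, little-endian


def sniff(data: bytes) -> str:
    """Classify a buffer by content, never by file name."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if data.startswith(WMF_PLACEABLE_KEY):
        return "wmf"
    if len(data) >= 6:
        # Standard WMF header: Type (1 = memory, 2 = disk), HeaderSize in
        # 16-bit words (always 9), Version (0x0100 or 0x0300).
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"  # includes truncated input too short to judge


def check_attachment(name: str, data: bytes) -> str:
    """Return a verdict string (hypothetical labels) for one attachment."""
    ext = PurePath(name).suffix.lower()
    kind = sniff(data)
    if kind == "wmf":
        # A metafile is flagged either way; a mismatched name is the
        # stronger signal because it suggests deliberate disguise.
        return "wmf" if ext == ".wmf" else "disguised-wmf"
    if kind == "jpeg" and ext in (".jpg", ".jpeg"):
        return "ok"
    return "unverified"


# Constructed sample buffers (headers only, no drawing records).
SAMPLE_STD_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLE_PLACEABLE_WMF = WMF_PLACEABLE_KEY + b"\x00" * 18 + SAMPLE_STD_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for fname, blob in [("HappyNewYear.jpg", SAMPLE_STD_WMF),
                        ("chart.WMF", SAMPLE_PLACEABLE_WMF),
                        ("photo.jpg", SAMPLE_JPEG),
                        ("short.jpg", b"\x01\x00")]:
        print(fname, "->", check_attachment(fname, blob))
```
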
 