liz_marcs (liz_marcs) wrote,

Why Windows Sucks...Worm/Virus Warning: WMF Vulnerability

I heard/read about this a few days ago (I forget where) and only just now got around to looking into it.

Windows users ranging from 98 all the way up to present-day incarnations are vulnerable to this attack, although a patch for it has recently emerged.

Malware authors exploiting a flaw in the way Windows renders WMF image files can open Internet-connected machines to spyware, viruses, and other malware. All you have to do is view a malicious image, either on a Web site or in the preview pane of your email client, to become infected.

Anyone using Internet Explorer is especially vulnerable. Users (like me) who use Firefox or Opera to get around Explorer's weaknesses are also vulnerable, although in some cases (by no means all) you'll be prompted to download the image file carrying the malicious code before it can be viewed.

Please keep in mind, it appears you do not have to download anything to your computer. You just have to view the image to become infected.

It appears that Microsoft will not be sending out a fix until at least January 10. By then, we'll have a mess on our hands.

What makes this insidious is that the average computer user is vulnerable, even the paranoid sorts like myself who download almost nothing to our computers unless it's from a trusted site.

The Washington Post more fully explains the details here and here.

Right now, the advice to deal with this is as follows:

  • Make sure that Data Execution Prevention (DEP) is enabled. It helps block things somewhat, but it's not 100% certain to do so. There are some technical reasons why it's not complete protection, something to do with hardware vs. software DEP. Still, it's a good idea to make sure it's on. If you want to check that it's on:

    • Go into "Control Panel"
    • Click on "Performance and Maintenance"
    • Click on "System"
    • Click on the "Advanced" tab
    • Under the "Performance" option, click on "Settings"
    • Click on the "Data Execution Prevention" tab
    • Make sure the second radio button is selected
    • Click "OK"

  • Download a hotpatch that's been proven to work from here. Several security experts have vouched for it. I downloaded it and installed it and have not seen any problems with my machine since I've done it.

  • Security Fix from the Washington Post offers another workaround that can provide additional protection. Once an official Microsoft patch is available, you can reverse this fix. Apparently you might have problems seeing some images, especially thumbnail images, but I haven't had any problems at all since using this hack.

  • After you take the above steps, make sure to restart your machine to ensure your changes take hold. Before restarting, you may still be vulnerable, even if you've set DEP, downloaded the patch, and have used the hack.

  • If you download email to your computer, shut off the preview pane. Do not open email from unfamiliar addresses. One of the scams being used to deliver the virus is a notification to the unsuspecting that you've received a "greeting card" and that, to view it, you need to click on a link.

  • Before clicking on a link, hover your mouse over the link first and read the link that should appear at the bottom of your browser. If you see it takes you to an executable file, do not click the link.

  • Keep up with your Microsoft Security Updates. Although the "official" patch has not been made available, it's still good practice to do so. Again, we're looking at 10 to 14 days before we see anything out of Gates's people.

  • Keep your virus definitions and firewall updated. Some of the anti-virus companies have started working on solutions to root out problems. I know that Norton has already upgraded its firewall to help block it.

  • Do not visit Websites that are unknown to you. View even those Websites that are known to you with suspicion.

  • Download spyware detectors and keep them updated. Right now I run three on a regular basis. I personally like Ad-Aware the best. I also use SpyBot and Microsoft Beta. Between the three, I'm kept pretty much spyware- and adware-free.
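The DEP check from the list above, done from the command line instead of the Control Panel, with the hardware-vs.-software caveat made concrete. This is an added example in PowerShell (the Windows administration shell), not code from this post or from any of the linked sites. It assumes the DataExecutionPrevention_* properties of the Win32_OperatingSystem WMI class (present on XP SP2 and later), and it assumes that the Security Fix workaround referred to above is the shimgvw.dll unregistration that Microsoft's own advisory published at the time; the regsvr32 lines are left as comments because the workaround is meant to be reversed once the official patch arrives.

```powershell
# Added example (not from the original post). Reports the DEP state the post says
# to verify, using properties the Win32_OperatingSystem WMI class really exposes.
# Policy codes follow Microsoft's documentation for
# DataExecutionPrevention_SupportPolicy: 0=AlwaysOff, 1=AlwaysOn, 2=OptIn, 3=OptOut.

function Get-DepStatus {
    # Get-CimInstance exists from PowerShell 3.0; fall back to Get-WmiObject on
    # older hosts such as XP-era PowerShell 2.0.
    if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
    } else {
        $os = Get-WmiObject -Class Win32_OperatingSystem
    }

    $policyMeaning = @{
        0 = 'AlwaysOff: DEP disabled for every process'
        1 = 'AlwaysOn: DEP enforced for every process, no exceptions allowed'
        2 = 'OptIn: only Windows system binaries are covered (the FIRST radio button, XP SP2 default)'
        3 = 'OptOut: all programs covered except an exception list (the SECOND radio button)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        SupportPolicy        = $policy
        PolicyMeaning        = $policyMeaning[$policy]
        CoversDrivers        = [bool]$os.DataExecutionPrevention_Drivers
        Covers32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
    }
}

function Test-DepProtectsAllPrograms {
    # $true only when the processor's NX support is actually in use (hardware DEP)
    # AND the policy covers all programs. Without hardware support, XP's "software
    # DEP" only validates structured exception handlers; it does not stop code running
    # from data pages, which is why the post calls DEP an incomplete protection.
    $dep = Get-DepStatus
    return ($dep.HardwareDepAvailable -and ($dep.SupportPolicy -eq 1 -or $dep.SupportPolicy -eq 3))
}

$status = Get-DepStatus
$status | Format-List HardwareDepAvailable, SupportPolicy, PolicyMeaning, CoversDrivers, Covers32BitApps

if (Test-DepProtectsAllPrograms) {
    Write-Host 'DEP is hardware-enforced and covers all programs.'
} else {
    Write-Warning 'DEP is not giving full coverage: follow the Control Panel steps above, and check that the processor/BIOS NX feature is enabled.'
}

# Interim workaround (assumed to be the one the linked Security Fix article gives):
# unregister the Windows Picture and Fax Viewer so Explorer thumbnails and the image
# preview no longer hand WMF files to the vulnerable rendering engine. This narrows
# the exposure rather than fixing the flaw, and it is why thumbnails stop showing.
# Run from an Administrator prompt:
#   regsvr32 /u "$env:windir\system32\shimgvw.dll"
# Reverse it once the official patch is installed:
#   regsvr32 "$env:windir\system32\shimgvw.dll"
```

Run the script as-is to see the report; a machine that shows `HardwareDepAvailable : False` is relying on software DEP only, and no radio-button setting will change that without NX support in the processor and BIOS.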

Thankfully, I've been so busy this week that I haven't really done a lot of online research. End result, my machine is clean at least.

ETA: According to the Sunbelt Blog, chatting by IM will also make you vulnerable to this attack. Be sure to read through the latest posts, which give a fantastic overview of the situation.

Also, check out the blog of the programmer who created the patch at Hexblog for updates on the patch as well as a nifty tool to see if you're vulnerable to attack. Please be aware that Hexblog is getting slammed right now as people race to get the downloads and fixes, so please be patient.

ETA2: SANS — Internet Storm Center has a .WMF FAQ on why this issue is so important.

ETA3: The latest Firewall Update from Norton/Symantec will not allow you to run the WMF Vulnerability Checker. It recognizes it as a virus/trojan/attack, jumps all over it, and kills it dead before you can run it. The updated Norton Firewall also will not allow you to download any file whose name includes both "WMF" and ".exe". Which, well, good, because that's why I pay these people. On the other hand...

So please note that you should download the Hexblog patch before updating your firewall, otherwise you might be blocked from doing so.

ETA4: In light of the current WMF threat, and because my Norton Firewall threw up a WMF Exploit warning when I visited a YouSendIt link, I've gone through all the links included on my Sunnydale Survivors soundtrack to make sure they're "clean." The sites and downloads appear to be in the clear. However, this is subject to change as both YouSendIt and MegaUpload rotate ads. Please make sure to update your firewall protection (if Symantec has updated for WMF, I'm certain other firewalls have as well) before downloading any of the files.
