Workaround for the WMF Exploit

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.

The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, simply re-register Shimgvw.dll :

1. Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the registration process has succeeded.
Click OK to close the dialog box.

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

US Govt Posts Social Security Numbers on the Web

From InfoWeek

A document on the Justice Department Executive Office for Immigration Review's site listed the name and Social Security number of a woman involved in a 2003 immigration review case. Other searches of the site yielded more Social Security numbers and identifying information.

Link: InformationWeek | Identity Theft | InformationWeek Exclusive: Justice Department Reveals Social Security Numbers | December 23, 2005.

MacScan: Finding Worms in the Apple

Spyware and keystroke loggers have often been thought of as a Windows only problem, but Nicholas Raba, CEO of SecureMac.com and co-author of Maximum Security says many Apple Macintosh users may have a false sense of security. SecureMac has released MacScan which detects and removes Macintosh spyware, remote administration utilities and keystroke loggers.

Link: Security expert says Mac users may have a false sense of security | TG Daily.

New WMF Vulnerabilty Give Malicious Sites Full Control

A vulnerability has been discovered in Microsoft Windows, which can be used to compromise even fully patched systems (Windows XP Service Pack 2). According to Secunia users simply need to preview a a corrupted WMF in explorer, Windows Picture Fax Viewer, or IE to execute the exploit. As noted by Sunbelt this exploit is being actively exploited in the "Wild". If you are running Windows do not open a WMF file from anyone you do not explicity know and trust and if you are using Internet Explorer set your security level to "High".

1. To raise the browsing security level in Microsoft Internet Explorer:

2. From the Internet Explorer Tools menu, click Internet Options.

3. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

4. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High. (If no slider is visible, click the Default Level button and then move the slider to High.)

Link: http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

Happy Holiday's

Talesfromthetechside will take a short break over the holidays I will resume our regularly scheduled programming on Tuesday the 27th of December. Have a wonderful holiday and enjoy the rest.

Rootkit Guru: AntiVirus Makes Me Do It

Smart computer users know that once a computer is infected by a rootkit, it's changed forever. And as Windows rootkits go, Hacker Defender is among the most dangerous. The author of Hacker Defender, holy_father, explains why he does what he does, and what you can do to detect his rootkit.

Link: Rootkit Guru: AntiVirus Makes Me Do It.

Measuring How Spyware Spreads

Suzi of Spyware Warrior and Spyware Confidential has posted her top 10 list of spyware infection methods for 2005. The most prevelant trend throughout is the increase in rootkit usage, using third party applications to infect Internet Explorer, and using anti-spyware as installation vectors. For myself in 2006 I believe we will see more spyware for firefox, spyware using drm technology to cloak itself, and BitTorrent being used as both a control and distribution network.

Link: Top 10 tricks causing spyware epidemic | Spyware Confidential | ZDNet.com.

XSS vulnerabilities in Google.com

Two XSS vulnerabilities were identified in the Google.com website, which allow an attacker to impersonate legitimate members of Google's services or to mount a phishing attack. The advisory is well written and easy to read click the link below to view it.

Link: [WEB SECURITY] XSS vulnerabilities in Google.com.

Symantec Antivirus Vulnerable When Scanning RAR Files

Owners of Norton and Symantec products excluding Symantec Corporate versions 8 & 9, Symantec Client Security, Enterprise Firewall, Clientless VPN Gateway 4400 series, Firewall/VPN Appliance, and Gateway Security 300/400 series are vulnerable when decompressing RAR Files.

Due to the way these products decompress RAR files a user's system could be controlled remotely through a worm or virus hidden within a RAR file. A RAR file is an archive much like a zip file in that the data is compressed thereby making it easier for large amounts of and is popular on P2P networks and Usenets due to the way it can broken into multiple parts and reassembled.

According to Symantec there are no documented viruses or worms exploiting this but given the popularity of the Anti-virus platform and RAR files it is only a matter of time. The default configuration of Symantec Anti-Virus is to scan all incoming email makes it likely that this vulnerability could be exploited without any action from the user. Therefore until a solution is released it is advisable that users of these products do not scan RAR files delete the attachment if you are not sure of the user but do not scan the file. If you are unsure how to do this please ping me on yahoo or send me an Email and I will be happy to help unfortunately due to the number of affected products I can not post walk-throughs for each.

Affected Products

Product	Version
Norton AntiVirus for Microsoft Exchange	2.18
Symantec Mail Security for Microsoft Exchange	4.0
	4.5
	4.6.3
Symantec AntiVirus/Filtering for Domino NT	3.1
Symantec Mail Security for Domino NT	4.0
	4.1.4
Symantec AntiVirus/Filtering for Domino Ports	3.0.11
Symantec AntiVirus Scan Engine	4.1.8
	4.3.12
Symantec AntiVirus for MS ISA	4.3.12
Symantec AntiVirus for MS Sharepoint	4.3.12
Symantec AntiVirus for Messaging	4.3.12
Symantec AntiVirus for NAS	4.3.12
Symantec AntiVirus Scan Engine for NetApp Filer	4.0
	4.3
Symantec AntiVirus Scan Engine for NetApp NetCache	4.0
	4.3
Symantec AntiVirus Scan Engine for Bluecoat	4.0
	4.3
Symantec AntiVirus for Clearswift	4.3.12
Symantec AntiVirus Scan Engine for Caching	4.3.12
Symantec AntiVirus for SMTP	3.1
	4.1.9
Symantec Client Security	3.x
Symantec Web Security	3.0.1
Symantec BrightMail AntiSpam	5.5
	4.0
Symantec Gateway Security 5000 Series	3.0
Symantec Gateway Security 5400 Series	2.0
Symantec Gateway Security	1.0
Symantec Norton Anti-virus for Macintosh Corporate Edition	9.0
Symantec Mail Security for Microsoft Exchange	5.0
	4.6
	4.5
	4.0
Symantec AntiSpam for SMTP	3.1
Symantec AntiVirus/Filtering for Domino NT	3.1
Symantec Mail Security for Domino	4.0
	4.1
Symantec AntiVirus/Filtering for Domino Ports	3.0
Symantec Scan Engine	5.0.1 and earlier
Symantec AntiVirus Scan Engine	4.3
Symantec AntiVirus Scan Engine for ISA	4.3.X
Symantec AntiVirus Scan Engine for Netapp Filer	4.3.X
Symantec AntiVirus Scan Engine for Netapp NetCache	4.3.X
Symantec AntiVirus for Caching	4.3.12 and earlier
Symantec AntiVirus for Clearswift	4.3.12 and earlier
Symantec AntiVirus Scan Engine for Microsoft Portal Server	4.3.X
Symantec AntiVirus Scan Engine for Bluecoat	4.3.X
Symantec AntiVirus Scan Engine for Filers	4.3.X
SharePoint Portal Server 2003
Symantec AntiVirus for SMTP	3.1
	4
Symantec Mail Security for SMTP	4.0
	4.1
Symantec Web Security	3.01x
Symantec BrightMail AntiSpam	6.0
	4.0
	5.5
Symantec AntiVirus Corporate Edition	10
Symantec Norton AntiVirus	7.6
Symantec I-Gear
Symantec AntiVirus for HandHelds - Corporate Edition
Symantec Client Security for Nokia

Consumer Products

Product	Version
Symantec Norton Anti-virus	2006
	2005
	2004
Symantec Norton Internet Security Professional	2006
	2005
	2004
Symantec Norton System Works	2006
	2005
	2004
Norton Personal Firewall	2006
	2005
	2004
Symantec Norton Anti-virus for Macintosh	9.x
Symantec Norton Internet Security for Macintosh	3.x
Symantec Norton System Works for Macintosh	3.x
Symantec Norton Anti-virus for Macintosh	7.x
Symantec Norton Anti-virus for Macintosh	8.x
Symantec Norton Internet Security for Macintosh	2.x
Symantec Norton System Works for Macintosh	7.0
Symantec Norton Anti-virus for Macintosh	9.x
Symantec Norton Internet Security for Macintosh	3.x
Symantec Norton System Works for Macintosh	3.x
Symantec AntiVirus for Handhelds	All

Link: SecurityFocus.

Link: Symantec Advisory

Germany: Sober Virus Makes Pedophile Turn Himself In

The Sober virus which has been sending emails to unsuspecting people telling them that they are being investigated due to visiting illegal sites on the Internet inadvertently did some good this last week. The emails coming from various agencies look very realistic, so realistic that this past week in Germany a person received a message turned himself into the local police office. When officers investigated they found the computer contained child pornography. While I in know way believe this was the intent of the of this virus's writers it is good to know that a person who exploited children was caught.

Link: F-Secure : News from the Lab.