
Monday, January 30, 2006

Winamp 5.x Exploit

Secunia reports on an exploit that may allow evildoers to compromise a user's system. The exploit is publicly available, so until a patch is issued, use one of the many other programs in place of Winamp.

Posted by Matthew Carrick at 8:00.44 AM EST | Permanent Link

| Categories: Security Alerts

Saturday, January 21, 2006

Nyxem.e Email Worm Spreading Fast

This puppy is really spreading fast - over 500,000 PCs are likely infected, and when the trojan's payload is released on the 3rd of February it could get much worse. Users need to practise safe emailing to avoid this and other nasties. F-Secure has the details here: http://www.f-secure.com/v-descs/nyxem_e.shtml.

Posted by Matthew Carrick at 9:21.14 PM EST | Permanent Link

| Categories: Security Alerts, Viruses-Trojans-Worms

Monday, January 16, 2006

Apple iWeb - RSS for Macheads

Apple has introduced an RSS reader/writer as part of the iLife suite. iThink Mac users will love it :-)
Hotwired has the info here: http://www.hotwired.com/webmonkey/06/02/index3a.html.

Posted by Matthew Carrick at 9:26.50 AM EST | Permanent Link

| Categories: All Things Mac, RSS Applications

Windows WiFi Vulnerability

The Washington Post reports a flaw related to ad-hoc networks on WiFi-enabled Windows 2000 or XP machines. The solution, at least until Microsoft patches the flaw, is to use a firewall - this prevents the exploit. The blog has full details: http://blogs.washingtonpost.com/securityfix/2006/01/windows_feature.html.

Posted by Matthew Carrick at 9:17.40 AM EST | Permanent Link

| Categories: Best Practices, Privacy Issues, Security Alerts

Thursday, January 12, 2006

Norton SystemWorks Patch

Symantec has patched its Norton SystemWorks following the discovery of a security vulnerability. Users are advised to run LiveUpdate ASAP.

Thursday, January 05, 2006

WMF Exploit Official Microsoft Patch Available

Microsoft has released the official patch designed to close the WMF exploit. If you are running Microsoft Windows 2000 with Service Pack 4, download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=AA9E27BD-CB9A-4EF1-92A3-00FFE7B2AC74. If you are running Microsoft Windows XP with Service Pack 1 or 2, download from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9.

Wednesday, January 04, 2006

WMF Exploits via Email, Part 2

The latest email using the WMF exploit purports to come from Yale University. If the link within the email is clicked, the exploit launches. This evil site also attempts to exploit flaws found in older versions of Firefox - another reason to upgrade to the latest Firefox. Unless you are protected as previously outlined (here, here, here and here) you are screwed! Welcome to the Internet! Sheesh. Please add the following entries to your ever-expanding hosts file:

  • playtimepiano[dot]home[dot]comcast[dot]net
  • 86[dot]135[dot]149[dot]130 # UDP
  • 140[dot]198[dot]35[dot]85:8080 # IRC
  • 24[dot]116[dot]12[dot]59:8080 # IRC
  • 140[dot]198[dot]165[dot]185:8080 # IRC
  • 129[dot]93[dot]51[dot]80:8080 # IRC
  • 70[dot]136[dot]88[dot]76:8080 # IRC

Please note that [dot] (above) should be replaced with a period (.).
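The hosts-file step above, as an added example that is not part of the original post: it converts [dot]-defanged indicator lines into hosts-file entries. A hosts file only maps names to addresses, so bare IP and IP:port indicators are returned separately for a firewall block list. The sample indicators are constructed (documentation ranges and example.net), and the 127.0.0.1 sinkhole address and function names are assumptions.

```python
import ipaddress
import re

SINK = "127.0.0.1"  # assumption: point blocked names at loopback
HOSTNAME = re.compile(
    r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def refang(text):
    """Undo the [dot] defanging used in the post."""
    return re.sub(r"\[dot\]", ".", text, flags=re.IGNORECASE)

def classify(line):
    """Return (kind, value); kind is 'host', 'ip' or 'skip' (IPv4 only)."""
    # Drop the trailing "# comment" and any leading bullet characters.
    entry = line.split("#", 1)[0].strip().lstrip("•*- ").strip()
    if not entry:
        return ("skip", "")
    entry = refang(entry).lower()
    host, _, _port = entry.partition(":")
    try:
        ipaddress.IPv4Address(host)
        return ("ip", entry)          # keep the port for the firewall rule
    except ValueError:
        pass
    if HOSTNAME.fullmatch(host):
        return ("host", host)
    return ("skip", entry)            # malformed: never write it to hosts

def build(lines):
    """Split indicators into hosts-file lines and firewall-only entries."""
    names, firewall = [], []
    for line in lines:
        kind, value = classify(line)
        if kind == "host" and value not in names:
            names.append(value)
        elif kind == "ip" and value not in firewall:
            firewall.append(value)
    return [f"{SINK}\t{name}" for name in names], firewall

# Constructed sample input, not the indicators from the post.
SAMPLE = [
    "  • bad-site[dot]example[dot]net",
    "  • 192[dot]0[dot]2[dot]10 # UDP",
    "  • 198[dot]51[dot]100[dot]7:8080 # IRC",
    "  • BAD-SITE[dot]example[dot]net",
    "  • not a hostname",
]

if __name__ == "__main__":
    hosts_lines, firewall = build(SAMPLE)
    print("\n".join(hosts_lines))
    print("firewall only:", firewall)
```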

Posted by Matthew Carrick at 9:40.07 AM EST | Permanent Link

| Categories: Security Alerts, Viruses-Trojans-Worms

Sunday, January 01, 2006

WMF Exploit Unofficial Patch

Tests performed on various machines protected by up-to-date anti-virus applications have shown that they are almost powerless to stop this series of WMF exploits. On top of the previous best practices, an unofficial patch has been released. Understand that Microsoft has no hand in this, so if it breaks your OS you are on your own. Since Microsoft appears to not have a fix in the works for a long while, this patch is likely a good move until an official fix is released.

Remember to first run the command "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotes) from START - RUN. Assuming you get the OK that the "Microsoft Picture and Fax Viewer" was successfully unregistered, then run the patch found here: http://handlers.sans.org/tliston/wmffix_hexblog11.exe.

WMF Exploits via Email

The email's Subject line is "Happy New Year" and the Body says "picture of 2006". Attached is an exploit WMF file named "HappyNewYear.jpg". When HappyNewYear.jpg is accessed (file opened, folder viewed, file indexed by Google Desktop) it executes and downloads a backdoor trojan from www[dot]ritztours.com. Please add this domain to your hosts file and make sure your anti-virus is up to date.

Posted by Matthew Carrick at 8:26.42 AM EST | Permanent Link

| Categories: Security Alerts, Viruses-Trojans-Worms