
Saturday, December 31, 2005

2005 List of (Known!) OS Vulnerabilities

Nothing says 'end of year' like a big honking list of all (known) vulnerabilities in various operating systems.

Read it and be afraid, very afraid: http://www.us-cert.gov/cas/bulletins/SB2005.html.

Happy New Year!

Posted by Matthew Carrick at 9:42.19 AM EST | Permanent Link

| Categories: Headlines, Security Alerts

Thursday, December 29, 2005

Windows Metafiles (.WMF) Exploits Continue, Part 2

Microsoft has explained how to unregister the Windows Picture and Fax Viewer (Shimgvw.dll):

  1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

NOTE: The Windows Picture and Fax Viewer will no longer open when you click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following these steps:

  1. Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

Wednesday, December 28, 2005

Windows Metafiles (.WMF) Exploits Continue

It appears that real-time indexing of metafile data by Google Toolbar is enough to trigger the payload. For now you should disable this indexing of media files until Microsoft issues a patch.

You should also add the following sites to your hosts file:
  • Crackz.ws
  • unionseek.com
  • www.tfcco.com
  • Iframeurl.biz
  • beehappyy.biz

There is no "MSN Messenger 8 Working BETA"!

So don't be clicking those links to download a copy even if the Instant Message comes from a friend. Especially if that friend is not as security aware as you. All you MSN Messenger users read this: http://www.infoworld.com/article/05/12/27/HNmicrosoftvirkelvirus_1.html and this: http://www.f-secure.com/weblog/archives/archive-122005.html#00000751.

Windows Metafiles (.WMF) Exploits

You might add unionseek[DOT]com to your hosts file. The site is using images, specifically .WMF files (Windows Metafiles), to carry a payload of trojans. Internet Explorer is vulnerable. Older versions of Firefox and Opera are also at risk, but at least they prompt users before they launch external applications ("Windows Picture and Fax Viewer") to view the image. F-secure has the details here: http://www.f-secure.com/weblog/archives/archive-122005.html#00000752. The first I saw of it was at The Register: http://www.theregister.co.uk/2005/12/28/messenger_virus/.
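The hosts-file blocking suggested in this post and in the "Exploits Continue" post above can be scripted so that it is safe to repeat. This is an added example, not code from the original posts; the function names, the `127.0.0.1` sinkhole address and the sample hosts text are assumptions made for illustration.

```python
# Added example, not from the original post. Hosts lookups match exact names,
# so "unionseek.com" does not cover "www.unionseek.com".
SINKHOLE = "127.0.0.1"  # assumption: loopback as the sinkhole address
BLOCKLIST = ["Crackz.ws", "unionseek.com", "www.tfcco.com",
             "Iframeurl.biz", "beehappyy.biz"]  # domains named on this page
# Constructed sample hosts text, not a real file.
SAMPLE = "127.0.0.1 localhost\n10.0.0.5 UNIONSEEK.com  # stale entry\n"


def mapped_names(hosts_text):
    """Return {lowercased hostname: address} for every entry in hosts text."""
    found = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comment, then tokenize
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        for name in fields[1:]:
            found.setdefault(name.lower(), fields[0])  # keep first entry seen
    return found


def merge_blocklist(hosts_text, domains=BLOCKLIST, sinkhole=SINKHOLE):
    """Return (new_text, added, conflicts); safe to run repeatedly.

    conflicts lists names already mapped to another address. They are left
    untouched so the existing mapping can be reviewed by hand.
    """
    existing = mapped_names(hosts_text)
    added, conflicts, seen = [], [], set()
    for domain in domains:
        name = domain.strip().lower().rstrip(".")
        if not name or name in seen:
            continue
        seen.add(name)
        if name not in existing:
            added.append(name)
        elif existing[name] != sinkhole:
            conflicts.append((name, existing[name]))
    new_text = hosts_text
    if added:
        if new_text and not new_text.endswith("\n"):
            new_text += "\n"
        new_text += "".join(f"{sinkhole}\t{n}\n" for n in added)
    return new_text, added, conflicts


if __name__ == "__main__":
    print(*merge_blocklist(SAMPLE), sep="\n")
```

The function only transforms text; writing the result back to the hosts file needs administrator rights and is left to the reader.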

Friday, December 23, 2005

Dell Notebook Batteries Recalled

CBC.CA is reporting a recall of 1,500 batteries in Canada here: http://www.cbc.ca/story/canada/national/2005/12/23/Dell-batteries051223.html. The batteries, sold between Oct. 5, 2004 and Oct. 13, 2005, are for these Dell models:

  • Latitude(TM) D410, D505, D510, D600, D610, D800, D810.
  • Inspiron(TM) 510M, 600M, 6000, 8600, 9200, 9300, XPS Gen 2.
  • Precision(TM) M20 and M70 mobile workstations.

Posted by Matthew Carrick at 4:44.47 PM EST | Permanent Link

| Categories: Hardware Recalls

Thursday, December 22, 2005

IM Trojan on the Loose

Various reports, including this one: http://news.zdnet.com/2100-1009_22-6002790.html, have a new Instant Messaging trojan being sent to AOL, MSN and Yahoo users. The link, to some lame Santa whats-it, also installs a Rootkit on users' Windows PCs. The links arrive from people on users' "buddy lists" so folks are not as suspicious as they might otherwise be. Remember to never click, download, accept attachments, etc. unless you have been informed before the fact that they are on the way.

Monday, December 19, 2005

Bluetooth Vulnerability

The folks at digitalmunition.com have found a security hole in most Bluetooth software. The skinny is here: http://www.digitalmunition.com/DMA%5B2005-1214a%5D.txt. F-secure has an overview of the problem here: http://www.f-secure.com/weblog/archives/archive-122005.html#00000741.

Posted by Matthew Carrick at 8:37.32 PM EST | Permanent Link

| Categories: Best Practices, Bluetooth, Privacy Issues, Security Alerts

Wednesday, December 14, 2005

Fake McAfee Site via Email Links

F-Secure has reported instances of fake emails from McAfee with links that point to a bogus site with downloads that contain viruses. Applications do not update themselves by having their parent company send emails encouraging users to visit sites. Be aware of what software is installed on your PC. Determine which of these update automagically and keep a grip on what URLs correspond to what websites. If in doubt, do not click that link! Never respond to unsolicited emails.

The Thirty Day Rule

An old JavaScript vulnerability in all Firefox versions prior to 1.0.5 has taken on a new life since the code to take advantage of it has been published on the web. Those of you who are still happily using older versions should upgrade. Best Practices: Always upgrade to the latest version of software at about the thirty-day mark after its release because . . . a) This gives any bugs in the release time to be found by all those early adopters, allowing the developers time to patch the bug. b) Not enough time has passed that evil virus writers have released exploits. c) Authors of plugins and other add-ons (such as Firefox extensions) will have had time to patch their products.

Posted by Matthew Carrick at 8:50.06 AM EST | Permanent Link

| Categories: Best Practices, Mozilla Firefox, Security Alerts

Thursday, December 08, 2005

Sony Rootkit Patch Needs Patch

The Sony Rootkit saga lurches ever onward with news that the recently issued patch can, according to Cnet, ". . . allow Sony's original patch to trigger malicious software on a computer, if that software was already in place when the patch was installed." What to do? Dunno. Wait and see? Sounds good.

Posted by Matthew Carrick at 11:49.56 PM EST | Permanent Link

| Categories: Security Alerts

Wednesday, December 07, 2005

IM Worm 'Chats' to Victims

CNET is reporting a new worm that tricks users on America Online's Instant Messenger to download a .pif file containing a trojan that does the usual evil things. The worm, IM.Myspace04.AIM, appears to respond to keywords. Dubious people asking about possible viruses are assured, "lol no its not its a virus". If this trend continues (oh, it will) make sure you only chat with known users and DO NOT download files unless you have an up-to-date anti-virus, etc. on your Windows machine. You might also want to try using the GAIM IM client.

Posted by Matthew Carrick at 12:37.09 PM EST | Permanent Link
Edited on: Thursday, December 22, 2005 8:36.52 AM EST

| Categories: Alternative Apps, Instant Messaging, Security Alerts, Viruses-Trojans-Worms

Aardvark

Posted by Matthew Carrick at 11:52.35 AM EST | Permanent Link

| Categories: Firefox Extensions, Mozilla Firefox, Software Tools

Sony Rootkit Patch

SunnComm Makes Security Update Available To Address Recently Discovered Vulnerability On Its MediaMax Version 5 Content Protection Software, Which Is Included On Certain SONY BMG CDs

The full scoop is here: http://www.eff.org/news/archives/2005_12.php#004234. Sony has finally (it appears) got the message that Rootkits are bad. Check the end of the article to determine if you have any of the affected titles and if so download and apply the patch.

Tuesday, December 06, 2005

Google Desktop Patched

Google has patched the security hole in its Google Desktop application as noted here. You may now go back to using Internet Explorer. Sucker.

Posted by Matthew Carrick at 1:06.25 PM EST | Permanent Link

| Categories: Security Alerts

Sunday, December 04, 2005

Object Lesson in Keeping Current

Much like no one likely suspected that Sony would be involved in Rootkits, we have a story about hardware containing a trojan. F-secure has the scoop and the previous horrors: http://www.f-secure.com/weblog/archives/archive-112005.html#00000723. The companies had no intention of placing these trojans, but you must always be aware of your own security. Be aware that hardware and/or software could be compromised. So, always have an updated anti-virus running and run applications designed to catch spyware, adware and other evils.

Posted by Matthew Carrick at 7:14.43 PM EST | Permanent Link

| Categories: Best Practices, Security Alerts

Phishing with Google Desktop & Internet Explorer 6

If you use Google Desktop and Internet Explorer 6 you run the risk of exposing information on your PC to evil web site operators. The details are here: http://www.theregister.co.uk/2005/12/03/google_desktop_vuln/. The solution? The usual - use Firefox or Opera ;-)

Posted by Matthew Carrick at 6:59.24 PM EST | Permanent Link

| Categories: Mozilla Firefox, Opera, Security Alerts