Posts Tagged ‘MSN Messenger’

Temporary Fix for the WMF Exploit

Since Microsoft has decided to wait until Tuesday to release its patch for the latest Windows exploit, the WMF security flaw, F-Secure has posted on their site about a fix released by Ilfak Guilfanov, the author of Interactive Disassembler and probably one of the best low-level Windows experts in the world. The fix is here.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

This flaw has already spawned dozens of attacks, from an MSN Messenger worm to spam that tries to get users to click on links to malicious web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

“We have seen dozens of different attacks using this vulnerability since Dec. 27,” Hypponen said. “One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks.”

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user’s system and allow sensitive files to be viewed.

A chief researcher at F-Secure said,

“We are still far away from a massive virus,” he said. “Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected.”

In an article posted today, an antivirus specialist stated that over a million PCs have been compromised:

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

“I’m sure it’s just a matter of days until the first (self-propagating) WMF worm will appear,” he said. “A patch is urgently needed.”

So, with Microsoft waiting until Tuesday, attackers are going to have about a week with no worries to try to take advantage of this. So far, most of the attacks have involved installing spyware and adware to display pop-up advertising on the infected PCs.

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. “Microsoft’s goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins,” the company said.

To protect Windows users, Microsoft shouldn’t wait, but release the patch now, several critics said.

“The flaw is actively exploited on multiple sites, and antivirus provides only limited protection,” said Johannes Ullrich, the chief research officer at the SANS Institute. “Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch.”

Once again, we see a large company not really caring about the users and all they are doing is creating even more ill will.

Added: One of the F-Secure researchers stated that one of their test machines became infected after downloading an infected file using the Wget command line tool, without even executing it.

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

Posted by Jimmy Daniels - January 4, 2006 at 11:39 am

Categories: Microsoft News, Spyware Info, Tech News, Virus Info

Microsoft Could Pull Windows out of South Korea

Responding to a statement from South Korea’s Fair Trade Commission, Microsoft has stated that if it is required to remove code, such as MSN Messenger or Windows Media Player, and create a special edition for the Korean market, it may have to withdraw Windows or delay the offering of new versions of Windows. From,

The KFTC began its probe in 2001, when South Korean Internet portal Daum Communications alleged that Microsoft’s bundling of the operating system with other services broke antitrust rules. It widened the probe, following a similar complaint from RealNetworks in late 2003.

A ruling could come as soon as Wednesday, a KFTC spokesman said.

“No matter what Microsoft does, we will proceed with our deliberation and discuss it again at a plenary session on Wednesday,” Lee Tae Hwi said by telephone. “There is no change in our stance to fight unfair business practices.”

In a recent settlement with RealNetworks, Microsoft agreed to pay them 761 million to settle a suit that claimed Microsoft was using its dominance to push Windows Media Player.

As a part of the agreement, RealNetworks said it would drop similar suits in South Korea and Europe.

But the Korean commission has said its investigation would not be affected by the settlement.

An article on Yahoo from the AP adds,

Microsoft’s competitive practices have been under investigation by the Korean Fair Trade Commission, which is looking into the company’s inclusion into Windows of streaming media and instant messenger technology.

The Redmond, Wash.-based software giant has faced legal and regulatory antitrust actions worldwide because of its decisions to include various services in its operating system.

In its quarterly report filed Thursday with the Securities and Exchange Commission, Microsoft said the Korean commission could require the company to remove code or redesign Windows uniquely for the Korean market.

In other news, Microsoft reported their first quarter earnings, which were just ahead of Wall Street estimates, but, even so, sales and current quarter forecasts fell short of their expectations.

The company said it earned $3.14 billion or 29 cents per share, on revenue of $9.74 billion for the three months ended Sept. 30, including the earnings hit caused by a settlement with RealNetworks. The results compare with earnings of $2.52 billion, or 23 cents per share, on revenue of $9.19 billion for the same quarter a year ago. The year-ago figures include a charge for Microsoft’s settlement with Novell.

Excluding the cost of the RealNetworks pact, Microsoft would have had earnings of 31 cents per share. Analysts were expecting the company to post earnings of 30 cents per share, excluding the legal costs, but including stock-based compensation charges, on revenue of $9.78 billion, according to First Call. In July, Microsoft had forecast earnings of between 29 and 31 cents per share on revenue of $9.7 billion to $9.8 billion.

There’s always bad news with the good news, right folks?

Shares of Microsoft slipped in after-hours trading following the report, changing hands recently at $24.16, down more than 2 percent from their $24.85 closing price.

For the full fiscal year, which stretches through June 30, Microsoft said it expects revenue in the range of $43.7 billion to $44.5 billion and per-share earnings in the range of $1.26 to $1.30, including the two-cent charge for the RealNetworks settlement. That’s roughly similar to the full-year outlook given by Microsoft three months ago.

They have announced a “big bang” of products coming, pointing to the release of SQL Server 2005, Windows Vista, Visual Studio and other products.

Microsoft is “at the beginning of 12 months of the greatest innovation pipeline we have ever had,” Ballmer said.

Posted by Jimmy Daniels - October 28, 2005 at 8:12 am

Categories: Microsoft News, Windows XP