A Windows 98 & ME forum. Win98banter


Microsoft makes errors in Microsoft Security Advisory (912840)



 
 
#1 January 4th 06, 12:30 PM, posted to microsoft.public.windowsme.general

Just an FYI for ME users.....

[Standard Disclaimer: I could always be wrong.....but.....]

In the most current update to Microsoft's Security Advisory about the WMF
exploit (http://www.microsoft.com/technet/sec...ry/912840.mspx), I
believe that there are several mis-statements that should be addressed in the
"Mitigating Factors" section.

1) "In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability."
This is false. Attackers can post infected files to unsecured websites or
photo blogs like Flickr. Hosting the website would add an unwanted trail to
the hacker and is avoided by all but the most inexperienced hackers. While
script kiddies will host this exploit, the more advanced exploitations are
likely to pop up on websites NOT hosted by the attackers.

In fact, all you have to do is view an infected image onscreen to
launch the attack against your PC.

2) "Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail or Instant Messenger
request that takes users to the attacker's Web site." Also not true.
Pop-ups can also hold exploits used to take over a user's PC. As you are
aware, you don't have to do anything to get a pop-up to launch except visit
a site that may have no knowledge of what is in the pop-up (other than any
advertising agreements they have with the pop-up target site or ad
reseller).

Also not taken into account is the rather nasty habit that most
websites (even sites like www.CNN.com) have of hosting third-party images that
are frequently retrieved from even a 4th, 5th or Xth party site. This
increases the likelihood of an attack being launched via 3rd party images on
even well-respected sites like www.cnn.com or www.cnet.com .

3) "In an e-mail based attack involving the current exploit, customers would
have to click on a link in a malicious e-mail or open an attachment that
exploits the vulnerability." This is not true for any user that reads their
email in HTML format. HTML emails automatically download and display images
in HTML emails. This means that simply reading an HTML email can infect an
unpatched machine. You don't have to click a thing.

A little lower in the updated advisory Microsoft states "In Windows
Server 2003, Microsoft Outlook Express uses plain text for reading and
sending messages by default. When replying to an e-mail message that is sent
in another format, the response is formatted in plain text.", indicating
that they are aware of the HTML email vulnerability, but not making it clear
that reading emails in HTML format can launch an attack without clicking on
anything.

4) "At this point, no attachment has been identified in which a user can be
attacked simply by reading mail." This is true and should be differentiated
from #3's mis-statement. An attachment must be clicked to be viewed. Note
the word "attachment". HTML emails (if read in HTML format) load their
images from servers and display them automatically within the email when you
view the HTML email. When reading an HTML email that contains an infected
image file, you do not need to click anything for the exploit to be
executed. The display of the image on your screen is all it takes to launch
its payload.

Financial Times states "Unlike most attacks, which require victims to
download or execute a suspect file, the new vulnerability makes it possible
for users to infect their computers with spyware or a virus simply by
viewing a web page, e-mail or instant message that contains a contaminated
image." - at
http://news.ft.com/cms/s/0d644d5e-7b...0779e2340.html

5) "This issue is not known to be wormable." Not true. An MSN Messenger
worm has already been reported to be spreading in the wild - see
http://www.f-secure.com/weblog/archi...ve-122005.html and
http://www.viruslist.com/en/weblog?d...92530&return=1.

If I've got anything wrong here (I'm not perfect either )....speak up.

Jim
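
The distinction drawn in points 3 and 4 of the post above, as an added example that is not part of the original thread: a mail filter can separate images an HTML-rendering client loads on view from attachments that wait for the reader to open them. The function name, report keys and sample message are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser


class ImgCollector(HTMLParser):
    """Collects the src of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def classify_images(raw_message):
    """Split a message's images by whether viewing alone would load them.

    remote_on_view   - <img> URLs an HTML-rendering client fetches on display
    embedded_on_view - cid: images carried in the mail and shown on display
    attachments      - parts that wait for the reader to open them
    """
    report = {"remote_on_view": [], "embedded_on_view": [], "attachments": []}
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            report["attachments"].append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, errors="replace")
            collector = ImgCollector()
            collector.feed(html)
            for src in collector.sources:
                scheme = src.split(":", 1)[0].lower()
                if scheme in ("http", "https"):
                    report["remote_on_view"].append(src)
                elif scheme == "cid":
                    report["embedded_on_view"].append(src)
    return report


# Constructed sample: one HTML body with two inline images, plus one attachment.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Greetings</p>
<img src="http://images.example.net/card.jpg">
<img src="cid:logo@example.com"/>
</body></html>
--b1
Content-Type: image/jpeg; name="card-copy.jpg"
Content-Disposition: attachment; filename="card-copy.jpg"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for kind, items in classify_images(SAMPLE_MESSAGE).items():
        print(kind, items)
```

Anything listed under `remote_on_view` is what a plain-text reading mode or a block-remote-images setting keeps from being fetched.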



#2 January 4th 06, 01:41 PM, posted to microsoft.public.windowsme.general

I see you appear to be one of the let's spread panic group Jim. :-)
Personally I feel that everyone needs to calm down and step back a moment
and consider how they use their PCs, whether they practice safe computing,
the sort of sites they visit, and more importantly whether they even have
the WMF file associated with an application or not.

Please answer me one question. Do you know anyone running a Win Me or Win
9x system who has actually fallen foul of this problem? If so then they
should contact Microsoft as requested and give them full details.
--
Mike Maltby





#3 January 4th 06, 02:59 PM, posted to microsoft.public.windowsme.general


"Mike M" wrote in message
...
I see you appear to be one of the let's spread panic group Jim. :-)
Personally I feel that everyone needs to calm down and step back a moment
and consider how they use their PCs, whether they practice safe computing,
the sort of sites they visit, and more importantly whether they even have
the WMF file associated with an application or not.

Please answer me one question. Do you know anyone running a Win Me or Win
9x system who has actually fallen foul of this problem? If so then they
should contact Microsoft as requested and give them full details.


No. I don't personally know anyone still using either of these operating
systems at all.

Jim


#4 January 4th 06, 03:14 PM, posted to microsoft.public.windowsme.general

Jim wrote:

No. I don't personally know anyone still using either of these
operating systems at all.


In which case may I politely suggest that you keep the unwarranted panic
to yourself and restrict yourself to posting facts. Whilst the WMF
exploit might for some mean they allow an unwanted trojan or keylogger
onto their system this should be immediately detected by a user's chosen
AV application provided that users keep their AV systems up to date and
practice safe hex.
--
Mike Maltby



#5 January 4th 06, 04:10 PM, posted to microsoft.public.windowsme.general


"Mike M" wrote in message
...
Jim wrote:

No. I don't personally know anyone still using either of these
operating systems at all.


In which case may I politely suggest that you keep the unwarranted panic
to yourself and restrict yourself to posting facts.


Please point out anything that I have posted that is not factual. (And,
quote me please....don't paraphrase.)

And, yes, you may suggest anything you wish.

Whilst the WMF exploit might for some mean they allow an unwanted trojan or
keylogger onto their system this should be immediately detected by a user's
chosen AV application provided that users keep their AV systems up to date
and practice safe hex.


May I politely suggest that you do a little research before posting? As of
Dec 31, 2005, all AV systems have not been keeping up -
http://www.eweek.com/article2/0,1895,1907102,00.asp. I have not had time to
check them as of today. Perhaps that is a good starting point for your
searches.

F-Secure shows the latest email attack at
http://www.f-secure.com/weblog/archi....html#00000764 in the
form of a Trojan payload, masquerading as a JPG file.

Are you seriously telling me that curious individuals would not normally
click on a JPG file? And, please don't tell me about your "safe hex"
standards. While you prefer to deal with what a perfect user should do, I
prefer to deal with users as they are. Imperfect like you and me.

Imperfect beings need a little more knowledge when the risks to their
behaviors change. Imperfect beings don't always follow the "safe hex"
suggestions and need to be informed of new and emerging threats in order to
protect themselves.

Imperfect users click on attachments that seem harmless (JPG, ZIP, GIF,
etc.). They need to know that there are new exploits that make that
behavior more risky now.

What they do not need is silence because you (or whoever) may have told them
about "safe hex" in the past.

And, here are some more facts for you (taken from
http://antivirus.about.com/od/virusd...fexploit_4.htm) Please
pay special attention to 4 & 5.

"Fact #1: You do not have to open the image file to be affected. If you
browse to a folder it's in, view a website it's on, receive it in email,
click a link pointing to an exploited image in IM or email, select it with
your mouse or keyboard, or if you use Google Desktop, the exploit will
render.

Fact #2: This is not a browser problem. Using Firefox or Opera isn't going
to help. This exploit is made possible because of a design flaw in the
Windows operating system. The rendering of the exploit happens within
Windows (gdi32.dll to be exact, and not from within and not because of the
browser). As seen in Fact #1 above, you can also encounter an exploited
image file in a variety of ways, not just by web surfing.

Fact #3: The .WMF extension is immaterial. Just because the image has a
different extension, doesn't mean it's not a WMF file containing the
exploit. The most recent version spotted in email was disguised as
HappyNewYear.JPG. This wasn't some double extension ruse either. Windows
doesn't care what extension the image file has, it will still recognize that
it's a WMF file and the handling for it will be the same - thus the exploit
will render.

Fact #4: The exploit is not restricted to Windows Fax and Picture Viewer.
The vulnerable DLL is actually GDI32.DLL. The previously implicated
SHIMGVW.DLL is guilty, but apparently only because it calls GDI32.DLL.
However, you can not unregister GDI32.DLL - not if you want your system to
function, that is. A patch for GDI32.DLL was created by IDA Pro genius Ilfak
Guilfanov and it's backed up by SANS. You can read more about Ilfak's patch,
and how to download it, here.

Fact #5: The exploit impacts nearly all Windows users. Affected versions
include: all versions of Windows XP (SP1 and SP2, Pro and Home, 32-bit and
64-bit), Windows Server 2003 (including SP1, 32-bit and 64-bit, and
Itanium-based versions), Microsoft Windows 2000 Service Pack 4, as well as
Windows 98 (including SE), and Windows ME. In short, if you use Windows,
odds are you are one of the 'hundreds of millions' sitting ducks to this
exploit. "

Cheers!

Jim
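
Fact #3 quoted in the post above says the file extension does not decide how the image is handled. As an added example (not from the thread or the quoted article), here is a content-based check a mail or file gateway could run: it recognises WMF data from its header fields, following the published WMF header layout, and flags files whose name claims another type. The function names and sample files are constructed for illustration.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
WMF_EXTENSIONS = {".wmf"}


def sniff_wmf(data):
    """Return parsed header fields if data begins like a WMF, else None."""
    info = {"placeable": False, "checksum_ok": None}
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        # Placeable checksum is the XOR of the first ten 16-bit words.
        checksum = 0
        for word in struct.unpack_from("<10H", data):
            checksum ^= word
        info["placeable"] = True
        info["checksum_ok"] = checksum == struct.unpack_from("<H", data, 20)[0]
        offset = 22
    if len(data) < offset + 18:
        return None
    # 18-byte metafile header: type, header size (words), version, file size
    # (words), object count, largest record (words), unused member count.
    ftype, header_words, version, size_words, _objs, _max_rec, _members = \
        struct.unpack_from("<HHHIHIH", data, offset)
    # Without the placeable magic this is a weak signature (three small
    # fields), so treat a hit as a reason to inspect, not as proof.
    if ftype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    info.update(version=hex(version), declared_bytes=size_words * 2)
    return info


def audit_file(name, data):
    """Compare what the name claims with what the content looks like."""
    if sniff_wmf(data) is None:
        return "not-wmf"
    if PurePath(name).suffix.lower() in WMF_EXTENSIONS:
        return "wmf"
    return "wmf-content-mismatched-extension"


# Constructed samples: harmless header-only files, no drawing records.
def sample_plain_wmf():
    eof_record = struct.pack("<IH", 3, 0x0000)            # 3 words, end-of-file record
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    return header + eof_record


def sample_placeable_wmf():
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum) + sample_plain_wmf()


def sample_jpeg():
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)


if __name__ == "__main__":
    for name, data in [("greeting.JPG", sample_plain_wmf()),
                       ("drawing.wmf", sample_placeable_wmf()),
                       ("photo.jpg", sample_jpeg())]:
        print(name, "->", audit_file(name, data))
```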


#6 January 4th 06, 04:44 PM, posted to microsoft.public.windowsme.general

Jim,

May I once again politely suggest that you stop spreading quite
unnecessary panic and YOU YOURSELF do some research. It appears you
prefer to believe everything that is posted rather than doing any real
work or research yourself.

When you've found someone running a Win 9x system who has been infected
please let me know and Microsoft know but until then may I suggest you get
on with that other job you said was so important and stop posting
unnecessary and irrelevant messages to this newsgroup. That you say you
know no-one running a Win9x system goes a long way to explaining why you
appear to understand much that you are posting.

Please point out anything that I have posted that is not factual.


By repeatedly posting to a Win 9x newsgroup details that are totally
irrelevant such as advising posters to install a patch that is designed
for XP.

Your facts are far from facts. You are little more than a scaremonger.
If this is how you get your kicks may I respectfully suggest that you do
so elsewhere.

One more question for you to answer please. Why is this group, and all
the others that I read, not filled with posts from people whose systems
have been infected due to this vulnerability rather than instead being
filled by posting forecasting the end of the world such as we know from
people such as yourself?
--
Mike Maltby



Jim wrote:


Posted yet more inflammatory and panic inducing twaddle.

#7 January 4th 06, 04:51 PM, posted to microsoft.public.windowsme.general

That you say you know no-one running a Win9x system goes a long way
to explaining why you appear to understand much that you are posting.


Should of course have read: .. why you appear NOT to understand much ...
--
Mike Maltby




#8 January 4th 06, 05:55 PM, posted to microsoft.public.windowsme.general

In ,
Mike M had this to say:

My reply is at the bottom of your sent message:

Jim wrote:

No. I don't personally know anyone still using either of these
operating systems at all.


In which case may I politely suggest that you keep the unwarranted
panic to yourself and restrict yourself to posting facts. Whilst the
WMF exploit might for some mean they allow an unwanted trojan or
keylogger onto their system this should be immediately detected by a
user's chosen AV application provided that users keep their AV
systems up to date and practice safe hex.


I can add that Noel and I have spent the past good number of hours
intentionally trying to get infected in various situations. At worst my AV
software eats the payload. At best it doesn't load at all. Even on XP
systems we had trouble getting infected! (I think Noel's still trying
though. Me? I'm giving up for a while and getting food.) Either way,
following best practices and being smart about the ways you surf and where
you go is far better prevention from a known threat than blissfully patching
and thinking that you're secure. So, yes, I agree... Avoid FUD. It just
makes things more problematic in the long-run.

--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/

"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes


#9 January 4th 06, 06:25 PM, posted to microsoft.public.windowsme.general

Galen,

Avoid FUD. It just makes things more problematic in
the long-run.


We clearly agree but unfortunately some people appear to prefer FUD and to
be trolls.

I can add that Noel and I have spent the past good number of hours
intentionally trying to get infected in various situations.


As did I a couple of days ago and decided that I was simply wasting my
time.
--
Mike Maltby





#10 January 4th 06, 10:01 PM, posted to microsoft.public.windowsme.general


"Mike M" , ignoring pleas for specific facts,
wrote in message ...
Jim,

May I once again politely suggest that you stop spreading quite
unnecessary panic and YOU YOURSELF do some research. It appears you
prefer to believe everything that is posted rather than doing any real
work or research yourself.


People like yourself amaze me. You completely skip the very first
qualifying line of the OP because it is convenient for your rant.

In case you just missed it...."Just an FYI for ME users....." This was just
supposed to be information for ME users. You have turned it into your
personal crusade to stop people from protecting themselves.

I am starting to wonder if you are simply a script kiddie that is angry that
people may be fortifying their machines before he could "take over the
world" with his new toy.


When you've found someone running a Win 9x system who has been infected
please let me know and Microsoft know but until then may I suggest you get
on with that other job you said was so important and stop posting
unnecessary and irrelevant messages to this newsgroup. That you say you
know no-one running a Win9x system goes a long way to explaining why you
appear to understand much that you are posting.

Please point out anything that I have posted that is not factual.


By repeatedly posting to a Win 9x newsgroup details that are totally
irrelevant such as advising posters to install a patch that is designed
for XP.


An FYI about a Windows exploit is irrelevant to Windows users. That's a
good one.

If you (even as an ME user) do not use XP or 2003 machines at all, you would
be in the minority of ME users.

If you (even as an ME user) do not view HTML emails you would be in an even
smaller minority.

If you believe that this does not apply to you, move on. How is my looking
after the welfare of others negatively affecting you?

Put me in your killfile and take your chances. It won't hurt my feelings
one bit, and I won't lose a wink of sleep over it.....I promise.


Your facts are far from facts. You are little more than a scaremonger. If
this is how you get your kicks may I respectfully suggest that you do so
elsewhere.


You are neither respectful nor knowledgeable about the topic that you have
chosen to join. Being respectful would be to quote the areas that you think
I said something incorrect, out of line or off topic for this newsgroup.
You call me a "scaremonger" while offering no security expert opinions that
the WMF exploit does NOT affect ME users. Quite to the contrary, they all
say that the WMF exploit CAN affect ME users.

While you may be many things, respectful is not one of them.

And, you have pointed to no statement that I have made so that we can see
your vast wisdom for what it is.

While I have never claimed to be an expert on WMF or Windows exploits, I
have pointed you to well known experts and security sites that more
thoroughly discuss the issue and also recommend the unofficial patch that I
have.

I cannot make you understand the issue. Nor can I make you take steps to
protect yourself (thus protecting those around you) by taking measures
recommended by experts in the security field.

I suggest that YOU do nothing. That would seem to make you happy and would
alleviate the burden of reading your posts - devoid of any factual rebuttals
to what I have posted.


One more question for you to answer please. Why is this group, and all
the others that I read, not filled with posts from people whose systems
have been infected due to this vulnerability rather than instead being
filled by posting forecasting the end of the world such as we know from
people such as yourself?


How would you know if you were infected? The exploits don't typically pop
up a "WE HAVE INFECTED YOUR PC" message box.

As more people (like yourself) do nothing, you will see internet traffic
slow, spam increase and DDOS attacks increase as more users do nothing and
become infected. (Yes, you can quote me on that.)

Now, put up or shut up. (No respect intended.)

Jim


 



