[personal profile] fleetfootmike
Via [livejournal.com profile] keristor and [livejournal.com profile] khaosworks:

Public service announcement. You may have heard of the latest WMF exploit for Windows. This is serious stuff, people — you may think you're not vulnerable, or that it won't happen to you, but it can, and it's just so easy to do, and it gives complete control by an intruder over your computer. Everything.

So rather than wait for Microsoft to get off their asses and patch it up by January 10, by which time Lord knows how many people will get bitten, you might do well to be just a tad paranoid and get the unofficial patch.

For just what the WMF exploit can do, see http://www.f-secure.com/weblog/archives/archive-122005.html

And the unofficial patch can be found at:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe

So, begone — go forth and patch that hole. Once the fix from Microsoft is issued, you can uninstall this and install the official one.


..or, of course, you could switch to Mac or Linux :)

(no subject)

Date: 2006-01-04 01:46 pm (UTC)
From: [identity profile] qb-fox.livejournal.com
This is a very serious loophole.

Our tech guru, much like the engineers at Chernobyl disarming the safeguards one at a time, accidentally triggered the virus while examining a WMF file dissected from a suspicious web page (without even opening it) when Windows auto-parsed it. Fortunately, and unlike the Russian technicians, it was on a deliberately isolated system.

Our examinations here are showing that to date neither AGV nor McAfee identified the virus.

(no subject)

Date: 2006-01-04 02:34 pm (UTC)
From: [identity profile] otherdeb.livejournal.com
Oh, ick.

(no subject)

Date: 2006-01-04 02:34 pm (UTC)
From: [identity profile] otherdeb.livejournal.com
If I had someone who could help me through the switch to Linux, including little things like getting my Palm to sync with the puter, I would switch in a heartbeat.

But I don't, so I'm trying to find out all the stuff I would need to do to make it work on my own, and bit by bit from friends.

(no subject)

Date: 2006-01-04 02:36 pm (UTC)
From: [identity profile] otherdeb.livejournal.com
Oh, and thanks for posting the newer patch. When I d/l'd hexblog13.exe, it prevented me from logging in to dal.net for a meeting. Hexblog 14.exe seems to have fixed that.

(no subject)

Date: 2006-01-04 02:40 pm (UTC)
From: [identity profile] nelladarren.livejournal.com
I already installed it last week after Paul's post. Just one question: you say after Microsoft issues a patch we should uninstall the hex and install the official patch.
Do you think the Microsoft patch will be better? And if I use both, isn't that safer? Or will they interfere?
:o)

(no subject)

Date: 2006-01-05 08:07 pm (UTC)
From: [identity profile] pbristow.livejournal.com
We don't know until Microsoft release their patch and we have a chance to find out what it does. It's more general principle that if there's an official patch available, you should use that rather than an unofficial one, because then there's less risk of a clash with whatever Microsoft do next, and you're more likely to get sympathetic support from MS for any other problems you get (i.e. they can't just blame everything on having non-MS patches on your system.)

(no subject)

Date: 2006-01-04 02:55 pm (UTC)
From: [identity profile] demoneyes.livejournal.com
..or, of course, you could switch to Mac or Linux :)

http://www.unshelved.com/archive.aspx?strip=20040216

:-)

(no subject)

Date: 2006-01-04 04:40 pm (UTC)
From: [identity profile] marypcb.livejournal.com
I'm not saying this unofficial patch is a bad thing even though it uses the same approach as a rootkit, but in general, an unofficial patch could be just as much a threat as what it's patching against. Make sure you know what you're installing and get the up to date AV signatures that do now protect against the attack.

(no subject)

Date: 2006-01-04 08:29 pm (UTC)
From: [identity profile] keristor.livejournal.com
Well, among other things the patch installs its source code so you (or probably more importantly lots of independent Windows experts) can verify that it is correct and does only what it says it does. Can you say that for any patch from Microsoft? For all anyone outside MS knows their patch could be faulty, break something else, or whatever.

And note that according to recent reports MS have had a patch for several days but they aren't releasing it until they get it translated into 23 languages or whatever. Anyone who has problems in the meantime should be able to sue MS for criminal negligence...

(no subject)

Date: 2006-01-05 08:11 pm (UTC)
From: [identity profile] pbristow.livejournal.com
In general, yes. This is an exceptional case, however, in that it's produced by a very widely respected guy, has been independently verified by hundreds of testers, and is being outrightly championed by internet security companies who normally don't do that sort of thing (in particular, f-secure). And that the vulnerability in question is a socking huge hole that's being very eagerly exploited, *and* the official patch is being stupidly delayed.

(no subject)

Date: 2006-01-04 06:41 pm (UTC)
From: [identity profile] dan-ad-nauseam.livejournal.com
[livejournal.com profile] thnidu vouches for SANS, who have a patch at http://isc.sans.org/diary.php (You may have to scroll down.)
