URGENT: read this (Windows security issue)

electron

Administrator
Staff member
I have been following this for a while now, and it looks like things are getting worse. A new security issue has been discovered with a component in the Windows OS, which is responsible for displaying images. The problem is that due to a bad design (or bug, whichever you want to call it), code can be executed, taking over your PC. There have been several proofs of concept, and it looks like there is a virus/worm going around now which exploits this. This is almost impossible to stop, but someone has released a patch which will help deal with this issue until Microsoft can put the official patch out.

Read this FAQ for more info:
http://isc.sans.org/diary.php?storyid=994

I suggest you also monitor the main site:
http://isc.sans.org/
 

BraveSirRobbin

Moderator
I heard about this. So someone with Outlook that has their mail opened automatically (in the message view window) can expose their PC to this then?
 

TonyNo

Active Member
From e's first link...

Q: How could a malicious WMF file enter my system?

A: There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.
 

BraveSirRobbin

Moderator
Yes, I saw that, but what I was referring to was this scenario:

When I open Outlook the last message or message clicked on in the inbox automatically gets opened in the "view" pane. I was wondering if this could trigger this somehow (i.e. never opened an attachment).
 

Dean Roddey

Senior Member
One would assume they could put a link back to a WMF image on their web site, which would make your Outlook load the image and display it. I really wish Outlook could be configured to never do that, since it's always spam and usually it's used to confirm your address by doing a reverse DNS on you when you connect to access the linked images.
 

brothers

Member
The latest updates to Outlook (for the last year or so, actually) modify it so that it requests your permission before downloading pictures (to prevent the confirmation scenario). I don't think this helps if there's a mime-encoded graphic in the email itself, but I almost never see those.

- Dennis Brothers
 
TonyNo said:
This is why I don't use the Preview Pane in Outlook. ;)
This is why I don't use Outlook or IE! This kind of garbage happens because someone at MS thought it would be a clever idea to allow programs to be launched while playing media files. It seems they are not forward thinking enough to realize that this kind of stuff opens the doors to hackers. Pictures, audio files, and movies should be data, not code, and they should not be allowed to cause code to be launched, web sites to be opened, or any other such antics.
 

electron

Administrator
Staff member
Even Firefox users can be affected by this, so it's not just a 'client' issue. Any program using this DLL is vulnerable, which is why the only good solution right now is to unregister the DLL (use IrfanView to view pics), and to install that unofficial patch.

It also looks like the DEP feature (part of SP2) in combination with the AMD chips which support it will stop this from happening as well, even if you don't have the patch.
 

huggy59

Active Member
The answer is YES, at least on some versions of Outlook, the preview pane can display an HTML-based email which contains an image and code that can infect your machine. In fact, the preview pane can and does go to a web site to get the images at times, depending on how the email was created. In general, SHUT OFF THE PREVIEW PANE in Outlook views and do not use the new mail tray icon to open new email without viewing its header data first!

As a security practice, if you have an email in your Inbox (or other folders, for that matter) that you do not recognize, DO NOT OPEN IT - you can right-click the email from the list, select Options, and look at the Internet headers to see if it came from someone you THINK is not infected - this does not open the email itself. Lots of times, at least the originating account or the originating machine is easily determined to be bogus - would you open an email from "Mike" if the originating account was "[email protected]" ??? I wouldn't. Just close the Options dialog, and shift-delete the msg. Bye bye sucker!