Unhappy new fear (and watery Queen)
In today's IT Blogwatch, we look at the latest unpatched Windows security risk -- the rather nasty WMF exploit. Not to mention Queen's We Will Rock You as you've never seen it before...
Ring out the old and ring in the new (exploit) sings Sharon Machlis, "Attacks are carried out through a vulnerability in the way Windows XP and Windows Server 2003 handle corrupted Windows Metafile (.WMF) graphic files ... So far, it appears that Windows Data Execution Prevention (DEP) software or disabling Windows' shimgvw.dll will block WMF attacks to date, according to iDefense [unregister shimgvw.dll] ... The HappyNY.A attack has been using an e-mail with the subject 'happy new year' that includes the attached file HappyNewYear.jpg. That file, actually a hostile WMF file, installs the Bifrose backdoor Trojan in the victim's system when the file executes." [Oh brother ... Welcome back to work!]
» Harry Waldron: "The 2nd generation of the WMF exploit has been spammed out via email. It appears as a Happy New Year's greeting. This is briefly noted in McAfee's release for DAT 4464 which covers this new variant ... An email message containing an Exploit-WMF built from this new code has been spammed." [Darn, these virus writers work fast]
» WAPO's Brian Krebs: "A new and improved exploit ... Windows users can get infected just by clicking on a specially crafted link in an e-mail or visiting a Web site that hosts the malicious code ... The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run ... This is a big deal because ... the major antivirus vendors have been the first lines of defense against this attack ... Last week, I wrote about tests run by Andreas Marx of AV-Test.org that looked at the response time of various antivirus products to some of the largest computer worm outbreaks of 2005 ... I suspect the 2006 work year will begin a bit too soon for many network and computer defense professionals out there." [Ummm, Bill, where's the patch?]
» Nanite, over at Channel 9 asks, "Where are the Microsoft bloggers? Is there some sort of Microsoft gag order on the whole WMF vulnerability thing? The only guy with enough balls to even mention it seems to be Scoble. Everyone else is just eerily stepping aside it without even a single mention. Are you guys just hoping that no one notices it by not mentioning it?" [An interesting ... uhhh ... "discussion" then ensues]
» Joe Wilcox, Microsoft Monitor: "A 0-day exploit means that it's here right now, and Microsoft has no patch for it ... The exploit affects pretty much any version of Windows, including fully-patched Windows XP with Service Pack 2 ... So how bad could this exploit really be? ... On day 2 of the 0-day exploit, already 50 WMF variants had appeared ... The potential for nastiness while great is mitigated by the amount of active behavior on the part of users. Still, each day the vulnerability exists the more likelihood there could be broad exploitation ... Strangely, looked at another way, timing is fortunate, because the holiday may mean fewer people using computers." [Somehow, that's not very comforting]
» Handler's Diary: "Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe' ... current 'best practice' recommendation is to both unregister the DLL and to use the unofficial patch ... The wmfhotfix.dll is injected into any process loading user32.dll ... Will unregistering the DLL protect me? It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations" [Errr, "unofficial patch"? Danger, danger, Will Robinson!]
» Chris Mosby tries to be reassuring: "Wow, this is way past ugly. Tuesday morning is going to be chaos if something isn't done soon ... the Microsoft WMF vulnerability is bad. It is very, very bad ... We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable. Acceptable or not, folks ... this is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us ... as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created ... We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective ... The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected. It's time for some real trustworthy computing." [For what it's worth, your humble blogwatcher has installed the patch on his systems without trouble]
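The HappyNY.A lure above relies on a WMF file wearing a .jpg name, so a mail gateway or desktop scanner that trusts the extension never looks twice. The script below is an added example from your blogwatcher, not code from any of the sources quoted here: it sniffs an attachment's leading bytes for the public WMF header signatures (the Aldus placeable key and the standard METAHEADER layout) and flags anything whose content disagrees with its extension. The attachment bytes and names are constructed for the demonstration; this identifies the file format only and is not a substitute for the mitigations the sources describe.

```python
import struct

# Public WMF signatures. The Aldus "placeable" header starts with the key
# 0x9AC6CDD7 stored little-endian; a bare METAHEADER starts with
# mtType (1 = memory, 2 = disk), mtHeaderSize (always 9 words) and
# mtVersion (0x0100 or 0x0300).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
JPEG_MAGIC = b"\xff\xd8\xff"
METAHEADER_FMT = "<HHHIHIH"  # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters


def is_wmf(data: bytes) -> bool:
    """True if the bytes begin with a placeable WMF header or a plausible METAHEADER."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < struct.calcsize(METAHEADER_FMT):
        return False
    mt_type, mt_header_size, mt_version, *_ = struct.unpack_from(METAHEADER_FMT, data, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def is_jpeg(data: bytes) -> bool:
    """True if the bytes begin with the JPEG SOI marker sequence."""
    return data.startswith(JPEG_MAGIC)


def classify_attachment(name: str, data: bytes) -> str:
    """Compare an attachment's real format with the format its extension claims.

    Returns 'wmf' or 'jpeg' when they agree, 'wmf-disguised' when WMF content
    hides behind a non-WMF extension, 'jpeg-mislabelled' for the reverse
    mismatch, and 'unknown' when neither signature matches.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_wmf(data):
        return "wmf" if ext == "wmf" else "wmf-disguised"
    if is_jpeg(data):
        return "jpeg" if ext in ("jpg", "jpeg") else "jpeg-mislabelled"
    return "unknown"


def flag_attachments(attachments: dict) -> list:
    """Return the names of attachments whose content does not match their extension."""
    return sorted(
        name for name, data in attachments.items()
        if classify_attachment(name, data) in ("wmf-disguised", "jpeg-mislabelled")
    )


# Constructed sample data: a minimal, harmless WMF consisting of a METAHEADER
# (12 words total: 9 header + 3 for the EOF record) followed by an EOF record.
SAMPLE_WMF = struct.pack(METAHEADER_FMT, 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
# Constructed sample data: the first bytes of a JPEG (SOI marker plus APP0 header start).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Constructed mailbox: the lure name from the HappyNY.A campaign carrying WMF bytes,
# alongside an honest JPEG and an honestly named WMF.
SAMPLE_ATTACHMENTS = {
    "HappyNewYear.jpg": SAMPLE_WMF,
    "holiday_photo.jpg": SAMPLE_JPEG,
    "company_logo.wmf": SAMPLE_WMF,
}

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        print(f"{name:20s} {classify_attachment(name, data)}")
    print("flagged:", flag_attachments(SAMPLE_ATTACHMHENTS) if False else flag_attachments(SAMPLE_ATTACHMENTS))
```

Run the file directly to see the three sample attachments classified and the disguised one flagged. The check deliberately keys on the header layout rather than the extension, which is exactly the trust boundary the lure abuses; the same approach extends to any format whose magic bytes are documented.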
Buffer overflow:
- Tom Tromey: Consumer Linux
- Microsoft Watch: Those Opera Rumors Are All Starting to Make Sense
- Google Blogscoped: 10 Web Trends That Should Die in 2006
- Geek News Central: Podcasters continue to vent about Apple
- Microsoft Watch: 64-Bit XP: A Failed Tech Trend?
- Chris Schalk: Anatomy of an AJAX Transaction
- Pete Finnigan: More detailed analysis of the new Oracle worm
- Om Malik: Broadband in South Korea
- Ian Lamont: Three must-have iPod accessories
- Douglas Schweitzer: More people taking a “byte” of the Apple
- Douglas Schweitzer: Zero day exploits are a sad fact of life
- Shark Tank: Just like the real thing, only quicker
- Douglas Schweitzer: Security in strong demand for 2006
- Douglas Schweitzer: Another reason not to let your guard down
- Sharon Machlis: Strange video storage patent
- Douglas Schweitzer: New toys? Take a moment to think about security!
- Frank Hayes: Women, IT and the C-word
- Mitch Betts: CIO bugbear No.1: The backlog
And finally... Queen's We Will Rock You, albeit a bit wet [if anyone knows who produced this, let us know]
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Also contributing to today's post: Judi Dey, our very own Antipodean.