Critical “0 Day” Windows Exploit is roaming around!

Another exploit for the Windows operating system has come out recently, no surprise there, but this little bugger is particularly nasty so pay attention! I found out about this because I float in IT circles and the Security Now! Podcast’s Episode 20 discusses a patch for this vulnerability that was written by Ilfak Guilfanov. I have installed it on my machine and it does correct the vulnerability.

Here is a little background on how this works. It was discovered back in December of 2005 and it affects all versions of Windows (including ME, 98, and 95). Of course, word of this new hole in Windows spread rapidly through the Internet “Underworld” and there are already sites that have embedded this exploit into their code, images, etc. to spread it further. It has been reported that something like 100 different variations are currently known, so you may already have a vulnerable system.

Lo and behold, this is not even a new vulnerability; it has been lying dormant, as it were, since 1991. I should take some time to explain exactly what occurs before I get too involved. A MetaFile is a set of computer instructions that tells Windows how to draw primitive shapes such as circles and squares. The most common use of a MetaFile that you will probably be familiar with is the thumbnails of images that you see inside of Windows Explorer. There is a bug in the code base of Windows, though, that allows other code to be executed if for some reason the MetaFile is corrupt. I assume this was done so that an error would be thrown and a developer would know that their file was damaged in some way.

The exploits have instructions embedded in them that direct Windows to run malicious code instead of something benign like the debugger inside of Microsoft Visual Studio, which is a popular programming suite. What makes this so dangerous is that they could embed anything from a virus to a keylogger that stores your passwords and sends them on to its creator. Basically they can run absolutely anything that they want, so time is of the essence.

F-Secure is reporting that there is an email virus inside of a spam message that comes with a subject like “Happy New Year”, and I have seen reports that it is floating around the MSN Messenger network as well. The common delivery method for this is usually an image file in an IM message, website, or email. The folks over at M$ have acknowledged this and they have instructions on their website that provide a very half-ass workaround for it: they have you paste a line into the Run box that unregisters shimgvw.dll (this only works on Windows 2000 or later), but there has been no announcement on when they will release an official patch through Windows Update.

Anti-Virus vendors have already updated their definitions and they should be heading down the pipe to your machine. While these updates have been effective, the malware community is very flexible and I am sure they will find ways around them, so the only way to really fix the problem is to patch this yourself. In fact, a new and very flexible exploit generation tool has appeared that is able to create so many different variations of the exploit that A-V signatures are having trouble keeping up.
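To show what "keeping up" means on the detection side, here is an added example that is not from the post, from F-Secure, or from any other vendor it mentions. The exploit files are ordinary Windows MetaFiles, so a scanner that walks the file record by record and flags the record type the exploit depends on (a META_ESCAPE record carrying the SetAbortProc escape, which is what lets a metafile register code to be called during playback) keeps working no matter how a generator tool shuffles the surrounding bytes, where a fixed byte signature does not. The record-layout constants are the standard WMF values; the two sample files are constructed in the script and are not real exploit files (the "suspicious" one carries four zero bytes where a payload would sit).

```python
import struct

# Standard WMF format values (assumed from the published metafile layout).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009    # escape subtype the WMF exploits rely on


def parse_wmf_records(data: bytes):
    """Walk a WMF file and return (offset, size_in_bytes, function) per record.

    A truncated or undersized record is reported with size None and ends the
    walk: a scanner should treat a malformed file as suspicious, not crash on it.
    """
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22                                   # skip the placeable header
    if len(data) < offset + 18:
        raise ValueError("truncated WMF header")
    meta_type, header_words, _version = struct.unpack_from("<HHH", data, offset)
    if meta_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    offset += header_words * 2                        # header size is in 16-bit words

    records = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        size_bytes = size_words * 2
        if size_words < 3 or offset + size_bytes > len(data):
            records.append((offset, None, func))      # malformed record
            break
        records.append((offset, size_bytes, func))
        if func == META_EOF:
            break
        offset += size_bytes
    return records


def find_setabortproc(data: bytes):
    """Return [(record_offset, escape_byte_count)] for every SetAbortProc escape."""
    hits = []
    for offset, size_bytes, func in parse_wmf_records(data):
        if func != META_ESCAPE or size_bytes is None or size_bytes < 10:
            continue
        # Escape record parameters: escape function (WORD), byte count (WORD), data.
        escape_func, byte_count = struct.unpack_from("<HH", data, offset + 6)
        if escape_func == ESC_SETABORTPROC:
            hits.append((offset, byte_count))
    return hits


def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: size in words, function number, parameters."""
    assert len(params) % 2 == 0, "record parameters must be word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list) -> bytes:
    """Wrap records in a minimal 18-byte standard (in-memory type) WMF header."""
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_record_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record_words, 0)
    return header + body


# Constructed samples, not real files: a harmless metafile that only sets the
# mapping mode, and one carrying a SetAbortProc escape with four zero bytes.
BENIGN_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _record(META_EOF)])
SUSPICIOUS_SAMPLE = _wmf([
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(name, find_setabortproc(sample))
```

Run it on a real image by reading the file and passing the bytes to find_setabortproc; a non-empty result on anything that arrived by IM or email is a reason to delete it, and a ValueError means the file is not a well-formed metafile at all. A check like this is a triage aid for the files already on a machine; it does not change how Windows renders them, which is what the patch is for.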

Fortunately there is some hope, as Ilfak Guilfanov has produced a highly effective patch which successfully fixes all known exploitable vulnerabilities for anyone using Windows 2000, XP, 2003 Server, or the 64-bit Edition of XP. At this time there is no known patch for Windows 95, 98, ME or NT, and none is expected to be forthcoming at any time in the future, if ever.

I have hosted the vulnerability checker as well as the patch on my server and I will be contacting Ilfak Guilfanov to see if he would like another mirror for the file. Also, I have attached the file to this post for ease of download. Please patch your systems as quickly as possible and I will do my best to update everyone if I find anything for systems older than Windows 2000.

Note: Apparently I misunderstood the use of the new attachment ability in WordPress’ post page. If you would like to get the vulnerability tester from me you may download it here, and the patch itself is available from here, so download away. I was not able to contact the original author, but I have hopefully notified Steve Gibson and Leo Laporte that I am interested in mirroring the file if mirrors are still needed.

2 Responses to “Critical “0 Day” Windows Exploit is roaming around!”


  1. trench

    You’re the 2nd blog I’ve seen with this update. I need to look into this. Man, aren’t we the sad bunch. Windows users. haha

  2. gatewayy

    It’s so easy to get so I thought I would spread the word if I could.
