Exploit Released for Unpatched Windows Flaw
Posted by: Ion Silverbolt
Users should be aware of a nasty exploit floating around that infects fully patched Windows XP machines. Websites that use this hack are growing at an alarming rate. Here's some more info:
The exploit code, first posted on security mailing list Bugtraq, states that the included Internet address can successfully exploit a fully patched Windows XP system with a freshly updated [Symantec] Norton Anti-Virus. Symantec said it has verified that the exploit works on fully-patched Windows XP systems, and that updates that would allow its anti-virus program to detect threats trying to exploit the new flaw would be released as soon as possible, though it noted that "some of the components of this attack, including the exploit itself, are NOT detected by Symantec products."
According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq, when clicked on, successfully drops a Trojan horse program onto fully patched Windows XP SP2 machines (other Windows versions may also be affected). The Trojan will then download a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove threats it claims are resident on the user's machine.
According to information posted at Internet security company Websense, the exploit is now being used by thousands of Web sites to install a bogus anti-spyware application that is fairly tedious to remove from infected machines. Also, Websense says the program "prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the 'spyware cleaning' application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages." The above image is from Websense's alert.
Firefox and Opera users can also be affected by this exploit. However, users will be prompted to download and run the exploit first.
Read more about it from here.
Posted by: Ion Silverbolt
There's a temporary workaround that may add some protection to your machine, especially if you're using Internet Explorer: disable direct rendering of WMF files.
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.
The WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above once a patch is released.
Posted by: Zakir
Quote: Originally Posted by Ion Silverbolt
There's a temporary workaround that may add some protection to your machine, especially if you're using Internet Explorer: disable direct rendering of WMF files.
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.
The WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above once a patch is released.
For sysadmins, you can combine this with a GPO for a quick fix for a bunch of workstations.
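As an added example (not from either post above), the following PowerShell script checks whether the regsvr32 workaround from Ion Silverbolt's post is actually in effect on a machine, by looking for any COM class whose InprocServer32 still points at shimgvw.dll, and can apply the unregistration silently so it can run as the GPO startup script Zakir suggests. The -Apply switch and the function name are this example's own choices.

```powershell
# Added example: verify (and optionally apply) the "regsvr32 /u shimgvw.dll" workaround.
# Run elevated. Without -Apply it only reports; with -Apply it unregisters the DLL silently.
param([switch]$Apply)

$dll = Join-Path $env:SystemRoot 'system32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # Walk every CLSID under HKCR and keep those whose InprocServer32 default value names shimgvw.dll.
    # If this returns nothing, the Picture and Fax Viewer library is no longer registered as a COM server.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'shimgvw\.dll') {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)' }
            }
        }
}

$regs = @(Get-ShimgvwRegistrations)
if ($regs.Count -eq 0) {
    Write-Output 'shimgvw.dll is not registered: the WMF rendering workaround is in effect.'
} else {
    Write-Output "shimgvw.dll is still registered under $($regs.Count) CLSID(s):"
    $regs | Format-Table -AutoSize | Out-String | Write-Output
    if ($Apply) {
        # /s suppresses the confirmation dialog, which an unattended startup script cannot click.
        $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/u /s `"$dll`"" -Wait -PassThru
        Write-Output "regsvr32 /u exit code: $($p.ExitCode) (0 means the unregistration succeeded)"
    }
}
```

Re-running the script without -Apply after a patch is installed and "regsvr32 shimgvw.dll" has been run confirms that the viewer is registered again.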