D-Day for “Zero Day”
David Shamah, The Jerusalem Post January 3, 2006
I hate to do this – we were doing so well with that video stuff – but I have to tell you about the latest virus and security scandals emerging in the Windows world.
The computing world has just about gone to hell in a handbasket, the way I see it. No doubt you've already read about the new WMF “zero day” exploit (the term “zero day” comes from the fact that there was no defense against this exploit when it was discovered “in the wild”). The exploit takes advantage of a deficiency in Windows Metafile graphic format files, such that simply having your computer display an image on a Web site or in an e-mail can install rogue code on your computer that will essentially let someone on the “other side” use your computer for whatever purpose they want!
Now, we all know that viruses are a fact of life, and our inboxes are constantly being bombarded with them (like the ones from the FBI and CIA that tell us that we “visit illegal web sites” – more about that one below). But this is a problem on the level of the JPEG buffer overrun exploit (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx) from about a year and a half ago, which installed rogue code on your system when you clicked on the wrong pixel(s) of the wrong image – at very legitimate-looking sites, it may be added, including one well-known bank site, at least for a while!
The latest exploit showed up during the most inconvenient week of the year for patch developers – the last week of the year, when developers are largely away from their desks, or at least are incapacitated to a large extent, what with all the office parties, shopping and days off. Quick-thinking businesspeople, among others, are taking advantage of the situation by “hijacking” systems and installing viruses on them using this exploit – and then they try to sell a “solution” to fix the problem, for a hefty fee! It's a virtual protection racket – as in “racketeering,” the thing that made the Mob rich – and if you want to see a horror film of just how the WMF exploit works, check out http://www.websensesecuritylabs.com/images/alerts/exfol-movie.wmv.
You may visit only a small, trusted range of Web sites, but since the rogue images can be delivered directly in your e-mail, chances are the WMF exploit will come to you before you go to it. Until Microsoft issues a patch for this exploit, your best bet is to unregister the DLL used by Windows Picture and Fax Viewer by going to your Start menu, clicking on Run, and typing in this command:
regsvr32 /u shimgvw.dll
If you find that some applications get “broken” by this, close your Web browsers and e-mail programs, and re-register it by typing in
regsvr32 shimgvw.dll
Possibly a patch will have been released by the time you read this, but until then, you're better off disabling the DLL, just to be sure.
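As an added example that is not part of the column: a small Python scanner that walks the records of a Windows Metafile and flags the SetAbortProc escape record, the metafile record that this exploit family abused and that the later Windows fix stopped honoring. The record layout follows the published WMF format; the two sample files are constructed here, and the flagged one carries only a zero-filled escape body.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7    # optional 22-byte placeable header before the real header
META_ESCAPE = 0x0626          # record function: GDI escape
META_EOF = 0x0000             # last record in every metafile
ESC_SETABORTPROC = 0x0009     # escape sub-function with no business in a displayed picture


def wmf_records(data):
    """Yield (offset, function, params) for each record of a WMF blob."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    off += struct.unpack_from("<H", data, off + 2)[0] * 2   # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == ESC_SETABORTPROC:
                hits.append(off)
    return hits


def record(func, params=b""):
    """Pack one WMF record: size in words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Pack a minimal 18-byte standard header in front of the records."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body


# Constructed samples: one ordinary drawing record, and one escape record with a zero-filled body.
BENIGN_WMF = build_wmf([record(0x0102, struct.pack("<H", 1)), record(META_EOF)])   # META_SETBKMODE
SUSPECT_WMF = build_wmf([record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\0" * 4),
                         record(META_EOF)])
```

A mail or Web gateway would run `find_setabortproc` over any attachment or download that parses as a metafile, whatever its file extension, since Windows picks the decoder by content rather than by name.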
As an aside, by the way, another virus danger abounds this week, and, despite appearances, the CIA and FBI have nothing to do with it. A new version of e-mail virus Sober, set to “hatch” this week, could, believe it or not, fill your e-mail box with Nazi propaganda!
Huh? Yes, I know that's what you just said to yourself, because it was exactly what I said to myself! But virus experts around the world have sounded the warning: the outbreak is timed in honor of the 87th anniversary of the founding of Germany's Nazi party! What is more significant about the 87th anniversary than the 86th I can't imagine, except that some Nazi hacker got a new computer for Christmas that he's been itching to try out. Expect a barrage of e-mail messages with Nazi nonsense, and hidden executables that, if installed, could turn computers infected by Sober.AH into “zombies,” spreading “political” spam, similar to a June 2004 attack that sent e-mails to thousands of users — mainly German and Dutch — with content such as “what Germany needs is German children,” or other racist messages, in honor of the following day's elections for the European Parliament.
Will it ever end? Apparently not; the folks at Microsoft really thought that XP Service Pack 2 would do the trick, but the Windows Registry is just too open. Microsoft will want to blame the WMF exploit on the fact that WMF is part of DOS's legacy 16-bit code, and the new 32-bit code developed for Windows is immune to this kind of thing. However, what they don't tell you is that this legacy code will probably be around forever – because many very old applications (known in the industry as “Line of Business” applications) used by companies are part and parcel of their everyday computing needs. It's the same problem that could have happened, but didn't, during Y2K, except on a grander scale – and except that Windows' problems, whether security or virus related, are real, and chronic.
But home users, or even small business owners, don't have to go through the endless cycles of boom and bust. One way many users have dispensed with Windows-specific computing problems is by moving to Linux, which is far easier to install and use than ever before. And there is no lack of applications in the Linux/Unix world. Sourceforge (http://sourceforge.net) has over 100,000 projects for almost any application you can imagine a computer doing. Not that Unix cannot be compromised either (“rootkits” are a common problem), and learning a new OS is work, but undoing the damage done by the constant security problems is lots of work too. This WMF exploit has the potential to be the biggest and worst Windows worry users have had to face. It's got me, for one, thinking of alternatives.
Ds@newzgeek.com