OneCare users, you’re safe

In an earlier post, I reprinted a list of which antivirus programs had been successful at blocking the WMF exploit early. (By now, of course, almost everyone has caught up.) One name that was noticeably absent from both lists was the beta release of Microsoft’s Windows OneCare Live, which I’ve been using for a couple months now.

According to Microsoft’s updated Security Advisory 912840, OneCare works:

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

That’s a relief.

Help is on the way for the WMF vulnerability

Microsoft has updated Security Advisory 912840, which provides details of the WMF exploit that was sprung on an unsuspecting world last week. The good news? A patch will be available in one week:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

The level of hysteria over the WMF exploit is getting a little silly. Yes, it’s a zero-day exploit, which is a very bad thing. But the drumbeat that this will be “the mother of all Internet worms” has been spreading. Even the normally down-to-earth crew at SANS has melted down. And yet, as Larry Seltzer at eWeek points out, Microsoft’s deliberate pace seems correct. Major antivirus software vendors, who are usually ready to hit the panic button (and sell a lot of software) at the slightest provocation, are surprisingly low-key:

[I]t’s Monday morning, Jan. 2, and none of the major anti-virus vendors has a serious alert up. McAfee, Symantec, Trend and Panda all show no alarm, and the ones that have a general level of alertness are all showing a low level. Panda can usually be counted on for some hysteria at a time like this, and Computer Associates doesn’t even seem aware of the threat on its site.

There is F-Secure, who is showing a Level 2 (out of 3) alert. F-Secure has been on top of this situation from the very beginning …

As I pointed out in an earlier piece, actual testing of 73 variants of this threat shows excellent protection common among anti-virus vendors. As of Saturday morning, the 100 percent list included AntiVir, Avast, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster. If you’re a user of one of these products and you keep your anti-virus updated, odds are good that you’re protected against any exploits you’re likely to see.

And as one of the anti-virus vendors pointed out to me, there may be dozens of variants out there and a first attempt at an IM worm, but there is no major attack yet. In other words, there may be a major vulnerability, but there is no major exploit, and you’re unlikely to encounter one unless you spend a lot of time on porn sites or already are running adware.

So let’s review:

  • Disabling the Windows Picture and Fax Viewer is a proven workaround for all variants to date.
  • If you’re running auto-updating antivirus software from a major vendor, it’s able to detect and block all known variants of this exploit.
  • The average person is extremely unlikely to get hit with this thing in everyday browsing.
  • No one has come up with an e-mail-based vector yet, aside from the usual spammy attempts to entice you to a shady Web site.

In short, it’s not time to panic. I directly support about a dozen users – family and friends. None of them are shy about calling for help, and none of them have encountered this exploit. I have an extended family of correspondents who reach out when they encounter viruses and spyware. I haven’t heard a word from them. In fact, although lots of security sites are finding examples of this exploit in the usual dark corners of the Web, no one has reported widespread infections. The updated security bulletin confirms what the antivirus companies are saying:

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

One skilled and apparently trustworthy coder has released an unauthorized patch for this vulnerability. SANS recommended that everyone install it. I haven’t recommended this patch, because in my view the risk is greater than the benefit. I think Microsoft has made a perfectly reasonable trade-off in developing and testing this patch. A seemingly small change can have a ripple effect in unexpected places. The nightmare scenario is a poorly tested patch that renders a system unstable or causes data loss.

If this had been the Slammer worm, which spread like wildfire over the Internet back in 2003, a more aggressive approach would be called for. In this case, I think the response from Microsoft has been appropriate.

The phony metadata scare

Gartner Group is out trying to stir up some controversy from a meaningless issue. eWeek explains:

A feature expected in the next version of Windows that will allow users to tag documents and other files with “metadata” could lead to embarrassing information disclosures if companies are not careful, according to research from Gartner Inc.

[…]

Gartner’s research note, “Plan to deal with metadata issues with Windows Vista,” published Wednesday, takes Microsoft to task for not designing security into the upcoming versions of Windows, code-named Vista, and Microsoft Office.

Those programs make it easy to attach keywords to documents, but they don’t make it clear that the keywords and other metadata can be viewed by anyone.

Sheesh, what planet have these guys been living on? Metadata issues have been around for years. (This long Knowledge Base article covers the nine-year-old Word 97.) Any company that hasn’t put policies and procedures in place to minimize the risk of sensitive data leaking out into the world just hasn’t been paying attention.

Gartner was trying to take advantage of a slow news week to try to manufacture a controversy where none should exist.

By the way, I read somewhere that Office 12 actually has some tools built in that allow you to automatically scan document files for metadata, comments, deleted text, and other stray bits of data that can inadvertently reveal information you would prefer to leave private.

PC Magazine and PC World both got to write about these Office 12 features and even show screenshots. Unfortunately, I can’t do that because of an NDA agreement I signed. I wrote this a few weeks ago:

As I pointed out yesterday, the terms of the Office 12 confidentiality agreement prohibit me from discussing any aspect of the product. This information blackout applies to everyone except Microsoft employees, apparently.

And selected media outlets, too. Different rules apply to a handful of people and publications, most of them still in the dead-tree business.

Scoble agrees:

I’ll talk to the team about that. I think NDAs are often too restrictive and are ultimately counterproductive.

Hope they return your calls this week.

Update: Bruce Schneier had some interesting thoughts on the subject back in November.

How effective is your antivirus software?

eWeek points to an authoritative analysis of how security software companies have responded to the WMF exploit:

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

I know a lot of people who use various free antivirus programs, especially AVG. I don’t recommend them, and this study is one giant data point in my argument.

Anyone with an updated subscription to any of the AV programs on the first list above is fully protected from the WMF exploit. Anyone using a program on the second list should ask themselves whether it’s time to switch.

You may already be protected from the WMF exploit

Over at the Sunbelt Blog, Alex Eckelberry has some good news. Your computer may already protect you from the WMF exploit:

Based on preliminary research, we’re finding that systems with software-enforced DEP will get the WMF exploit, but systems with hardware-enforced DEP will not.

Alex includes a link to a Microsoft TechNet article that explains how DEP works:

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

As Alex explains, DEP is installed by default with Service Pack 2. To get the full capabilities of DEP, you need to combine the software protection with a processor that supports these advanced features.

This is big news, because it means that one of the most common attack vectors for malware has been effectively blocked, without requiring any third-party solutions like firewalls or antivirus software.
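The hardware half of DEP is the processor refusing to run instructions fetched from a page that is not marked executable. As an added example that is not from this post or from Sunbelt, the C probe below (Linux on x86-64 or AArch64; probe_exec is a name chosen here) writes a single return instruction into a read/write data page and tries to call it, then repeats the attempt after remapping the page read/execute, which is the legitimate path.

```c
/* Probe the hardware half of DEP: can bytes written to a read/write data page run?
 * Added example, not from the original post. Assumes Linux on x86-64 or AArch64;
 * probe_exec is a name chosen here. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret, little-endian */
#else
#error "probe written for x86 and AArch64 only"
#endif
static sigjmp_buf recover_buf;
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover_buf, 1);   /* unwind out of the faulting call */
}
/* make_executable == 0: run the bytes from the RW page as mapped; == 1: remap the page
 * read/execute first (the legitimate path). Returns 1 if the CPU/OS refused to execute
 * the page, 0 if the code ran (no NX: only software DEP is possible), -1 on error. */
int probe_exec(int make_executable) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memcpy(p, RET_INSN, sizeof RET_INSN);            /* the "code" arrives as plain data */
    if (make_executable && mprotect(p, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, page);
        return -1;
    }
    __builtin___clear_cache((char *)p, (char *)p + sizeof RET_INSN);
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int blocked;
    if (sigsetjmp(recover_buf, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &p, sizeof fn);   /* object-to-function pointer, without a pedantic warning */
        fn();                         /* a lone "ret" just comes straight back */
        blocked = 0;
    } else {
        blocked = 1;                  /* the no-execute fault landed in on_fault */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(p, page);
    return blocked;
}
int main(void) {
    printf("execute from RW data page: %s\n", probe_exec(0) == 1 ? "blocked" : "ran");
    printf("execute from RX code page: %s\n", probe_exec(1) == 0 ? "ran" : "blocked");
    return 0;
}
```

On a processor without NX support, the software-only DEP case the post describes, the first probe reports that the bytes ran, which is exactly why the hardware half matters.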

We wrote about DEP in Windows XP Inside Out, Second Edition. At that time, it was mostly a theoretical feature. To my knowledge, this is the first time the concept has been proven to work in the real world.

Read Alex’s post for details on how to see whether your computer is already protected.

Update: In a follow-up post, Alex casts serious doubt on the effectiveness of DEP as a protective strategy.

“Really bad” security exploit arrives

The Sunbelt Software Blog has details on a new security exploit that blows by fully patched Windows XP systems:

Any application that automatically displays a WMF image will cause the user’s machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

This is a zero-day exploit, the kind that gives security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Another report from F-Secure says so far it’s being exploited by a handful of sites in Russia, but it will spread. You’re most likely to get directed to one of these sites via a spam message offering dirty pictures, free software, and other forms of bait.

I expect that all major antivirus companies will have detection and prevention for this by the end of the day. I don’t know of any workarounds, but will update this post if I hear any more. For now, use the most recent version of Firefox rather than any other browser and steer well clear of unknown/untrusted sites.

Update: One way to prevent this exploit from working is to disable the Windows Picture and Fax Viewer component. To do so, click Start, Run. In the Open box, type the following command:

regsvr32 /u shimgvw.dll

Press Enter to make the change.

This measure isn’t without side effects. Disabling this component eliminates the capability to view thumbnails of all image types (not just WMF files) in Windows Explorer folders, and it zaps the Preview command for images as well. You can work around these limitations by using a graphics viewing/editing program.

To re-enable the Windows Picture and Fax Viewer, issue this command:

regsvr32 shimgvw.dll

Is Windows Vista too protective?

Update: Over at ZDNet, I’ve put together a visual representation of UAC as it exists in Windows Vista Build 5365.

One of the most intriguing new features in Windows Vista is a major change in the way user accounts work. Windows XP allows accounts to reside in either the Administrators group (where they have full control over the system, including the ability to install a piece of spyware or a virus) or in the Users group, where their capabilities are so limited as to be practically unusable.

Windows Vista adds a feature called User Account Control (UAC), which until recently was called User Access Protection (UAP) and grows out of research into least-privileged user accounts (LUA), a drum that Microsoft Senior Consultant Aaron Margosis has been banging for some time on his Non-Admin blog.

The theory behind UAC is sound: When you’re about to do something that requires an administrator’s privileges, you need an administrator’s consent. For a regular user, that means typing in a set of credentials (username/password) that belong to a member of the Administrators group; if you’re already an administrator, you just have to click a Permit button. This option allows you to see when a program or process is trying to do something that can have an impact on your system’s stability, and it’s an effective way to block untrained or naive users from accidentally screwing up their system.

(The UAC team has a new blog where they’re sharing some of the technical details behind this feature.)

UAC in the current build of Windows Vista is working, but not well. Some programs fail when they can’t get full system access or when they try to save a file to an area where the current user doesn’t have write privileges. The barrage of dialog boxes is annoying, especially during the initial phases of setting up a system. And those permission boxes can be confusing – at this early stage of the beta, some key Windows Vista components are still unsigned, leading to dialog boxes like this one, which appears when you try to run a Control Panel applet:

The annoyance factor is even higher when you factor in the steady stream of warnings from Windows Defender and Internet Explorer.

It’s possible to disable UAC so that you can run with administrator privileges full-time. But as Josh at Windows Connected argues, doing so means you’re not giving this feature the testing it needs. From a personal point of view, I have no choice but to grit my teeth and figure out how to work with UAC, because I have to document the inner workings of this feature for Windows Vista Inside Out.

I’m hoping that this feature will work much more smoothly in future beta versions. If it doesn’t, the UAC team had better be prepared for some caustic reviews.

Symantec shows how not to do security

This post is from guest blogger Carl Siechert, my co-author on Windows XP Inside Out and Windows XP Networking and Security Inside Out:

A coworker recently bought via Symantec’s online store a copy of Norton Internet Security 2006 for her home computer. (This wouldn’t have been my recommendation, btw.) After making the payment, the last page of the order process includes a download button. She clicks the button (and is flummoxed by the Run/Save security dialog) and eventually screws up the courage to save the file to disk. (She’s not particularly at ease with computers.)

It downloads a 156-KB file called Setup.exe (or Norton Upgrade Setup.exe, depending on the target folder), which turns out to be Norton Internet Security Download Manager–a program to download the real application installer. But here’s the kicker: the download manager program is not signed. So, of course, when she opens it, Windows pops up an ominous warning about an unknown publisher. Contravening standard security advice, she forges ahead. (Looking at the file properties imparts no useful information either. The Version tab shows a product name of “xDM” and no publisher name.)

Without any warning that the 40-MB download is going to tie up her phone line for a considerable time, it eventually completes, depositing on her desktop a file called NIS06900_2YR.exe. (Examining the properties of this file is even less helpful; it doesn’t even have a Version tab.) Because it was placed there by a program other than Internet Explorer, running the program doesn’t display any sort of warning.

There’s no way to confirm that either of these files came from Symantec, nor any way to confirm that they haven’t been altered by someone else (or that they aren’t a different potentially malicious program altogether).

This kind of sloppy work by one of the major players in security software makes it difficult to explain to unsophisticated users how to determine which programs are safe to run. How many warnings have we seen about malicious programs that purport to be a security program or update from Symantec and its competitors? And what’s our usual advice? If it’s not signed by the publisher, it’s probably bogus. Nice work, Symantec.

Sony releases a rootkit remover

If you’ve been attacked by Sony’s XCP rootkit software, you can finally remove it. Here are the download links.

Remarkably, Sony has finally admitted that the XCP software is dangerous. Their announcement confesses:

CDs containing XCP content protection software developed by First4Internet for SONY BMG may increase the vulnerability of your computer to certain computer viruses.

The uninstaller allows you to completely remove the XCP software (good idea) or update it to a newer version that Sony claims is free of the rootkit component (do you feel lucky?).

Not so remarkably, Sony can’t resist the urge to say dumb things. Like this:

Please be advised that this [update/uninstall] program is protected by all applicable intellectual property and unfair competition laws, including patent, copyright and trade secret laws, and that all uses, including reverse engineering, in violation thereof are prohibited.

Yes, it certainly wouldn’t be appropriate for any security researchers to look closely at this software and determine whether it’s safe and effective. Especially given Sony’s track record so far.