! Windows WMF exploit ! (update 31 Dec)


Opius


There's a brand new exploit found in Windows/IE's image renderer. A malformed WMF image can run any code it likes on your computer if manipulated.

 

Symantec response

 

To put it simply, if you use Windows, you're at risk.

If you're using IE, even loading an infected image can infect you.

If you're using another browser, you're safe from immediate infection, but be warned that the image may still exist in your browser's cache.

 

Any manipulation of an infected image will result in infection. This includes viewing it, allowing Windows to thumbnail it, or even opening the folder it resides in! Exercise extreme caution.

 

HOW TO FIX IT

Update your virus protection. If you don't have one installed, NOD32 Trial Edition with the latest definitions will stop it before it can cause damage.

 

Stop using IE if at all possible.

 

Note that Google Desktop Search WILL TRIGGER the exploit if it tries to scan an infected image. Disable Google Desktop Search.

 

The following methods are untested and MAY cause damage to your system. No responsibility is taken for any damage caused.

Disable the built-in Windows component responsible for viewing WMF files. Go to Start - Run, and type

regsvr32 /u shimgvw.dll

and press Enter.

You can re-enable this by using

regsvr32 shimgvw.dll

but that would be quite silly to do until a patch is released.

 

R1CH of the Something Awful forums has come up with an UNOFFICIAL PATCH.

Here's a patched GDI32 (well, not quite a patch, just a workaround so it isn't possible to jump to arbitrary code). Since GDI32.DLL is constantly in use by Windows, you'll need to find your own tricks to install it. Try closing all apps, running task manager, killing explorer, run cmd prompt (from task manager), close task manager and then replace GDI32.DLL from the cmd prompt. Type 'explorer' to restart the desktop.

 

Possible alternative install method: rename gdi32.dll to gdi32.old, extract patched version, reboot.

 

Use ONLY on a fully patched XP SP2 install. If your gdi32.dll 'file version' (right click, properties) isn't '5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)' or SHA-1 hash fa02573ce6239d1c375db93058810fb968390485 then DON'T use this!

http://r-1.ch/gdi32.zip

 

Ok. Attempt 2. Again, this is ONLY for Windows XP SP2 fully patched systems, with gdi32.dll file version "5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)" and SHA-1 hash fa02573ce6239d1c375db93058810fb968390485.

 

1. Download http://r-1.ch/gdi32.zip

2. Extract to windows/system32/dllcache. Yes to overwrite.

3. Rename windows/system32/gdi32.dll to gdi32.old

4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/

5. Reboot.

 

Press "Cancel" to any Windows File Protection prompts.

 

 

Until Microsoft fixes this, we've disabled avatars, image posting, and such.

 

Update 31 December - I've just run a query to set everybody's preferences to not view sigs, post images, or avatars. Avatars and image posting have been re-enabled, however. So if you feel you're safe from the exploit or are otherwise willing to risk it, you can change your viewing options here. Of course, doing this is at your own risk; we cannot be held responsible if something bad happens, etc.

 

Update 3 January

I just got a PM from Bond996 about a permanent fix.

 

I thought I should inform you of a fix to the current WMF file exploit you posted about. A programmer named Ilfak Guilfanov has come up with a fix that works for 2000, XP Home/Pro/SPx, XP x64, and Server 2003. He has both a vulnerability checker and a patch to fix the solution until Microsoft releases a patch. Please note this does NOT patch 95/98/ME. This patch also allows users to re-register the shimgvw.dll file. It would be great if you could update the announcement to let users know about this fix so that they can get patched. More info on it can be found at Steve Gibson's website. He is a known security expert.

 

Thanks,

Bond

Again, I stress that this is untested by myself, and no-one except yourself will take responsibility for any damage that may occur.

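The post above says a malformed WMF can run code, and that a non-IE browser may still leave such a file sitting in its cache under any extension. What the announcement does not spell out is what to look for. The publicly documented root cause of this bug (the one Microsoft later fixed in MS06-001) was GDI32 honouring a SETABORTPROC escape (escape code 9) inside a META_ESCAPE record (function 0x0626), which let a metafile register its own bytes as a callback. The scanner below is an added example for this thread, not code from the original post or from any vendor: it sniffs WMF content by header rather than by extension, walks the record list, flags that record, and falls back to a raw byte search because a file with a bogus RecordSize stops a naive record walk early. The function and constant names are mine, and the sample files are constructed here with zeroed escape data, so they carry no payload.

```python
"""Flag Windows Metafile (WMF) content carrying a META_ESCAPE record whose
escape code is SETABORTPROC, regardless of the file's extension.

Added example for this thread, not code from the original post or from any
vendor. Record layout follows the documented WMF format; the sample files
are constructed here and carry no payload (the escape data is zeros).
"""
import os
import struct
import tempfile

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header (22 bytes) precedes the standard header
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 9               # escape code that registers an abort procedure callback
RAW_PATTERN = struct.pack("<HH", META_ESCAPE, SETABORTPROC)   # b"\x26\x06\x09\x00"


def looks_like_wmf(data: bytes) -> bool:
    """Content sniff; a cached file can have any extension, so never trust the name."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) < 18:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_escape_records(data: bytes):
    """Walk the record list and yield (offset, escape_code, byte_count) per META_ESCAPE."""
    off = 22 if struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    off += 18                                   # skip the 18-byte standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:  # EOF, or a record too small to be real
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            yield (off,) + struct.unpack_from("<HH", data, off + 6)
        off += size_words * 2                   # RecordSize is counted in 16-bit words


def scan_bytes(data: bytes) -> dict:
    """Verdicts: is it WMF, did the record walk find SETABORTPROC, did the raw search hit."""
    verdict = {"is_wmf": looks_like_wmf(data), "setabortproc": False, "raw_hit": False}
    if not verdict["is_wmf"]:
        return verdict
    verdict["setabortproc"] = any(esc == SETABORTPROC for _, esc, _ in iter_escape_records(data))
    # A lying RecordSize ends the walk early, so also look for the raw escape/code pair.
    verdict["raw_hit"] = RAW_PATTERN in data
    return verdict


def scan_tree(root: str) -> list:
    """Read every file under root (first 4 MiB) and return the paths that flag either way."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)
            except OSError:
                continue
            v = scan_bytes(data)
            if v["is_wmf"] and (v["setabortproc"] or v["raw_hit"]):
                hits.append(path)
    return hits


def _record(func: int, params: bytes, size_words: int = None) -> bytes:
    words = (6 + len(params)) // 2 if size_words is None else size_words
    return struct.pack("<IH", words, func) + params


def make_sample(kind: str) -> bytes:
    """Constructed files: 'benign', 'escape', 'evasive' (bogus RecordSize), 'placeable'."""
    escape = struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4   # inert escape data
    if kind == "benign":
        body = _record(0x0103, b"\x01\x00")                     # META_SETMAPMODE, MM_TEXT
    elif kind == "evasive":
        body = _record(META_ESCAPE, escape, size_words=1)        # lies about its own length
    else:
        body = _record(META_ESCAPE, escape)
    body += _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    if kind == "placeable":
        header = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0) + header
    return header + body


def demo() -> list:
    """Drop the samples under browser-cache style names and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, kind in [("a_escape.jpg", "escape"), ("b_benign.jpg", "benign"),
                           ("c_evasive.dat", "evasive"), ("d_placeable.jpg", "placeable")]:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(make_sample(kind))
        return sorted(os.path.basename(p) for p in scan_tree(tmp))


if __name__ == "__main__":
    print(demo())   # ['a_escape.jpg', 'c_evasive.dat', 'd_placeable.jpg']
```

Point scan_tree at a browser cache or Temporary Internet Files directory rather than at a whole drive; it reads only the first 4 MiB of each file and never parses anything with GDI, so it cannot trigger the bug itself. Treat a raw_hit without a setabortproc hit as worth a manual look rather than a certain positive, since the four-byte pattern can occur by chance in large files.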

Do you have any idea if other antivirus scanners have updated their definitions for this? I'm currently using AVG.

 

Also, have you noticed any problems using that custom GDI32.DLL?

 

EDIT: Okay, cleared my cache, installed the new dll and about to reboot/scan. I now have stairs in my house.

Edited by SPAZ

Thanks for the heads up. I'm pretty sure my Norton LiveUpdate updated its definitions about thirty minutes ago, but I got Norton to update itself again just in case, so I'm all good.

 

Cheers.


Wow, this must be a big deal to warrant a topic from the staff.

I use firefox and norton, hopefully that's sufficient eh? Thanks for the warning.

 

EDIT: also I want to say I've never seen WMF format images. And to help clean up your hard drives I recommend CCleaner.

Edited by Mxyzptlk

 

Just started it today. Just over 100 polies.

 

JPG FORMAT!! NOOOES!!!

 

Ehm, thanks for the heads-up about the .wmf trigger thingie.

 

I've spent the whole day getting rid of trojans/spyware/adware on this comp, and another "hidden/dormant" problem is a problem I don't need >___>

Thanks a bunch Opius, unregistered the DLL. No system damage as you said, but if you do come across system damage I assume you would still be able to go into safe mode and register the dll again.

If you absolutely MUST HAVE image previews and are aware of the risks, I've edited the first post with instructions on how to re-enable it.

 

I wouldn't recommend it though.

> EDIT: also I want to say I've never seen WMF format images.

I try to avoid WM* regardless. Not because of risks, but just because I'm appalled that Microsoft is arrogant enough to devise proprietary formats when functional 3rd party alternatives already prevailed. I mean, who has an issue with JPG? Don't forget this is the same company that took forever and a day to support PNG.


 

iamdigitalman and his Ubuntu Macintosh with Firefox dance around the room.

 

Sorry, I couldn't help it. windows=sh*t.

 

 

iamdigitalman waits for some Windows fanboys to come in here and give him a wedgie.

 

AMF 4ever. -digital

> Is this the reason we can't use tags and we can't have custom avatars?
>
> And if so, why can we still have sigs?

I guess that's because the "old" HTML is already stored in the database, so previously posted images will show properly while "new" ones won't.

> Is this the reason we can't use tags and we can't have custom avatars?
>
> And if so, why can we still have sigs?

Yes, I've just disabled img tags and avatars. Images won't show up in sigs either if you try to edit them.


I'm not 100% sure what all this is about, but I'd be grateful if anyone could fill me in a little bit more. I have 6 machines running at my office, so if I can stop it then that's good.

 

I have disabled it anyway. Thanks for letting us know.

> And who uses Internet Explorer these days anyway?

 

Well, according to general tryst and his midnight MSN Messenger confessions, he does. Like a damn fool too. And, to make matters worse, he browses "warez" websites. And according to him, he has only gotten "one virus".

 

 

> Screw this, I'm getting a Mac!

 

Right on, my man. For even more fun, do what I did, and throw Ubuntu on it. Stable as a rock, I tells ya.

 

AMF 4ever. -digital


It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no), so it will be disabled for everyone.

That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.

> It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no), so it will be disabled for everyone.
>
> That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.

But some idiot could say "it's safe" while he knows it's infected, thus infecting everything by enabling it.

> > Is this the reason we can't use tags and we can't have custom avatars?
> >
> > And if so, why can we still have sigs?
>
> Yes, I've just disabled img tags and avatars. Images won't show up in sigs either if you try to edit them.

What if the images are changed server-side?

> > It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no), so it will be disabled for everyone.
> >
> > That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.
>
> But some idiot could say "it's safe" while he knows it's infected, thus infecting everything by enabling it.

I think he means disabling viewing them, as everyone can do in their user controls (CP > Options > Board Settings > ... member avatars ...).
