! Windows WMF exploit ! (update 31 Dec)

Opius

There's a brand new exploit found in Windows/IE's image renderer. A malformed WMF image can run any code it likes on your computer if manipulated.

 

Symantec response

 

To put it simply, if you use Windows, you're at risk.

If you're using IE, even loading an infected image can infect you.

If you're using another browser, you're safe from immediate infection, but be warned that the image may still exist in your browser's cache.

 

Any manipulation of an infected image will result in infection. This includes viewing it, allowing Windows to thumbnail it, or even opening the folder it resides in! Exercise extreme caution.

 

HOW TO FIX IT

Update your virus protection. If you don't have one installed, NOD32 Trial Edition with the latest definitions will stop it before it can cause damage.

 

Stop using IE if at all possible.

 

Note that Google Desktop Search WILL TRIGGER the exploit if it tries to scan an infected image. Disable Google Desktop Search.

 

The following methods are untested and MAY cause damage to your system. No responsibility is taken for any damage caused.

Disable the built-in Windows component responsible for viewing WMF files. Go to Start - Run, and type

regsvr32 /u shimgvw.dll

and press Enter.

You can re-enable this by using

regsvr32 shimgvw.dll

but that would be quite silly to do until a patch is released.

 

R1CH of the Something Awful forums has come up with an UNOFFICIAL PATCH.

Here's a patched GDI32 (well, not quite a patch, just a workaround so it isn't possible to jump to arbitrary code). Since GDI32.DLL is constantly in use by Windows, you'll need to find your own tricks to install it. Try closing all apps, running task manager, killing explorer, run cmd prompt (from task manager), close task manager and then replace GDI32.DLL from the cmd prompt. Type 'explorer' to restart the desktop.

 

Possible alternative install method: rename gdi32.dll to gdi32.old, extract patched version, reboot.

 

Use ONLY on a fully patched XP SP2 install. If your gdi32.dll 'file version' (right click, properties) isn't '5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)' or SHA-1 hash fa02573ce6239d1c375db93058810fb968390485 then DON'T use this!

http://r-1.ch/gdi32.zip

 

Ok. Attempt 2. Again, this is ONLY for Windows XP SP2 fully patched systems, with gdi32.dll file version "5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)" and SHA-1 hash fa02573ce6239d1c375db93058810fb968390485.

 

1. Download http://r-1.ch/gdi32.zip

2. Extract to windows/system32/dllcache. Yes to overwrite.

3. Rename windows/system32/gdi32.dll to gdi32.old

4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/

5. Reboot.

 

Press "Cancel" to any Windows File Protection prompts.

 

 

Until Microsoft fixes this, we've disabled avatars, image posting, and such.

 

Update 31 December - I've just run a query to set everybody's preferences to not view sigs, post images, or avatars. Avatars and image posting have been re-enabled, however. So if you feel you're safe from the exploit or are otherwise willing to risk it, you can change your viewing options here. Of course doing this is done at your own risk, we cannot be held responsible if something bad happens, etc.

 

Update 3 January

I just got a PM from Bond996 about a permanent fix.

 

I thought I should inform you of a fix to the current WMF file exploit you posted about. A programmer named Ilfak Guilfanov has come up with a fix that works for 2000, XP Home/Pro/SPx, XP x64, and Server 2003. He has both a vulnerability checker and a patch to fix the solution until Microsoft releases a patch. Please note this does NOT patch 95/98/ME. This patch also allows users to reregister the shimgvw.dll file. It would be great if you could update the announcement to let users know about this fix so that they can get patched. More info on it can be found at Steve Gibson's website. He is a known security expert.

 

Thanks,

Bond

Again, I stress that this is untested by myself, and no-one except yourself will take responsibility for any damage that may occur.
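As an added example (not code from Opius's post or from any tool it mentions), this Python script finds WMF content sitting in a cache or download folder under any file extension, which matters because the post says a cached copy can persist and merely thumbnailing it is enough to trigger the bug. It identifies files by the placeable and standard WMF header fields rather than by extension; the sample cache directory and its three files are constructed inline, and a hit only means "this is a WMF file", not "this file is malicious".

```python
import os
import struct
import tempfile

# Placeable (Aldus) WMF header: 22 bytes, starts with key 0x9AC6CDD7 little-endian,
# then the 18-byte standard METAHEADER: mtType (1 memory, 2 disk), mtHeaderSize (9
# words), mtVersion (0x0100 or 0x0300). Only the header is inspected, not the records.
PLACEABLE_KEY = 0x9AC6CDD7

def classify_wmf(head):
    """Return 'placeable', 'standard' or None from the leading bytes of a file."""
    def is_metaheader(off):
        if len(head) < off + 18:
            return False
        mt_type, mt_size, mt_ver = struct.unpack_from("<HHH", head, off)
        return mt_type in (1, 2) and mt_size == 9 and mt_ver in (0x0100, 0x0300)

    if len(head) >= 4 and struct.unpack_from("<I", head, 0)[0] == PLACEABLE_KEY:
        return "placeable" if is_metaheader(22) else None
    return "standard" if is_metaheader(0) else None

def scan_cache(root):
    """Walk a directory; report every file whose bytes say WMF, whatever its name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify_wmf(fh.read(64))
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if kind:
                hits.append((path, kind))
    return hits

# Constructed samples: standard WMF (header + EOF record), placeable WMF, JPEG stub.
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + b"\x03\x00\x00\x00\x00\x00"
SAMPLE_PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SAMPLE_STANDARD_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(32)

def demo():
    """Constructed cache: a WMF renamed to .jpg, a real .wmf, a genuine JPEG."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in (("photo.jpg", SAMPLE_STANDARD_WMF),
                           ("clip.wmf", SAMPLE_PLACEABLE_WMF), ("real.jpg", SAMPLE_JPEG)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return sorted((os.path.basename(p), k) for p, k in scan_cache(tmp))
```

Point scan_cache at a browser cache or download directory to list candidates for quarantine; the renamed photo.jpg in the demo is the case an extension-based check would miss.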

Spaz

Do you have any idea if other antivirus scanners have updated their definitions for this? I'm currently using AVG.

 

Also, have you noticed any problems using that custom GDI32.DLL?

 

EDIT: Okay, cleared my cache, installed the new dll and about to reboot/scan. I now have stairs in my house.

EmSixTeen
Did the un-registering of the DLL. Cheers.

Opius

Just posted a set of updated instructions for the patched gdi32.dll. See original post.

Justin

Thanks for the heads up. I'm pretty sure my Norton LiveUpdate updated its definitions about thirty minutes ago, but I got Norton to update itself again just in case, so I'm all good.

 

Cheers.

Mxyzptlk

Wow, this must be a big deal to warrant a topic from the staff.

I use Firefox and Norton, hopefully that's sufficient eh? Thanks for the warning.

 

EDIT: also I want to say I've never seen WMF format images. And to help clean up your hard drives I recommend CCleaner.

Cran.

edit: WRONG TOPIC, OOPS

 

Now, thanks for posting this. Thank god I don't use IE.

iRloading
Just started it today. Just over 100 polies.

JPG FORMAT!! NOOOES!!!

Ehm, thanks for the heads-up about the .wmf trigger thingie.

I've spent the whole day getting rid of trojans/spyware/adware on this comp, and another "hidden/dormant" problem is a problem I don't need. >___>

YeTi
Thanks for informing us of this Opie. I have updated my internet security tools; hopefully it has fixed the exploit.

Cam
Thanks a bunch Opius, unregistered the DLL. No system damage as you said, but if you do come across system damage I assume you would still be able to go into safe mode and register the dll again.

Daggdave
Did the un-registering of the DLL. Cheers.

I did too, then realized that now I can't preview any images on my hard drive before viewing them.

Opius

If you absolutely MUST HAVE image previews and are aware of the risks, I've edited the first post with instructions on how to re-enable it.

 

I wouldn't recommend it though.

Demarest
EDIT: also I want to say I've never seen WMF format images.

I try to avoid WM* regardless. Not because of risks, but just because I'm appalled that Microsoft is arrogant enough to devise proprietary formats when functional 3rd party alternatives already prevailed. I mean, who has an issue with JPG? Don't forget this is the same company that took forever and a day to support PNG.

Opius

WMF is a mixed vector/raster format almost exclusively used for clipart. It's ancient, a remnant of the Win95 era.

Xo4
Yay! I now have Firefox plus an antivirus; I should be good.

Crimson.

I have Firefox and Norton 2006; if that does not work I will fight the thing off with a stick.

iamdigitalman

 

iamdigitalman and his Ubuntu Macintosh with Firefox dance around the room.

Sorry, I couldn't help it. windows=sh*t.

iamdigitalman waits for some Windows fanboys to come in here and give him a wedgie.

AMF 4ever. -digital

PresidentKiller

Whatever, I got this Secunia advisory in the morning.

 

http://secunia.com/advisories/18255/

 

Thank God I always have my security software updated and running like a charm. Don't these morons have anything better to do than messing with people's "computer life"?

_cory_

I noticed it said "use only on an SP2 version".

 

What if you don't have SP2?

I Love Anna Kournikova

Is this the reason we can't use tags and we can't have custom avatars?

 

And if so, why can we still have sigs?

PresidentKiller
Is this the reason we can't use tags and we can't have custom avatars?

 

And if so, why can we still have sigs?

I guess that's because the "old" HTML is already stored in the database, so previously posted images will show properly while "new" ones won't.

illspirit
Is this the reason we can't use tags and we can't have custom avatars?

 

And if so, why can we still have sigs?

Yes, I've just disabled img tags and avatars. Images won't show up in sigs either if you try to edit them.

Waddy

I'm not 100% sure what all this is about, but I'd be grateful for any info if anyone could fill me in a little bit more. I have 6 machines running at my office, so if I can stop it then that's good.

 

I have disabled anyway. Thanks for letting us know.

Doku-san

I have Norton System Works 2003.. I hope that's good enough. And who uses Internet Explorer these days anyway?

Screw this, I'm getting a Mac!

iamdigitalman
And who uses Internet Explorer these days anyway?

Well, according to general tryst and his midnight MSN Messenger confessions, he does. Like a damn fool too. And, to make matters worse, he browses "warez" websites. And according to him, he has only gotten "one virus".

Screw this, I'm getting a Mac!

Right on, my man. For even more fun, do what I did, and throw Ubuntu on it. Stable as a rock, I tells ya.

AMF 4ever. -digital

TwoZero

It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no) so it will be disabled for everyone.

That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.

vALKYR
It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no) so it will be disabled for everyone.

That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.

But some idiot could say "it's safe" while he knows it's infected, thus infecting everything by enabling it.

BroDan
I used the Start -> Run method you showed. I dunno how safe that method is, but it disabled it anyway. MS better hurry the f*ck up and patch Windows soon.

Spaz
Is this the reason we can't use tags and we can't have custom avatars?

 

And if so, why can we still have sigs?

Yes, I've just disabled img tags and avatars. Images won't show up in sigs either if you try to edit them.

What if the images are changed server-side?

steve-m
It would be better to disable avatars for everyone by running a MySQL query that sets everyone's user setting for avatar viewing to 0 (no) so it will be disabled for everyone.

That leaves the option that people can enable it again in their controls if they feel they are safe. I'm on Linux running the latest Firefox; I'm not afraid of this.

But some idiot could say "it's safe" while he knows it's infected, thus infecting everything by enabling it.

I think he means disabling viewing them, as everyone can do in their user controls (CP > Options > Board Settings > ... member avatars ...).

