What’s with all the bandwidth? Ah — silly putty!

Last night I was checking our website from home and the connection was brutally slow.  I managed to catch our head of IT via Instant Messenger and he checked into it.

Well, it turns out that a major blog was linking to our Silly Putty Physics Experiment and it was killing the T-3 that our main site is hosted on.  So we moved it over to our new OC-3 and all is fine. I love bandwidth…

So if you were experiencing difficulties with the site last night, you can blame it on silly putty! 

But if you haven’t seen the experiment (conducted back in 2002) it’s worthy of a chuckle. See it here.

Alex Eckelberry

Computer History Museum assembling histories of companies

I recently picked this one up on a Borland alumni list I’m part of — the Computer History Museum is working on a cool project to document the histories of key software companies.

It’s still evolving, but if you worked for any of the companies listed and have some history to share, feel free to contact them.  

The link is here.  Note that it is a work in progress and lots is still being added.

 

Alex Eckelberry

Government cameras

I had the pleasure of attending a Boxing Day dinner last Monday with some British friends, and had an animated discussion with one Brit about the fact that in the UK, practically all of your moves are being recorded on cameras. This started with a discussion of the fact that recently, the UK government has started to catalog and track every vehicle’s whereabouts by camera.

He told me a story that years ago, a number of people in his town started to go out late dressed in costume and do odd capers in front of the cameras in the early hours of the morning. They were careful to do nothing illegal, but it caught the attention of the local press. It was worthy of a chuckle.

This morning, I caught a Wired story on Ted Richardson’s blog about a group of activists in Austria performing various acts of civil disobedience in front of cameras.

From the Wired story:

When the Austrian government passed a law this year allowing police to install closed-circuit surveillance cameras in public spaces without a court order, the Austrian civil liberties group Quintessenz vowed to watch the watchers.

Members of the organization worked out a way to intercept the camera images with an inexpensive, 1-GHz satellite receiver. The signal could then be descrambled using hardware designed to enhance copy-protected video as it’s transferred from DVD to VHS tape.

The Quintessenz activists then began figuring out how to blind the cameras with balloons, lasers and infrared devices.

And, just for fun, the group created an anonymous surveillance system that uses face-recognition software to place a black stripe over the eyes of people whose images are recorded.

Link here via Ted Richardson.

It is something that I’ve said before and something I will continue to repeat: The fear of real or perceived threats has historically been the justification for the biggest assaults on civil liberties.

Do we really want to live in a “safe” society that has cameras on every corner? Do we want our every move watched? Is that an exchange for perceived “protection” that we’re really willing to make? Are we so afraid that we have to destroy our own civil liberties?

Furthermore, who is doing the watching? It’s one thing to have a casino watch your every move, or for airport security officers to keep a watch for terrorists, but it’s another to have some anonymous civil servant observe you on every street corner.

Governments always want more control and more oversight. It’s the nature of government. But that doesn’t mean it’s right.

Alex Eckelberry

Wired on Click Fraud

Wired writes about click fraud. Yes, there is click fraud, but this article includes breathless statements like “It’s search giants against scam artists in an arms race that could crash the entire online economy.” 

Excerpt:

Pay-per-click is the fastest-growing segment of all advertising, reports the Interactive Advertising Bureau. Last year, Yahoo! alone ran more than 250 million individual listings, according to Michael Egan, the company’s search-marketing director of content strategy. Yahoo! doesn’t break out PPC earnings separately in its financial statements, but Goldman Sachs analyst Anthony Noto believes that keyword advertising accounted for about half of the company’s estimated $3.7 billion in revenue for 2005. PPC is even more lucrative for Google. According to Noto, Google will end 2005 with $6.1 billion in revenue. About 99 percent of that revenue comes from keyword ads (over 56 percent from AdWords, according to the company’s most recent quarterly financial statement, and 43 percent from AdSense), making Google a bigger recipient of ad dollars than any television network or newspaper chain. All of which is to say that little blue text links, a type of advertising that barely existed five years ago, are poised to become the single most important form of marketing in the US – unless click fraud ruins it.

Article link here via John Battelle.

Alex Eckelberry

Snort rules for WMF exploit updated

Just a reminder that if you are using Snort rules for this exploit, check for updates.  Bleeding-Edge Snort has posted a newer one here.  Also if you are using Snort rules in the free Sunbelt Kerio Personal Firewall, update your signatures to the latest (simply append them to the file “bad-traffic.rlk” in the Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules folder).

Alex Eckelberry

Microsoft clarifies “DEP” issue

Earlier I had written that in our preliminary tests, hardware-enforced DEP was effective at blocking the new WMF file exploit.  Software-enforced DEP was not.

However, some were having difficulties making it work.  In one case, for example, a fellow security researcher had to use a different switch in DEP than we had used. Another had problems getting DEP itself to even work at all, instead having to set a manual switch in the boot.ini file — and even then we’re not sure it stops the exploit.

It’s a pretty important issue, because if hardware-enforced DEP is a way to protect against the exploit, it would put a lot of people’s minds at ease.  So fellow security researcher George Ou asked Microsoft, and got a response this evening from a Microsoft spokesperson, which he kindly forwarded to me.   

“Microsoft has continued to investigate the use of software-enforced Data Execution Prevention (DEP) to mitigate the Windows Meta File vulnerability for Windows XP Service Pack 2 users.  As a result of this investigation, we have updated our guidance regarding DEP to say that some hardware-based DEP, when enabled, can mitigate this vulnerability; however, software-based DEP does not mitigate this vulnerability.”

They’ve updated their advisory, and now say the following:

I have DEP enabled on my system, does this help mitigate the vulnerability?
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled: please consult with your hardware manufacturer for more information on how to enable this and whether it can provide mitigation.

That is fairly useless, but at least they have clarified that, as we’ve earlier stated, software-enforced DEP doesn’t work at all.

Conclusions:

  • Software-enforced DEP doesn’t work against this thing.
  • Hardware-enforced DEP probably works but don’t count on it.   If you’re going to try it, use the option of “Turn on DEP for all programs and services except those I select”.  Do not rely on this for protection.

In the end, there are only a few recommendations I can give you for this exploit until Microsoft fixes it.

Basic, easy fixes:

UPDATE:  Houston, we have an unofficial hotfix!   Install Ilfak Guilfanov’s patch.  Link here.  CAVEATS HERE.

1. Have AV protection in place.   On a budget? See my article, Security on the Cheap, here.

2. To be safe, unregister SHIMGVW.DLL.  It is not a perfect fix, though.

3. Run IESPYAD. 

IESpyad is a free tool that puts block lists into IE’s restricted sites zone.  It’s managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here.

Additional fixes for the more advanced user:

4. Use our free Kerio firewall with added Snort rules.  This is highly effective.

5. If you’re an administrator, filter common file extensions at the perimeter, like BMP, DIB, EMF, etc. See SANS here.  Just blocking WMF files is not a full solution, as Windows goes by the header info for the file, not the extension (so one could rename a WMF file to GIF and it would still go through if you weren’t blocking GIF images).

6. It’s not a panacea, but by all means, if you have hardware-enforced DEP, make sure it’s enabled. I would be safe and enable “Turn on DEP for all programs and services except those I select”.  In our test systems, it works fine but I wouldn’t bet on it for all systems, and it may not even work with all variants.  (If you’re technical and hyper-anal, you could always test for DEP and adjust switches in boot.ini.).  Again, this is not a guaranteed fix.

Wow, quite a list, eh?  

Alex Eckelberry

The DEP controversy

I admit I’m getting rather tired of talking about this WMF exploit and hope to stop writing about it soon.  But because we were the first security company to break the story, a lot of people have been coming to this blog and we feel we have a responsibility to keep people updated.

Last night I blogged about the fact that based on our tests hardware-enforced DEP seems to mitigate this WMF exploit.   I was surprised no one had written about this before and felt that we had an obligation to share our tests results. I had already posted other workarounds but this was a new twist.

I did make the caveat that this was based on preliminary research.   And now we find there is at least one differing opinion out there.

A little history: I first got curious about this a few days ago when Microsoft posted their Security Advisory 912840 on this exact exploit, where they said:

I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.

I was baffled by Microsoft’s statement, which directly contradicted our own test results.  And then there was the word “mitigate”, which means to lessen the impact of something.  Hey, you can’t mitigate this thing.  It either happens or doesn’t.

I checked with one of our researchers and the answer back was that hardware-enforced DEP seemed to be doing the trick, but not software-enforced DEP.  Yesterday, we ran tests which confirmed that this was the case on our test systems.  A system that had hardware-enforced DEP (available on newer processors) was stopping the exploit.  But software-enforced DEP was not doing the trick.

So we wrote about it, and an expert over at PC Doctor also confirmed that hardware-enforced DEP was doing the trick.  PG over at VitalSecurity has also confirmed it works on his test system.

Obviously, we didn’t test it on thousands of machines, so it’s really preliminary research and that’s why I made that caveat in my blog. 

Enter George Ou from ZDNET. On his test system, DEP didn’t stop the exploit, and he blogged about it.    (Update:  It ultimately did work for him, but he had to change his settings.  More at his blog.)

Look, all I can say is that on our test systems, it worked.   And others will confirm these results on their systems.

Security is like a pitched battle.  Things are moving  very quickly, information is coming in from all directions, confusion reigns as you get differing reports, and so you’re constantly trying to assess the best data. I’m sorry it’s not all perfect, but that’s the world of security software.

The best thing you can do to protect yourself from this exploit is a) keep your AV program updated and b) unregister shimgvw.dll (itself not a foolproof solution).  You can also use our free Kerio firewall with added Snort rules to block it.

And ultimately, the best solution is for Microsoft to just fix this damn thing. At least then I can stop writing about it and go back to writing about my other favorite things.

Alex Eckelberry

IMPORTANT UPDATE: George Ou emailed me to tell me that he was ultimately able to make hardware-enforced DEP actually work on his system to stop the exploit, but he had to set DEP to “all programs and services”.

Here are some observations:

  • Microsoft says that software-enforced DEP will “mitigate” this exploit.  We have concluded that this is an incorrect statement.  
  • While we are able to stop the exploit using hardware-enforced DEP, and others have reported similar success, the fact that George Ou had to change his setting to make it work is of concern.  Additionally, I have spoken with Dave Methvin (a reputable authority) and he has had difficulties getting hardware-enforced DEP to work on his AMD64.  More details on that later.

CONCLUSION:  Do not rely on any variant of DEP at all as a protection mechanism against this exploit.  

A note on DEP and the WMF exploit

Update: This is NOT a guaranteed fix.  See latest.

Based on preliminary research, we’re finding that systems with software-enforced DEP will get the WMF exploit, but systems with hardware-enforced DEP will not.   However, your results may vary, so don’t take this as gospel.

For those of you unfamiliar with DEP, Microsoft explains it well:

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.

DEP is installed by default with Service Pack 2.  However, in order to get the full capabilities of DEP, you will need to have a processor that supports these advanced features (this is called hardware-enforced DEP). 

For example, the processor in my newer Dell Inspiron Optiplex (bought sometime in the last 12 months) has hardware-enforced DEP and I don’t get the exploit (I test in VMware). Instead, I get this message:

[screenshot: DEP warning dialog]

However, my Dell home system (purchased last winter) does not have hardware-enforced DEP and I get the exploit on it.

Here’s how to see if you have hardware- or software-enforced DEP:

Right click on My Computer, choose Properties, then Advanced.  Then, under Performance, choose Settings.  (Alternatively, go to the Control Panel, and if you’re in Classic View, choose System, then Advanced.  If you’re running in Category View, choose Performance and Maintenance, and then System.)

[screenshot: Performance Options dialog]

You’ll see a tab for Data Execution Prevention. 

If your processor supports DEP, you’ll see something like the following. Update: You’ll want to choose the option of Turn on DEP for all programs and services except those I select just to be sure.

[screenshot: Data Execution Prevention tab, hardware-enforced DEP available]

If your processor doesn’t support DEP (in other words, you only have software-enforced DEP), you’ll see something like this:

[screenshot: Data Execution Prevention tab, software-enforced DEP only]
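The dialog above shows the policy; the same setting lives in boot.ini as the /noexecute switch, which is what the earlier posts mean by “adjust switches in boot.ini”. As an added example (not code from the original post or from Microsoft), here is a small Python parser that reads a boot.ini and reports the configured DEP policy for each boot entry. The boot.ini text is constructed for illustration. The four /noexecute levels are the ones XP SP2 documents: OptIn is the SP2 default, OptOut is what the dialog calls “Turn on DEP for all programs and services except those I select”, AlwaysOn and AlwaysOff are the unconditional settings, and the separate /execute switch turns DEP off. Note the caveat that matters for this exploit: the file only says what is configured, not whether the CPU can enforce it. On a processor without NX support the same policy gives you only software-enforced DEP, which these posts found useless here.

```python
"""Read the DEP policy configured in a Windows XP SP2 boot.ini.

Added example, not from the original post.  The boot.ini text is constructed;
the /noexecute levels are the four that XP SP2 documents.  This reports what
is configured, not whether the processor can enforce it.
"""
import re

# /noexecute= levels and their meaning on XP SP2.  "optout" is what the
# System Properties dialog calls "Turn on DEP for all programs and services
# except those I select".
NOEXECUTE_LEVELS = {
    "optin": "DEP for core Windows programs and services only (SP2 default)",
    "optout": "DEP for all programs and services except an exception list",
    "alwayson": "DEP for everything, no exceptions",
    "alwaysoff": "DEP disabled",
}

# Constructed sample: three entries for the same install with different switches.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="XP, DEP for all programs" /noexecute=OptOut /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="XP, DEP off" /execute /fastdetect
"""

_ENTRY = re.compile(r'^\s*"([^"]*)"\s*(.*)$')   # "Display name" /switch /switch ...


def dep_level(switches):
    """Map an entry's boot switches to a /noexecute level (lower-case)."""
    level = "optin"                      # assumed when no switch is present: SP2 default
    for sw in switches.split():
        sw = sw.lower()
        if sw.startswith("/noexecute="):
            level = sw.split("=", 1)[1]
        elif sw == "/execute":           # /execute disables DEP entirely
            level = "alwaysoff"
    return level


def parse_boot_ini(text):
    """Return one dict per [operating systems] entry with its DEP policy."""
    entries, default_arc, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")   # split at the FIRST '=' only
        if not sep:
            continue
        if section == "boot loader":
            if key.strip().lower() == "default":
                default_arc = value.strip()
        elif section == "operating systems":
            m = _ENTRY.match(value)
            if not m:
                continue
            level = dep_level(m.group(2))
            entries.append({
                "arc": key.strip(),
                "name": m.group(1),
                "level": level,
                "meaning": NOEXECUTE_LEVELS.get(level, "unknown level " + level),
                "all_programs": level in ("optout", "alwayson"),
                "is_default": key.strip() == default_arc,
            })
    return entries


def default_entry(text):
    """The entry the boot loader picks when the timeout expires, or None."""
    for e in parse_boot_ini(text):
        if e["is_default"]:
            return e
    return None


if __name__ == "__main__":
    for e in parse_boot_ini(SAMPLE_BOOT_INI):
        flag = "DEFAULT " if e["is_default"] else "        "
        print(f"{flag}{e['name']!r}: {e['level']} - {e['meaning']}")
```

Run it against a real boot.ini (for example, `parse_boot_ini(open(r"C:\boot.ini").read())` on an XP SP2 machine) and look at the entry flagged as default: if its level is optin, the DEP tab will show the first radio button selected and only core Windows binaries are covered, which is not the setting these posts used in their tests.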

 

Alex Eckelberry

IMPORTANT UPDATE:  This is absolutely not a foolproof solution, but it’s free and it’s not hard to implement.  See my latest blog on this subject.

Exfol/WebExt using WMF exploit on rotational popups

Errata:  In the original blog, credit was accidentally given to the incorrect person for providing us with the info that Exfol was using this exploit.  Correct credit goes to Dan Hubbard/WebSense.  And thanks, Gadi Evron.

Exfol/WebExt is a piece of adware that is often offered through popup ads at various sites.   This means they buy advertising through an advertising network (a “third party ad network”) which then places Exfol’s ads on various websites.

We originally saw mention of Exfol using this exploit on a private expert spyware discussion list, and knowing Exfol’s behaviour (we had been researching them earlier), we went to a site where we knew their popup ads were often placed.  Well, there was an Exfol popup spawning the exploit.

Ok, here is why this is bad.  You don’t have to go to a crack site or a porn site.  If you go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.

[screenshot: Wallpapers4u page with the exploit popup]

I have a video taken by Sunbelt Researcher Patrick Jordan to show the point here.  The exploit is not coming off of Wallpapers4u(dot)com.  It’s coming from a popup generated by a third party ad network.

As an aside, we were also given a link to a place where you can see how well Exfol is doing.  Business looks good (note that these are Exfol’s general download stats, not just installs via the WMF exploit):

Daily statistics 
Date Hits
12/29/2005 192,487
12/28/2005 322,857
12/27/2005 316,617
12/26/2005 277,103
12/25/2005 271,639
12/24/2005 292,915
12/23/2005 349,438
12/22/2005 696,507
12/21/2005 608,402
12/20/2005 503,861
12/19/2005 501,661
12/18/2005 112,855
12/17/2005 320,787
12/16/2005 445,630
12/15/2005 468,806
12/14/2005 531,140
12/13/2005 576,974
12/12/2005 530,167
12/11/2005 435,616
12/10/2005 454,213
12/9/2005 513,488
12/8/2005 404,149
12/7/2005 446,025
12/6/2005 497,170
12/5/2005 426,465
12/4/2005 378,563
12/3/2005 375,680
12/2/2005 353,507
12/1/2005 413,862
11/30/2005 370,949
11/29/2005 274,809
11/28/2005 183,754
11/27/2005 27,761
11/24/2005 20,849
11/23/2005 153,974

 

Alex Eckelberry
1/4 Update:  The Wallpapers4u(dot)com site no longer appears to have this popup.   But it does try to push you to install adware…  Exfol has also disappeared…

It’s a tough life in Florida

A break from WMF exploits and the like: Our creative director, Robert LaFollette, took his holiday vacation in the Florida Keys (Sunbelt is in the Tampa area, so the Keys are south of us, about an 8 hour drive).  Of course, he took lots of pictures and you can see them here.  And you can read his blog of it here.


Of course, this ties right into my current recruiting campaign.  Yes, I have no shame.

But by all means, enjoy the pictures.

Alex Eckelberry

Protect yourself from the WMF exploit using the Sunbelt Kerio Firewall

Our friends over at Bleeding-Edge Snort http://www.bleedingsnort.com/ have posted a Snort rule to block Windows Metafiles (WMF) carrying this exploit. We have tested this with our Kerio Firewall product and it does indeed work and blocks the exploit traffic we have tested it against.

The following Bleeding-Edge Snort rules, when implemented into Sunbelt Kerio Personal Firewall, have been successful in blocking different variations of the WMF (Windows Metafile) exploit:

alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

(The hex byte patterns must be enclosed in pipes, as above, and the quotes must be straight ASCII quotes; without the pipes Snort would look for the literal text “01 00 09 …” and the rules would never fire.)

UPDATE: Snort rules are updated regularly, so check here for the latest signatures.

You can add these rules into the “bad-traffic.rlk” file located at: C:\Program Files\Sunbelt Software\Personal Firewall 4\Config\IDSRules
NIPS (Network Intrusion Prevention System) must be enabled.

And you must restart the Sunbelt Kerio Firewall Service or reboot for these rules to take effect.

These rules work in the Free or Full version of Sunbelt Kerio Firewall.

Cheers,

Eric Sites
VP of Research & Development

Preliminary settlement for Sony suit

Girard Gibbs and Kamber and Associates sued Sony BMG, First 4 Internet and SunnComm International last month in regard to the Sony rootkit mess.

We have obtained a copy of a preliminary settlement that was filed today seeking judicial approval for a settlement in the Sony case.

The proposed settlement is as follows:  

Under the terms of the settlement, Defendants agree to:

• stop manufacturing SONY BMG CDs with XCP software (“XCP CDs”) and SONY BMG CDs with MediaMax software (“MediaMax CDs”);

• immediately recall all XCP CDs;

• provide software to update and uninstall XCP and MediaMax content protection software from consumers’ computers;

• ensure that ongoing fixes to all SONY BMG content protection software are readily available to consumers;

• implement consumer-oriented changes in operating practices with respect to all CDs with content protection software that SONY BMG manufactures in the next two years;

• waive specified provisions currently contained in XCP and MediaMax software End-User Licensing Agreements (“EULAs”);

• refrain from collecting personal information about users of XCP CDs or MediaMax CDs without their affirmative consent; and

• provide additional settlement benefits to Settlement Class Members including cash payments, “clean” replacement CDs without content protection software, and free music downloads.

Much more reading in the proposed settlement, which you can read here.

 

Alex Eckelberry  

 

Microsoft post: “Possible Windows Vulnerability”

Latest post from Microsoft on the WMF exploit that’s capturing everyone’s attention:

New Security Advisory for Possible Windows Vulnerability

Hi everyone, Stephen Toulouse here. Just wanted to make sure everyone is aware that this evening the MSRC posted a security advisory regarding a possible vulnerability affecting the Graphics Rendering Engine in Windows.  The MSRC has made some additional information and guidance available to customers which you can read more about here.

Link here.

Possible vulnerability?   Umm… ok.

We go to the Security Advisory itself and see this:

Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.

But then later, we get the difference between the PR spin and the real data — because this was obviously written by a real person:

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.

They also mention what we’ve been saying — that one attack vector is through email…

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.

It’s worth reading the advisory, here.

Alex

 

Workarounds for the WMF exploit

UPDATE: 

Houston, we have an unofficial hotfix!   Install Ilfak Guilfanov’s patch.  Link here.  You will need to remember to uninstall it after Microsoft releases its patch.  Frequently Asked Questions here. Caveat — this is an unofficial, unsupported fix. However, it has been broadly tested by many in the Internet community and we recommend it as a temporary solution.

Many AV engines are doing a great job of keeping on top of this thing.  Between this simple hotfix and keeping your AV signatures up to date, you should be just fine. 

Need AV but on a budget?  My recommendations for free security tools are here.

The rest of the blog posting (below) has additional workarounds but with these two fixes in place, it’s largely irrelevant.

—————

For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated defs, here are some workarounds.   

Basic, easy fixes

Unregister SHIMGVW.DLL. 

This is your best workaround for the time being (realizing that nothing is perfect).    As CERT says, “Remapping handling of Windows Metafiles to open a program other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent exploitation via some current attack vectors. However, this may still allow the underlying vulnerability to be exploited via other known attack vectors.” 

There’s also this caveat.

At any rate, here’s how you do it:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended, although the change takes effect without one and persists across reboots (it stays in place until you re-register the DLL).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE. 

However, it is not the most elegant fix.  You’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply type “REGSVR32 SHIMGVW.DLL” to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well. 

Change file associations for WMF files. 

Note that if a WMF file was spoofed to look like it was a different type of file (like GIF), this fix wouldn’t do anything.  So it’s a pretty weak workaround. At any rate, here it is:

    a)  Go to My documents, Tools, Folder Options, File Types.
    b)  Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  I really don’t recommend bothering with this solution. Ugly and not as effective as unregistering SHIMGVW.DLL. 

Run IESPYAD. 

IESpyad is a free tool that puts block lists into IE’s restricted sites zone.  It’s managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here.  Also, see Eric’s comments here.

If you don’t have AV in place, get it.  If you have it, update it.

If you’re on a budget, see my article, Security on the Cheap.

Additional fixes for the more advanced user:

Add Snort rules to the free Sunbelt Kerio Personal Firewall.

This is probably way too technical for most, but you can add Snort rules to the free Sunbelt Kerio Personal Firewall to block this exploit.  Link here. It looks hard, but it’s actually not that difficult and it is pretty effective.

Use hardware-enforced DEP.

Again, way too technical for most, but enabling hardware-enforced DEP may help (but it may not always work for this exploit). It’s free, so no harm in doing it.  Software-enforced DEP is useless, so don’t bother.

Administrators: Filter graphic files at the perimeter.

If you’re an administrator, filter common file extensions at the perimeter, like BMP, DIB, EMF, etc. See SANS here.  Just blocking WMF files is not a full solution, as Windows goes by the header info for the file, not the extension (so one could rename a WMF file to GIF and it would still go through if you weren’t blocking GIF images).
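As an added example (not code from the original post, Bleeding-Edge Snort or Sunbelt), here is a Python scanner that makes the perimeter point above concrete: it classifies a file by its bytes, so a WMF renamed to .gif is still caught. It decodes the same bytes the Bleeding-Edge rule quoted in the Kerio firewall post looks for: “01 00 09 00 00 03” is the standard metafile header (type 1, header size 9 words, version 0x0300), and “26 06 09 00” is a META_ESCAPE record (function 0x0626) whose escape number is 9, the SetAbortProc escape that this exploit abuses. The scanner goes a little further than the rule: it also accepts type 2 and version 0x0100 headers, which GDI renders just the same, and it steps over an optional placeable header, so a file that tweaks those bytes to dodge the signature still gets parsed. The sample files are constructed; the “suspect” one contains only an escape record with filler bytes, not a working exploit.

```python
"""Header-based WMF scanner: flags files carrying a SetAbortProc escape record.

Added example, not code from the original post, Bleeding-Edge Snort or Sunbelt.
The sample files below are constructed; the suspect one holds an escape
record with filler bytes, not a working exploit.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header (little-endian)
META_EOF = 0x0000
META_ESCAPE = 0x0626           # the "26 06" in the Bleeding-Edge rule
SETABORTPROC = 0x0009          # the "09 00" that follows it


def wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Yields nothing if the bytes do not start with a metafile header, so a
    real GIF (or anything else) simply produces no records.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                     # skip the placeable header
    if len(data) < off + 18:
        return
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # The Snort rule matches only type 1 / version 0x0300 ("01 00 09 00 00 03");
    # GDI also accepts type 2 and version 0x0100, so check the looser set.
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return
    off += 18                                        # past the 18-byte METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                           # size counts its own 6 bytes
            break
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape number is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def verdict(filename, data):
    """Classify by content only; the file name is carried along but never trusted."""
    if not any(True for _ in wmf_records(data)):
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc(data) else "wmf"


# --- constructed samples ----------------------------------------------------
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _metafile(records):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                       0, max_words, 0) + body


BENIGN_WMF = _metafile([_record(0x0103, struct.pack("<H", 8)),      # META_SETMAPMODE
                        _record(META_EOF)])
# escape number 9, a 4-byte count, then filler: enough to trip the detector, nothing more
SUSPECT_WMF = _metafile([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"XXXX"),
                         _record(META_EOF)])
PLACEABLE_SUSPECT_WMF = (struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0)
                         + SUSPECT_WMF)
GIF_HEADER = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("photo.wmf", BENIGN_WMF), ("cute.gif", SUSPECT_WMF),
                       ("banner.wmf", PLACEABLE_SUSPECT_WMF), ("real.gif", GIF_HEADER)]:
        print(name, verdict(name, blob), find_setabortproc(blob))
```

The interesting line of output is “cute.gif wmf-setabortproc [18]”: the extension says GIF, the bytes say metafile with an escape record, and that is what Windows acts on. A perimeter filter that keys on extensions, or a signature that insists on exactly the six header bytes in the Snort rule, misses both of those cases.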

 

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)

More on the nasty WMF exploit

Word on this nasty new exploit is getting around.

Our friends at F-Secure (who are enjoying a wonderful warm Helsinki winter) also posted on this nasty new exploit.  Link here.  Secunia also writes here.

eWeek also wrote about it, here.

And for some humorous side color: I noticed this amazing quote in the eWeek article from Pete Lindstrom at Spire Security:

Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug’s severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.

“There’s no such thing as ‘extremely critical’ when user interaction is required,” Lindstrom said. “That’s just silly.”

Wow.  I sent Peter an email with a link to a website that has this exploit and his response was as follows:

Hi, Alex – it is my understanding that the vuln still requires an end user (target) to actually do something, like click on a link. If that is the case, then my quote is accurate. Don’t worry, you’ll still sell your software 😉

<sigh> 

The only thing you need to do is actually visit a site carrying the nasty and you get it.  In my mind, that makes it a pretty critical vulnerability.  You go to a site that hosts this exploit, you get hit.  It’s not necessarily done through social engineering…

 

Alex Eckelberry

More than 50 WMF variants in the wild using zero day exploit

Sunbelt researchers have come across more than 50 new variants of Windows Metafiles (WMF) using the new zero-day exploit.

Most of these new variants are coming from Iframeurl [dot] biz but here is a list of other websites using this exploit you should block from your network ASAP.

m.cpa4 [dot] org
008k [dot] com
mscracks [dot] com
keygen [dot] us
dailyfreepics [dot] us
pornsites-reviews [dot] com
mmxo.megaman-network [dot] com
600pics [dot] com
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
Buytoolbar [dot] biz
teens7 [dot] com

This exploit is very interesting in that it affects not just Microsoft Internet Explorer but most browsers and ordinary applications that handle or display WMF graphics. Yesterday only a few of the websites we monitor used this exploit, but now that number is exploding.

What does this mean?

The number of attack vectors is enormous. Take, for example, the latest craze of posting spam in blog talkbacks. How would you like to be reading your favorite blog, click the talkback link and get infected so badly that your only option is to reinstall your operating system?

Another potential vector would be spam delivered to say all hotmail accounts or other web based email systems.

Let’s hope Microsoft gets a patch out quickly!!

Cheers,

Eric Sites
VP of Research & Development

New exploit blows by fully patched Windows XP systems

We saw a new nasty exploit yesterday around 5:00 PM. This is a totally new exploit and is not the same one posted by FrSIRT back on 11/30/05.

We have a number of sites that we have found with this exploit. Different sites download different spyware. We only had a handful of websites using this new exploit but now we are seeing many more using this to install bad stuff. These image files can be modified very easily to download any malware or virus.

I hit one site with a fully patched XP system last night and it was pretty intense—it went right through and infected my machine with this happiness:

[screenshot of the resulting infection]

SecurityFocus just posted a bulletin on it.

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.

Link here.

Any application that automatically displays a WMF image can get the user’s machine infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all versions of Windows.

Our security response team is working on this as I write and so the situation is unfolding. We have notified Microsoft and will release more details under our Responsible Disclosure policy and as we get more information.

Folks, I’ve seen it with my own eyes and this is a really bad exploit. Be careful out there.

Alex Eckelberry

Why is the White House not allowing search engines to download content?

Webmasters who want to tell search engines what they can or can’t download simply place a file called robots.txt at the root of their domain with instructions for the search engine (explanation here).

Something interesting was reported today by Richard Smith on funsec.

Why is the White House using such a large robots.txt file to disallow so much?  You can see it here.

# robots.txt for http://www.whitehouse.gov/

User-agent: *
Disallow: /cgi-bin
Disallow: /search
Disallow: /query.html
Disallow: /help
Disallow: /360pics/iraq
Disallow: /360pics/text
Disallow: /911/911day/iraq
Disallow: /911/911day/text
Disallow: /911/heroes/iraq
Disallow: /911/heroes/text
Disallow: /911/iraq
Disallow: /911/messages/text
Disallow: /911/patriotism/iraq
etc….

Odd.

Alex Eckelberry 

Update: Comment from David helps to explain it: “This has been mentioned a couple of times previously on other sites. They’ve been burned by having search accessible documents (with meta data) that can’t be found on the White House Web site. Thus the extensive block list. Now *only* those things that are actually on the web site are accessible (and only through the web site).”