Symantec warns of more WMF glitches
Days after Microsoft rushed out a patch for the extremely critical Windows Meta File (WMF) flaw, Cupertino, Calif.-based AV giant Symantec Corp. is warning
"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."
Symantec said the first vulnerability is triggered "when the 'WMFRECORD.Function,PlayMetaFileRecord' value of the WMFRECORD structure is set to 0xff followed by supplying malicious values for 'Parameters.All_PointtStruct_Num' and 'PointtStruct.PointNum.' This causes the 'PointtStruct' structure to trigger an access violation error."
The firm said the second issue is triggered "when a large value such as 0xffff is supplied to the 'cbInput' parameter and a small value is supplied to 'szInData' parameter of the 'ExtEscape' function. This also causes an access violation error."
These problems appear when a user views a malicious WMF-formatted file containing specially crafted data, Symantec added. The vulnerabilities are triggered when a file is parsed, which typically happens when an image is displayed, printed or used as a thumbnail.
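Both issues Symantec describes fit one defect class: a count carried inside a metafile record (a number of points, an escape byte count) is trusted by the parser without being checked against the length of the record that carries it. The walker below is an added example, not Symantec's analysis and not Microsoft's GDI code. It uses the public WMF record layout (DWORD rdSize in 16-bit words, WORD rdFunction, then parameters) and the standard function numbers for META_POLYGON, META_POLYLINE, META_ESCAPE and META_EOF; mapping the advisory's point-count and 'cbInput' fields onto the polygon point count and the escape byte count of those public records is an assumption made for illustration. The sample record streams are constructed for this example, not taken from real files.

```c
/*
 * Added example (not Symantec's analysis and not Microsoft's GDI code):
 * a bounds-checked walker over the record stream of a WMF file. It shows
 * the defect class the advisory describes, a count carried inside a record
 * (number of points, escape byte count) that is trusted without being
 * checked against the record's own length. Sample byte strings below are
 * constructed for this example, not taken from real malicious files.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record function numbers from the WMF specification. */
#define META_EOF      0x0000
#define META_POLYGON  0x0324
#define META_POLYLINE 0x0325
#define META_ESCAPE   0x0626

enum wmf_status { WMF_OK = 0, WMF_TRUNCATED, WMF_BAD_SIZE, WMF_BAD_COUNT };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | ((uint16_t)p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Validate one record at p with len bytes left in the buffer.
 * Layout: DWORD rdSize (in 16-bit words, includes itself), WORD rdFunction, WORD rdParm[].
 * On success stores the record length in bytes in *consumed. */
static enum wmf_status check_record(const uint8_t *p, size_t len, size_t *consumed)
{
    if (len < 6) return WMF_TRUNCATED;
    uint32_t size_words = rd32(p);
    uint16_t func = rd16(p + 4);
    /* First check: the record itself must fit in what is left of the file. */
    if (size_words < 3 || size_words > len / 2) return WMF_BAD_SIZE;
    size_t parm_bytes = (size_t)size_words * 2 - 6;   /* bytes available for rdParm[] */
    const uint8_t *parm = p + 6;

    switch (func) {
    case META_POLYGON:
    case META_POLYLINE: {
        /* rdParm: WORD NumberOfPoints, then that many 4-byte POINTS. */
        if (parm_bytes < 2) return WMF_TRUNCATED;
        uint16_t npoints = rd16(parm);
        if ((size_t)npoints * 4 > parm_bytes - 2) return WMF_BAD_COUNT;  /* count exceeds record */
        break;
    }
    case META_ESCAPE: {
        /* rdParm: WORD EscapeFunction, WORD ByteCount, then ByteCount data bytes. */
        if (parm_bytes < 4) return WMF_TRUNCATED;
        uint16_t byte_count = rd16(parm + 2);
        if (byte_count > parm_bytes - 4) return WMF_BAD_COUNT;  /* byte count exceeds data present */
        break;
    }
    default:
        break;  /* other record types: only the outer size check applies here */
    }
    *consumed = (size_t)size_words * 2;
    return WMF_OK;
}

/* Walk the record stream that follows the 18-byte METAHEADER.
 * Returns WMF_OK only if every record is well-formed up to META_EOF. */
enum wmf_status walk_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        size_t n;
        enum wmf_status st = check_record(buf + off, len - off, &n);
        if (st != WMF_OK) return st;
        if (rd16(buf + off + 4) == META_EOF) return WMF_OK;
        off += n;
    }
    return WMF_TRUNCATED;  /* ran out of bytes before META_EOF */
}

/* Constructed sample record streams (little-endian), each ending in META_EOF. */
static const uint8_t SAMPLE_OK[] = {           /* POLYGON with 3 points, 10 words */
    0x0A,0,0,0, 0x24,0x03, 0x03,0x00, 0,0,0,0, 0x0A,0,0,0, 0x0A,0,0x0A,0,
    0x03,0,0,0, 0x00,0x00 };
static const uint8_t SAMPLE_BAD_POINTS[] = {   /* same record, point count forced to 0xFFFF */
    0x0A,0,0,0, 0x24,0x03, 0xFF,0xFF, 0,0,0,0, 0x0A,0,0,0, 0x0A,0,0x0A,0,
    0x03,0,0,0, 0x00,0x00 };
static const uint8_t SAMPLE_BAD_ESCAPE[] = {   /* ESCAPE claiming 0xFFFF data bytes, none present */
    0x05,0,0,0, 0x26,0x06, 0x01,0x00, 0xFF,0xFF,
    0x03,0,0,0, 0x00,0x00 };
static const uint8_t SAMPLE_BAD_SIZE[] = {     /* rdSize far larger than the buffer */
    0xFF,0xFF,0xFF,0x7F, 0x24,0x03, 0x01,0x00, 0,0,0,0,
    0x03,0,0,0, 0x00,0x00 };

int main(void)
{
    printf("ok: %d bad_points: %d bad_escape: %d bad_size: %d\n",
           walk_records(SAMPLE_OK, sizeof SAMPLE_OK),
           walk_records(SAMPLE_BAD_POINTS, sizeof SAMPLE_BAD_POINTS),
           walk_records(SAMPLE_BAD_ESCAPE, sizeof SAMPLE_BAD_ESCAPE),
           walk_records(SAMPLE_BAD_SIZE, sizeof SAMPLE_BAD_SIZE));
    return 0;
}
```

The two checks that matter are the ones a crashing parser skips: the record's own rdSize must fit in the bytes that remain, and every count inside the record must fit in the bytes that record actually carries. A parser that does the first but not the second still walks off the end of the buffer on the second and third samples.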
Fortunately, Symantec is not aware of any exploits for these issues. The firm recommended the following steps to blunt the flaws' impact:
- Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
- Do not allow untrusted individuals to have local access to computers.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
- Do not accept or execute files from untrusted or unknown sources.
- Do not follow links provided by unknown or untrusted sources.
- Disabling client support for HTML e-mail may limit exposure to this attack vector.
Two accused of bogus spyware claims settle with FTC
Two organizations -- Spyware Assassin and Trustsoft -- that promoted spyware detection products by making bogus claims have agreed to settle Federal Trade Commission (FTC) charges that their claims were deceptive and violated federal law, the FTC said in a statement. "Each operation claimed to detect spyware, even when there was not any, and then sold consumers antispyware software that either did not work or did not work as advertised," the FTC said.
The settlements require that the defendants give up nearly $2 million in "ill-gotten gains" and prohibit deceptive claims. One set of defendants will be barred from selling or marketing any antispyware product or service in the future, the FTC added.
In March 2005 the FTC charged that Spyware Assassin and its affiliates used Web sites, e-mail, banner ads and pop-ups to drive consumers to the Spyware Assassin Web site. Consumers were told the Web site "scanned" consumers' computers at no cost to determine whether they were infected with spyware. The results of the "scans" were positive, often falsely, and the site warned consumers that they had spyware installed on their systems, the commission said in its statement.
In June 2005, the FTC charged an unrelated operation, Trustsoft, with using similar tactics to sell its "SpyKiller" software. The FTC alleged the defendants sent pop-up and e-mail messages informing consumers that their computers had been remotely "scanned" and that spyware had been "detected," even though defendants had not performed any such scans. The defendants urged consumers to access the SpyKiller Web site to get "free scans" for spyware, the FTC statement said.
U.S. district courts ordered a halt to the deceptive practices of both operations, pending trials. The FTC said settlements announced this week end those lawsuits.
Sober explosion fails to materialize
Malicious code-watchers were on edge last week as they waited for an expected attack from the prolific Sober worm family. But so far, cyberspace appears to have dodged a bullet.
The Sober attack was predicted last month by iDefense Security Intelligence Services, a division of Mountain View, Calif.-based VeriSign Inc. At the time, iDefense said it had discovered hard-coded commands within the recent Sober-X variant that were programmed to launch a new wave of Sober assaults Thursday, Jan. 5, 2006. But as of Tuesday, no attack had materialized.
"We've been monitoring the locations of the files that infected machines are now trying to download. So far none of them have activated," Finnish firm F-Secure Corp. said in its daily lab blog.
Many AV firms had already updated their signatures to counter the threat. But iDefense spokesman Jason Greenwood warned that the danger isn't over. Last week, he said, "If nothing happens on Jan. 6, the worm is programmed to stay dormant for 14 days. After 14 days it is programmed to look for a different set of sites. The process will repeat every 14 days."