!!! – Windows WMF exploit – Updated on 03/01/2006 @ 20:32

Alright, you should pay attention to this one: according to F-Secure (link), there’s now an unpatched exploit for the WMF (I think it stands for Windows Meta File – but I’m not sure).  And this time, all you have to do is visit a website to get infected.  According to the F-Secure page (link), some of the sites include:
 
Crackz . ws <— All you crack-heads out there, beware!
unionseek . com
http://www.tfcco . com
Iframeurl . biz
beehappyy . biz
 
Since the exploit targets a common component used by applications to view WMF – shimgvw.dll – this time, all you have to do to get pwned is to simply visit a site containing the malicious WMF…  So urm… I guess the usual advice of "don’t download any un-trusted files" doesn’t apply here – and this is exactly why you (including me…) should be very careful with this, until a patch or workaround is available.
 
Is it me, or does this have a familiar ring, like one of the previous exploits (I can’t remember exactly which one – but there was definitely one that sounds similar to this one…)?
 

Update (29/12/2005 @ 09:05):
 
Microsoft have now posted a link on their website suggesting some possible workarounds (link).  They are:
 
• Enabling DEP (Data Execution Prevention) for ALL programs and services.
 
• Un-registering shimgvw.dll.
 

Update (30/12/2005 @ 17:05):
 
Ok, forget about what I said about enabling DEP.  According to ZDNet (link), enabling DEP (be it software / hardware) won’t protect you against this exploit.  The only real solution for now is to un-register shimgvw.dll.
 
You can do that by simply running the following command in cmd:
 
regsvr32 /u shimgvw.dll
 
(To re-register it, use the following command:
 
regsvr32 shimgvw.dll
)
 
The downside to this is that the Windows Picture and Fax Viewer will not work after un-registering the dll.
(More information on this is available on the Microsoft website (link) ).
 
However, it is important to point out that you can still get exploited if you open the image (and by that I don’t mean just one with a .wmf extension – it can have any extension).  Though I’m not sure whether you can still be exploited if Google Desktop Search is installed and indexing WMF.
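
Because the extension tells you nothing, the file content has to be checked instead. The following Python script is an added example, not part of the original post: it flags files whose first bytes look like a WMF header while the file name carries some other extension. The header constants are from the published WMF format; the function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte "placeable" header starts with this
PLACEABLE_LEN = 22
HEADER_LEN = 18             # standard WMF header that every metafile carries

# Constructed sample: an empty metafile (header plus end-of-file record).
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes form a plausible WMF header."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]          # skip the placeable wrapper
    if len(data) < HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = memory, 2 = disk; header is 9 words; version 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def disguised_wmf(name: str, data: bytes) -> bool:
    """WMF content hiding behind an extension other than .wmf."""
    return looks_like_wmf(data) and Path(name).suffix.lower() != ".wmf"


def scan(root: str) -> list:
    """Return paths under root whose content is WMF but whose name is not."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(PLACEABLE_LEN + HEADER_LEN)
        except OSError:
            continue                          # unreadable file: skip, do not crash
        if disguised_wmf(path.name, head):
            hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("WMF content with non-.wmf name:", hit)
```

A match on a few header bytes is a heuristic, so treat hits as files to inspect rather than as confirmed malicious.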
 

Update (31/12/2005 @ 17:52):
 
Apparently, there’s now a temporary fix for the WMF exploit according to F-Secure (link).  So urm… for those of you who are weeping because Windows Picture and Fax Viewer is not working anymore (and other things, perhaps?), this might be one worth checking out.
 
As for me?  Well, I’ll wait for the official fix… whenever that will come out…
(Come-on Microsoft, get the patch out!)
 

Update (31/12/2005 @ 19:49):
 
Ok, great… now there’s officially a worm taking advantage of the WMF exploit (link) – to make matters worse, it propagates on MSN Messenger as a download link.  So urm… if someone sends you anything (and by that I mean, not just pictures, but anything!), DON’T DOWNLOAD IT unless you are 110% sure that it is from a trusted source and it is legitimate – ask the person that is sending the file before accepting it!
 

Update (02/01/2006 @ 00:29):
 
Alright, people, remember what I said about the patch that provides a temporary fix for the exploit (posted on 31/12/2005 @ 17:52)?  Well, now that I’ve heard (link) the patch is safe to apply, I have applied it (and suggest you do the same) to keep your system safe until MS decides to release a patch sometime next decade (link)…
 
You can get the patch here:
 

Update (03/01/2006 @ 20:32):
 
lol, don’t you just love Microsoft when it comes to security (sarcastically speaking, of course!).  I mean, they are now saying (link) the patch for the WMF exploit will be out on 10th January – yes, that’s right, 10th!
 
I was wondering, did MS host a big Christmas / New Year party or something in which all their researchers were involved, got drunk, and are only starting to recover today or something!?
 
In the meantime, if you are worried, you can apply a temporary patch (please see my previous update for link).

My MZ-N1 MD recorder is dead…

After 4 years of usage, my MZ-N1 MD recorder has finally decided to quit on me…  Basically, I can still record stuff onto the disc, but I just can’t play it back…
 
I decided to put the recorder in service mode and see if I can do something to the software to fix it (since it is still able to record – I figured it might help if I can tweak some settings in there) but, it turns out I’d probably need to buy a lot of hardware to properly tweak the hardware settings (which is not that surprising…).
 
(If you are really interested, here’s the service manual for my MD recorder:
)
 
Anyway, here’s what I got after running some tests on the unit:
• Microcomputer version:
  002 Ver 1.400

• No error in Self-Diagnosis Display Mode. (Strangely...)

• "138 NG 1F" error in MO test <- 138 = MO RF gain adjustment

• "Stat66" error - Decoder status error (count)
• "BEmp02" error - Buffer is empty (count)
(The above 2 keep increasing as I try to play more recorded discs.)
Apart from that, all seems fine (at least according to the diagnostic results anyway…)…
 
If anyone knows what’s going on or has ANY idea as to what I can do (short of paying to get it repaired), I’d appreciate it if you can contact me here

SmashMyViper.com

 
Man, alright, if someone wants to smash an iPod (link) to bits, fair enough.
 
However, this time, they’ve clearly crossed the line between what’s acceptable and what’s fucked up – they are gonna get (alright, already got…) a brand new Viper (yes, that’s right, a VIPER – you know, the car!) and smash it up…
 
If you must see them keying their Viper (there’ll be worse to come…), you can take a look at the website below:
 
 
 
Is it me or is that just totally fucked up?
What do you think?

SplitCam

 
Oouh, this seems like a nice piece of software for those of you who want to use your webcam simultaneously in several applications.  The program is called SplitCam (link) – you can get more info on it from the author’s website:
 
 
However, the current version does not seem to be able to automatically start the video feed (to other applications), but from looking at the support forum (link), this feature will be added in the next version – it’s a small annoyance, but I can put up with it – for now at least…
 
(Just in case you are interested in knowing where I came across this program, here’s the original slashdot post (link). )

Deleting the “Event Viewer” logs

Just in case you ever find an extra event log in the Event Viewer (eventvwr.msc) after some software installation, here’s how you can delete that extra event viewer log:
 
1 – Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
 
2 – Delete the key you wanted to delete (i.e. The key with the name of the log you want to delete.)
(In my example, I installed NetLimiter 2 and that resulted in a new log called NetLimiter.  To delete, simply delete the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\NetLimiter
)
 
3 – Open up eventvwr.msc and you should now be able to delete that log.
 
I know it’s so simple, but I admit I’ve spent half an hour to come up with this…
(And one has to ask – for a program like NetLimiter, what’s wrong with simply dumping the log as a text file in the installation directory?  It’s not like anything important ever appeared in my log…)

Hard Drive poem

For those of you who haven’t backed up in years, you might wanna look at this poem:
 
 
How does he find such time (and creative juice) to write a poem after a complete HDD failure?  I know I wouldn’t…

Update – Christmas lights gone wild!

A few weeks ago, I posted a link to a video of someone rigging their Christmas lights to flash to the rhythm of the background music (link).
 
Today, I’ve come across a website with lots more of those videos:
 
 
 
 
 
Also, if you go to the FAQ section of the website (link), you’ll be pointed to a few links that may help if you decide to get into the business of this kinda light show – or just wanna know how this is done!