These days, my view of desktop-based software has changed quite dramatically. I seem to have gone from: “complaining about how long it would take bloated applications to load”, to something along the lines of me going out of my way to: “avoid using them at every opportunity”.

Working as much as possible with web-based software has been my goal for the last 2 years now, and i can tell you that doing so has saved me many a headache. Gone are the days of wiping out my Windowz machine because of some virus i picked up, then having to remember every software configuration, find serial numbers i hopefully kept, go through software activation processes, updates, blah blah blah. You get the picture, right? The last time my PC got slow and crappy, i simply formatted the harddrive, reinstalled the OS, fired up a new version of Firefox and logged into all of my favorite web-based services. Gmail for email. Flickr for photos. Del.icio.us for bookmarks.. the list goes on. But everything is how i left it (not to mention they are always available from any computer with an internet connection).

I used to use a great web-based antivirus service offered by TrendMicro called Housecall. Unfortunately, they went and messed with what i thought was a perfectly good thing. Housecall used to be a fast, simple way for people who don’t want to keep desktop-based antivirus software installed on their computers to scan their local machines, it even offered to remove any viruses that it may have found. This was the best service of its kind that i had seen and i recommended it to dozens of people. But a couple of month ago they made the whole thing Java, nothing worked right for me, it was slow, complicated, basically the complete opposite of what i once like about and so i stopped both using and recommending it.

I looked for other, comparable services. Norton has a service, i think they call it “Security Center” but they don’t offer to go that extra mile and delete the infected files that were found making the process of actually cleaning out your machine unnecessarily tedious and extremely manual. Not to mention, too difficult and therefore out of reach for the average PC user.

On the other hand, i could see a service like McAfee’s SiteAdvisor as being quite useful to the everyday web surfer. What they do in a nutshell (i’m not going to get into it all here) is “Patrol the Web” for you, testing for viruses, phishing scams, annoying pop-ups and more. So essentially, all the user has to do is enter a URL of a questionable site they are considering visiting (before actually going there with their web browser) and they can get a nice, clean report about any potential hazards they may encounter along the way. The site in question gets a “safety rating” of either a green checkmark, grey questionmark (no data), or a big, fat, red “X”. The entire process is balanced out with a large number of voluntary user reviews, comments, and summaries.

Aside from entering each URL (one at a time) into the form on their front page to get a report, the user can also download a convenient Firefox extension that automatically shows you SiteAdvisor results by just browsing the given site. But i have to say that this second method, while being way more practical (you just go to the site), seems to defeat the point of getting a report in the first place. I mean, isn’t it too late to find out whether a site is sketchy once you’re already there? Granted the extension does add safety ratings to your google search results, which is pretty cool. Still, this just seems to me to be more of a research tool than a browser accessory.

While i can see many uses for this service, what i actually found most interesting about SiteAdvisor was how “other” services have begun to leverage / integrate SiteAdvisor reports and safety ratings into their own web-based services. A perfect example of this (i already mentioned the google integration) would be a service called StumbleUpon. They offer a type of advertising service for content publishers that promises to send targeted visitors to your site. I was thinking of testing out their ad services for a site i am working on, and wanted to learn more before actually giving it a try. On the StumbleUpon FAQ page there’s a section that reads: “make certain that the content you are submitting isn’t flagged by McAfee SiteAdvisor” or your content may not be shown at all. I thought, hey, this would probably be a good time to make sure none of my sites are flagged. Big, fat, red X’s are bad, and fortunately for me, all of my sites were either green checkmarks or grey questionmarks (for newer or smaller sites). So, all of a sudden, McAfee’s SiteAdvisor mattered to me. Hmm, very interesting. But all in all, i think SiteAdvisor is a great services and i will continue to use it whenever i am in doubt.

[ update: Microsoft has finally released it's Security update for WMF vulnerability. To apply the patch, simply visit the Windows Update web site, automatically scan for updates and install. ] Thanks Fuzzie for bringing this to my attention.

The purpose of this article is to clearly lay out all the information i could find on the recent Windows exploit, namely the WMF (Windows Metafile) vulnerability. Instead of adding to the current state of panic, my hope is that this post will help to clear up some of the apparent contradictions surrounding this issue and provide a kind of reference in the decision making process (ie: overall severity and what actions to take).

I’ll begin with a brief overview of the current state of affairs:

A Windows Metafile (WMF) – is a 16-bit metafile that can be used by all versions of Windows to display a picture. Similar to a .jpeg, .gif or bitmap.

A Metafile – is simply a list of commands that can be executed to draw a graphic. Normally, these commands are used to style objects such as lines, polygon and text. In this case, the WMF is being used to trigger potentially malicious code (ex: trojans).

For more background on Windows Metafile you can read the Wikipedia definition here.

i was also planning on quickly going over the events that have unfolded in reaction to the news about the widespread potential of this type of exploit. However, it turns out that the Wikipedia, once again, has done this job for me (and probably better than i could have done). If you’re late on the scene for this whole thing, i recommend you spend a few minutes reviewing that page as well.

Still, here’s a short list of the key points related to the most recent Windows Metafile Vulnerability:

• First reports of affected computers: December 28, 2005. [more info here and here]
• List of Vulnerable Systems: All versions of Windows. [ see full list here ]
• How it spreads: via email attachments [ although Microsoft is now saying otherwise ] or even just loading a website with WMF graphics. Read more here.

There seems to be some uncertainty surrounding the list of vulnerable systems. Some sources believe that older systems like Win95/98 and even WinME/2K can not easily be exploited in this manner. Read here, here and here for more info.

Protection against this exploit -

• The Workaround according to Microsoft: unregistering the dll [ type: "regsvr32.exe /u shimgvw.dll" in the command prompt ]
• The Unofficial Patch: by Ilfak Guilfanov version1.4 can be found here.
• The Unofficial Patch: based on the fix by Ilfak Guilfanov can be found here. [ .msi installer version 1.4 ]
• The Unofficial Patch: developed by ESET version1.1 can be found here. [ updated: Jan. 05, 2006. ( source: eWEEK.com ) ]

The best description of what these fixes actually do to your system can be found here [.pdf format]

Additional Notes -

• This is not an actual virus outbreak [it is an exploit, meaning just leaving your pc online but unpatched does not guarantee that you will be attacked].
• Some people have reported minor “issues” related to installing this patch such as printing problems.
• There is already a Microsoft patch available that is a pre-release which leaked onto the internet this morning and is said to be tested on Winxp/2k3 systems, but every link i’ve found was broken and had the file taken offline. For those interested, the file was named WindowsXP-KB912919-x86-ENU.exe and i’m sure it will surface again sooner or later.
• McAfee has added WMF exploit detection to its latest DAT file, which can detect exploits created by this tool.
• ESET claims its NOD32 anti-virus stops hackers from using all 206/206 tested WMF vulnerability exploits. They offer a 30-day trial version of their software which would protect you from this exploit “without having to take any special actions”, according to ESET (presumably until Microsoft releases an official fix). [ updated: Jan. 05, 2006. ]

That’s all i could find at this time. Hope it helps in some way.

Both FrSIRT and CNET are reporting a recently discovered security vulnerability affecting all versions of Firefox, including the recently released Firefox 1.5 Beta.

According to FrSIRT, “A vulnerability has been identified in Mozilla Firefox and Mozilla Suite, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error in the “NormalizeIDN” function when handling malformed URLs containing “0xAD” characters embedded in HTML tags (e.g. “A HREF”), which could be exploited by remote attackers to take complete control of an affected system via specially crafted Web pages”.

Apparently Netscape 8.0 is also affected by a similar issue.

CNET is claiming that security researcher Tom Ferris mentioned the problem to the Mozilla Foundation as early as Sunday, then decided to publicly disclose the flaw. Mozilla responded by stating that the bug is still under investigation and that “users are currently not at risk because there are no known attacks that take advantage of the flaw”.

The Solution / Temporary Fix: (according to FrSIRT)

Disable IDN support by entering “about:config” in the location bar, and then setting “network.enableIDN” to “false”.

Update: BetaNews is reporting [September 12, 2005, 12:09 PM] that: “Mozilla developers acted fast to patch a new security vulnerability in Firefox, which slipped its way into the first beta build of Firefox 1.5 and exists in earlier versions as well. However, the patch simply disables the buggy feature while a permenant fix is worked out”. Still useful for all those not comfortable with the fix provided above.

Update: Mozilla Firefox 1.0.7 was released [September 21, 2005, 12:09 PM] which addresses several recent security issues, including the one described above. For more info you can visit Mozillazine.