• with a random size;
• no .wmf extension, (.jpg), but could be any other image extension actually;
• a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  
• a number of possible calls to run the exploit are listed in the source;
  
• a random trailer

We just released a new version of the Metasploit Framework exploit module for the Escape/SetAbortFunc code execution flaw. This module now pads the Escape() call with random WMF records. You may want to double check your IDS signatures -- most of the ones I saw today could be easily bypassed
or will false positive on valid graphic files.

Very fishy.

The @stake/research directories are gone now. In fact I'm not able to find any info on the corp web site, and the phone-sales people aren't answering the phone (yet?). At first glance it seems most likley that a business decision was made to end-of-life the product, which kind of sucks because I had just told some Windows admins to buy the thing to test their systems.

Fortunately, I guess, lcsrc.zip is still widely available (as are lc201.exe and lc3setup)...alas, source is good.

For this WMF exploit: Until Microsoft patches this thing, here is a workaround:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE. This is an old Windows feature that doesn’t even show up under programs. Not “core” or critical. 

However, it is a preventative measure. If you are already infected, it will not help.

All it does is to prevent the WMF file from being opened in the viewer where the bug is that makes it execute the code in the picture.

Works for IE, should work fine for Firefox users as well.

The 22nd Chaos Communication Congress (22C3) is a four-day conference on technology, society and utopia. The Congress offers lectures and workshops on a multitude of topics including (but not limited to) information technology, IT-security, internet, cryptography and generally a critical-creative attitude towards technology and the discussion about the effects of technological advances on society.

The Chaos Communication Congress is the annual congress of the Chaos Computer Club e.V. (CCC). The Congress has established itself as the "European Hacker Conference" bringing in people from all over Europe and even further away.

The congress not only addresses the techno geek but also those who are interested in appliances and aftermathes. A part of the lectures will be held in English, the rest in German. The language used for each lecture is clearly marked in the conference program.

A company spokesperson said that RSA-compatibility tests were completed using 31, 62, 64, 128, 256, 510, 1024, 2048, 4096, 8192, 16384, and 32768-bit security keys. The results were achieved on single hardware platform but the company engineers were able to reach even higher speeds by grouping processors.

Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-Doh or gelatine or a model of a finger moulded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers.

In live fingers, perspiration starts around the pore and spreads along the ridges, creating a distinct signature of the process.

In a systematic test of more than 60 of the carefully crafted samples, the researchers found that 90 percent of the fakes could be passed off as the real thing.

But when researchers enhanced the reader with an algorithm that looked for evidence of perspiration, the false-verification rate dropped to 10 per cent.

BayTSP has been monitoring the Net for illegal distributions of "screeners," advance copies of movies that are sent to people who vote on Academy Award nominations.

"A digital copy of a movie can be placed on the Internet and it will hit the streets within hours," said Jim Graham, a spokesperson for BayTSP.

In this article, I'll detail many of the common PHP programming mistakes that can result in security holes. By showing you what not to do, and how each particular flaw can be exploited, I hope that you'll understand not just how to avoid these particular mistakes, but also why they result in security vulnerabilities. Understanding each possible flaw will help you avoid making the same mistakes in your PHP applications.

• Unvalidated Input Errors
• Access Control Flaws
• Session ID Protection
• Cross Site Scripting (XSS) Flaws
• SQL Insertion Vulnerabilities
• Error Reporting
• Data Handling Errors
• Configuring PHP for Security

Before you buy a PSP for that special gamer this Holiday season, you have to ask yourself one thing: do they homebrew? If the answer is yes, you better take care not to get a unit with a firmware over 2.0 — otherwise, no hackie. You can determine the firmware version by checking for a letter code above the UPC on the bottom of the box.

A-1.50
B-1.51
C-1.52
D-2.00 Unconfirmed
E-2.00 Unconfirmed (likely 1.52)
F-2.00
G-2.01

Using the above list, photograph, and a kindergarten skillset, we can determine that my PSP was version B, meaning it shipped with version 1.51; yet now I control firmware versions as a god would, manipulating them hither and thither! Muahaha!

Spyware tricks have become increasingly devious, making spyware and adware stick to machines longer, more difficult to remove and sometimes impossible to see with ordinary methods. In the spyware tricks series I wrote about seeing installations with multiple resuscitators, increasing numbers of randomly named files, even randomly named folders. Internet Explorer security settings are being changed by spyware and hosts files are being hijacked. We've recently seen installations of keyloggers and spam bots along with your garden variety of adware. Now add rootkits to that list.  Let's look back at the top 10 tricks of 2005…

• Spyware spread through Windows Media files
• Adware companies hide their dirty work using rootkit technology
• Internet Explorer infected through Firefox
• Direct Revenue unleashed Aurora
• Spam bots, keyloggers, kiddie porn connect with major adware companies
• Spazbox domain installs massive spyware/adware – using IRC
• Anti-spyware spread by spyware and trojans
• Direct Revenue adware distributed through BitTorrent
• AIM worm carries backdoor, rootkit and adware, found to be powered by world wide bot net with ties to the Middle East
• Sony BMG infects users with DRM rootkit