1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

windows metafile format (WMF) to infect You're PC

Discussion in 'Computer Security' started by Smiten, Jan 1, 2006.

  1. Smiten

    Smiten Bit Poster

    30
    0
    21
    WHO IS VULNERABLE?
    The exploit affects Firefox, Internet Explorer,and any other browser that displayes or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possible other filetypes. Anything that puts the image exploit onto your computer or opens it up in windows fax viewer or the part of windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc) can potentially cause the problem.

    A short Clip Of the WMF File in action Can be found here

    Read More Here
     
    Certifications: None
    WIP: MCSA,A+N+
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    I gather that users of Kerio can apply a SNORT ruleset to keep this thing at bay.

    I've seen a discussion at castlecops with the details.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Good find, thanks :thumbleft
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    This one seems to be turning into a bit of a nightmare. Quite a lot of the published 'work-arounds' are turning out not to be very effective.

    http://isc.sans.org/diary.php has quite a lot of info, and a pointer to the currently most effective patch.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I've been reading up on this thing and it's a nasty little bug. Sure glad all my email and web surfing are done with Linux. With IE you don't even have to open the graphics file it will trigger the exploit just by indexing the file.

    This thing will pass just about any firewall that blocks files by extension too as this payload doesn't depend on a file extension. It runs off the way MS OS's handle .wmf file header which isn't affected by renaming the file. Thus a graphics file with any file extension will compromise a Windows machine. It doesn't even need to be opened to infect either. All that needs to happen is for the file to be indexed.

    Sooner or later Windows will be classified as a virus.... :twisted:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. Smiten

    Smiten Bit Poster

    30
    0
    21
    Certifications: None
    WIP: MCSA,A+N+
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Interesting stuff.

    I have downloaded the most recent patch from your link Harry and unregistered the dll and so far all seems hunky dory on my W2K SP4 lappy.

    I would recommend others do the same as Microsoft seem to be dragging their heals with this.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Just a note to say that the creator of the patch has now put together a small checker to allow you to see if all is well:
    http://www.hexblog.com/

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I subscribe to the SANS Security Vulnerability Alert mailing list. Here is how they began their email that references the .wmf vulnerability:

     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    Scathing but very fair. MS are great at burying their heads n the sand. The MS website plays down the seriousness of this vulnerability.
     
    Certifications: A+, Network+
    WIP: 70-270
  11. eyeball

    eyeball Nibble Poster

    82
    3
    0
    Certifications: A+, Network +, MCSA
    WIP: CCNA, MCSE+security
  12. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Yup well spotted eyeball Microsoft sent me an emal this morning saying that they have released this patch earlier than planned.

    I also see a little boxing glove in my system tray, so I assume it is being rolled out with auto-updates.

    Lets hope that the previous unofficial patch and unregistering the dll won't conflict with the official MS patch :rolleyes:

     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  13. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    1,760
    23
    99
    Bluerinse,

    The unofficial patch I installed can be removed in Add/Remove Programs. I did it straight before installing the patch from MS.

    I would like to point out, that although it didn't take MS the average of 54 days to release this patch, the unofficial patch has been available since at least last weekend and I got an update to protect against this vulnerablity with Spyware Doctor yesterday. Why are MS the last to know about/admit to/fix a problem? :mad
     
    Certifications: A+, Network+
    WIP: 70-270
  14. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    Sounds like a good idea Baba, I will do that too 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)

Share This Page

Loading...