Windows Metafile Format (WMF) to infect your PC

Discussion in 'Computer Security' started by Smiten, Jan 1, 2006.

  1. Smiten

    Smiten Bit Poster

    WHO IS VULNERABLE?
    The exploit affects Firefox, Internet Explorer, and any other browser that displays or downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image type, or possibly other file types. Anything that puts the image exploit onto your computer or opens it up in Windows Fax Viewer or the part of Windows that generates thumbnails of WMF files is a vulnerability. This means any vector that puts the image onto your computer (wget, browser, email, IM, etc.) can potentially cause the problem.

    A short clip of the WMF file in action can be found here

    Read More Here
     
    Certifications: None
    WIP: MCSA,A+N+
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    I gather that users of Kerio can apply a SNORT ruleset to keep this thing at bay.

    I've seen a discussion at castlecops with the details.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Good find, thanks :thumbleft
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    This one seems to be turning into a bit of a nightmare. Quite a lot of the published 'work-arounds' are turning out not to be very effective.

    http://isc.sans.org/diary.php has quite a lot of info, and a pointer to the currently most effective patch.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. ffreeloader

    ffreeloader Terabyte Poster

    I've been reading up on this thing and it's a nasty little bug. Sure glad all my email and web surfing are done with Linux. With IE you don't even have to open the graphics file; it will trigger the exploit just by indexing the file.

    This thing will pass just about any firewall that blocks files by extension too, as this payload doesn't depend on a file extension. It runs off the way MS OSs handle the .wmf file header, which isn't affected by renaming the file. Thus a graphics file with any file extension will compromise a Windows machine. It doesn't even need to be opened to infect either. All that needs to happen is for the file to be indexed.

    Sooner or later Windows will be classified as a virus.... :twisted:
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
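    The point made in posts 1 and 5, that Windows recognises a WMF by its header rather than its extension, is what makes extension-based blocking useless here. The scanner below is an added example for this thread, not code from any of the posters or from Microsoft: it sniffs a buffer for either of the two WMF header forms, walks the record list, and flags any META_ESCAPE record (function 0x0626) whose escape sub-function is SETABORTPROC (0x0009), the GDI code path the MS06-001 advisory covers. The three sample files, the file names and the filler bytes in the escape record are all constructed for the example; none of it is a working exploit.

```python
import struct

# Constants from the WMF on-disk format (MS-WMF): record functions and the
# escape sub-function whose GDI handler the MS06-001 advisory covers.
PLACEABLE_KEY = 0x9AC6CDD7   # key at the start of an Aldus placeable header
PLACEABLE_LEN = 22           # bytes in META_PLACEABLE
HEADER_LEN = 18              # bytes in META_HEADER
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function flagged below
MFCOMMENT = 0x000F           # harmless escape sub-function, used as a control


def looks_like_wmf(data: bytes) -> bool:
    """Sniff for a WMF header; the file extension is deliberately ignored."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= HEADER_LEN:
        ftype, header_size, version = struct.unpack_from("<HHH", data, 0)
        return ftype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)
    return False


def wmf_records(data: bytes):
    """Yield (function, payload) per record; stop at META_EOF or an impossible size."""
    is_placeable = len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    offset = (PLACEABLE_LEN if is_placeable else 0) + HEADER_LEN
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        size_bytes = size_words * 2          # RecordSize is counted in 16-bit words
        if size_bytes < 6:                   # cannot even hold its own size + function
            break
        yield func, data[offset + 6:offset + size_bytes]
        if func == META_EOF:
            break
        offset += size_bytes


def setabortproc_escapes(data: bytes) -> list:
    """Return the ByteCount of every META_ESCAPE record carrying SETABORTPROC."""
    hits = []
    for func, payload in wmf_records(data):
        if func == META_ESCAPE and len(payload) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", payload, 0)
            if esc_func == SETABORTPROC:
                hits.append(byte_count)
    return hits


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf' or 'wmf-setabortproc'; the file name plays no part."""
    if not looks_like_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if setabortproc_escapes(data) else "wmf"


# --- constructed sample files (built here, not captured from the wild) ---

def record(func: int, payload: bytes = b"") -> bytes:
    payload += b"\x00" * (len(payload) % 2)          # records are word-aligned
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def build_wmf(records: list, placeable: bool = False) -> bytes:
    eof = record(META_EOF)
    body = b"".join(records) + eof
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records + [eof])
    size_words = (HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         size_words & 0xFFFF, size_words >> 16, 0, max_words, 0)
    if placeable:  # checksum left as zero; the scanner does not validate it
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


BENIGN = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"test"),
])
# Same structure with a SETABORTPROC escape; the 8 zero bytes are filler standing
# in for escape data and are not an exploit.
SUSPECT = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
], placeable=True)
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # PNG signature, constructed

if __name__ == "__main__":
    # The names are invented: the verdict is the same whatever the extension says.
    for name, data in [("holiday.jpg", SUSPECT), ("clip.wmf", BENIGN), ("logo.gif", NOT_WMF)]:
        print(f"{name:12s} -> {classify(data)}")
```

    Two things to note. The parser is deliberately lenient (it accepts either header form and never trusts the sizes declared in META_HEADER), because the GDI renderer of the day was lenient too and a scanner that rejects odd headers would miss what Windows still renders. And the check keys on record bytes, not on the extension or the declared image type, which is the same approach signatures of the kind hbroomhall mentions have to take.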
  6. Smiten

    Smiten Bit Poster

    Certifications: None
    WIP: MCSA,A+N+
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Interesting stuff.

    I have downloaded the most recent patch from your link Harry and unregistered the dll and so far all seems hunky dory on my W2K SP4 lappy.

    I would recommend others do the same as Microsoft seem to be dragging their heels with this.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    Just a note to say that the creator of the patch has now put together a small checker to allow you to see if all is well:
    http://www.hexblog.com/

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  9. ffreeloader

    ffreeloader Terabyte Poster

    I subscribe to the SANS Security Vulnerability Alert mailing list. Here is how they began their email that references the .wmf vulnerability:

     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Scathing but very fair. MS are great at burying their heads in the sand. The MS website plays down the seriousness of this vulnerability.
     
    Certifications: A+, Network+
    WIP: 70-270
  11. eyeball

    eyeball Nibble Poster

    Certifications: A+, Network +, MCSA
    WIP: CCNA, MCSE+security
  12. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Yup, well spotted eyeball. Microsoft sent me an email this morning saying that they have released this patch earlier than planned.

    I also see a little boxing glove in my system tray, so I assume it is being rolled out with auto-updates.

    Let's hope that the previous unofficial patch and unregistering the dll won't conflict with the official MS patch :rolleyes:

     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  13. Baba O'Riley

    Baba O'Riley Gigabyte Poster

    Bluerinse,

    The unofficial patch I installed can be removed in Add/Remove Programs. I did it straight before installing the patch from MS.

    I would like to point out that, although it didn't take MS the average of 54 days to release this patch, the unofficial patch has been available since at least last weekend and I got an update to protect against this vulnerability with Spyware Doctor yesterday. Why are MS the last to know about/admit to/fix a problem? :mad
     
    Certifications: A+, Network+
    WIP: 70-270
  14. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Sounds like a good idea Baba, I will do that too 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
