Thread: The WMF 0-day

  1. #1
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899

    The WMF 0-day

    There is a nice page detailing the WMF 0-day exploit that is currently in use here http://www.f-secure.com/weblog/archi...ve-122005.html which has a list of some domains you might not like to visit. So far no viruses have been seen to be using the exploit, but with the exploit-to-virus life being so short now I would expect to see a variant of Sober or Netsky using the exploit within a week or two.

    At the moment (as usual) it is being used to install spyware and scam antispyware on people's PCs. I won't try to explain the exploit, just look at the linked article for more details. It appears to be the one used for the modified SpyAxe nagger I posted about previously.
    Last edited by Curio; December 29th, 2005 at 10:37 AM.
    I'm using Windows 7 - you got a problem with that?

  2. #2
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,961
    Quote Originally Posted by Curio
    There is a nice page detailing the WMF 0-day exploit that is currently in use here http://www.f-secure.com/weblog/archi...ve-122005.html which has a list of some domains you might not like to visit. So far no viruses have been seen to be using the exploit, but with the exploit-to-virus life being so short now I would expect to see a variant of Sober or Netsky using the exploit within a week or two.

    At the moment (as usual) it is being used to install spyware and scam antispyware on people's PCs. I won't try to explain the exploit, just look at the linked article for more details. It appears to be the one used for the modified SpyAxe nagger I posted about previously.
    Glad I use firefox.

  3. #3
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,416
    Here's some more info and a workaround for the exploit: WMF 0-day

    Avast! users can use URL Blocking in WebShield to block all *.wmf files.

    See the nasty in action (safe) http://www.websensesecuritylabs.com/.../wmf-movie.wmv

  4. #4
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Can work through Firefox. Especially notable is that it will trigger even if you don't view it at all (by, for instance, just doing a Save As on the link) if you have Google Desktop Search installed; it's triggered when GDS catalogs it - woohoo!

  5. #5
    Head Honcho Administrator Reverend's Avatar
    Join Date
    Apr 2002
    Location
    England
    Posts
    13,473
    Workarounds:

    Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

    To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

    =========== Please Read The Forum Rules ===========
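    The two-step workaround above (unregister Shimgvw.dll, later re-register it) as a script, added here as an example; it is not from the thread, from Microsoft, or from any of the posters. It runs the same regsvr32 commands, but first and afterwards lists which COM classes under HKCR\CLSID point at shimgvw.dll, so an administrator can confirm the unregistration actually took effect rather than trusting the dialog. It assumes an elevated PowerShell session on one of the Windows versions the post names, and the -Undo switch and Get-ShimgvwRegistrations function are names chosen for this example.

```powershell
# Added example: apply or undo the "un-register Shimgvw.dll" workaround and
# verify it through the registry. Assumes an elevated PowerShell session.
param(
    [switch]$Undo   # re-register shimgvw.dll instead of unregistering it (hypothetical switch)
)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # regsvr32 registers COM classes under HKCR\CLSID\<guid>\InprocServer32.
    # Return every CLSID whose in-process server is shimgvw.dll; an empty
    # result means the Picture and Fax Viewer is no longer registered.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path $_.PSPath 'InprocServer32'
            $server = Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'shimgvw\.dll') { $_.PSChildName }
        }
}

if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }

$before = @(Get-ShimgvwRegistrations)
Write-Host "CLSIDs served by shimgvw.dll before: $($before.Count)"

# /s suppresses the confirmation dialog from step 2 of the workaround so the
# script can run unattended; /u is the same "-u" un-register switch as step 1.
$regArgs = if ($Undo) { @('/s', $dll) } else { @('/s', '/u', $dll) }

# regsvr32 is a GUI-subsystem program, so wait for it explicitly and read its exit code.
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

$after = @(Get-ShimgvwRegistrations)
Write-Host "CLSIDs served by shimgvw.dll after: $($after.Count)"

if (-not $Undo -and $after.Count -gt 0) {
    Write-Warning 'shimgvw.dll still appears registered; re-run from an elevated prompt.'
}
if ($Undo -and $after.Count -eq 0) {
    Write-Warning 'shimgvw.dll does not appear registered; re-registration may have failed.'
}
```

Run it with no arguments to apply the workaround and with -Undo to reverse it once a vendor fix is installed. As the post notes, this only removes one known vector (the Picture and Fax Viewer); it does not correct the underlying flaw, so the registry check is a confirmation that the workaround is in place, not that the machine is safe.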

  6. #6
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    The clever man that does IDA Pro has made a patch that disables the vulnerable function in the dll while retaining all the other usefulness of picture rendering in the OS shell. Basically this means unregistering the dll is not necessary.

    Can be downloaded here http://www.hexblog.com/security/file..._hexblog13.exe which is nice. It works for w2k SP4 onwards I think - check the page at http://www.hexblog.com/2005/12/wmf_vuln.html

  7. #7
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    thanks Curio!

    hated not seeing my pictures in explorer
    ------------------------------------------------------------

  8. #8
    Junior Member sydspirit's Avatar
    Join Date
    Apr 2004
    Location
    The Ether
    Posts
    29
    Hello All.
    Here is the latest on the WMF 0-day exploit. I have applied the previous version patch with no problems (XP Pro SP2). This looks and sounds real serious.

    http://isc.sans.org/diary.php
    ...this link will change sometime Monday, Jan 2, just use previous button on bottom of page.

    Here is the updated link, but there is a lot of good info all over SANS website:
    http://isc.sans.org/diary.php?date=2006-01-01
    Last edited by sydspirit; January 2nd, 2006 at 18:23 PM.

  9. #9
    Old, Cranky and Perverted Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,687
    Thanks for that link sydspirit. Very eye-opening article.

  10. #10
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    In case people haven't really got it yet - this is very possibly the worst problem with windows ever discovered and affects all MS Windows operating systems. If you just ignore it and hope it goes away you are being very silly. The code is already built into a very famous security testing tool which many people have and so can be used to make new variations any time.

    Potentially any image file that opens with the shell extension could be used to compromise a PC and give a remote attacker complete control - or as the hackers like to say 'root your box'.

    Any spam that you accidentally preview in Outlook Express could be your downfall, as could any image that is cataloged by Google (or another) Desktop Search application, any image on any webpage viewed in IE, or any image opened in the Explorer thumbnail view.

    Which is nice.

    BlackIce users will be interested to know that detection is built into the latest update.

  11. #11
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Quote Originally Posted by Curio
    Any spam that you accidentally preview in Outlook Express could be your downfall, as could any image that is cataloged by Google (or another) Desktop Search application, any image on any webpage viewed in IE, or any image opened in the Explorer thumbnail view.
    Nice post. Members must know that they have to apply the patch and unregister the dll right now. This is very serious and it can be used to install the spyware CoolWebSearch, and if that happens you are messed up. Also think if they install the Sony rootkit that makes files invisible. Your computer and everything in it and everything you type will be broadcast to unknown third parties over the net, and very easily.

    Curio? Does the exploit work in Firefox by simply viewing a picture, or is it safe unless you open the file in Windows? So is it Internet Explorer only, Windows only? Or is Firefox tricked so that any Google image search could get you infected?

    As sydspirit's link stated, variants of this may overcome the patch or simply install an unpatched dll etc....

    Another thing many members don't realize is that guys can use Messenger to exploit this, and they can and will compromise computers to get at webcams.
    With that said, can this exploit work by just using an infected avatar on MSN?
    Last edited by egghead; January 3rd, 2006 at 02:38 AM.
  12. #12
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Here is Leo and Steve Gibson's Security Now episode that talks about the exploit and states it is now widespread on the net.

    check it out

    "Malicious web sites and malware taking advantage of the Windows metafile flaw are now rampant on the net. All versions of Windows are affected, but Windows 2000 and XP users can download a special fix from Ilfak Guilfanov. Steve recommends downloading and installing this fix as soon as possible."
    http://aolradio.podcast.aol.com/sn/SN-020SE.mp3
  13. #13
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,416
    I've tested (AV turned off) Sandboxie (free) with IE on all the various known sites that infect. IE got quite infected, but it didn't harm the PC because the exploits couldn't leave the sandbox. When I exited Sandboxie I cleared the sandbox and the PC was back to normal without infection.

    Sandboxie and Firefox should be a good combination until MS gets its butt in gear....
    Last edited by FastGame; January 2nd, 2006 at 19:05 PM.

  14. #14
    Member TestMAD's Avatar
    Join Date
    Feb 2005
    Location
    In the local PC parts store.
    Posts
    82
    As long as people don't click on the d/l window that comes up from use of this exploit, they should be OK. I should know, I've already used it on an unsuspecting friend.
    AMD64 3800+ w/stock HSF | 2 x PowMax dual fan 550Watt | Gigabyte GA-K8NXP-SLI | GeIL 512MB DDR400 PC3200 Ultra Series Dual Channel Memory | 2 x EVGA 6600 GT 128MB PCI-E on SLI setup | Thermaltake Tsunami Case w/120mm

  15. #15
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    What the exploit will do to your PC depends on what the payload is that is used in the particular variant. It doesn't automatically trigger in Firefox I believe - you have to open the image using the PC's preview function. But if you have a desktop search application on your PC then the image will be opened and trigger the exploit when it is catalogued, which I believe will happen whether you viewed it in IE or FF, as both have caches.

    Best thing to do is to use Secunia, FrSIRT, SecurityFocus, SANS ISC etc... to keep an eye on the situation. Microsoft will come up with something..... probably before Christmas.
