Originally Posted by Curio: Glad I use Firefox.
There is a nice page detailing the WMF 0-day exploit that is currently in use here: http://www.f-secure.com/weblog/archi...ve-122005.html which has a list of some domains you might not like to visit. So far no viruses have been seen using the exploit, but with the exploit-to-virus time being so short now I would expect to see a variant of Sober or Netsky using the exploit within a week or two.
At the moment (as usual) it is being used to install spyware and scam antispyware on people's PCs. I won't try to explain the exploit; just look at the linked article for more details. It appears to be the one used for the modified SpyAxe nagger I posted about previously.
Last edited by Curio; December 29th, 2005 at 10:37 AM.
I'm using Windows 7 - you got a problem with that?
Originally Posted by Curio: Glad I use Firefox.
Here's some more info and a workaround for the WMF 0-day exploit.
Avast! users can use URL Blocking in WebShield to block all *.wmf files.
See the nasty in action (safe): http://www.websensesecuritylabs.com/.../wmf-movie.wmv
It can work through Firefox. Especially notable is that it will trigger even if you don't view it at all (for instance by just doing a save-as on the link) if you have Google Desktop Search installed; it's triggered when GDS catalogs it - woohoo!
Workarounds:
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
The clever man who makes IDA Pro has made a patch that disables the vulnerable function in the DLL while retaining all the other usefulness of picture rendering in the OS shell. Basically this means unregistering the DLL is not necessary.
It can be downloaded here: http://www.hexblog.com/security/file..._hexblog13.exe which is nice. It works for W2K SP4 onwards I think - check the page at http://www.hexblog.com/2005/12/wmf_vuln.html
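The thread recommends blocking *.wmf by name or disabling the viewer outright. Neither Avast's URL filter nor a file-extension rule sees what actually matters, because Windows picks a WMF renderer by the file's header, not by its name, so a booby-trapped file served as .jpg or .gif still reaches the vulnerable code. The example below (added here; it is not code from this thread, from Microsoft's advisory, or from the hexblog patch) parses the WMF record list and flags the META_ESCAPE record with the SETABORTPROC sub-function, which is the record the December 2005 exploit files carried. The record-type constants are from the WMF file format; the two sample files are constructed inline with inert filler bytes and contain no payload.

```python
import struct

# Constants from the WMF (Windows Metafile) format.
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_SETMAPMODE = 0x0103     # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626         # record that passes a GDI Escape() call to the driver
META_EOF = 0x0000
SETABORTPROC = 9             # Escape sub-function abused by the WMF 0-day


def wmf_escape_records(data: bytes):
    """Yield (offset, escape_function) for every META_ESCAPE record.

    Raises ValueError when the bytes do not start with a WMF header, so a
    JPEG or GIF that merely has a .wmf name is reported as not-WMF rather
    than silently passed."""
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    file_type, header_size, _version = struct.unpack_from('<HHH', data, off)
    if file_type not in (1, 2) or header_size != 9:
        raise ValueError("not a WMF header")
    off += 18                                     # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if func == META_EOF or size_words < 3:    # EOF, or a size that cannot advance
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            esc_func = struct.unpack_from('<H', data, off + 6)[0]
            yield off, esc_func
        off += size_words * 2                     # record size is given in words


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf', or 'wmf-setabortproc' regardless of file name."""
    try:
        escapes = list(wmf_escape_records(data))
    except ValueError:
        return 'not-wmf'
    if any(esc == SETABORTPROC for _, esc in escapes):
        return 'wmf-setabortproc'
    return 'wmf'


def has_setabortproc(data: bytes) -> bool:
    return classify(data) == 'wmf-setabortproc'


# --- constructed sample files (not real malware; the escape data is zero filler) ---

def _record(func: int, params: bytes = b'') -> bytes:
    assert len(params) % 2 == 0, "WMF records are word-sized"
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    body = b''.join(records) + _record(META_EOF)
    max_rec = max((struct.unpack_from('<I', r, 0)[0] for r in records), default=3)
    header = struct.pack('<HHHIHIH', 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


# Benign: a map-mode record plus a harmless NEWFRAME (1) escape.
SAMPLE_BENIGN = build_wmf([
    _record(META_SETMAPMODE, struct.pack('<H', 8)),
    _record(META_ESCAPE, struct.pack('<HH', 1, 0)),
])

# Suspicious: same drawing record, then an escape selecting SETABORTPROC
# with four inert zero bytes where an exploit would place code.
SAMPLE_SUSPICIOUS = build_wmf([
    _record(META_SETMAPMODE, struct.pack('<H', 8)),
    _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'\x00' * 4),
])

# The same suspicious file behind a placeable header, as many real WMFs are.
PLACEABLE_HEADER = struct.pack('<IHhhhhHIH', PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)
SAMPLE_PLACEABLE = PLACEABLE_HEADER + SAMPLE_SUSPICIOUS

# A JPEG-looking blob that happens to carry a .wmf name is still not a WMF.
SAMPLE_JPEG = b'\xff\xd8\xff\xe0' + b'\x00' * 40


if __name__ == '__main__':
    for name, blob in [('benign.wmf', SAMPLE_BENIGN), ('photo.jpg', SAMPLE_SUSPICIOUS),
                       ('placeable.wmf', SAMPLE_PLACEABLE), ('really.jpg', SAMPLE_JPEG)]:
        print(f'{name:14s} {classify(blob)}')
```

Run it over a browser cache or a desktop-search index directory rather than over a download folder: as the thread notes, the file is often parsed by a cataloguer before anyone clicks it, so that is where a scanner has to look. A SETABORTPROC escape in a file arriving from the web is enough to quarantine on; legitimate metafiles have no reason to install an abort procedure.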
Hello All.
Here is the latest on the WMF 0-day exploit. I have applied the previous version of the patch with no problems (XP Pro SP2). This looks and sounds really serious.
http://isc.sans.org/diary.php
...this link will change sometime Monday, Jan 2; just use the previous button at the bottom of the page.
Here is the updated link, but there is a lot of good info all over SANS website:
http://isc.sans.org/diary.php?date=2006-01-01
Last edited by sydspirit; January 2nd, 2006 at 18:23 PM.
Thanks for that link sydspirit. Very eye-opening article.
In case people haven't really got it yet - this is very possibly the worst problem with windows ever discovered and affects all MS Windows operating systems. If you just ignore it and hope it goes away you are being very silly. The code is already built into a very famous security testing tool which many people have and so can be used to make new variations any time.
Potentially any image file that opens with the shell extension could be used to compromise a PC and give a remote attacker complete control - or as the hackers like to say 'root your box'.
Any spam that you accidentally preview in Outlook Express could be your downfall, as could any image that is cataloged by Google (or another) Desktop Search application, any image on any webpage viewed in IE, or any image opened in the Explorer thumbnail view.
Which is nice.
BlackIce users will be interested to know that detection is built into the latest update.
I've tested (AV turned off) Sandboxie (free) with IE on all the various known sites that infect. IE got quite infected; it didn't harm the PC because the exploits couldn't leave the sandbox. When I exited Sandboxie I cleared the sandbox and the PC was back to normal without infection.
Sandboxie and Firefox should be a good combination until MS gets its butt in gear....
Last edited by FastGame; January 2nd, 2006 at 19:05 PM.
Nice post. Members must know that they have to apply the patch and unregister the DLL right now. This is very serious and it can be used to install the spyware CoolWebSearch, and if that happens you are messed up. Also think if they install the Sony rootkit that makes files invisible: your computer and everything in it and everything you type will be broadcast to unknown third parties over the net, and very easily.
Curio? Does the exploit work in Firefox by simply viewing a picture, or is it safe unless you open the file in Windows? So is it Internet Explorer only, Windows only? Or is Firefox tricked so that any Google image search could get you infected?
As sydspirit's link stated, variants of this may overcome the patch or simply install an unpatched DLL etc....
Another thing many members don't realize is that guys can use Messenger to exploit this, and they can and will compromise computers to get at webcams.
With that said, can this exploit work by just using an infected avatar on MSN?
Here is Leo and Steve Gibson's Security Now episode that talks about the exploit and states it is now widespread on the net.
check it out
"Malicious web sites and malware taking advantage of the Windows metafile flaw are now rampant on the net. All versions of Windows are affected, but Windows 2000 and XP users can download a special fix from Ilfak Guilfanov. Steve recommends downloading and installing this fix as soon as possible."
http://aolradio.podcast.aol.com/sn/SN-020SE.mp3
As long as people don't click on the download window that comes up from use of this exploit, they should be OK. I should know; I've already used it on an unsuspecting friend.
What the exploit will do to your PC depends on the payload used in the particular variant. It doesn't automatically trigger in Firefox, I believe; you have to open the image using the PC's preview function. But if you have a desktop search application on your PC then the image will be opened and trigger the exploit when it is catalogued, which I believe will happen whether you viewed it in IE or FF as both have caches.
The best thing to do is to use Secunia, FrSIRT, SecurityFocus, SANS ISC etc. to keep an eye on the situation. Microsoft will come up with something..... probably before Christmas.