Windows WMF 0-day exploit in the wild

By on December 28, 2005, 12:12 PM
Update: Microsoft has now issued a security advisory on the WMF vulnerability.

There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines machines are vulnerable, with no known patch.

F-Secure has some information on this as does The Internet Storm Center Note that if you have the Google toolbar installed it is enough to download the file with an "inactive" client (i.e. one that by default does not execute what you download) like wget or similar because the Google toolbar will index the infected file anyway!

It is not mentioned if other operating systems like Windows 2000 or 98 are also vulnerable.




User Comments: 30

Got something to say? Post a comment
spike said:
Oh god. An exploit that allows a trojan dropper onto a machine unhindered. That's as good as a full control type vulnerability on an unprotected machine.It never rains but it pours :(
thrudd said:
Is this vulnerability through IE or intrinsic to the M$ OS ? :(
asphix said:
I would assume the Microsoft OS as its using Windows Metafiles.This is serious. Hopefully we see a fix soon..
lordbf1 said:
Great. Just what I needed this week!
mentaljedi said:
This is so annoying! Gah i think i say this every dad as everyday there's more news about viruses. Won't it ever end?
PanicX said:
The link to the [url=http://isc.sans.org/]Internet Storm Center[/url] in the main article has really good info about this exploit. Basically anything that renders a WMF file is vulernable, this means IE, Windows Explorer, Microsoft picture and fax viewer and google desktop will all automatically infect a machine that accesses these files. There's bound to be dozens more apps that will also be affected. Keep your Antivirus defs up to date.
nathanskywalker said:
Wow, nice to know, one more trojan microsoft can't deal with. Ouchie, you know, isn't there a more beneficial, way for hackers to channel their energies?
phantasm66 said:
This causes a number of issues, including the fact that Google Desktop is affected.
Per Hansson said:
nathanskywalker; yea, I've been thinking about that too... Why does not someone create a virus that enables the Firewall in the OS, installs a free antivirus program etc etc etc While it's at it why don't completely remove internet explorer and replace it with Firefox?Think of all the issues that would solve in an instant!Note however that the issue noted in this explit would not be fixed at all anyway by doing all that, puts some light on how serious it really is!
phantasm66 said:
Positive viruses? Yes, that idea has been talked about for a while.Machines only do what we tell them to. A human being decides if the consequences of these things are good or bad. Machines don't care.
vigilante said:
Since we're talking about metafiles, does that mean a user has to specifically be downloading the file? For example clicking a link to a *.wmf file. Or do the metafiles get downloaded automatically just by visiting a site or viewing some type of content?Cause if you have to specifically download the file, just be sure to never download WMF files!Otherwise, I think you can actually go and change how windows/ie/any program handles a *.wmf file, just change the file extension handling, or change the way your system handles the associated MIME types.Might be something to look into...
samstoned said:
I was just going to ask thatas I do have to use IE sometimeswhats next will need a computer made just for internet browsingcan firefox about :config lock out the wmf files
Per Hansson said:
Guys, look at the video just uploaded at SANS (link in the newspost)They infect a machine on purpose... They do not click on anything, just visiting the site is enough...
PanicX said:
The video shows the user trying to view or download the wmf file itself, at which point it auto-executes. So I'd recommend NOT clicking any links that end with a wmf file.
phantasm66 said:
That video is cool, download it.http://www.websensesecuritylabs.com/images/alerts/wmf-mov
e.wmv[Edited by phantasm66 on 2005-12-28 15:03:21]
phantasm66 said:
[quote]According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file." [/quote][quote]In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.[/quote]So basically, don't allow this.
PanicX said:
I downloaded the wmf file to add to my virus collection. It really makes you nervous, just sitting there like a little timebomb.
phantasm66 said:
I think its safe to let it install in VMware and see if it works.Though if you watch the movie, its good enough.
Handyman said:
[b]Originally posted by samstoned:[/b][quote]whats next will need a computer made just for internet browsingcan firefox about :config lock out the wmf files[/quote]Fortunatley I don't use Google or IE. But still, getting infected without actually opening a file is nasty. In the old days you had Win32.Geefo making a mess of your operating system but now a trojan slips quietly through your firewall and steels all your personal information. Anyway Microsoft should be working on a patch by now.
kokomen said:
Another M$ fault.. and go on
tkteo said:
Larry Seltzer's article on eweek.com[url]http://www.eweek.com/article2/0,1895,1906211,0
.asp[/url]contains information to registry workarounds, and the link to a mailing list message with URIs for registry patches. The mailing list message URI is:[url]http://lists.grok.org.uk/pipermail/full-disclosure/2
05-December/040699.html[/url]be safe everyone!PS. To the Techspot people, I think it will help -- even a little -- to add the links to the workarounds to your article:http://www.techspot.com/news/19936-windows-wmf-0day-
xploit-in-the-wild.html
barfarf said:
How cow the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware then its installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?
otmakus said:
[b]Originally posted by barfarf:[/b][quote]How cow the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware then its installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?[/quote]Spyware Sherriff has been doing that for a while now, the fake spyware scanner will even claim that it finds some "dangerous spyware" in your machine and insists that you buy the full version of it ASAP before the damage spreads.But the possibilities to be infected only for visiting a website is scary. I hope they can solve this problem and release a patch soon.
Mictlantecuhtli said:
[url]http://ntbugtraq.ntadvice.com/default.aspx?pid=55&did=32
/url]According to a plugin in [url=http://www.x-setup.net/]X-Setup Pro[/url], the following files are executed silently in IE:.aifc.avi.cdf.cnf.dvr-ms.etd.fdf.m3u.mid.midi.mp2v.mpa.mp
2.pdf.pls.rmf.rmi.wal.wax.wm.wmd.wmx.wmz.wpl.wsz.wvx.xdp.x
df.xml.xppl.xpwz.xslSo, basically, if one of these has a vulnerability, anything could happen?
Nodsu said:
Surely not all of these.. PDF needs a plugin or an auxiliary program for sure to be handled by IE.
Mictlantecuhtli said:
Yes, that was just for my Windows.
realblackstuff said:
Guess it won't be long now, before RSS-feeds will also automatically infect you!Time to subscribe to a real newspaper again.
spike said:
lol@RBS. Somehow surreal, but with a large amount of truth.
luismigilbert said:
i use a great antivirus, up to date.. microsoft antispyware.. no problems at all...performance is affected... but that's it...
Craftos said:
I've been hit with that bug right that day. I use Firefox all day but had bad luck with opening one page with IE.In a few seconds I had 4 trojans installed, including Spy Sheriff (sic!)
Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.