
Windows WMF 0-day exploit in the wild


On December 28, 2005, 12:12 PM

Update: Microsoft has now issued a security advisory on the WMF vulnerability.

There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch.

F-Secure has some information on this, as does The Internet Storm Center. Note that if you have the Google toolbar installed, it is enough to download the file with an "inactive" client (i.e. one that by default does not execute what you download) like wget or similar, because the Google toolbar will index the infected file anyway!

It is not mentioned if other operating systems like Windows 2000 or 98 are also vulnerable.
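For filtering at a mail or web gateway, a metafile can be recognised from its header bytes rather than from its file name. The sketch below is an added example, not code from the article or from any vendor it names; the function names and sample inputs are constructed for illustration, and it identifies the format only, not whether a given file is malicious.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7               # magic of the optional 22-byte placeable header
STD_HEADER = struct.Struct("<HHHIHIH")   # the 18-byte standard metafile header

def parse_wmf_header(data):
    """Return header fields if data starts with a WMF header, else None."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        offset = 22                      # standard header follows the placeable one
    if len(data) < offset + STD_HEADER.size:
        return None                      # truncated: too short to hold a full header
    ftype, hdr_words, version, size_words, _objs, max_rec, _unused = \
        STD_HEADER.unpack_from(data, offset)
    # type 1 = memory, 2 = disk; header is always 9 words; version 1.0 or 3.0
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": offset == 22, "version": version,
            "declared_bytes": size_words * 2, "largest_record_bytes": max_rec * 2}

def classify(filename, data):
    """Gateway verdict: decide on content, and report a name/content mismatch."""
    if parse_wmf_header(data) is None:
        return "not-wmf"
    if filename.lower().endswith(".wmf"):
        return "wmf"
    return "wmf-disguised"               # metafile content under another extension

# Constructed sample inputs (built here, not taken from any real file).
BARE = STD_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACED = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + BARE
SAMPLES = [
    ("chart.wmf", PLACED),                            # placeable metafile
    ("holiday.jpg", BARE),                            # metafile named as a JPEG
    ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(32)),   # JPEG magic, not a metafile
    ("cut.wmf", PLACED[:30]),                         # header cut short
]

def scan(samples=SAMPLES):
    """Classify every (name, bytes) pair and return {name: verdict}."""
    return {name: classify(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```

A filter built this way can quarantine or block anything classified `wmf` or `wmf-disguised` until a vendor fix is installed.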


User Comments: 30

  1. Oh god. An exploit that allows a trojan dropper onto a machine unhindered. That's as good as a full control type vulnerability on an unprotected machine. It never rains but it pours.
  2. Is this vulnerability through IE or intrinsic to the M$ OS ?
  3. I would assume the Microsoft OS as it's using Windows Metafiles. This is serious. Hopefully we see a fix soon..
  4. Great. Just what I needed this week!
  5. This is so annoying! Gah, I think I say this every day, as every day there's more news about viruses. Won't it ever end?
  6. The link to the [url=http://isc.sans.org/]Internet Storm Center[/url] in the main article has really good info about this exploit. Basically anything that renders a WMF file is vulnerable, this means IE, Windows Explorer, Microsoft picture and fax viewer and Google Desktop will all automatically infect a machine that accesses these files. There's bound to be dozens more apps that will also be affected. Keep your Antivirus defs up to date.
  7. Wow, nice to know, one more trojan Microsoft can't deal with. Ouchie, you know, isn't there a more beneficial way for hackers to channel their energies?
  8. This causes a number of issues, including the fact that Google Desktop is affected.
  9. nathanskywalker: yeah, I've been thinking about that too... Why doesn't someone create a virus that enables the firewall in the OS, installs a free antivirus program, etc. etc. etc.? While it's at it, why not completely remove Internet Explorer and replace it with Firefox? Think of all the issues that would solve in an instant! Note, however, that the issue noted in this exploit would not be fixed at all anyway by doing all that, which puts some light on how serious it really is!
  10. Positive viruses? Yes, that idea has been talked about for a while. Machines only do what we tell them to. A human being decides if the consequences of these things are good or bad. Machines don't care.
  11. Since we're talking about metafiles, does that mean a user has to specifically be downloading the file? For example clicking a link to a *.wmf file. Or do the metafiles get downloaded automatically just by visiting a site or viewing some type of content? Cause if you have to specifically download the file, just be sure to never download WMF files! Otherwise, I think you can actually go and change how windows/ie/any program handles a *.wmf file, just change the file extension handling, or change the way your system handles the associated MIME types. Might be something to look into...
  12. I was just going to ask that, as I do have to use IE sometimes. What's next, will need a computer made just for internet browsing? Can Firefox about:config lock out the wmf files?
  13. Guys, look at the video just uploaded at SANS (link in the newspost). They infect a machine on purpose... They do not click on anything, just visiting the site is enough...
  14. The video shows the user trying to view or download the wmf file itself, at which point it auto-executes. So I'd recommend NOT clicking any links that end with a wmf file.
  15. That video is cool, download it. http://www.websensesecuritylabs.com/images/alerts/wmf-mov
    e.wmv [Edited by phantasm66 on 2005-12-28 15:03:21]
  16. [quote]According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file." [/quote] [quote]In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.[/quote] So basically, don't allow this.
  17. I downloaded the wmf file to add to my virus collection. It really makes you nervous, just sitting there like a little timebomb.
  18. I think it's safe to let it install in VMware and see if it works. Though if you watch the movie, it's good enough.
  19. [b]Originally posted by samstoned:[/b] [quote]What's next, will need a computer made just for internet browsing? Can Firefox about:config lock out the wmf files?[/quote] Fortunately I don't use Google or IE. But still, getting infected without actually opening a file is nasty. In the old days you had Win32.Geefo making a mess of your operating system but now a trojan slips quietly through your firewall and steals all your personal information. Anyway Microsoft should be working on a patch by now.
  20. Another M$ fault.. and go on
  21. Larry Seltzer's article on eweek.com [url]http://www.eweek.com/article2/0,1895,1906211,0
    .asp[/url] contains information to registry workarounds, and the link to a mailing list message with URIs for registry patches. The mailing list message URI is: [url]http://lists.grok.org.uk/pipermail/full-disclosure/2
    05-December/040699.html[/url] Be safe everyone! PS. To the Techspot people, I think it will help -- even a little -- to add the links to the workarounds to your article: http://www.techspot.com/news/19936-windows-wmf-0day-
    xploit-in-the-wild.html
  22. Holy cow, the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware then it installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?
  23. [b]Originally posted by barfarf:[/b] [quote]Holy cow, the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware then it installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?[/quote] Spyware Sherriff has been doing that for a while now, the fake spyware scanner will even claim that it finds some "dangerous spyware" in your machine and insists that you buy the full version of it ASAP before the damage spreads. But the possibility of being infected just by visiting a website is scary. I hope they can solve this problem and release a patch soon.
  24. [url]http://ntbugtraq.ntadvice.com/default.aspx?pid=55&did=32
    /url] According to a plugin in [url=http://www.x-setup.net/]X-Setup Pro[/url], the following files are executed silently in IE: .aifc.avi.cdf.cnf.dvr-ms.etd.fdf.m3u.mid.midi.mp2v.mpa.mp
    2.pdf.pls.rmf.rmi.wal.wax.wm.wmd.wmx.wmz.wpl.wsz.wvx.xdp.x
    df.xml.xppl.xpwz.xsl So, basically, if one of these has a vulnerability, anything could happen?
  25. Surely not all of these.. PDF needs a plugin or an auxiliary program for sure to be handled by IE.
