
Windows WMF 0-day exploit in the wild

On December 28, 2005, 12:12 PM EST

Update: Microsoft has now issued a security advisory on the WMF vulnerability.

There's a new zero-day vulnerability in Windows' image rendering, specifically in WMF files (Windows Metafiles). Trojan downloaders, served from unionseek[DOT]com, have been actively exploiting it. Right now, fully patched Windows XP SP2 machines are vulnerable, with no patch available.

F-Secure has some information on this, as does the Internet Storm Center. Note that if you have the Google toolbar installed, it is enough to download the file with an "inactive" client (i.e. one that by default does not execute what you download), like wget or similar, because the Google toolbar will index the infected file anyway!

It is not mentioned if other operating systems like Windows 2000 or 98 are also vulnerable.
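Since the article's point is that anything which renders a WMF file is exposed, a defender cannot rely on the file extension: a metafile renamed to .jpg is still a metafile. The check below identifies WMF content by its on-disk header instead. It is an added example, not code from TechSpot, F-Secure or the Internet Storm Center, and the sample byte strings are constructed (header bytes only, no exploit content).

```python
import struct

# Aldus placeable metafile key; stored little-endian on disk as D7 CD C6 9A.
PLACEABLE_KEY = 0x9AC6CDD7


def looks_like_wmf(data: bytes) -> bool:
    """Return True if data begins with a placeable or standard WMF header.

    The file name is ignored on purpose: Windows image handlers render a
    metafile by content, so a renamed .wmf still reaches the same code.
    """
    if len(data) < 18:           # standard METAHEADER is 18 bytes
        return False
    # Placeable header: 4-byte key, then bounding box, inch, reserved, checksum.
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize = 9
    # (in 16-bit words), mtVersion 0x0100 or 0x0300.
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def scan_files(files):
    """files: mapping of file name -> bytes.

    Returns the names whose content is WMF but whose extension does not say
    so, i.e. the renamed-metafile case an extension-based block would miss.
    """
    return [name for name, data in files.items()
            if looks_like_wmf(data) and not name.lower().endswith(".wmf")]


# Constructed samples: a placeable WMF, a standard WMF with a misleading
# name, and a plain text file.
SAMPLES = {
    "chart.wmf": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + b"\x01\x00\x09\x00\x00\x03",
    "photo.jpg": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 16,
    "notes.txt": b"just some text, nothing to see here......",
}

if __name__ == "__main__":
    print("WMF content with non-WMF extension:", scan_files(SAMPLES))
```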

User Comments (30)

spike
on December 28, 2005
12:33 PM
Oh god. An exploit that allows a trojan dropper onto a machine unhindered. That's as good as a full control type vulnerability on an unprotected machine. It never rains but it pours.

Reply

thrudd
on December 28, 2005
12:49 PM
Is this vulnerability through IE or intrinsic to the M$ OS ?

Reply

asphix
on December 28, 2005
12:54 PM
I would assume the Microsoft OS as it's using Windows Metafiles. This is serious. Hopefully we see a fix soon.

Reply

lordbf1
on December 28, 2005
12:58 PM
Great. Just what I needed this week!

Reply

mentaljedi
on December 28, 2005
1:11 PM
This is so annoying! Gah, I think I say this every day, as every day there's more news about viruses. Won't it ever end?

Reply

PanicX
on December 28, 2005
1:18 PM
The link to the [url=http://isc.sans.org/]Internet Storm Center[/url] in the main article has really good info about this exploit. Basically anything that renders a WMF file is vulnerable; this means IE, Windows Explorer, Microsoft Picture and Fax Viewer and Google Desktop will all automatically infect a machine that accesses these files. There's bound to be dozens more apps that will also be affected. Keep your antivirus defs up to date.

Reply

nathanskywalker
on December 28, 2005
1:21 PM
Wow, nice to know, one more trojan Microsoft can't deal with. Ouchie. You know, isn't there a more beneficial way for hackers to channel their energies?

Reply

phantasm66
on December 28, 2005
1:27 PM
This causes a number of issues, including the fact that Google Desktop is affected.

Reply

Per Hansson
on December 28, 2005
1:30 PM
nathanskywalker; yea, I've been thinking about that too... Why does not someone create a virus that enables the firewall in the OS, installs a free antivirus program etc etc etc? While it's at it, why not completely remove Internet Explorer and replace it with Firefox? Think of all the issues that would solve in an instant! Note however that the issue noted in this exploit would not be fixed at all anyway by doing all that, which puts some light on how serious it really is!

Reply

phantasm66
on December 28, 2005
1:37 PM
Positive viruses? Yes, that idea has been talked about for a while. Machines only do what we tell them to. A human being decides if the consequences of these things are good or bad. Machines don't care.

Reply

vigilante
on December 28, 2005
2:05 PM
Since we're talking about metafiles, does that mean a user has to specifically be downloading the file? For example clicking a link to a *.wmf file. Or do the metafiles get downloaded automatically just by visiting a site or viewing some type of content? Cause if you have to specifically download the file, just be sure to never download WMF files! Otherwise, I think you can actually go and change how windows/ie/any program handles a *.wmf file, just change the file extension handling, or change the way your system handles the associated MIME types. Might be something to look into...

Reply

samstoned
on December 28, 2005
2:11 PM
I was just going to ask that, as I do have to use IE sometimes. What's next, will need a computer made just for internet browsing? Can Firefox about:config lock out the wmf files?

Reply

Per Hansson
on December 28, 2005
2:14 PM
Guys, look at the video just uploaded at SANS (link in the newspost). They infect a machine on purpose... They do not click on anything, just visiting the site is enough...

Reply

PanicX
on December 28, 2005
2:46 PM
The video shows the user trying to view or download the wmf file itself, at which point it auto-executes. So I'd recommend NOT clicking any links that end with a wmf file.

Reply

phantasm66
on December 28, 2005
2:57 PM
That video is cool, download it. http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv [Edited by phantasm66 on 2005-12-28 15:03:21]

Reply

phantasm66
on December 28, 2005
3:04 PM
[quote]According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."[/quote] [quote]In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.[/quote] So basically, don't allow this.

Reply

PanicX
on December 28, 2005
3:27 PM
I downloaded the wmf file to add to my virus collection. It really makes you nervous, just sitting there like a little timebomb.

Reply

phantasm66
on December 28, 2005
3:31 PM
I think it's safe to let it install in VMware and see if it works. Though if you watch the movie, it's good enough.

Reply

Handyman
on December 28, 2005
3:39 PM
[b]Originally posted by samstoned:[/b] [quote]What's next, will need a computer made just for internet browsing? Can Firefox about:config lock out the wmf files?[/quote] Fortunately I don't use Google or IE. But still, getting infected without actually opening a file is nasty. In the old days you had Win32.Geefo making a mess of your operating system, but now a trojan slips quietly through your firewall and steals all your personal information. Anyway, Microsoft should be working on a patch by now.

Reply

kokomen
on December 28, 2005
4:14 PM
Another M$ fault.. and go on

Reply

tkteo
on December 28, 2005
4:58 PM
Larry Seltzer's article on eweek.com [url]http://www.eweek.com/article2/0,1895,1906211,00.asp[/url] contains information on registry workarounds, and the link to a mailing list message with URIs for registry patches. The mailing list message URI is: [url]http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040699.html[/url] Be safe everyone! PS. To the TechSpot people, I think it will help -- even a little -- to add the links to the workarounds to your article: http://www.techspot.com/news/19936-windows-wmf-0day-exploit-in-the-wild.html

Reply

barfarf
on December 28, 2005
6:32 PM
Holy cow, the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware, then it installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?

Reply

otmakus
on December 29, 2005
12:05 AM
[b]Originally posted by barfarf:[/b] [quote]Holy cow, the video link posted by phantasm66 is scary funny. I mean it gives you a false dialog box about spyware, then it installs a fake spyware scanner that asks to be paid for. Dang. That is evil. I wonder what happens if you enter credit card info. Identity theft?[/quote] Spyware Sherriff has been doing that for a while now; the fake spyware scanner will even claim that it finds some "dangerous spyware" in your machine and insists that you buy the full version of it ASAP before the damage spreads. But the possibility of being infected just by visiting a website is scary. I hope they can solve this problem and release a patch soon.

Reply

Mictlantecuhtli
on December 29, 2005
1:56 AM
[url]http://ntbugtraq.ntadvice.com/default.aspx?pid=55&did=32[/url] According to a plugin in [url=http://www.x-setup.net/]X-Setup Pro[/url], the following files are executed silently in IE: .aifc .avi .cdf .cnf .dvr-ms .etd .fdf .m3u .mid .midi .mp2v .mpa .mpv2 .pdf .pls .rmf .rmi .wal .wax .wm .wmd .wmx .wmz .wpl .wsz .wvx .xdp .xfdf .xml .xppl .xpwz .xsl So, basically, if one of these has a vulnerability, anything could happen?

Reply

Nodsu
on December 29, 2005
2:48 AM
Surely not all of these.. PDF needs a plugin or an auxiliary program for sure to be handled by IE.

Reply
