More on the Windows WMF zero-day exploit



There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get attention to this problem. It looks like the original site serving the exploit is down, but now it’s being served MANY places. Here are more details from f-secure…


Here are a list of sites to be blocked (from f-secure):

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

The bugs are currently detected as W32/PFV-Exploit.A, .B and .C Here’s another note on how nasty it is…

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?

(Who would have thought?)

Further they suggest to disable Google Desktop indexing of image files as that seemed to be what zapped the above system….

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.

Related Posts

Blog Traffic Exchange Related Posts
  • WMF exploit and Windows 98 Most of the talk on the WMF zero-day has centered on Windows XP, 2000 and 2003. The unofficial patch is available for those three platforms. Microsoft's (eventual) patch will likely be for those as well. Incidents.org had a comment in one of their posts that this would be a "watershed......
  • Windows 98 WMF patch This hopefully will be my last post on the whole WMF exploit stuff.... It's prompted in part by a comment on one of the articles on Windows 98 and the vulnerability. I realized that I hadn't really brought things to a full conclusion for the Windows 98 users. Of course,......
  • How festive - the dasher worm... The securityfix is reporting on a new worm that exploits an older Windows vulnerability. The worm is called dasher and is in at least it's second iteration. Sans noticed an odd increase in port 1025 scans on the tenth of the month which was early activity of this worm. It......
Blog Traffic Exchange Related Websites
  • Corporate Tax Extensions Corporate Tax Extensions! About taxextension.com Authorized IRS e-file Provider taxextension.com is an an Authorized IRS e-file Provider offering tax extension preparation and electronic filing services to consumers and businesses. // < ![CDATA[ google_ad_client = "pub-6633193994067043"; /* 200x90, created 1/21/11 */ google_ad_slot = "5979715700"; google_ad_width = 200; google_ad_height = 90; //......
  • Ever Changing Windows Registry – Here's the Way to Counter Registry Errors Windows registry is information loaded in files to direct the behaviors of operating system and other programs. Any change or deviation just leads to crashes unwanted. Whenever you install few files are registered in Windows registry as program guidance files and during uninstall they are either removed or let remain......
  • REG file parser using the Boost Spirit Parser Framework I would like to thank the people who developed the following projects - they made the implementation of this project easier: I want to say a personal thank you to Silviu Simen for his article "INI file reader using the Spirit library". There was a project in which I took......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site