More on the Windows WMF zero-day exploit

There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get attention to this problem. It looks like the original site serving the exploit is down, but now it’s being served MANY places. Here are more details from f-secure…

Here are a list of sites to be blocked (from f-secure):

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

The bugs are currently detected as W32/PFV-Exploit.A, .B and .C Here’s another note on how nasty it is…

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?

(Who would have thought?)

Further they suggest to disable Google Desktop indexing of image files as that seemed to be what zapped the above system….

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.

   Send article as PDF   

Similar Posts