More on the Windows WMF zero-day exploit



There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get attention to this problem. It looks like the original site serving the exploit is down, but now it’s being served MANY places. Here are more details from f-secure…


Here are a list of sites to be blocked (from f-secure):

Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz

The bugs are currently detected as W32/PFV-Exploit.A, .B and .C Here’s another note on how nasty it is…

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?

(Who would have thought?)

Further they suggest to disable Google Desktop indexing of image files as that seemed to be what zapped the above system….

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you’re handling infected files under Windows.

Related Posts

Blog Traffic Exchange Related Posts
  • More testing on the second WMF exploit After my Windows 98 tests which failed to exploit the system with either the first or the second vulnerability, I started wondering how well the antivirus companies were doing in detecting this second exploit variation. I had setup and updated metasploit so I could test my Windows 98 SE install......
  • Cleaning up after WMF Exploit - summary Can I say enough times that after a bad trojan infestation you should format and reinstall? I've cleaned up the infested image that I "sacrificed" to the WMF exploit and as I've said you're pestware install will likely be somewhat different. An exploit is just the road, the spyware and......
  • WMF Exploit -- it's worse... This is going to be a rough start to the new year for IT staff and computer users.... There's coverage at Incidents.org, the sunbeltblog and f-secure of the latest twist in what will likely be a BIG mess to clean up. It looks like there's a someone spamming emails to......
Blog Traffic Exchange Related Websites
  • Ever Changing Windows Registry – Here's the Way to Counter Registry Errors Windows registry is information loaded in files to direct the behaviors of operating system and other programs. Any change or deviation just leads to crashes unwanted. Whenever you install few files are registered in Windows registry as program guidance files and during uninstall they are either removed or let remain......
  • Creating a Blog Video Online About two years ago, blogging hit a surge that allowed its way into the mainstream, and now everybody is blogging for a wide variety of different reasons. Blogs resemble web-based public diaries of sorts, where the creator can record their thoughts, their opinions, questions and answers and essentially anything else......
  • What is Bankruptcy? Understand the process of bankruptcy before you file the forms by yourself or with an attorney. To start the process of bankruptcy, a person with an unwieldy amount of debt files for bankruptcy in the nearest court. This process is normally done with the help of attorney, a person is......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site