WMF 0-day exploit



There seems to be a 0-day exploit involving WMF (Windows Metafile) files, according to SANS. Here’s their lead-in:

Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq.


It’s important to realize that ANY link or file that originates from somewhere other than your PC should be considered a possible route for “bad things” to get into your PC: image files, documents, etc. A file doesn’t have to be a program file to be “dangerous”; it can simply exploit a vulnerability. In this case it’s a vulnerability in graphics rendering in Windows that has not previously been documented. According to SANS it can install a trojan dropper on a fully patched Win XP SP2 machine. The dropper then installs Winhound, which is one of the “wolves in sheep’s clothing” and will urge you to pay to clean up the infection that it will undoubtedly find.

This appears to affect both Internet Explorer and Firefox: Internet Explorer automatically opens Windows Picture and Fax Viewer, while Firefox asks if it should open Windows Picture and Fax Viewer (saying yes and opening the file in Windows Picture and Fax Viewer triggers the exploit). It’s possible that DEP (Data Execution Prevention) could prevent the exploit from working. It is unclear whether software DEP does, or whether only hardware DEP prevents this. Again, any file not originating on the local PC (links to files included) should be considered potentially dangerous (recall the story of the Trojan horse). Be cautious.
