NEW exploit for the WMF vulnerability



Just when you thought we had a good understanding of the recent zero-day WMF (Windows Metafile) exploit, it gets worse. SANS is reporting on a new variation of the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was “made by the folks at metasploit and xfocus, together with an anonymous source.”


From SANS

The exploit generates files:

with a random size;
no .wmf extension, (.jpg), but could be any other image extension actually;
a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
a number of possible calls to run the exploit are listed in the source;
a random trailer

What makes it worse is that current IDS rules will likely not stop this new variation, and neither will current antivirus signatures. Also:

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

They suggest re-evaluating any defences against the bug and also mention the unofficial patch at http://www.hexblog.com/2005/12/wmf_vuln.html that I mentioned earlier today.

So in other words, batten down the hatches: it’s going to be a rocky start to the year in computer security. Good luck.

–update 7PM EST–
The Security Fix has some coverage as well.
