Just when you thought we had a good understanding of the recent zero-day WMF (Windows Metafile) exploit, it gets worse. SANS is reporting on a new variation of the exploit released today, and they have gone to yellow (again) to warn people. Here are some details. This exploit was "made by the folks at metasploit and xfocus, together with an anonymous source."
The exploit generates files:
- with a random size;
- with no .wmf extension (.jpg in this case, but any other image extension would work just as well);
- with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU of an Ethernet network;
- using one of a number of possible calls to trigger the exploit, all listed in the source;
- with a random trailer.
What makes it worse is that current IDS rules will likely not stop this new variation, and neither will current antivirus signatures. Also, judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of WMF files.
They suggested re-evaluating any defences against the bug and also mention the unofficial patch at http://www.hexblog.com/2005/12/wmf_vuln.html that I mentioned earlier today.
So, in other words, batten down the hatches: it's going to be a rocky start to the year in computer security. Good luck.
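The points above (a fake image extension, junk ahead of the bad call to push it past the first packet, and weak signatures) all argue for checking file content rather than file names or the first few bytes on the wire. As an added example, not code from this post, SANS, or the metasploit module, here is a Python content check that identifies a WMF by its header regardless of extension and walks every record for a META_ESCAPE carrying SETABORTPROC (the escape the patched flaw involves; not named in the post). The two sample files are constructed in the block and carry no payload, only record structure.

```python
import struct

META_EOF, META_ESCAPE = 0x0000, 0x0626   # WMF record function numbers
ESC_SETABORTPROC = 0x0009                # escape sub-function the WMF flaw abuses
PLACEABLE_KEY = 0x9AC6CDD7               # Aldus placeable header magic

def strip_placeable(data: bytes) -> bytes:
    # Drop the optional 22-byte placeable header so the standard header sits at 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data

def is_wmf(data: bytes) -> bool:
    """Identify a WMF by its header, whatever extension the file carries."""
    data = strip_placeable(data)
    if len(data) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def escape_records(data: bytes) -> list:
    """Walk the whole record stream; return (offset, escape_function) per META_ESCAPE."""
    data, found, off = strip_placeable(data), [], 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:      # end of file, or malformed size
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            found.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        off += size_words * 2                       # record sizes are in 16-bit words
    return found

def scan(filename: str, data: bytes) -> dict:
    """Content-based verdict: WMF under a non-.wmf name, plus SETABORTPROC escapes."""
    wmf = is_wmf(data)
    escapes = escape_records(data) if wmf else []
    return {"is_wmf": wmf,
            "extension_mismatch": wmf and not filename.lower().endswith(".wmf"),
            "setabortproc_offsets": [o for o, f in escapes if f == ESC_SETABORTPROC]}

# --- constructed samples (built here, not real captures) ---
def record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params
def build_wmf(records: list) -> bytes:
    body = b"".join(records) + record(META_EOF)
    words = (18 + len(body)) // 2
    return struct.pack("<HHHHHHIH", 2, 9, 0x0300, words & 0xFFFF, words >> 16,
                       0, max(len(r) for r in records) // 2, 0) + body
SETMAPMODE = record(0x0103, b"\x08\x00")                     # harmless MM_ANISOTROPIC
BENIGN = build_wmf([SETMAPMODE])
# 300 filler records (~2.4 KB, past a 1500-byte MTU) ahead of an empty SETABORTPROC escape
SUSPECT = build_wmf([SETMAPMODE] * 300 + [record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 0))])
```

Because the walker follows record sizes rather than looking at a fixed prefix, the junk before the bad call changes nothing; a malformed size of zero is treated as end of stream so a hostile file cannot make the loop spin.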
–update 7PM EST–
The Security Fix has some coverage as well.