Just when you thought we had a good understanding of the recent zero-day WMF (Windows Metafile) exploit, it’s worse. SANS is reporting on a new variation of the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was “made by the folks at metasploit and xfocus, together with a anonymous source.”
The exploit generates files:
- with a random size;
- no .wmf extension, (.jpg), but could be any other image extension actually;
- a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- a random trailer
What makes it worse is that current IDS rules will likely not stop this new variation. Nor will current antivirus signatures. Also….
Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.
They suggested re-evaluating any defences against the bug and also mention the unofficial patch at http://www.hexblog.com/2005/12/wmf_vuln.html that I mentioned earlier today.
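For anyone re-evaluating file-based checks, here is a sketch (an added example, not code from SANS or from the exploit source) of why extension and fixed-offset signatures miss these files while a content-based record walk does not. It assumes the "bad call" is a META_ESCAPE record using the SETABORTPROC escape function, which the post does not name, and it assumes a well-formed header and record sizes; `find_setabortproc` and `build_sample` are hypothetical names, and the sample files are constructed and carry no payload.

```python
import struct

META_ESCAPE = 0x0626              # WMF record function "Escape"
SETABORTPROC = 0x0009             # escape function taken here to be the "bad call" (assumption)
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # optional 22-byte placeable header

def find_setabortproc(data):
    """Return offsets of META_ESCAPE/SETABORTPROC records, or None if not WMF."""
    pos = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < pos + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None                # content check only; the file name is never consulted
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == 0:      # malformed size or META_EOF: stop
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2      # record sizes are counted in 16-bit words
    return hits

def _record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def build_sample(padding, with_escape):
    """Constructed test input: harmless padding records, optional empty Escape record."""
    recs = [_record(0x0201, struct.pack("<I", i)) for i in range(padding)]  # META_SETBKCOLOR
    if with_escape:
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))  # no payload
    recs.append(_record(0x0000))   # META_EOF
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 5, 0)
    return header + body + b"\xaa" * 64     # constructed trailer after EOF

if __name__ == "__main__":
    # The names are labels only: detection depends on content, not on the extension.
    for name, blob in [("plain.wmf", build_sample(0, True)),
                       ("photo.jpg", build_sample(400, True)),
                       ("clean.gif", build_sample(400, False))]:
        print(name, len(blob), find_setabortproc(blob))
```

With 400 padding records the flagged record sits 4,018 bytes into the file, past a 1,500-byte Ethernet MTU, so a signature that only inspects the first packet or a fixed offset never sees it.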
So in other words, batten down the hatches; it’s going to be a rocky start to the year in computer security. Good luck.
–update 7PM EST–
The Security Fix has some coverage as well.