Just when you thought we had a good understanding of the recent zero-day WMF (Windows Metafile) exploit, it gets worse. SANS is reporting on a new variation of the exploit released today, and they have gone to yellow (again) to warn people. Here are some details. This exploit was "made by the folks at metasploit and xfocus, together with an anonymous source."
The exploit generates files:
- with a random size;
- with no .wmf extension (the sample uses .jpg, but it could be any other image extension);
- with a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
- with a number of possible calls to run the exploit, as listed in the source;
- with a random trailer.
What makes it worse is that current IDS rules will likely not stop this new variation, and neither will current antivirus signatures. Also, judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.
They suggested re-evaluating any defences against the bug and also mention the unofficial patch at http://www.hexblog.com/2005/12/wmf_vuln.html that I mentioned earlier today.
So, in other words: batten down the hatches, it's going to be a rocky start to the year in computer security. Good luck.
–update 7PM EST–
The Security Fix has some coverage as well.