WMF exploit through indexing software



One of the vectors mentioned early on is infection of a system through the WMF exploit even when the exploited file was merely downloaded from a DOS command shell and never opened. At first this seemed absurd, but it turned out that Google Desktop Search indexes files dynamically: once the file was downloaded, the indexer parsed it and triggered the vulnerability. There is word that Microsoft's indexing service does likewise, although Microsoft has only said that they're "looking into reports". Incidents.org is saying that they think this may be the giant white elephant no one is talking about. I certainly shudder to think what happens if machines on a network are indexing a shared folder and a single file on that share manages to subvert every machine running an indexing service against it.


Along the same lines, the Kaspersky Lab viruslist blog notes that they suspect the vulnerability isn't actually in shimgvw.dll, even though unregistering it works around the problem in some cases. Given that other applications can be exploited even with the unregister workaround in place, they conclude that the flaw is likely in gdi32.dll.

This makes sense in light of the third-party patch I reported on earlier. That patch works around the problem by disabling the SETABORT escape functionality in gdi32.dll. (Who knows, this could be the foundation of an official Microsoft patch, although disabling that escape may break other things.)
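As a defender-side illustration of the two points above (files get parsed by indexers as soon as they land on disk, and the third-party patch works by disabling the SETABORT escape in gdi32.dll), here is an added example that is not from this post or from any of the projects it mentions: a small Python scanner that walks the records of a WMF file and flags any META_ESCAPE record whose escape function is SETABORTPROC, the kind of check a gateway or a scan of an indexed share could run before a desktop indexer touches the file. The record layout, the META_ESCAPE function number (0x0626) and the SETABORTPROC value (9) are taken from the WMF format as I understand it, not from the post; the two sample files are constructed inline and carry no payload.

```python
import struct

# Record function numbers and escape code, taken from the WMF format as the
# author of this example understands it (assumptions, not values from the post).
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009          # the escape the post calls "SETABORT"
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
STD_HEADER_LEN = 18            # mtType..mtNoParameters, 9 words


def wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Raises ValueError on anything that does not parse as a WMF, so a caller
    can treat malformed files as suspicious instead of silently skipping them.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("too short for a WMF header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != STD_HEADER_LEN // 2:
        raise ValueError("not a WMF header")
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if size_words < 3:
            raise ValueError("record size below minimum at offset %d" % off)
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record runs past end of file at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record found")


def escape_records(data):
    """Return [(offset, escape_function)] for every META_ESCAPE record."""
    found = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            found.append((off, struct.unpack_from("<H", params, 0)[0]))
    return found


def has_setabortproc(data):
    """True if the file carries a SETABORTPROC escape, the record type the
    third-party patch neutralises by disabling that escape in gdi32.dll."""
    return any(esc == SETABORTPROC for _, esc in escape_records(data))


# --- constructed sample input (no payload, only the record skeleton) ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    body = b"".join(records)
    hdr = struct.pack("<HHHIHIH", 1, STD_HEADER_LEN // 2, 0x0300,
                      (STD_HEADER_LEN + len(body)) // 2, 0,
                      max(len(r) // 2 for r in records), 0)
    return hdr + body


BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)),
                   _record(META_EOF)])
SUSPECT_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)),
                    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
                    _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, escape_records(blob), has_setabortproc(blob))
```

The scanner deliberately refuses truncated or malformed files rather than returning "clean", because an indexer that reaches a bad record may still have done the dangerous work before noticing; a quarantine-on-parse-error policy is the safer default for a share that several indexing machines will read.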
