WMF exploit through indexing software
One of the vectors mentioned early on is the infection of a system through the WMF exploit even when the exploit file was downloaded from a DOS command shell and never opened. At first this seemed absurd, but it turned out that Google Desktop Search was indexing files dynamically: once the file was downloaded, the indexer parsed it and triggered the vulnerability. There is word that Microsoft's indexing service does likewise, although Microsoft has only said that they're "looking into reports". Incidents.org is saying that they think this may be the giant white elephant no one is talking about. I certainly would shudder to think what would happen if machines on a network are indexing a network share and manage to subvert every machine running an indexer….
Along the same lines, in the Kaspersky Labs viruslist blog they note that they suspect the vulnerability isn't actually within shimgvw.dll, even though unregistering it works around the problem in some cases. Given that other applications can be exploited even with the unregister workaround in place, they conclude that the flaw is most likely in gdi32.dll.
This makes sense in light of the third-party patch that I reported on earlier. That patch works around the problem by disabling the SETABORT escape functionality in gdi32.dll. (Who knows, this could be the foundation of an official Microsoft patch, although disabling the escape may break other things.)
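Because the dangerous path runs through the SETABORTPROC escape rather than through any one viewer DLL, a file-level check that looks for that escape record is a useful defensive complement to the DLL workaround. The scanner below is an added example written for this post, not code from the blog, Kaspersky or the third-party patch; the two sample files are constructed inline, and it relies only on the public WMF record layout (META_ESCAPE = 0x0626, escape function SETABORTPROC = 0x0009).

```python
import struct

META_ESCAPE, META_EOF, SETABORTPROC = 0x0626, 0x0000, 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte "placeable" header magic

def scan_wmf(data: bytes) -> dict:
    """Walk WMF records; list META_ESCAPE functions and flag SETABORTPROC."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off += header_words * 2
    result = {"records": 0, "escapes": [], "setabortproc": False, "malformed": False}
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        size = size_words * 2
        if size < 6 or off + size > len(data):
            result["malformed"] = True  # record runs past EOF: do not trust it
            break
        result["records"] += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and size >= 10:
            esc_func, _byte_count = struct.unpack_from("<HH", data, off + 6)
            result["escapes"].append(esc_func)
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
        off += size
    return result

# --- constructed sample files (hypothetical, for demonstration only) ---
def _record(func: int, params: bytes = b"") -> bytes:
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body

def _wmf(records: list) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body

# benign: META_SETMAPMODE then META_EOF
BENIGN_WMF = _wmf([_record(0x0103, struct.pack("<H", 8)), _record(META_EOF)])
# suspicious: a SETABORTPROC escape carrying 4 bytes of constructed filler
SUSPICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                       _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, scan_wmf(blob))
```

A real WMF may legitimately contain other escape records, so only the SETABORTPROC flag (or a malformed record length) should drive quarantine; everything else is informational.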