Computer Tips -Tech Info

Tag: IDS

  • Another update to exploit?

    I didn’t see this reported anywhere, but since yesterday when there was an update to the metasploit module for the WMF vulnerability I think there’s been yet another update. I read yesterday that it had been updated and could evade all known IDS signatures. I downloaded the update to continue my Win98 testing. Then today found that there was another update. I haven’t compared the old/new versions but can’t help but wonder if this means more scrambling of antivirus writers for new signatures to keep up.

    (more…)

  • The press covering the WMF bug

    It’s always a strange mix between comedy and frustration to see the main media outlets cover a tech news item. I usually wince and brace myself when I see any tv news outlet take on a computer issue and likewise when I read newspapers and non-tech publications take on anything of the sort. It’s kind of like movies that use extremely fake computers. Sometimes I think it’s because they’re trying to simplify things for the average viewer, but I usually find that approach somewhat condescending because I don’t think grown adults should be treated like little kids. Anyway, I digress… the coverage of this WMF exploit has been, well, interesting. There was…

    (more…)

  • Antivirus scanning update for WMF

    I hung on to the last batch of 20 wmf exploit samples I had been working with for the purpose of testing my clamantivirus install against them to see when “full detection” of all 20 had been acheived. Last night, with version 1227 of the daily.cvd database, they were still detecting 8 out of the 20. Now, the signatures seem to have improved as with version 1228 of daily.cvd clamav detects all 20 as Exploit.WMF.Gen-3 FOUND

    (more…)

  • WMF exploit situation summary…

    Since there’s been quite a bit of flux the last couple of days I thought I’d try to “reset” the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit.

    1st there is a vulnerability in the way Windows renders WMF (Windows MetaFile) image files that makes possible an exploitable buffer overflow allowing remote execution. There are at least two exploits for this vulnerability and it is not necessary for the wmf to have a name ending in .wmf (it could masquerade as jpg for instance.) The specially crafted WMF could be in a web page, email (html email), or other document. There are many possible vectors of entry for this.

    (more…)

  • NEW exploit for the WMF vulnerability

    Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it’s worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was “made by the folks at metasploit and xfocus, together with a anonymous source.”

    (more…)