There are a number of references out today to a December 31st article (on a study by av-test) about how well antivirus products were keeping up with the shifting signatures of the WMF exploits. There was a list of about 12 products that were at 100% detection. Unfortunately, the important point is that the original article was December 31st. I don’t know if there are new variations in the wild, but I DO know that the metasploit module has changed and currently seems to evade detection from Clamav. (Although clamav has caught up to the most recent batch of the exploit.)
Tag: WMF
-
Official WMF exploit patch leak
It looks like, the Windows patch (or a beta) for the WMF exploit has been leaked online. It sounds as though Steve Gibson got a hold of a copy and has tested it along side the unofficial patch. All seems to go well. He notes that the build date was December 28th. So, they have been on it since very early on. That’s reassuring. It would be nice if their testing process could be a bit streamlined though.
-
Antivirus scanning update for WMF
I hung on to the last batch of 20 wmf exploit samples I had been working with for the purpose of testing my clamantivirus install against them to see when “full detection” of all 20 had been acheived. Last night, with version 1227 of the daily.cvd database, they were still detecting 8 out of the 20. Now, the signatures seem to have improved as with version 1228 of daily.cvd clamav detects all 20 as Exploit.WMF.Gen-3 FOUND
-
Hexblog (WMF unofficial patch) back up
Yesterday the hexblog, which is the site of the person that wrote the unofficial patch for the WMF exploit, was offline for bandwidth over use. Several mirror sites popped up to host the patch. Today the site is back up at http://www.hexblog.com/ in a more minimal form. It’s suggested if you can’t reach the page to try the ip address directly http://216.227.222.95 As the DNS changes are likely still propogating.
-
Another trojan using WMF exploit in SPAM
F-Secure is reporting on another SPAM attack that tries to get people to click on a link to a site with an exploit-crafted WMF file. The message is along the lines of a claimed Professor at Yale announcing the unfortunate vandalism over the New Year holiday, the link purports to be pictures of the act in the “hope that someone may recognize the culprits work”. I’m sure this won’t be the last of that sort….
-
Possible network printing problems with the unofficial WMF patch
The Sunbelt Blog has picked up on a report of some network printing problems with the unofficial WMF exploit patch installed. The first report was on the fulldisclosure list. It is recommended that the patch be tested before rolling out. The variation of software configurations varies by environment…
-
Busy week
Well last week was technically my “vacation” from computer work…. it didn’t quite turn out that way, but I did enjoy what I got to do, although I would much rather the WMF exploit had not come about. The week is shaping up to be quite busy with regards to appointments, so I doubt you should expect as high a rate of posting as there was last week. I’ll do my best to continue to hit the highlights. Thanks for visiting.
-
Microsoft warns against unofficial patch
I didn’t exactly expect a parade staged by Microsoft for the writer of the unofficial patch for this WMF vulnerability, but…. eweek tells us that Microsoft says “beware of unofficial WMF patch” It also mentions that behind the scenes Microsoft officials are furious that the threat has been overblown. Personally, I think they’ve downplayed the issue in their recent security bulletin and frankly, I’ve seen quite a bit of overblown hype. (*virus threatens every windows os shipped since 1990…)
-
WMF Exploit Unofficial patch additional download locations
The unofficial WMF exploit patch now has multiple locations to download from. They’ve apparently run into some bandwidth problems at the main site. Sunbeltblog has an alternate download location, Sans is hosting a download here (direct download link)
-
WMF exploit vs. Windows 98 again…
If you’ve visited here in the last few days, you’ll have noticed that I’ve been trying to test the WMF exploit against a Windows 98 Virtual machine since January 1st. I initially started out with a default install, which didn’t work, (for the exploit), then added irfanview (didn’t work), tried the exploit as a jpg, gif, htm, doc file extension, (didn’t work) and then this morning saw that I’m not the only one that’s been testing this….