IMPORTANT: WMF Vulnerability Exploited

Discussion in 'Windows Desktop Systems' started by Heeter, Dec 29, 2005.

  1. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    http://www.theinquirer.net/?article=28590



    Aaargh! Updated No fix for Windows XP SP2

    By INQUIRER staff: Wednesday 28 December 2005, 12:11
    F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

    Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

    A number of trojans are being distributed using the vulnerability, related to Windows' image rendering...






    Heeter
     
    jimi_81 likes this.
  2. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Re: Windows zero day nightmare exploited

    Workaround until the patch is released:

    According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

    1. Click on the Start button on the taskbar.
    2. Click on Run...
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
     
    jimi_81 and Perris Calderon like this.
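    The same iDefense workaround as a reversible, logged script, added here as an example (it is not from the thread, from iDefense, or from Microsoft). It assumes shimgvw.dll sits in %SystemRoot%\System32 and that the shell is run with administrator rights; the log path and the function names are the example's own. Beyond the four steps above, it records the regsvr32 exit code and lists processes that already have the DLL loaded, since unregistering only stops new instances from being created.

```powershell
# Added example: apply or undo the "regsvr32 /u shimgvw.dll" workaround with a log.
# Assumptions (not from the thread): shimgvw.dll in %SystemRoot%\System32, elevated shell.
param(
    [ValidateSet('Disable', 'Enable')]
    [string]$Action = 'Disable'
)

$dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'
$log = Join-Path $env:TEMP 'shimgvw-workaround.log'   # log location is this example's choice

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $log -Value $line
    Write-Host $line
}

function Invoke-Regsvr32([string[]]$Arguments) {
    # /s suppresses the confirmation dialog from step 4 so this can run unattended.
    # regsvr32 returns 0 on success; anything else is treated as failure below.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList (@('/s') + $Arguments) -Wait -PassThru
    return $p.ExitCode
}

function Get-ProcessesUsingDll([string]$Name) {
    # Processes that already loaded the DLL keep using it until they exit;
    # unregistering the COM server only prevents new instantiations.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules | Where-Object { $_.ModuleName -ieq $Name } } catch { $false }
    }
}

if (-not (Test-Path $dll)) {
    Write-Log "shimgvw.dll not found at $dll; nothing to do."
    exit 1
}

switch ($Action) {
    'Disable' { $regArgs = @('/u', $dll); $what = 'unregistered (WMF rendering via shimgvw.dll disabled)' }
    'Enable'  { $regArgs = @($dll);       $what = 're-registered (rendering restored)' }
}

$code = Invoke-Regsvr32 $regArgs
if ($code -eq 0) {
    Write-Log "shimgvw.dll $what."
} else {
    Write-Log "regsvr32 failed with exit code $code; check that the shell is elevated."
    exit $code
}

$holders = Get-ProcessesUsingDll 'shimgvw.dll'
if ($holders) {
    Write-Log ('Still loaded in: ' + (($holders | ForEach-Object { "$($_.ProcessName) ($($_.Id))" }) -join ', '))
    Write-Log 'Restart those processes (or log off) for the change to fully take effect.'
}
```

    Run it as `.\shimgvw-workaround.ps1 -Action Disable` to apply the hack and `-Action Enable` to reverse it once the patch is installed, matching the two regsvr32 commands in the post above.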
  3. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
  4. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Re: Windows zero day nightmare exploited

    Yay !
     
  5. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Re: Windows zero day nightmare exploited

    Yeah, this is an ugly one. Already seeing people who are getting infected by it.
     
    jimi_81 likes this.
  6. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Re: Windows zero day nightmare exploited

    Someone should create a trojan that just does this command....

    regsvr32 /u shimgvw.dll :)
     
  7. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Re: Windows zero day nightmare exploited

    An anti-trojan trojan. I like it. :D
     
  8. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Re: Windows zero day nightmare exploited

    Wouldn't be the first time.
     
  9. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Re: Windows zero day nightmare exploited

     
  10. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    Re: Windows zero day nightmare exploited

    A bit scary, that as of yesterday there were already 50 variants :(
     
  11. mlakrid

    mlakrid OSNN BASSMASTER Political User Folding Team

    Re: Windows zero day nightmare exploited

    :bandit: this is more scary
    /BOOT!
     
  12. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
  13. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Re: Windows zero day nightmare exploited

    That number seems to be going up rather quickly. 73 variants have been identified as of today.

    http://www.eweek.com/article2/0,1895,1907102,00.asp
     
  14. Kr0m

    Kr0m Moderator

    Messages:
    1,390
    Location:
    Turtle Island
  15. jimi_81

    jimi_81 Moderator Political User

    Messages:
    820
    Location:
    Stoney Creek, ON, Canada
    Re: Windows zero day nightmare exploited

    So now I know what my website was trying to do.
    It was redirecting me to a WMF file...

    I'm a little freaked out... I hope the fallout isn't too severe... the site I run is a recreational soccer site. Since it's the offseason, I don't imagine there being more than a handful affected.

    Thanks for the updates, guys.
     
  16. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Re: Windows zero day nightmare exploited

    This one is a pest to remove. I just cleaned it off of 4 PCs at my cousins', who have refused/neglected to use Firefox in the past. Now IE is set to HIGH security, and Firefox is their default browser. No choice this time.
     
  17. NetRyder

    NetRyder Tech Junkie Folding Team

    Messages:
    13,256
    Location:
    New York City
    Re: Windows zero day nightmare exploited

    Athlon64's and Intels with EM64T only.
     
  18. Heeter

    Heeter Overclocked Like A Mother

    Messages:
    2,732
    Re: Windows zero day nightmare exploited

    Temporary Fix Until MS comes out with a patch:

    Only applies to WinXP 32/64-bit; not tested on any other OS.

    Read about it here

    And Here

    Download


    j79zlr, I think the problem lies within Windows; it's not a situation that Firefox can avoid.




    Heeter
     
  19. Steevo

    Steevo Spammer representing. Political User Folding Team

    Messages:
    2,566
    Re: Windows zero day nightmare exploited

    I just turned on NX.

    Too bad that the ones at work don't have it, save one. But there is no one there that will be browsing the web till Tuesday. And they all have AV, and I will be adding the sites and ports to the reject connection list.

    But think about all the soccer moms and dads who don't have a thing but the expired McAfee trial and Windows Firewall, maybe. High speed connections, and no protection. Let's take off our hats in a moment of silence for them.
     
  20. j79zlr

    j79zlr Glaanies script monkey Political User

    Messages:
    2,725
    Location:
    Chicago
    Re: Windows zero day nightmare exploited

    Firefox 1.5 does NOT open WMF files by default without interaction. IE does and so does Opera. Of course you need to unregister that dll for now until MS decides that this problem is actually worthy of a fix.