
IMPORTANT: WMF Vulnerability Exploited

Heeter

Overclocked Like A Mother
#1
http://www.theinquirer.net/?article=28590



Aaargh! Updated No fix for Windows XP SP2

By INQUIRER staff: Wednesday 28 December 2005, 12:11
F-SECURE, Bugtraq and a number of other security aware outfits have warned of a zero day vulnerability that's being actively exploited as we write.

Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering...






Heeter
 
#2
Re: Windows zero day nightmare exploited

Workaround until the patch is released:

According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
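To apply that workaround from a script and confirm it actually took, here is an added example that is not from the thread and not from iDefense. It assumes an elevated PowerShell session on a Windows XP-era machine with shimgvw.dll under %windir%\system32; the -Restore switch and the Get-ShimgvwClsids helper are names I chose for this example.

```powershell
# Added example (not from the thread or from iDefense): applies or reverses the
# regsvr32 workaround quoted above and verifies it by listing the COM classes
# whose in-process server still points at shimgvw.dll.
# Assumes: elevated PowerShell, shimgvw.dll in %windir%\system32.
param([switch]$Restore)   # -Restore re-registers the DLL once a patch is installed

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }

# Walk HKCR\CLSID and return every CLSID whose InprocServer32 default value
# names shimgvw.dll. This is the registration regsvr32 /u is meant to remove.
function Get-ShimgvwClsids {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $srv) {
                $target = (Get-ItemProperty -Path $srv).'(default)'
                if ($target -and ($target -like '*shimgvw.dll*')) { $_.PSChildName }
            }
        }
}

$before = @(Get-ShimgvwClsids)

# /s suppresses the dialog box from step 4; /u unregisters, omitting /u re-registers.
$argList = if ($Restore) { "/s `"$dll`"" } else { "/s /u `"$dll`"" }
$p = Start-Process -FilePath regsvr32.exe -ArgumentList $argList -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }

$after = @(Get-ShimgvwClsids)
"CLSIDs pointing at shimgvw.dll: before=$($before.Count) after=$($after.Count)"
if ((-not $Restore) -and ($after.Count -gt 0)) {
    Write-Warning "Registrations remain after unregistering: $($after -join ', ')"
}
```

Run it once without arguments to disable, and with -Restore after the patch lands. The before/after counts are the check the Run-dialog steps above do not give you. One caveat worth knowing when relying on this: unregistering shimgvw.dll only removes the Picture and Fax Viewer path (Explorer previews and the viewer itself); programs that hand a WMF straight to GDI for rendering are not affected by it, so treat it as reducing exposure rather than closing the hole.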
 
#13
Re: Windows zero day nightmare exploited

kcnychief said:
A bit scary, that as of yesterday there were already 50 variants :(
That number seems to be going up rather quickly. 73 variants have been identified as of today.

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
http://www.eweek.com/article2/0,1895,1907102,00.asp
 

jimi_81

Moderator
Political User
#15
Re: Windows zero day nightmare exploited

So now I know what my website was trying to do. It was redirecting me to a WMF file...

I'm a little freaked out... I hope the fallout isn't too severe... the site I run is a recreational soccer site. Since it's the offseason, I don't imagine there being more than a handful affected.

Thanks for the updates, guys.
 

j79zlr

Glaanies script monkey
Political User
#16
Re: Windows zero day nightmare exploited

This one is a pest to remove. I just cleaned it off of 4 PCs at my cousins', who have refused/neglected to use Firefox in the past. Now IE is set to HIGH security, and Firefox is their default browser. No choice this time.
 

Heeter

Overclocked Like A Mother
#18
Re: Windows zero day nightmare exploited

Temporary Fix Until MS comes out with a patch:

Only applies to any WinXP32/64bit, not tested on any other OS.

Read about it here

And Here

Download


J79ZLR, I think the problem lies within Windows; it's not a situation that Firefox can avoid.




Heeter
 

Steevo

Spammer representing.
Political User
#19
Re: Windows zero day nightmare exploited

I just turned on NX.

Too bad that the ones at work don't have it, save one. But there is no one there that will be browsing the web till Tuesday. And they all have AV, and I will be adding the sites and ports to the reject connection list.

But think about all the soccer moms and dads who don't have a thing but the expired McAfee trial and Windows Firewall, maybe. High speed connections, and no protection. Let's take off our hats in a moment of silence for them.
 

j79zlr

Glaanies script monkey
Political User
#20
Re: Windows zero day nightmare exploited

Heeter said:
Temporary Fix Until MS comes out with a patch:

Only applies to any WinXP32/64bit, not tested on any other OS.

Read about it here

And Here

Download


J79ZLR, I think the problem lies within Windows; it's not a situation that Firefox can avoid.




Heeter
Firefox 1.5 does NOT open WMF files by default without interaction. IE does and so does Opera. Of course you need to unregister that dll for now until MS decides that this problem is actually worthy of a fix.
 
