IMPORTANT: WMF Vulnerability Exploited

Re: Windows zero day nightmare exploited

I stand corrected, J.

Thanks for your explanation,

Heeter
 
Re: Windows zero day nightmare exploited

Sure, firefox's resistance to this is a bug in firefox's handling of wmf mimetypes, that actually protects them.
 
Re: Windows zero day nightmare exploited

I agree, I have just read that the patch is not for that issue. Stupid Symantec.
 
Re: Windows zero day nightmare exploited

NetRyder said:
that's a great faq net.

I thought unregistering the dll was enough, we see from the interview that it is not.

we also see firefox only offers little protection and both fixes should be invoked regardless of the browser.

nice link
 
Microsoft sure is quick in handling their extremely critical vulnerabilities.
 
It's a pretty bad exploit, I can't believe they still haven't released an official patch. The spyware it installs is a bitch to remove as well. Why is it that both free OSes I use, FreeBSD and Gentoo, release patches in hours, yet the OS I pay hundreds of dollars for cannot? Personally I find it repulsive.
 
Re: Windows zero day nightmare exploited

perris said:
we also see firefox only offers little protection and both fixes should be invoked regardless of the browser.


Hi J79ZLR,

You mentioned earlier that firefox wouldn't open this type of file. This article mentions that it's more of a Windows problem, than a browser problem.

Hey Guys,

If a machine is infected:

What are the tell-tale signs? What is the fix to remove/repair an infected system?

All I have read about is what a bad bug this is, but cannot find what it does and what we are supposed to do to repair an infected system.

Thanks Guys,

Heeter
 
Re: Windows zero day nightmare exploited

Heeter said:
Hi J79ZLR,

You mentioned earlier that firefox wouldn't open this type of file. This article mentions that it's more of a Windows problem, than a browser problem.
It is a Windows problem. IE will simply execute the exploit when you visit the malicious site. Firefox has a bug that wrongly handles WMF files, so as a side-effect, it prompts you before opening the file, providing one additional layer of protection. But if you open the file, you're screwed either way, regardless of what browser you're using.

If a machine is infected:

What are the tell-tale signs? What is the fix to remove/repair an infected system?

All I have read about is what a bad bug this is, but cannot find what it does and what we are supposed to do to repair an infected system.
If a machine is infected, you'll know immediately. It'll look something like this:

[Image: exploirt2134asdfs324jkajdfasdf_thumb.jpg]


Make sure you have good anti-virus and anti-spyware tools installed (see the list in my post above for detection stats in this particular case).
 
I switched from AVG to Avast just because of this
 
That doesn't make any sense? Use the unofficial patch and unregister the DLL, you cannot expect any antivirus to be able to successfully identify and stop all new variations of this, which do seem to be rapidly increasing.
 
Re: Windows zero day nightmare exploited

Heeter said:
Hi J79ZLR,

You mentioned earlier that firefox wouldn't open this type of file. This article mentions that it's more of a Windows problem, than a browser problem.

Hey Guys,

If a machine is infected:

What are the tell-tale signs? What is the fix to remove/repair an infected system?

All I have read about is what a bad bug this is, but cannot find what it does and what we are supposed to do to repair an infected system.

Thanks Guys,

Heeter

Here's a video:

http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv
 
j79zlr said:
That doesn't make any sense? Use the unofficial patch and unregister the DLL, you cannot expect any antivirus to be able to successfully identify and stop all new variations of this, which do seem to be rapidly increasing.
While that's certainly true, one can clearly see that some products are better than others, especially due to better heuristic detection techniques in this particular case where variants are springing up rapidly.
Besides that, Avast does seem to consistently perform better than AVG on pretty much every independent test there is out there, so his decision sounds like a good one to me in any case.
 
Grandmaster said:
This is going to be a huge mess...
Most of us here shouldn't be affected since we know what's involved, but it's definitely a significant threat to the less techie crowd. Seems like it might be a good idea to warn our friends and relatives about this as a follow-up to our New Year's greetings. :D
 
NetRyder said:
Most of us here shouldn't be affected since we know what's involved, but it's definitely a significant threat to the less techie crowd. Seems like it might be a good idea to warn our friends and relatives about this as a follow-up to our New Year's greetings. :D

Yeah I was about to go tell everyone in the house. I just got done disabling the DLL, and installing the unofficial patch.

So many potential systems could get infected, it's a scary thought.
 
Is it me or does unregistering the dll stop Windows Picture and Fax viewer from working?
 
