
WMF zero-day vulnerability: II

p2p news / p2pnet: Yesterday, F-Secure reported a new zero-day vulnerability in the way Windows handles WMF (Windows Metafile) image files, emphasising that supposedly fully protected Windows XP SP2 machines were open to the exploit and that no patch was on hand.

Bill and the Boyz have now confirmed they’re, “aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image.”

But, they say, “An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.”

“So far, we’ve only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines,” says F-Secure research director Mikko Hyppönen in a new post, but, “I’m afraid we’ll see real viruses using this soon.”

According to F-Secure, Microsoft’s bulletin confirms that the vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. F-Secure goes on, “They also list the REGSVR32 workaround. It’s a good idea to use this while waiting for a patch. To quote Microsoft’s bulletin:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).”

This workaround is better than merely trying to filter files with a WMF extension, says F-Secure, because “There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.”

Bottom line, “if an image file with the exploit ends up on your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up on the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.”
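The point F-Secure makes above, that filtering on the .wmf extension is not enough because the rendering code identifies a metafile by its contents rather than its name, is easiest to see with a content-based check of your own. The following Python script is an added example, not code from this page, F-Secure or Microsoft: it recognises a WMF by its header (placeable or standard) whatever the file is called, walks the record list, and flags META_ESCAPE records carrying the SETABORTPROC escape function. The page itself does not name that record; it is the trigger that public analyses of this bug identified, and the record and escape numbers used here are those of the WMF format. The three sample blobs are constructed inline; the "hostile" one carries a zero-filled payload, so it is a structural marker for exercising the detector, not a working exploit.

```python
"""Identify Windows Metafiles by content and flag SETABORTPROC escapes.

Added example for the article above; not code from p2pnet, F-Secure or
Microsoft. Record and escape numbers follow the WMF format (MS-WMF).
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable header key, bytes D7 CD C6 9A
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESCAPE_SETABORTPROC = 0x0009    # escape that registers an "abort procedure"


def wmf_header_offset(data):
    """Return the offset of the standard WMF header if the bytes are a
    metafile, else None. The file name and extension are never consulted."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return None
    file_type, header_size, version = struct.unpack_from("<HHH", data, off)
    if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
        return off
    return None


def iter_records(data, off):
    """Yield (function, params) for each record after the 18-byte header."""
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            break                                  # truncated or malformed: stop
        yield func, data[pos + 6:pos + size]
        if func == META_EOF:
            break
        pos += size


def scan(data):
    """Summarise a blob: is it a WMF, how many records, any SETABORTPROC escape?"""
    off = wmf_header_offset(data)
    if off is None:
        return {"wmf": False, "records": 0, "setabortproc": False}
    records = 0
    flagged = False
    for func, params in iter_records(data, off):
        records += 1
        if func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == ESCAPE_SETABORTPROC:
                flagged = True
    return {"wmf": True, "records": records, "setabortproc": flagged}


# --- constructed samples (not real exploit files) ---------------------------

def record(func, params=b""):
    """Encode one WMF record: size in 16-bit words, function number, parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Assemble a minimal metafile from records, appending META_EOF."""
    eof = record(META_EOF)
    body = b"".join(records) + eof
    max_record = max(len(r) for r in records + [eof]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    data = header + body
    if placeable:
        # key, hmf, bbox (left, top, right, bottom), inch, reserved, checksum
        data = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data


BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
# Escape record whose escape function is SETABORTPROC; the 4-byte payload is
# zero-filled, so this is a structural marker for the detector, not shellcode.
HOSTILE_AS_JPG = build_wmf(
    [record(META_SETMAPMODE, struct.pack("<H", 8)),
     record(META_ESCAPE, struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\x00" * 4)],
    placeable=True)
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40        # a PNG signature, padded

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN), ("photo.jpg", HOSTILE_AS_JPG), ("real.png", NOT_WMF)]:
        print(name, scan(blob))
```

Run as-is and the blob labelled photo.jpg is reported as a WMF with a SETABORTPROC escape while real.png is not a metafile at all, which is exactly why a gateway or desktop indexer that keys on extension gives no protection here. A scanner that stops at the magic bytes is also not enough: a placeable header in front of the standard one is perfectly legal, so the check skips it rather than rejecting the file.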

Finally, F-Secure suggests you start filtering the domains below “at your corporate firewalls” and “Do not visit them.”

  • toolbarbiz[dot]biz
  • toolbarsite[dot]biz
  • toolbartraff[dot]biz
  • toolbarurl[dot]biz
  • buytoolbar[dot]biz
  • buytraff[dot]biz
  • iframebiz[dot]biz
  • iframecash[dot]biz
  • iframesite[dot]biz
  • iframetraff[dot]biz
  • iframeurl[dot]biz

Also See:
  • no patch - New WMF zero-day vulnerability, December 28, 2005
  • detailed exploit code - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution, December 28, 2005
  • new post - WMF, day 2, December 29, 2005


One Response to “WMF zero-day vulnerability: II”

  1. Reader's Write Says:

    I added these to my hosts file. For those that don’t know what a host file is, google for it. There are some very good sites on host files and information to put in those host files.

    Your entry should look like

    127.0.0.1 toolbarbiz[dot]biz

    Replace the [dot] with a .
