WMF Zero-Day Exploit

Straight_Man (Geeky, in my own way) Naples, FL Icrontian
edited January 2006 in Science & Tech
There is a flaw in the way that Windows XP (SP1 AND SP2) handles WMF files. This flaw is unpatched and being used widely now. Here are some links:

The links are from SANS Institute, a VERY respectable source.

Here's Microsoft's Security Bulletin link: http://www.microsoft.com/technet/security/advisory/912840.mspx

If there are questions I will reply in this thread.

Comments

  • edited January 2006
    Don't anybody ignore this one. Even though most everyone probably has never seen a file with a .wmf extension, the file type means nothing with a carefully crafted metafile, as the rendering program looks at the file data (header and such) and NOT the file type. So these exploits can masquerade as .jpg or .gifs or whatever.

    Microsoft's work-around has you de-registering the shimgvw.dll. While this may help reduce the chance of getting bit, it doesn't do anything for the real problem. That dll calls gdi32.dll, which has an Escape() functionality in it through a SetAbortProc function, and therein lies the ability to execute whatever code they want with full privileges.

    I saw some infestations around Dec 28th that looked like spyware/malware symptoms without any real data trails as to what they were. Systems were unusable after the desktop loaded, and I even saw a DSL router refuse to talk to the ISP. Quick and dirty fixes were a restore to a checkpoint and immediately starting to watch the security sites (like those listed above by Straight_Man).

    Since the exploit code was published on the web ( and is still easy to find ) anyone interested can start playing with trying to compromise a machine. The sophisticated out there will use their executable code to execute a downloader which will go out and retrieve a trojan or keylogger or a zombie program or who knows what. The novice out there will probably just trash your machine.

    Microsoft says it is now testing a patch/fix and will release on the 10th of January. There is an 'unofficial' patch that works, and works well, by Ilfak Guilfanov. Look for links to it through the above sites, as his site became unusable due to the many hits. They have mirrored it at many security sites.

    Be very, very careful out there, as all it takes is opening a folder with an infected file in it, or an indexing program reading the file, and the code will execute. If that image file is part of a web page, your brilliant Windows OS will indeed execute the embedded code.

    Standard practice of staying off questionable sites and not opening unsolicited attachments applies as usual, but be aware that a trusted site that has been compromised can get you.
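The two technical points in the comment above, that a renderer classifies a file by its header rather than its extension, and that the dangerous construct is an Escape record selecting SetAbortProc, can be turned into a simple defensive file check. The following is an added example written for this page; it is not code from the original thread or from any vendor. It assumes the public WMF layout (placeable key 0x9AC6CDD7, an 18-byte METAHEADER, records of a DWORD size in words plus a WORD function number, META_ESCAPE = 0x0626, SETABORTPROC = 9). The sample files it examines are constructed in-memory fixtures: the "disguised" one carries only an Escape/SETABORTPROC record with zero bytes of data, so it contains no code and renders nothing; it exists only so the detector has something to flag.

```python
import struct

# Content signatures used to classify a file by its leading bytes, ignoring its name.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = b"GIF8"

META_EOF = 0x0000        # last record of every metafile
META_ESCAPE = 0x0626     # record function: Escape
SETABORTPROC = 0x0009    # Escape sub-function the thread is about
METAHEADER_SIZE = 18     # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
PLACEABLE_SIZE = 22      # placeable header that may precede the METAHEADER


def sniff_type(data: bytes) -> str:
    """Classify a blob by its header bytes, never by the filename extension."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGIC):
        return "gif"
    if data.startswith(PLACEABLE_WMF_KEY):
        return "wmf-placeable"
    if len(data) >= METAHEADER_SIZE:
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def find_escape_records(data: bytes) -> list:
    """Walk the WMF record list; return (offset, escape_function) for every META_ESCAPE record."""
    kind = sniff_type(data)
    if kind == "wmf-placeable":
        offset = PLACEABLE_SIZE
    elif kind == "wmf":
        offset = 0
    else:
        return []
    if len(data) < offset + METAHEADER_SIZE:
        return []
    offset += METAHEADER_SIZE
    hits = []
    while offset + 6 <= len(data):
        rd_size, rd_function = struct.unpack_from("<IH", data, offset)
        if rd_size < 3:          # a record is at least its 6-byte prefix (3 words); anything smaller is malformed
            break
        if rd_function == META_EOF:
            break
        if rd_function == META_ESCAPE and offset + 8 <= len(data):
            esc_func = struct.unpack_from("<H", data, offset + 6)[0]   # first parameter: escape sub-function
            hits.append((offset, esc_func))
        offset += rd_size * 2    # rdSize is counted in 16-bit words
    return hits


def assess(name: str, data: bytes) -> dict:
    """Compare the extension's claim with the content and flag SetAbortProc escapes."""
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_type(data)
    abort_procs = [off for off, func in find_escape_records(data) if func == SETABORTPROC]
    if actual.startswith("wmf") and abort_procs:
        verdict = "block"         # metafile asking GDI to install an abort procedure
    elif actual.startswith("wmf") and claimed != "wmf":
        verdict = "suspicious"    # metafile hiding behind another image extension
    else:
        verdict = "ok"
    return {"claimed": claimed, "actual": actual, "setabortproc": len(abort_procs), "verdict": verdict}


# --- constructed fixtures (not real files) -------------------------------------------
def record(function: int, params: bytes) -> bytes:
    """Build one WMF record: size in words, function number, parameters."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records: list) -> bytes:
    """Build a standard (non-placeable) metafile around the given records."""
    body = b"".join(records)
    max_record = max((len(r) // 2 for r in records), default=0)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (METAHEADER_SIZE + len(body)) // 2, 0, max_record, 0)
    return header + body


BENIGN_WMF = build_wmf([record(META_EOF, b"")])
# Escape/SETABORTPROC record with 4 zero bytes of data: nothing executable, just the shape to detect.
DISGUISED_WMF = build_wmf([
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    record(META_EOF, b""),
])
REAL_JPEG_STUB = JPEG_MAGIC + b"\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in [("cat.wmf", BENIGN_WMF), ("cat.gif", BENIGN_WMF),
                        ("holiday.jpg", DISGUISED_WMF), ("photo.jpg", REAL_JPEG_STUB)]:
        print(fname, assess(fname, blob))
```

The walk stops at the first malformed record rather than guessing, which is the right behaviour for a gate that only needs to decide whether to quarantine; a renderer has to be far more forgiving, and that gap between parser strictness and renderer leniency is exactly why extension-based filtering was useless here.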
  • Nosferatu, Arizona
    edited January 2006
    I spent over an hour of manual labor tonight cleaning my girlfriend's roommate's computer of spyware and trojans. She said she has no idea how it became infected, but it was within the last 24 hours, so it very well could have originally come from the WMF vulnerability. However, the main infection was something called SpyAxe (a very malicious/corrupt anti-spyware program); it was a royal pain in the ass to clean off the computer. I have a feeling it was installed when someone saw a fake popup claiming they were infected and then downloaded the malicious SpyAxe program trying to fix the fake infection.

    Needless to say I also checked windows update for security updates and installed the 3rd party WMF fix. I also installed Firefox 1.5, SpyBot S&D as well as AdAware Personal and told her to not use Kazaa anymore as it's pretty easy to become infected from it. I don't think it will be long until the computer is screwed up again though with everyone in the house using that computer, lol.

    The WMF vulnerability is definitely NOT one you want to take lightly. I'd say this is the most serious flaw in recent times because it affects so many people, regardless of whether you are behind a router or are patched up to date, have a firewall, anti-virus, etc. My advice to everyone is to use the 3rd party WMF patch immediately and, if you have a processor that supports it (like the AMD64 ones), enable full DEP protection (Control Panel > System > Advanced > Performance > Settings > Data Execution Prevention).
  • GHoosdum, Icrontian
    edited January 2006
    Doesn't the no-execute protection only work in 64-bit mode?

    Also, Microsoft has promised a patch for this on Tuesday the 10th. Seems a little slow if you ask me...
  • shwaip (bluffin' with my muffin) Icrontian
    edited January 2006
  • edited January 2006
    Whoa !!

    7 days for a Microsoft fix ???

    They may have the word security erased from their dictionaries but they sure understood the severity of the 'feature' they left in that dll.
  • Nosferatu, Arizona
    edited January 2006
    GHoosdum wrote:
    Doesn't the no-execute protection only work in 64-bit mode?

    Also, Microsoft has promised a patch for this on Tuesday the 10th. Seems a little slow if you ask me...

    I'm not sure, I run XP x64 Edition and didn't have any issues enabling full DEP protection. Can anyone confirm that DEP requires x64 + 64-bit CPU w/ NX?
  • Shorty, Manchester, UK Icrontian
    edited January 2006
    DEP works on my standard 32-bit Xeons @ work with a 32-bit install of Windows 2003 SP1.
  • GHoosdum, Icrontian
    edited January 2006
    I'm pretty sure I'm wrong, I thought I heard that somewhere but the person I heard it from was probably wrong. ;)
  • Straight_Man (Geeky, in my own way) Naples, FL Icrontian
    edited January 2006
    GHoosdum wrote:
    I'm pretty sure I'm wrong, I thought I heard that somewhere but the person I heard it from was probably wrong. ;)

    That patch WAS scheduled for Tuesday the 10th with two other Criticals; however, SANS efforts, law enforcement efforts (law enforcement computers were getting infected), and strong customer demand led to the emergency release. All computers that have been on today that have automatic update on should HAVE the patch now.