  1. #1
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Dangerous WMF files

    A new exploit involving WMF files is circulating. It is described in the following articles, but in brief, if Windows tries to render this file in Internet Explorer or Outlook Express or Outlook or the Windows XP Picture and Fax Viewer, bad things can happen to your computer. In the case of Firefox, rendering in the browser apparently does not trigger the vulnerability but if the image is downloaded and rendered through other software, it could be triggered.

    eEye Digital Security Research Team Vulnerability Alert, Dec 29, 2005
    Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
    US-CERT Vulnerability Note VU#181038
    Secunia - Advisories - Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution

    WMF files are most commonly used for clip art or other "vector-based" art formats, and rarely for ordinary web illustrations. Thus, you could consider temporarily blocking WMF files in a variety of ways. These include ad-blockers, e-mail program attachment blocking, and firewall and antivirus file-extension blocking. The third and fourth articles suggest that WMF files renamed to JPG or GIF could trigger the same vulnerability, which is troubling and makes workarounds very difficult.

    Some AV vendors say they are working on blocking it:

    Symantec: Bloodhound.Exploit.56 (updated 12/28)
    McAfee: Exploit-WMF - need DAT file #4661 or later (updated 12/29)
    Trend Micro: TROJ_WMFCRASH.A - "coming soon"

    At this point, I haven't researched the above any further, and I'm starving for dinner, but comments and suggestions are welcomed.
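Because a WMF renamed to JPG or GIF defeats extension blocking, a filter has to look at the file's content instead. The sketch below is an added example, not part of the original post or of any vendor's tool: it recognises the WMF header by its bytes and walks the records for the SETABORTPROC escape named in the Secunia advisory. The function names and the constructed sample bytes are assumptions for illustration, the header and record constants are the standard WMF format values, and the check is a simplified one.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header magic
META_ESCAPE = 0x0626         # WMF record function: escape
META_EOF = 0x0000            # WMF record function: end of file
SETABORTPROC = 0x0009        # escape number named in the advisories
NON_WMF_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

def inspect_wmf(data: bytes, filename: str = "") -> dict:
    """Classify bytes by content; the file extension is only compared, never trusted."""
    result = {"is_wmf": False, "disguised": False, "setabortproc": False}
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        return result
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return result
    result["is_wmf"] = True
    result["disguised"] = filename.lower().endswith(NON_WMF_EXTS)
    pos = off + 18                                # records follow the 18-byte header
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:    # malformed size or end marker
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                result["setabortproc"] = True
                break
        pos += size_words * 2                     # record size is in 16-bit words
    return result

def make_sample(records: bytes) -> bytes:
    """Constructed test input: minimal WMF header + given records + EOF record."""
    body = records + struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return header + body

# Constructed samples: one plain metafile, one carrying an empty escape record.
PLAIN = make_sample(b"")
FLAGGED = make_sample(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))
```

Calling `inspect_wmf(FLAGGED, "photo.jpg")` reports a WMF that is both disguised by its extension and carrying the escape record, which is the case extension-based blocking misses.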

  2. #2
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Dangerous WMF files

    > comments and suggestions are welcomed

    The Symantec link that you provided says that they detect this virus with their 28th December updates, and rates it as a low threat that is easy to remove - so I feel reasonably relaxed.

    StuartR

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Dangerous WMF files

    Looks as though most of the other majors are good now: http://www.eweek.com/article2/0,1759,1907102,00.asp

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Swanzey, New Hampshire, USA
    Posts
    1,707
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Dangerous WMF files

    Here is an excellent source for information and a couple of "fixes": How to protect yourself from the Windows Metafile Vulnerability

    Also, for those using Kaspersky AV (all versions) there is a patch available that blocks ALL variations of this exploit. You can read about this "patch" and download the one that applies to your particular KAV version here: KAV Windows Meta File (WMF) patch.

    Jeff
    simul iustus et peccator

  5. #5
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Dangerous WMF files

    I've now read a bit more about this exploit, and I think you were right to be alarmed. All the AV tools can do is recognise the existing exploits, but this is a gaping security hole with no patch, so new exploits may come out faster than the AV vendors can release updates.

    StuartR

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Dangerous WMF files

    Also, there is a "temporary patch" that will block the feature of WMF files that allows for the troubling type of code execution. It is linked from this article at a trusted site:

    SANS Internet Storm Center Handler's Diary, Jan. 3, 2006 - http://isc.sans.org/diary.php

    The whole page is interesting, but the section regarding the MSI installer is the key one for getting the patch. This patch will need to be uninstalled using Add/Remove programs when Microsoft issues the "real" patch next Tuesday. (So far, I've installed on two laptops and am not seeing any ill effects.)

  7. #7
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Phoenix, Arizona, USA
    Posts
    265
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Re: Dangerous WMF files

    GRC (Gibson Research Corporation) also has the following to offer: http://www.grc.com/sn/notes-020.htm. Worthwhile reading IMHO.
    Ed
    "Somebody left the cork out of my lunch." - W. C. Fields

  8. #8
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,579
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Dangerous WMF files

    Here's some interesting reading from an MS source: Jesper's Blog : Conscientious Risk Management and WMF.

    Joe

  9. #9
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,579
    Thanks
    5
    Thanked 1,057 Times in 926 Posts

    Re: Dangerous WMF files

    Yet another comment from a name we should recognize - Ed Bott's Windows Expertise: http://www.edbott.com/weblog/?p=1196
    Joe

  10. #10
    Platinum Lounger
    Join Date
    Jan 2001
    Posts
    3,788
    Thanks
    0
    Thanked 1 Time in 1 Post

  11. #11
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Dangerous WMF files

    Excellent. I can only guess at the pressure that must have been applied by large corporate customers to make this happen so quickly.

  12. #12
    Uranium Lounger
    Join Date
    Mar 2001
    Location
    New Jersey
    Posts
    6,684
    Thanks
    1
    Thanked 11 Times in 11 Posts

    Re: Dangerous WMF files

    Nah... it's just "Trustworthy Computing".
