'Really Bad' Exploit Threatens Windows

[muckshifter]

By Nate Mook, BetaNews
December 28, 2005, 1:30 PM
A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.

WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.


Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.

"We have a number of sites that we have found with this exploit. Different sites download different spyware. We only had a handful of websites using this new exploit but now we are seeing many more using this to install bad stuff. These image files can be modified very easily to download any malware or virus," said Alex Eckelberry, CEO of Sunbelt Software.

"I hit one site with a fully patched XP system last night and it was pretty intense -- it went right through and infected my machine."

F-Secure's Mika Pehkonen warned that, "Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch." The company is detecting the offending WMF files as W32/PFV-Exploit.A, .B and .C.

"Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file," Pehkonen added.

Microsoft has been notified of the issue and it could opt to issue an emergency patch, apart from its standard Patch Tuesday security bulletins. "We expect Microsoft to issue a patch on this as soon as they can," says F-Secure.

Sunbelt's Eckelberry echoes that sentiment: "Folks, I've seen it with my own eyes and this is a really bad exploit. Be careful out there."

Workaround ... will disable Windows Picture and Fax viewer, use at your own discretion.

http://www.gameshout.com/news/122005/article2167.htm

 

[muckshifter]

a better way ...

The same effect may be obtained with a registry change. In the Regedit program go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\SystemFileAssociations\image
\ShellEx\ContextMenuHandlers
\ShellImagePreview

Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}".

If you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.

Enjoy!

 

[muckshifter]

Update ...

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

 

[muckshifter]

AVG users... be warned that at this time, a fully up to date AVG does not detect these malicious image files.

 

[Ian]

I hope they fix this pronto, as its easy enough to send an infected image file around that people can't detect!

 

[muckshifter]

Wait for Microsoft WMF patch, no thanks!

Posted by George Ou @ 3:12 am



By now, you've probably heard of the unofficial WMF Vulnerability patch by programming genius Ilfak Guilfanov. Some experts say install it now! Others say you better wait till next week for the official patch from Microsoft. Since I've spent a good part of New Years day weekend researching and testing this bug, I would tell you that this vulnerability is so dangerous that you better install the unofficial patch now and then uninstall it when the official Microsoft patch is hopefully released next week.

The highly respected SANS.org has fully vetted the patch and they're so impressed that they've even started hosting copies of the patch on their own website. For your convenience, Guilfanov created an EXE version of the patch which you can find here. For the corporate types that want to install this across the enterprise through Active Directory, they can push out the MSI version repackaged by Evan Anderson of Wellbury Information Services, L.L.C.

If you're wondering why this is such a high priority patch, it's because existing workarounds are weak at best and the exploit is extremely dangerous. There are those who say this isn't anymore dangerous than an Internet worm but worms can't infect you through firewall perimeters. Even Antivirus and Intrusion Detection Systems are having a hard time with the WMF exploits since a group released proof-of-concept code that automatically generates randomized headers and fragmented packets to defeat nearly every AV and IDS signature. With the WMF exploit, you just need to look at an infected image file while surfing the web or checking your email and you're instantly infected with nasty spyware or rootkit. Since there are no official patches available, there was little you could do to protect yourself until now.

YOU HAVE BEEN WARNED

Install the patch

http://blogs.zdnet.com/Ou/index.php?m=

 

[muckshifter]

73 different variants of the threat.

an independent test lab that tracks malware and anti-malware products, has been closely tracking detection of exploits based on the WMF flaw. Below are current numbers as of the morning of January 1, 2006, based on 73 different variants of the threat.


http://www.pcmag.com/article2/0,1895,1907518,00.asp

oops ... AVG users better change AV

 

[V_R]

I just got the patch from Microsoft, seems they released it a week early.

Go and get it now!

 

[muckshifter]

I just got the patch from Microsoft, seems they released it a week early.

Go and get it now!

ah ... so that was what was screaming at me from 'the JMW pc' and it ain't Tuesday yet.