Thursday, December 29, 2005 8:10 AM cmosby

SANS - Internet Storm Center - Update on Windows WMF 0-day 12/29/05

Trend Micro has renamed previously discovered Trojans that use the 0-day exploit, and has a listing for a fourth.

TROJ_NASCENE.A

TROJ_NASCENE.B

TROJ_NASCENE.C

TROJ_NASCENE.D

TROJ_WMFCRASH.A

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Handler's Diary December 29th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-29,
Last Updated: 2005-12-29 11:23:53 UTC by Chris Carboni (Version: 1)


Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
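
The 23:19 update implies that a perimeter filter has to inspect content rather than file names. The sketch below is an added example, not code from SANS or from this post: it classifies a file as WMF from its leading bytes. The header values (placeable key 0x9AC6CDD7, and the Type/HeaderSize/Version fields of the standard header) come from the published WMF format, and the function names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # first DWORD of a placeable (Aldus) WMF, little-endian


def _standard_header(buf: bytes) -> bool:
    # META_HEADER starts: Type (1 = memory, 2 = disk), HeaderSize in 16-bit
    # words (always 9), Version (0x0100 or 0x0300). Heuristic: only 6 bytes,
    # so an unrelated file can occasionally match.
    if len(buf) < 6:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", buf)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """True when the leading bytes form a WMF header, whatever the file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return True
    return _standard_header(data)


def filter_decision(filename: str, data: bytes) -> str:
    """Verdict of a content-aware filter; notes when the extension disagreed."""
    if not looks_like_wmf(data):
        return "allow"
    if filename.lower().endswith(".wmf"):
        return "block: WMF"
    return "block: WMF content under a non-WMF extension"


# Constructed samples: a header-only WMF (META_HEADER + end-of-file record)
# and the first bytes of a JPEG. Neither contains drawing records.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, body in [("chart.wmf", SAMPLE_WMF),
                       ("holiday.jpg", SAMPLE_WMF),   # WMF under another extension
                       ("holiday.jpg", SAMPLE_JPEG)]:
        print(f"{name:12} -> {filter_decision(name, body)}")
```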