myITforum.com


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

Malicious Zero-Day Windows Metafile (WMF) Exploits are in-the-wild

Please be careful with the sites you visit, and in particular with WMF (Windows Metafile) images rendered by Internet Explorer or other browsers; the format is an image format handled by Windows itself, not a media file, so a malicious image on a web page is enough to trigger it.   I believe Microsoft will prioritize and patch this new vulnerability expediently, so please look for upcoming security advisories, workarounds, and ultimately a patch.  In the meantime, follow best practices by visiting only trusted sites and keeping your AV protection updated, as anti-virus vendors will also prioritize protection for this new in-the-wild exploit.  Finally, the workaround offered by FrSIRT appears promising, as noted at the bottom. 

  STATUS INFORMATION

INTERNET STORM CENTER - YELLOW ALERT

F-SECURE BLOG - GOOD STATUS INFORMATION

SUNBELT BLOG - GOOD STATUS INFORMATION

 

  SECUNIA INFORMATION

Microsoft Windows WMF Handling Arbitrary Code Execution
http://secunia.com/advisories/18255/

Secunia Advisory: SA18255   
Release Date: 2005-12-28

Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.  The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

Solution:  Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.
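The Secunia text above describes the exploitation paths (viewer, Explorer preview, IE) but not what a malicious file looks like on disk. The following Python scanner is an added example, not code from this page or from any of the vendors quoted: it walks the record list of a WMF file and flags a META_ESCAPE record whose escape sub-function is SETABORTPROC (escape code 9). That specific record type is the trigger Microsoft later documented for this vulnerability (MS06-001) and is not stated on this page; the header and record layouts are from the published WMF format. Both sample files are constructed inline, and the escape data in the suspect one is filler bytes, not a working payload.

```python
import struct

# WMF format constants (from the Windows Metafile specification, not from the page above)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # Escape sub-function that installs a printing abort callback
MIN_RECORD_WORDS = 3         # RecordSize (2 words) + RecordFunction (1 word)


def scan_wmf(data: bytes) -> dict:
    """Walk the record list of a WMF file and report suspicious structure.

    Returns {"functions": [record function codes in order], "findings": [messages]}.
    Raises ValueError if the data does not start with a WMF header.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip placeable header: Key, HWmf, BoundingBox, Inch, Reserved, Checksum
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Standard header: Type, HeaderSize (words), Version, Size (words), NumberOfObjects,
    # MaxRecord (words), NumberOfMembers
    mt_type, mt_header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or mt_header_size != 9:
        raise ValueError("not a WMF header")
    off += 18

    functions, findings = [], []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < MIN_RECORD_WORDS:
            findings.append(f"record at offset {off}: RecordSize {size_words} words is below the minimum of {MIN_RECORD_WORDS}")
            break
        end = off + size_words * 2
        if end > len(data):
            findings.append(f"record at offset {off}: RecordSize runs past end of file")
            break
        functions.append(func)
        if func == META_ESCAPE:
            params = data[off + 6:end]
            if len(params) >= 4:
                esc_func, byte_count = struct.unpack_from("<HH", params, 0)
                if esc_func == SETABORTPROC:
                    findings.append(f"record at offset {off}: META_ESCAPE with SETABORTPROC carrying {byte_count} bytes; no image needs an abort procedure")
        if func == META_EOF:
            break
        off = end
    else:
        findings.append("no META_EOF record before end of file")
    return {"functions": functions, "findings": findings}


def wmf_record(func: int, params: bytes = b"") -> bytes:
    """Encode one record: RecordSize in 16-bit words, RecordFunction, then parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Wrap records in a minimal 18-byte standard header (no placeable header)."""
    body = b"".join(records)
    max_record_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


# Constructed samples for this example; neither is a file seen in the wild.
BENIGN_WMF = build_wmf([
    wmf_record(0x020B, struct.pack("<hh", 0, 0)),       # META_SETWINDOWORG (y, x)
    wmf_record(0x020C, struct.pack("<hh", 100, 100)),   # META_SETWINDOWEXT (cy, cx)
    wmf_record(META_EOF),
])

# META_ESCAPE parameters: EscapeFunction, ByteCount, then EscapeData (placeholder filler here)
_escape_params = struct.pack("<HH", SETABORTPROC, 16) + b"\xcc" * 16
SUSPECT_WMF = build_wmf([
    wmf_record(0x020B, struct.pack("<hh", 0, 0)),
    wmf_record(META_ESCAPE, _escape_params),
    wmf_record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, scan_wmf(blob)["findings"] or "clean")
```

An abort procedure is a printing-time callback, so a SETABORTPROC escape has no business in an image delivered by a web page; that is why the scanner reports it rather than the mere presence of META_ESCAPE. Run the check on the file contents, not on the extension: Windows sniffs the metafile header, so a .wmf payload renamed to another image extension still reaches the same code path.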

 

  TREND MICRO INFORMATION

TWO TROJAN HORSE VARIANTS SO FAR

TROJ_WMFXEXE.A

TROJ_WMFMSITS.A

QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

 

  FRSIRT INFORMATION

Microsoft Windows WMF Handling Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/3086

FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2005-12-28

Recommended Workaround by FrSIRT: Disable "Windows Picture and Fax Viewer": on the Start menu, choose Run, and then type "regsvr32.exe /u shimgvw.dll" (this must be run with administrative rights). This unregisters the viewer's COM component, which removes the Windows Picture and Fax Viewer and Explorer preview paths named in the Secunia advisory above; it does not change how other applications process .wmf files, so the advice to avoid untrusted .wmf files and to raise the Internet Explorer security level still applies. Once a patch is installed, restore the viewer by running "regsvr32.exe shimgvw.dll".
