Velocity Reviews - Computer Hardware Reviews

"Extremely Critical" New zero-day Windows vulnerability being exploited.

 
 
NIST.org
12-29-2005
F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
currently being exploited through Trojan email messages that allows for
Arbitrary Code Execution. It is related to Microsoft Windows WMF
(Windows Metafiles) handling. Even fully patched Windows XP SP2
machines using IE or Firefox are vulnerable.

Update 12/29: F-Secure is reporting that this vulnerability can be
exploited using other image extensions such as BMP, GIF, PNG, JPG,
JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.

There is currently no patch for this vulnerability.

See http://www.nist.org/news.php?extend.50 for more information and
tips on how to block it.

 
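Editor's note, an added example that is not from the thread, from NIST.org, or from any of the vendors named above: the extension list in the update only makes sense if the file type is decided by content, not by name, so any filter built on extensions is bypassed. The Python below identifies a Windows Metafile from its header bytes alone and then walks its records looking for the META_ESCAPE record carrying the SETABORTPROC subfunction, which is the record CERT's VU#181038 names for this bug. The WMF header and record layout are from the public WMF format; the two sample files are constructed inline with 0x4141 filler bytes where a real exploit carried code; the low-byte match on the record function is a design choice of this example (kept loose on purpose for a quarantine filter), not something the thread states.

```python
"""Content-based WMF identification plus META_ESCAPE/SETABORTPROC detection.

Added example, not code from the thread. Sample files are constructed
inline and carry filler bytes, not a payload.
"""
import struct
from dataclasses import dataclass
from typing import List

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key, "D7 CD C6 9A" on disk
PLACEABLE_LEN = 22             # placeable header size in bytes
META_HEADER_LEN = 18           # standard METAHEADER size in bytes
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # GDI Escape subfunction named in VU#181038


@dataclass
class WmfRecord:
    offset: int        # byte offset of the record inside the standard metafile
    size_words: int    # RecordSize field, in 16-bit words, including itself
    function: int      # RecordFunction field
    params: bytes      # everything after the 6-byte record prefix


def strip_placeable(data: bytes) -> bytes:
    """Drop the optional 22-byte placeable header so METAHEADER sits at offset 0."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[PLACEABLE_LEN:]
    return data


def is_wmf(data: bytes) -> bool:
    """Recognise a WMF from its bytes alone; the filename is never consulted."""
    body = strip_placeable(data)
    if len(body) < META_HEADER_LEN:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", body, 0)
    # Type 1 = in memory, 2 = on disk; HeaderSize is always 9 words;
    # Version is 0x0100 or 0x0300.
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def parse_records(data: bytes) -> List[WmfRecord]:
    """Walk the record list up to META_EOF, stopping on any malformed size."""
    if not is_wmf(data):
        raise ValueError("not a Windows Metafile")
    body = strip_placeable(data)
    records: List[WmfRecord] = []
    pos = META_HEADER_LEN
    while pos + 6 <= len(body):
        size_words, function = struct.unpack_from("<IH", body, pos)
        nbytes = size_words * 2
        if size_words < 3 or pos + nbytes > len(body):
            break  # undersized or truncated record: stop instead of reading past the end
        records.append(WmfRecord(pos, size_words, function, body[pos + 6:pos + nbytes]))
        if function == META_EOF:
            break
        pos += nbytes
    return records


def find_setabortproc(data: bytes) -> List[int]:
    """Offsets of META_ESCAPE records whose escape subfunction is SETABORTPROC.

    The record function is matched on its low byte only; this is deliberately
    loose so a record with a tampered high byte is still reported.
    """
    hits = []
    for rec in parse_records(data):
        if (rec.function & 0xFF) != (META_ESCAPE & 0xFF) or len(rec.params) < 4:
            continue
        escape_function, _byte_count = struct.unpack_from("<HH", rec.params, 0)
        if escape_function == SETABORTPROC:
            hits.append(rec.offset)
    return hits


def classify(filename: str, data: bytes) -> str:
    """Verdict for a file; `filename` is deliberately ignored, only bytes count."""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc(data) else "wmf-clean"


# ---- constructed samples (not real captures) -----------------------------
def _record(function: int, *words: int) -> bytes:
    size_words = 3 + len(words)   # 4-byte size + 2-byte function + params, in words
    return struct.pack("<IH", size_words, function) + b"".join(struct.pack("<H", w) for w in words)


def _wmf(*records: bytes, placeable: bool = False) -> bytes:
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (META_HEADER_LEN + len(body)) // 2, 0, max_record, 0)
    prefix = struct.pack("<IH", PLACEABLE_MAGIC, 0) + b"\0" * 16 if placeable else b""
    return prefix + header + body


BENIGN_WMF = _wmf(_record(META_SETWINDOWEXT, 0x0100, 0x0100), _record(META_EOF))
# Escape/SETABORTPROC with four 0x41 filler bytes where an exploit carried code.
DISGUISED_WMF = _wmf(_record(META_ESCAPE, SETABORTPROC, 4, 0x4141, 0x4141), _record(META_EOF), placeable=True)

if __name__ == "__main__":
    for name, blob in (("clipart.wmf", BENIGN_WMF), ("photo.jpg", DISGUISED_WMF)):
        print(f"{name}: {classify(name, blob)}")
```

Run as-is it reports `clipart.wmf: wmf-clean` and `photo.jpg: wmf-setabortproc`; the second file is flagged even though nothing about its name says "WMF", which is exactly why an extension block list is not a useful control here. For a mail gateway or proxy the same `classify` call can sit in front of the image handler; anything returning `wmf-setabortproc` is quarantined.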
Leythos
12-29-2005
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
> currently being exploited through Trojan email messages that allows for
> Arbitrary Code Execution. It is related to Microsoft Windows WMF
> (Windows Metafiles) handling. Even fully patched Windows XP SP2
> machines using IE or Firefox are vulnerable.
>
> Update 12/29: F-Secure is reporting that this vulnerability can be
> exploited using other image extensions such as BMP, GIF, PNG, JPG,
> JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
>
> There is currently no patch for this vulnerability.
>
> See http://www.nist.org/news.php?extend.50 for more information and
> tips on how to block it.


Vulnerability Note VU#181038
http://www.kb.cert.org/vuls/id/181038

Ludovic Joly
12-29-2005

If a patch is not released fast it's going to get as mad as with RPC
DCOM...

 
Todd H.
12-29-2005
"Ludovic Joly" <(E-Mail Removed)> writes:

> If a patch is not released fast it's going to get as mad as with RPC
> DCOM...


Hrmm. I don't know about that. Why do you think so?

I don't know if I understand the present issue completely, but whereas
RPC DCOM was remotely exploitable via the network without user
interaction, this windows metafile dealio would require someone to
receive an email with the file attachment, wouldn't it? And hence
rely on the mailer doing something with it? Or am I underestimating
the severity of the release?

--
Todd H.
http://www.toddh.net/
 
David H. Lipman
12-29-2005
From: "NIST.org" <(E-Mail Removed)>

| F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
| currently being exploited through Trojan email messages that allows for
| Arbitrary Code Execution. It is related to Microsoft Windows WMF
| (Windows Metafiles) handling. Even fully patched Windows XP SP2
| machines using IE or Firefox are vulnerable.
|
| Update 12/29: F-Secure is reporting that this vulnerability can be
| exploited using other image extensions such as BMP, GIF, PNG, JPG,
| JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
|
| There is currently no patch for this vulnerability.
|
| See http://www.nist.org/news.php?extend.50 for more information and
| tips on how to block it.

The following is a report of AV software and their detection of this Exploit.

Engine          Version          Date         Detection name
AntiVir         6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
Avast           4.6.695.0        12.29.2005   Win32:Exdown
AVG             718              12.29.2005   Downloader.Agent.13.AI
Avira           6.33.0.70        12.29.2005   TR/Dldr.WMF.Agent.D
BitDefender     7.2              12.29.2005   Exploit.Win32.WMF-PFV.C
CAT-QuickHeal   8.00             12.29.2005   WMF.Exploit
ClamAV          devel-20051123   12.29.2005   Exploit.WMF.A
DrWeb           4.33             12.29.2005   Exploit.MS05-053
eTrust-Iris     7.1.194.0        12.29.2005   Win32/Worfo.C!Trojan
eTrust-Vet      12.4.1.0         12.29.2005   Win32/Worfo
Ewido           3.5              12.29.2005   Downloader.Agent.acd
Fortinet        2.54.0.0         12.29.2005   W32/WMF-exploit
F-Prot          3.16c            12.29.2005   security risk or a "backdoor" program
Ikarus          0.2.59.0         12.29.2005   Trojan-Downloader.Win32.Agent.ACD
Kaspersky       4.0.2.24         12.29.2005   Trojan-Downloader.Win32.Agent.acd
McAfee          4662             12.29.2005   Exploit-WMF
Microsoft       ??               12.29.2005   no virus found
NOD32v2         1.1343           12.28.2005   Win32/TrojanDownloader.Wmfex
Norman          5.70.10          12.29.2005   no virus found
Panda           9.0.0.4          12.28.2005   Exploit/Metafile
Sophos          4.01.0           12.29.2005   Troj/DownLdr-NK
Symantec        8.0              12.29.2005   Download.Trojan
TheHacker       5.9.1.064        12.28.2005   Exploit/WMF
Trend Micro     135              12.29.2005   TROJ_NASCENE.D
UNA             1.83             12.29.2005   no virus found
VBA32           3.10.5           12.28.2005   no virus found



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
Jbob
12-29-2005
"Todd H." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> I don't know if I understand the present issue completely, but whereas
> RPC DCOM was remotely exploitable via the network without user
> interaction, this windows metafile dealio would require someone to
> receive an email with the file attachment, wouldn't it? And hence
> rely on the mailer doing something with it? Or am I underestimating
> the severity of the release?
>
> --
> Todd H.
> http://www.toddh.net/


NO, NO, NO! Severely underestimated! lol This one infects simply by
visiting a web page with a suspect wmf file. You don't need to click on
anything. If the wmf file is embedded Windows will try and open it. The
full attack vector is still uncertain at this point. There are some
possible work arounds that "MAY" help.


 
Todd H.
12-29-2005
"Jbob" <(E-Mail Removed)> writes:
> "Todd H." <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > I don't know if I understand the present issue completely, but whereas
> > RPC DCOM was remotely exploitable via the network without user
> > interaction, this windows metafile dealio would require someone to
> > receive an email with the file attachment, wouldn't it? And hence
> > rely on the mailer doing something with it? Or am I underestimating
> > the severity of the release?
> >
> > --
> > Todd H.
> > http://www.toddh.net/

>
> NO, NO, NO! Severely underestimated! lol This one infects simply by
> visiting a web page with a suspect wmf file. You don't need to click on
> anything. If the wmf file is embedded Windows will try and open it. The
> full attack vector is still uncertain at this point. There are some
> possible work arounds that "MAY" help.


Yikes. That is disconcerting.

Is avoiding the use of IE of any help to this issue, or is everyone on
the platform screwed until a reliable workaround is available?


--
Todd H.
http://www.toddh.net/
 
Jbob
12-29-2005
"Todd H." <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Yikes. That is disconcerting.
>
> Is avoiding the use of IE of any help to this issue, or is everyone on
> the platform screwed until a reliable workaround is available?
>
>
> --
> Todd H.
> http://www.toddh.net/


I think what we "think" we know so far is that other browsers are less
suspect. It seems that IE will simply try and open the wmf file in Windows
Picture and Fax Viewer whereas Fx will attempt to open it in Windows Media
Player which is not vulnerable. The issue is that at this time I'm not sure
anyone knows exactly the attack vector. It started out being thought the
(SHIMGVW.dll) was the one being exploited but now it appears to not
necessarily be the case. See this thread for a good run down.
http://www.dslreports.com/forum/remark,15115819


 
nemo_outis
12-29-2005
(E-Mail Removed) (Todd H.) wrote in news:(E-Mail Removed):

> "Jbob" <(E-Mail Removed)> writes:
>> "Todd H." <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> >
>> > I don't know if I understand the present issue completely, but
>> > whereas RPC DCOM was remotely exploitable via the network without
>> > user interaction, this windows metafile dealio would require
>> > someone to receive an email with the file attachment, wouldn't it?
>> > And hence rely on the mailer doing something with it? Or am I
>> > underestimating the severity of the release?
>> >
>> > --
>> > Todd H.
>> > http://www.toddh.net/

>>
>> NO, NO, NO! Severely underestimated! lol This one infects simply
>> by visiting a web page with a suspect wmf file. You don't need to
>> click on anything. If the wmf file is embedded Windows will try and
>> open it. The full attack vector is still uncertain at this point.
>> There are some possible work arounds that "MAY" help.

>
> Yikes. That is disconcerting.
>
> Is avoiding the use of IE of any help to this issue, or is everyone on
> the platform screwed until a reliable workaround is available?



IE, Firefox, mail programs - all are vulnerable to some degree or another.
The full range of vectors for the attack is not yet fully understood and
the workarounds (disabling or redirecting default WMF & EMF file handlers,
deregistering shimgvw.dll, etc.) while helpful, are probably insufficient.
It appears the core graphic-handling DLLs are also susceptible and these,
obviously, cannot be disabled.

This is a nasty one.

Regards,

 
John Hyde
12-30-2005
on 12/29/2005 2:26 PM nemo_outis said the following:
> (E-Mail Removed) (Todd H.) wrote in news:(E-Mail Removed):
>
>
>>"Jbob" <(E-Mail Removed)> writes:
>>
>>>"Todd H." <(E-Mail Removed)> wrote in message
>>>news:(E-Mail Removed)...
>>>
>>>>I don't know if I understand the present issue completely, but
>>>>whereas RPC DCOM was remotely exploitable via the network without
>>>>user interaction, this windows metafile dealio would require
>>>>someone to receive an email with the file attachment, wouldn't it?
>>>> And hence rely on the mailer doing something with it? Or am I
>>>>underestimating the severity of the release?
>>>>
>>>>--
>>>>Todd H.
>>>>http://www.toddh.net/
>>>
>>>NO, NO, NO! Severely underestimated! lol This one infects simply
>>>by visiting a web page with a suspect wmf file. You don't need to
>>>click on anything. If the wmf file is embedded Windows will try and
>>>open it. The full attack vector is still uncertain at this point.
>>>There are some possible work arounds that "MAY" help.

>>
>>Yikes. That is disconcerting.
>>
>>Is avoiding the use of IE of any help to this issue, or is everyone on
>>the platform screwed until a reliable workaround is available?

>
>
>
> IE, Firefox, mail programs - all are vulnerable to some degree or another.
> The full range of vectors for the attack is not yet fully understood and
> the workarounds (disabling or redirecting default WMF & EMF file handlers,
> deregistering shimgvw.dll, etc.) while helpful, are probably insufficient.
> It appears the core graphic-handling DLLs are also susceptible and these,
> obviously, cannot be disabled.
>
> This is a nasty one.
>
> Regards,
>


Interesting reading, couple of questions if anyone knows:

How does one disable the Windows Picture and Fax Viewer in Win98 2nd ed.?
Or is there another similar method that will give some protection?
Though my machine is XP, I'm the only "tech support" for several others
with a variety of machines. (The poor slobs, they should get competent
help.)

Once virus checkers are able to see these files, will they necessarily
be checking the files downloaded by a browser for display in a web page?

Thanks
JH
 