"Extremely Critical" New zero-day Windows vulnerability being exploited.

Discussion in 'Computer Security' started by NIST.org, Dec 29, 2005.

  1. NIST.org

    NIST.org Guest

    F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
    currently being exploited through Trojan email messages that allows for
    Arbitrary Code Execution. It is related to Microsoft Windows WMF
    (Windows Metafiles) handling. Even fully patched Windows XP SP2
    machines using IE or Firefox are vulnerable.

    Update 12/29: F-Secure is reporting that this vulnerability can be
    exploited using other image extensions such as BMP, GIF, PNG, JPG,
    JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.

    There is currently no patch for this vulnerability.

    See http://www.nist.org/news.php?extend.50 for more information and
    tips on how to block it.
    NIST.org, Dec 29, 2005
    #1

  2. NIST.org

    Leythos Guest

    In article <>,
    says...
    > F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
    > currently being exploited through Trojan email messages that allows for
    > Arbitrary Code Execution. It is related to Microsoft Windows WMF
    > (Windows Metafiles) handling. Even fully patched Windows XP SP2
    > machines using IE or Firefox are vulnerable.
    >
    > Update 12/29: F-Secure is reporting that this vulnerability can be
    > exploited using other image extensions such as BMP, GIF, PNG, JPG,
    > JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
    >
    > There is currently no patch for this vulnerability.
    >
    > See http://www.nist.org/news.php?extend.50 for more information and
    > tips on how to block it.


    Vulnerability Note VU#181038
    http://www.kb.cert.org/vuls/id/181038

    --


    remove 999 in order to email me
    Leythos, Dec 29, 2005
    #2

  3. NIST.org

    Ludovic Joly Guest

    If a patch is not released fast it's going to get as mad as with rpc
    dcom...
    Ludovic Joly, Dec 29, 2005
    #3
  4. NIST.org

    Todd H. Guest

    "Ludovic Joly" <> writes:

    > If a patch is not released fast it's going to get as mad as with rpc
    > dcom...


    Hrmm. I don't know about that. Why do you think so?

    I don't know if I understand the present issue completely, but whereas
    RPC DCOM was remotely exploitable via the network without user
    interaction, this windows metafile dealio would require someone to
    receive an email with the file attachment, wouldn't it? And hence
    rely on the mailer doing something with it? Or am I underestimating
    the severity of the release?

    --
    Todd H.
    http://www.toddh.net/
    Todd H., Dec 29, 2005
    #4
  5. From: "NIST.org" <>

    | F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
    | currently being exploited through Trojan email messages that allows for
    | Arbitrary Code Execution. It is related to Microsoft Windows WMF
    | (Windows Metafiles) handling. Even fully patched Windows XP SP2
    | machines using IE or Firefox are vulnerable.
    |
    | Update 12/29: F-Secure is reporting that this vulnerability can be
    | exploited using other image extensions such as BMP, GIF, PNG, JPG,
    | JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
    |
    | There is currently no patch for this vulnerability.
    |
    | See http://www.nist.org/news.php?extend.50 for more information and
    | tips on how to block it.

    The following is a report of AV software and their detection of this Exploit.

    AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
    Avast 4.6.695.0 12.29.2005 Win32:Exdown
    AVG 718 12.29.2005 Downloader.Agent.13.AI
    Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
    BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
    CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
    ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
    DrWeb 4.33 12.29.2005 Exploit.MS05-053
    eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
    eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
    Ewido 3.5 12.29.2005 Downloader.Agent.acd
    Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
    F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
    Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
    Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
    McAfee 4662 12.29.2005 Exploit-WMF
    Microsoft ?? 12.29.2005 no virus found
    NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
    Norman 5.70.10 12.29.2005 no virus found
    Panda 9.0.0.4 12.28.2005 Exploit/Metafile
    Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
    Symantec 8.0 12.29.2005 Download.Trojan
    TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
    Trend Micro 135 12.29.2005 TROJ_NASCENE.D
    UNA 1.83 12.29.2005 no virus found
    VBA32 3.10.5 12.28.2005 no virus found



    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Dec 29, 2005
    #5
  6. NIST.org

    Jbob Guest

    "Todd H." <> wrote in message
    news:...
    >
    > I don't know if I understand the present issue completely, but whereas
    > RPC DCOM was remotely exploitable via the network without user
    > interaction, this windows metafile dealio would require someone to
    > receive an email with the file attachment, wouldn't it? And hence
    > rely on the mailer doing something with it? Or am I underestimating
    > the severity of the release?
    >
    > --
    > Todd H.
    > http://www.toddh.net/


    NO, NO, NO! Severely underestimated! lol This one infects simply by
    visiting a web page with a suspect wmf file. You don't need to click on
    anything. If the wmf file is embedded, Windows will try and open it. The
    full attack vector is still uncertain at this point. There are some
    possible workarounds that "MAY" help.
    Jbob, Dec 29, 2005
    #6
  7. NIST.org

    Todd H. Guest

    "Jbob" <> writes:
    > "Todd H." <> wrote in message
    > news:...
    > >
    > > I don't know if I understand the present issue completely, but whereas
    > > RPC DCOM was remotely exploitable via the network without user
    > > interaction, this windows metafile dealio would require someone to
    > > receive an email with the file attachment, wouldn't it? And hence
    > > rely on the mailer doing something with it? Or am I underestimating
    > > the severity of the release?
    > >
    > > --
    > > Todd H.
    > > http://www.toddh.net/

    >
    > NO, NO, NO! Severely underestimated! lol This one infects simply by
    > visiting a web page with a suspect wmf file. You don't need to click on
    > anything. If the wmf file is embedded, Windows will try and open it. The
    > full attack vector is still uncertain at this point. There are some
    > possible workarounds that "MAY" help.


    Yikes. That is disconcerting.

    Is avoiding the use of IE of any help to this issue, or is everyone on
    the platform screwed until a reliable workaround is available?


    --
    Todd H.
    http://www.toddh.net/
    Todd H., Dec 29, 2005
    #7
  8. NIST.org

    Jbob Guest

    "Todd H." <> wrote in message
    news:...
    > Yikes. That is disconcerting.
    >
    > Is avoiding the use of IE of any help to this issue, or is everyone on
    > the platform screwed until a reliable workaround is available?
    >
    >
    > --
    > Todd H.
    > http://www.toddh.net/


    I think what we "think" we know so far is that other browsers are less
    suspect. It seems IE will simply try and open the wmf file in Windows
    Picture and Fax Viewer whereas Fx will attempt to open it in Windows Media
    Player, which is not vulnerable. The issue is that at this time I'm not sure
    anyone knows exactly the attack vector. It started out being thought that
    SHIMGVW.dll was the one being exploited but now it appears that's not
    necessarily the case. See this thread for a good run down.
    http://www.dslreports.com/forum/remark,15115819
    Jbob, Dec 29, 2005
    #8
  9. NIST.org

    nemo_outis Guest

    (Todd H.) wrote in news::

    > "Jbob" <> writes:
    >> "Todd H." <> wrote in message
    >> news:...
    >> >
    >> > I don't know if I understand the present issue completely, but
    >> > whereas RPC DCOM was remotely exploitable via the network without
    >> > user interaction, this windows metafile dealio would require
    >> > someone to receive an email with the file attachment, wouldn't it?
    >> > And hence rely on the mailer doing something with it? Or am I
    >> > underestimating the severity of the release?
    >> >
    >> > --
    >> > Todd H.
    >> > http://www.toddh.net/

    >>
    >> NO, NO, NO! Severely underestimated! lol This one infects simply
    >> by visiting a web page with a suspect wmf file. You don't need to
    >> click on anything. If the wmf file is embedded, Windows will try and
    >> open it. The full attack vector is still uncertain at this point.
    >> There are some possible workarounds that "MAY" help.

    >
    > Yikes. That is disconcerting.
    >
    > Is avoiding the use of IE of any help to this issue, or is everyone on
    > the platform screwed until a reliable workaround is available?



    IE, Firefox, mail programs - all are vulnerable to some degree or another.
    The full range of vectors for the attack is not yet fully understood and
    the workarounds (disabling or redirecting default WMF & EMF file handlers,
    deregistering shimgvw.dll, etc.) while helpful, are probably insufficient.
    It appears the core graphic-handling DLLs are also susceptible and these,
    obviously, cannot be disabled.

    This is a nasty one.

    Regards,
    nemo_outis, Dec 29, 2005
    #9
  10. NIST.org

    John Hyde Guest

    Re: "Extremely Critical" New zero-day Windows vulnerability being exploited.

    on 12/29/2005 2:26 PM nemo_outis said the following:
    > (Todd H.) wrote in news::
    >
    >
    >>"Jbob" <> writes:
    >>
    >>>"Todd H." <> wrote in message
    >>>news:...
    >>>
    >>>>I don't know if I understand the present issue completely, but
    >>>>whereas RPC DCOM was remotely exploitable via the network without
    >>>>user interaction, this windows metafile dealio would require
    >>>>someone to receive an email with the file attachment, wouldn't it?
    >>>> And hence rely on the mailer doing something with it? Or am I
    >>>>underestimating the severity of the release?
    >>>>
    >>>>--
    >>>>Todd H.
    >>>>http://www.toddh.net/
    >>>
    >>>NO, NO, NO! Severely underestimated! lol This one infects simply
    >>>by visiting a web page with a suspect wmf file. You don't need to
    >>>click on anything. If the wmf file is embedded, Windows will try and
    >>>open it. The full attack vector is still uncertain at this point.
    >>>There are some possible workarounds that "MAY" help.

    >>
    >>Yikes. That is disconcerting.
    >>
    >>Is avoiding the use of IE of any help to this issue, or is everyone on
    >>the platform screwed until a reliable workaround is available?

    >
    >
    >
    > IE, Firefox, mail programs - all are vulnerable to some degree or another.
    > The full range of vectors for the attack is not yet fully understood and
    > the workarounds (disabling or redirecting default WMF & EMF file handlers,
    > deregistering shimgvw.dll, etc.) while helpful, are probably insufficient.
    > It appears the core graphic-handling DLLs are also susceptible and these,
    > obviously, cannot be disabled.
    >
    > This is a nasty one.
    >
    > Regards,
    >


    Interesting reading, couple of questions if anyone knows:

    How does one disable the windows picture and fax viewer in win98 2ed?
    Or is there another similar method that will give some protection?
    Though my machine is XP, I'm the only "tech support" for several others
    with a variety of machines. (The poor slobs, they should get competent
    help.)

    Once virus checkers are able to see these files, will they necessarily
    be checking the files downloaded by a browser for display in a web page?

    Thanks
    JH
    John Hyde, Dec 30, 2005
    #10
  11. NIST.org

    nemo_outis Guest

    John Hyde <> wrote in
    news::

    >
    > Interesting reading, couple of questions if anyone knows:
    >
    > How does one disable the windows picture and fax viewer in win98 2ed?
    > Or is there another similar method that will give some protection?
    > Though my machine is XP, I'm the only "tech support" for several
    > others with a variety of machines. (The poor slobs, they should get
    > competent help.)
    >
    > Once virus checkers are able to see these files, will they necessarily
    > be checking the files downloaded by a browser for display in a web
    > page?
    >
    > Thanks
    > JH
    >



    The first thing you should do is follow MS's workaround (in 912840) and
    disable the WMF viewer using the following command under Start - Run:

    regsvr32 -u %windir%\system32\shimgvw.dll

    You should also go into Explorer and change the file association for EMF
    and WMF file extensions (to some benign program).

    That'll help a lot and it's all you can do right now as far as I know. The
    problem is that mislabelled files can still be opened if you click on them
    (Windows will recognize the file header of a WMF file even if it
    is called, for instance, a JPG file).

    FWIW Firefox, while not immune, has lower susceptibility than IE. With
    Firefox merely opening a "poisoned" site will result in triggering the WMF
    vulnerability; with Firefox nothing will happen unless you deliberately
    click on the "trigger" (but webmasters can be devious in tricking you into
    clicking on things you shouldn't).

    Regards,
    nemo_outis, Dec 30, 2005
    #11
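    The workaround above rests on file handlers and extensions, and nemo_outis
    notes the weak spot: Windows recognises a WMF by its header even when the
    file is called .jpg, so a filter keyed on extension misses renamed metafiles.
    The script below is an added example, not code from this thread, from
    Microsoft or from any vendor named above. It identifies a metafile by its
    header bytes rather than its name, walks the record table, and flags the
    META_ESCAPE/SETABORTPROC record that Microsoft's later bulletin MS06-001
    identified as the trigger (that detail is not stated anywhere in this
    thread). Format constants follow the public MS-WMF layout; the sample files
    are constructed in the script, and the escape payload is filler bytes, not
    an exploit.

```python
import struct

# WMF constants from the MS-WMF format description. SETABORTPROC is the escape
# that MS06-001 (published after this thread) named as the trigger.
PLACEABLE_KEY = 0x9AC6CDD7   # "placeable" metafile magic, bytes D7 CD C6 9A
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009


def _is_placeable(data: bytes) -> bool:
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY


def looks_like_wmf(data: bytes) -> bool:
    """Identify a WMF by its header bytes, ignoring the file extension."""
    if _is_placeable(data):
        data = data[22:]                      # skip the 22-byte placeable header
    if len(data) < 18:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (function, params) per record; stop at META_EOF or on damage."""
    off = (22 if _is_placeable(data) else 0) + 18   # past placeable + 9-word header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break                                   # malformed or truncated record
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def has_setabortproc(data: bytes) -> bool:
    """True if any META_ESCAPE record carries the SETABORTPROC escape code."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def scan(filename: str, data: bytes) -> dict:
    """What a content-based filter (rather than an extension filter) sees."""
    is_wmf = looks_like_wmf(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "is_wmf": is_wmf,
        "extension_mismatch": is_wmf and ext != "wmf",
        "setabortproc": is_wmf and has_setabortproc(data),
    }


def build_sample_wmf(with_abortproc: bool) -> bytes:
    """Constructed disk metafile: optional SETABORTPROC escape, then META_EOF.

    The escape payload is eight zero bytes, present only so the record walker
    has something to find. This is not an exploit file.
    """
    recs = []
    if with_abortproc:
        payload = b"\x00" * 8
        esc = struct.pack("<HH", SETABORTPROC, len(payload)) + payload
        recs.append(struct.pack("<IH", (6 + len(esc)) // 2, META_ESCAPE) + esc)
    recs.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(recs)
    total_words = (18 + len(body)) // 2
    header = struct.pack(
        "<HHHHHHIH",
        2, 9, 0x0300,                          # disk metafile, 9-word header, v3.0
        total_words & 0xFFFF, total_words >> 16,
        0,                                      # no GDI objects
        max(len(r) for r in recs) // 2,         # largest record, in words
        0,
    )
    return header + body


def add_placeable_header(wmf: bytes) -> bytes:
    """Prefix a constructed 22-byte placeable header (key, handle, bbox, dpi)."""
    return struct.pack("<IHHHHHHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 1440, 0, 0) + wmf


# Constructed JPEG SOI/APP0 prefix, used to show a genuine .jpg is left alone.
SAMPLE_JPEG = bytes.fromhex("ffd8ffe000104a46494600010101006000600000")


if __name__ == "__main__":
    for name, blob in [("holiday.jpg", build_sample_wmf(True)),
                       ("clean.wmf", build_sample_wmf(False)),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, scan(name, blob))
```

    The truncation guard in wmf_records matters in practice: a gateway filter
    that raised an exception on a cut-off record would let the file through or
    fall open, so a damaged metafile is still reported as a metafile while the
    escape check simply finds nothing.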
  12. NIST.org

    Ludovic Joly Guest

    "Todd H." wrote:
    >I don't know if I understand the present issue completely, but whereas
    >RPC DCOM was remotely exploitable via the network without user
    >interaction, this windows metafile dealio would require someone to
    >receive an email with the file attachment, wouldn't it? And hence
    >rely on the mailer doing something with it? Or am I underestimating
    >the severity of the release?


    In the case of RPC DCOM, the attacker started from a range of IP
    addresses (typically the ones belonging to a company or organization,
    or a pool of DSL users located in a particular area), scanned it to
    find the machines vulnerable to the attack, and exploited them. This
    resulted (I believe) in the creation of armies of thousands of zombies.

    In the case of this new vulnerability, the attacker is bound to start
    from an email database, and spam the virus with a very high chance of
    successful exploitation. It is less direct than starting from the IP
    addresses, but it can still result in massive exploitation. I have
    recently found an email database with millions of addresses, and if the
    virus takes the contacts stored on an exploited machine and forwards
    itself, just imagine...

    Moreover, starting from the IP addresses the attacker would face
    hardened gateways. This is probably why most of the victims of the RPC
    DCOM vuln were individuals. With a scheme of a virus spreading via
    email you can get INTO an organisation.

    Well, let's wait for the patch. And do what we can as a workaround.
    Ludovic Joly, Dec 30, 2005
    #12
  13. NIST.org

    John Hyde Guest

    Re: "Extremely Critical" New zero-day Windows vulnerability being exploited.

    On 12/29/2005 5:34 PM, nemo_outis wrote:
    > John Hyde <> wrote in
    > news::
    >
    >
    >>Interesting reading, couple of questions if anyone knows:
    >>
    >>How does one disable the windows picture and fax viewer in win98 2ed?
    >>Or is there another similar method that will give some protection?
    >>Though my machine is XP, I'm the only "tech support" for several
    >>others with a variety of machines. (The poor slobs, they should get
    >>competent help.)
    >>
    >>Once virus checkers are able to see these files, will they necessarily
    >>be checking the files downloaded by a browser for display in a web
    >>page?
    >>
    >>Thanks
    >>JH
    >>

    >
    >
    >
    > The first thing you should do is follow MS's workaround (in 912840) and
    > disable the WMF viewer using the following command under Start - Run:
    >
    > regsvr32 -u %windir%\system32\shimgvw.dll


    Yeah, done on all the XP boxes. The win98 SE box I tried it on didn't
    work. Search for "shivgvw.dll" came up empty too. Windows installs
    that just don't have it?

    >
    > You should also go into Explorer and change the file association for EMF
    > and WMF file extensions (to some benign program).


    I'll do that. By benign, do you mean some other image handler? or
    something that just won't do anything with the file? Any suggestions?

    >
    > That'll help a lot and it's all you can do right now as far as I know. The
    > problem is that mislabelled files can still be opened if you click on them
    > (Windows will recognize the file header of a WMF file even if it
    > is called, for instance, a JPG file).
    >
    > FWIW Firefox, while not immune, has lower susceptibility than IE. With
    > Firefox merely opening a "poisoned" site will result in triggering the WMF
    > vulnerability; with Firefox nothing will happen unless you deliberately
    > click on the "trigger" (but webmasters can be devious in tricking you into
    > clicking on things you shouldn't).
    >
    > Regards,
    >
    >
    John Hyde, Dec 30, 2005
    #13
  14. NIST.org

    Frankster Guest

    Trend Micro has a pattern out for this now!

    Auto-updated today to #3.137.00. I run Officescan.

    -Frank
    Frankster, Dec 30, 2005
    #14
  15. NIST.org

    Notan Guest

    Re: Trend Micro has a pattern out for this now!

    Frankster wrote:
    >
    > Auto-updated today to #3.137.00. I run Officescan.


    Please don't change the subject line, when responding to a post.

    It makes it extremely difficult to follow the thread.

    Thanks!

    Notan
    Notan, Dec 30, 2005
    #15
  16. NIST.org

    Frankster Guest

    Re: Trend Micro has a pattern out for this now!

    > Please don't change the subject line, when responding to a post.
    >
    > It makes it extremely difficult to follow the thread.


    Not with my newsreader.

    -Frank
    Frankster, Dec 30, 2005
    #16
  17. David H. Lipman, Dec 30, 2005
    #17
  18. NIST.org

    Notan Guest

    Re: Trend Micro has a pattern out for this now!

    Frankster wrote:
    >
    > > Please don't change the subject line, when responding to a post.
    > >
    > > It makes it extremely difficult to follow the thread.

    >
    > Not with my newsreader.


    It's referred to as being considerate of others.

    Notan
    Notan, Dec 30, 2005
    #18
  19. NIST.org

    Frankster Guest

    Re: Trend Micro has a pattern out for this now!

    > | Auto-updated today to #3.137.00. I run Officescan.
    > |
    > | -Frank
    > |
    >
    > Trend Micro 135 12.29.2005 TROJ_NASCENE.D


    Interesting. Here's what I see on the Trend Micro page...

    TROJ_WMFCRASH.A   Low   Dec 29, 2005   3.137.00

    TROJ_NASCENE.C    Low   Dec 28, 2005   3.135.00

    I thought this one was the WMFCRASH.A?

    -Frank
    Frankster, Dec 30, 2005
    #19
  20. Re: Trend Micro has a pattern out for this now!

    In article <>, Notan <> wrote:
    >Please don't change the subject line, when responding to a post.


    >It makes it extremely difficult to follow the thread.


    That's what the References: header is for, to provide linking
    through changes of Subject:.

    As best I recall, Usenet guidelines are that one *should* change
    Subject: headings any time that the topic has mutated significantly
    from the original topic, so as to give others a chance to avoid
    messages on topics they are not interested in, and to make it
    easier to find messages related to a particular topic.

    Changing the Subject: heading is not considered disrespectful
    if the new Subject is a good description of the content.


    By the way, -your- messages do not meet the technical standards
    for postings. The technical standards for NNTP (Network News
    Transport Protocol) require that you use a valid email address
    when posting. Not just something that is more or less in
    the right format for an email address. A lot of people ignore
    this technical requirement these days, but there are certainly
    people who consider violation of the technical standards to be
    "disrespectful".
    --
    "law -- it's a commodity"
    -- Andrew Ryan (The Globe and Mail, 2005/11/26)
    Walter Roberson, Dec 30, 2005
    #20
