Anonymous wrote: Quit blaming Windows and get a clue!!!
It's not the gun, son!
It's the cowboy!
Got it?
In this case the gun was designed with the barrel pointing towards the wielder.
dead horse wrote: The problem happens only when .wmf files are opened by the Microsoft Fax and Image viewer, which has had overflow problems in the past.
Friday, December 30, 2005
WMF, day 3 Posted by Stefan @ 12:29 GMT
The amount of trojans using the zero-day WMF exploit is increasing rapidly.
Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer even though WMF images are viewed as normal.
What the workaround does not protect against is opening an exploited file in mspaint. And like always, renaming the file will not make a difference to mspaint. So our suggestion is to not open any pictures with mspaint whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.
Wednesday, December 28, 2005
<snip>
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
jscher2000 wrote: No, many say the flaw is in GDI32.dll, shared by many Windows applications for graphics rendering.
The public exploits currently use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated with making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.
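Two points in the quotes above matter for anyone filtering mail or web traffic: the flaw lives in GDI32.DLL rather than in one viewer, and the new generator produces "highly variable and hard-to-detect" files, so matching on file extension or on one fixed byte string is weak. The following scanner is an added example, not code from this thread, from F-Secure or from Microsoft. It walks the WMF record structure and reports META_ESCAPE records carrying the SETABORTPROC escape function (the record type the December 2005 exploits relied on and that MS06-001 later patched; the thread itself does not name it), along with records whose size field is impossible. The two WMF blobs at the bottom are constructed fixtures: the "suspicious" one has the escape record's data replaced by zero bytes, so it is inert and only exercises the detector.

```python
"""Structural scanner for Windows Metafile (WMF) data.

Added example, not code from the thread or from F-Secure. It walks the WMF
record stream and reports META_ESCAPE records whose escape function is
SETABORTPROC, plus records with an impossible size. It renders nothing, so
it can run at a gateway regardless of the file's extension.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
METAHEADER_LEN = 18          # fixed METAHEADER: 9 WORDs
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_SETWINDOWORG = 0x020B
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009    # escape sub-function that installs an abort callback
ESC_MFCOMMENT = 0x000F       # harmless escape commonly found in real files


def scan_wmf(data):
    """Return a list of findings (strings). An empty list means nothing flagged."""
    body = bytes(data)
    if len(body) >= 4 and struct.unpack_from("<I", body)[0] == PLACEABLE_KEY:
        body = body[PLACEABLE_LEN:]          # skip the placeable header
    if len(body) < METAHEADER_LEN:
        return ["truncated: no METAHEADER"]
    findings = []
    mtype, hdr_words, _ver, _size, _nobj, _maxrec, _nmem = struct.unpack_from("<HHHIHIH", body, 0)
    if mtype not in (1, 2) or hdr_words != 9:
        findings.append(f"bad METAHEADER: type={mtype} headersize={hdr_words}")
    off = METAHEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)  # every record starts with size+function
        if func == META_EOF:
            return findings
        if size_words < 3:                    # size counts itself (2 words) and the function (1 word)
            findings.append(f"malformed record at offset {off}: size {size_words} words")
            return findings
        params = body[off + 6: off + size_words * 2]
        if func == META_ESCAPE:
            if len(params) < 4:
                findings.append(f"short META_ESCAPE at offset {off}")
            else:
                esc_func, byte_count = struct.unpack_from("<HH", params, 0)
                if esc_func == ESC_SETABORTPROC:
                    findings.append(f"META_ESCAPE SETABORTPROC at offset {off} with {byte_count} data bytes")
        off += size_words * 2
    findings.append("no META_EOF record before end of data")
    return findings


# --- constructed test fixtures (not real samples) ---------------------------
def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                     # records are WORD-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records, placeable=False):
    total_words = (METAHEADER_LEN + sum(len(r) for r in records)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    out = header + b"".join(records)
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 1000, 1000, 1440, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):   # XOR of the 10 WORDs before it
            checksum ^= w
        out = head + struct.pack("<H", checksum) + out
    return out


# A normal file: a map-mode record, a harmless MFCOMMENT escape, then EOF.
BENIGN_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),          # MM_ANISOTROPIC
    _record(META_ESCAPE, struct.pack("<HH", ESC_MFCOMMENT, 4) + b"demo"),
    _record(META_EOF),
])

# Record layout a scanner must catch; the escape data is four zero bytes
# (a placeholder, not code), so this fixture only exercises the detector.
SETABORTPROC_WMF = _wmf([
    _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("setabortproc", SETABORTPROC_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

Because the scanner follows the size field from record to record, the escape record is found wherever a generator places it in the stream, which is the property a fixed byte signature lacks. It also does not look at the file name, which matches the observation above that renaming a file makes no difference to the application that opens it.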