Update on WMF exploit

Summary: Some new approaches have emerged for reducing the risk of being affected by this exploit. One approach involves using Data Execution Prevention (DEP).

Some new approaches have emerged for reducing the risk of being affected by this exploit. One approach involves using Data Execution Prevention (DEP).  Explanation of DEP from Microsoft:

Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits.  In Windows XP SP2, DEP is enforced by both hardware and software.

SunbeltBLOG probably has the most up-to-date information. Another attack vector was discovered today as well.  This time it's from rotational ads, meaning a user can be infected by going to any site displaying the rotational ads from Exfol/WebExt. McAfee has a good description of Exfol's adware. Info here on WebExt. Sunbelt has a video of the exploit as well.

Oh, and let's not forget the most important method of prevention.  Go out and buy a Mac, or ditch Windows and start running Linux. TODAY!!!  Never mind that you won't be able to run most of your current applications, or that it will cost you a considerable amount of money and time to make the switch, and the fact there's a steep learning curve for learning Linux.  According to a lot of folks posting in the talkbacks here, it's a piece of cake and the *only* real solution to the spyware problem.

Update: Lotus Notes has been found to be vulnerable to this exploit.  Posted at SANS.

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher is vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Folks, unregistering the SHIMGVW.DLL is not a foolproof solution.

I forgot to mention this.  I also heard today that SpyAxe is being installed through this exploit.  SpyAxe got number one in the top ten rogue anti-spyware list for 2005. More on SpyAxe here.
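As an added example, not code from the original post: a Python check that identifies WMF data by its header rather than by file extension (blocking *.wmf alone misses renamed files) and flags META_ESCAPE records, the record type the WMF 0-day abused through the SETABORTPROC escape. The header layout and record codes are from the WMF format; the sample files are constructed inline.

```python
import struct

# Added example: classify bytes by WMF structure, not extension, and flag
# META_ESCAPE records (the WMF 0-day used the SETABORTPROC escape).
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header, 22 bytes before the WMF header
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009

def parse_wmf(data: bytes):
    """Return (placeable, escape codes) if data has a valid WMF header, else None."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22
    if len(data) < off + 18:
        return None
    ftype, hsize, ver, _, _, _, _ = struct.unpack_from("<HHHIHIH", data, off)
    if ftype not in (1, 2) or hsize != 9 or ver not in (0x0100, 0x0300):
        return None
    pos, escapes = off + 18, []
    while pos + 6 <= len(data):          # record = size in words (4B) + function (2B)
        rsize, func = struct.unpack_from("<IH", data, pos)
        if rsize < 3 or func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            escapes.append(struct.unpack_from("<H", data, pos + 6)[0])
        pos += rsize * 2
    return placeable, escapes

def triage(data: bytes) -> str:
    parsed = parse_wmf(data)
    if parsed is None:
        return "not-wmf"
    if SETABORTPROC in parsed[1]:
        return "wmf-setabortproc"
    return "wmf-escape" if parsed[1] else "wmf"

def build_wmf(records):
    """Construct a minimal disk WMF for testing (sample data, not a real image)."""
    body = b"".join(records)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                      0, max(len(r) // 2 for r in records), 0)
    return hdr + body

EOF_REC = struct.pack("<IH", 3, META_EOF)
ABORT_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
BENIGN = build_wmf([EOF_REC])
SUSPECT = build_wmf([ABORT_REC, EOF_REC])
RENAMED = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + BENIGN   # e.g. served as .jpg

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("suspect", SUSPECT), ("renamed", RENAMED)]:
        print(name, triage(blob))
```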

Talkback

11 comments
  • The Cost of Switching

    The cost of switching? The cost of any new single system can be
    seen as comparable and competitive to any other single system.
    The "cost" as the author puts it, comes not from the switch, but
    from the fact you have to consider it. It comes from needing to
    purchase a complete second system because the cash spent on
    the first is not recoverable. If your current systems were seen as
    adequate, switching wouldn't even enter the discussion. Clearly,
    this isn't the case. When it comes to the cost of switching, well
    that's just a simple business decision. The cost of maintaining
    the current system is weighed against the cost of the new and
    amortized over time.

    The assertion of the security contingent is that it costs less to fix
    the current systems than to "presumably" prevent the problem.
    Windows people might get hosed either way but let's not be
    dismissive of viable alternatives because we have to consider
    adding a competitive recoverable cost to a useless unrecoverable
    one. A new generation of users are in the position to make their
    own decisions about technology. They watch these
    developments with interest. Do you think they want the grief? Do
    you think they are beholden or too heavily invested in a massive
    kludge?

    Alternatively, if the costs of computing are seen as
    unrecoverable, because the wrong choice had been made years
    ago and it's too late to change course, I suppose we could
    always reconsider old pad and pencil.
    Harry Bardal
  • Just a stab or attempt for OU traffic "I guess"

    With specious comments & FUD.

    As most who use linux every day know .... (if you want to.... it is just 1's & 0's)

    Yes it is easy to live without MS at all....

    And just as easy with a Mac as well...

    And anybody can make the switch TODAY!! (if they want to)
    (Ignorance is bliss, I guess) It may take time and it can even be "Free" both "gratis" & "libre".

    Everyone has to start somewhere......(it appears ZD/cnet has taken the wrong tack)

    But if you do not investigate for yourself, you will never know, and have to wait for trendy marketing............

    Why can you not run any of your current Apps?.. more FUD?

    Are you talking about... personal, corporate, scientific, enterprise?

    It seems to me the best apps are cross platform or even web based.
    Moz/Firefox, Opera, Open/StarOffice, Gimp, Inkscape, Scribus, Mathematica, ProE,
    Maya etc.......

    Still if DOS or win32 API is your bag/need then can easily be done...
    dosemu, WINE, CrossOver, Cedega, David etc..

    Every really useful app or tool is crossplatform or an equivalent is available.

    Or even:

    "or that it will cost you a considerable amount of money and time to make the switch, "

    Why.... no different from upgrading & changing from your previous system
    95/98> NT/2k> XP etc. or
    Office 4 > 97 > 2k > XP > 2k3 > 12 etc...

    Seems to me all the same......

    And again:

    "and the fact there's a steep learning curve for learning Linux. "

    for those who only who think they "know" windows.

    Casual user does not care. (Equally greek or geek to them)
    Experienced user does not care (understanding of fundamentals & grasp of the Abstract)
    Windows user cares not because knows no better....


    no different than learning windows.. Yet Another Computer.. YAC....
    LazLong
  • simple solution-use mozilla/firefox w/ adblock plugin, add *.wmf and *.emf

    This should prevent the files w/ wmf & emf extensions from being downloaded altogether.

    This would be handy for IE...
    ~doolittle~
    • adding extensions to adblock

      Sorry to sound stupid but how? Adblock appears now in my extensions, but it has no place for me to specify files to be blocked as far as I can see. Or am I misunderstanding?
      tedkrever@...
      • tools -> adblock -> preferences

        Then under "new filter" just make the two entries, one for "*.wmf" then hit add, then rinse and repeat for "*.emf".
        ~doolittle~
        • ALSO WRONG

          This is again, very bad advice. The WMF vulnerability can be exploited with file types other than WMF - please review http://isc.sans.org/diary.php?rss&storyid=992 for the most up-2-date info. Upping your level of DEP protection, while also unregistering the appropriate DLL looks like the best solution for the time being. TREAD WITH CAUTION
          jmanico
          • unofficial patch info & download

            Here are some other resources, since a lot of servers are flooded & timing out...

            info:
            http://www.f-secure.com/weblog/#00000761
            http://www.hexblog.com/2005/12/wmf_vuln.html

            patch download:
            http://handlers.sans.org/tliston/wmffix_hexblog13.exe
            http://www.hexblog.com/security/files/wmffix_hexblog13.exe
            ~doolittle~
    • WRONG

      This is bad and inaccurate advice. There are several new attack vectors that render this advice worthless. Review at http://isc.sans.org/diary.php?rss&storyid=992 and defend yourself the right way!
      jmanico
  • WMF 0-day vulnerability is not a bug, it's a feature

    http://www.f-secure.com/weblog/#00000761
    ~doolittle~