December 28th, 2005, 02:34 PM #1
Warning: Nasty Windows Exploit
This is *nasty* - a flaw in the WMF graphics file format that can lead to code being executed on your PC. There's no patch and it's quite likely that your anti-virus vendor doesn't have a fix for it.
The evil thing is that WMF files can be embedded in most types of email message, i.e. it does NOT have to be an attachment. You can get infected just by viewing the graphic in a preview pane.
Web browsers are vulnerable too, and most likely Firefox and Mozilla.
http://www.f-secure.com/weblog/ (this tells you some sites to block)
http://isc.sans.org/ has the latest news (Infocon is set to Yellow which means this is a serious threat)
December 28th, 2005, 02:42 PM #2
Dynamoo, Thanks for the info. This is not good. I have some network computers to check.
December 28th, 2005, 03:02 PM #3
Good thing I'm an Apple user.
- Scott
Hatred stirs up strife, but love covers all transgressions.
December 28th, 2005, 03:16 PM #4
December 29th, 2005, 01:57 PM #5
It's possible that this could spread via email, or even potentially sneak onto Windows-based web servers. Microsoft have published a workaround here: http://www.microsoft.com/technet/sec...ry/912840.mspx
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
December 30th, 2005, 12:09 AM #6
Thanks for the heads up Dynamoo
The Best Forums
Nothing in the world can take the place of persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination are omnipotent.
January 3rd, 2006, 01:18 AM #7
Microsoft still hasn't released a fix, but here's a workaround that disables the exploit:
January 3rd, 2006, 08:03 AM #8
I hope you've all put up Google Firefox referrals on your popular pages.... It's a GREAT time for it...
January 3rd, 2006, 09:41 AM #9
FYI, I don't think Firefox is immune. This is a Windows bug, not an IE bug.
January 3rd, 2006, 09:43 AM #10
The reports I've seen indicate that since it involves code in the Windows Fax and Picture viewer, Firefox handled it differently... But I'm no expert... I and they could be wrong.
The local IT reporters here in Rochester have been pushing both Thunderbird and Firefox as fixes. Hope they are right.
Last edited by Noth; January 3rd, 2006 at 09:44 AM. Reason: spelling
January 3rd, 2006, 09:47 AM #11
Firefox doesn't display WMF files automatically, it'll prompt for a download. But you can rename the WMF to JPG and it's still potentially dangerous because Windows checks the content of the file, rather than the extension.
There's an unofficial patch here:
which seems to be OK.
Microsoft are going to have a patch for next week they hope, so it's just a question of surviving until then (assuming their patch actually works).
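The point above, that Windows goes by file content rather than extension, can be checked from the defender's side. The following is an added example, not code from this thread, from Microsoft, or from any vendor patch: it sniffs a byte buffer for a WMF header (placeable or plain) regardless of the file name, then walks the records and counts escape records; the escape function number SETABORTPROC and the record walk are details the thread itself does not go into, and the sample file is constructed inline as test data only.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key that opens a placeable (Aldus) WMF header
META_ESCAPE = 0x0626         # record type carrying printer/driver escape codes
META_EOF = 0x0000
SETABORTPROC = 9             # escape function number (assumption: not named in the thread)

def placeable_header(left, top, right, bottom, inch):
    """22-byte placeable header; checksum is the XOR of the ten preceding words."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, left, top, right, bottom, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum)

def build_sample_wmf():
    """Constructed test data: a tiny metafile with one escape record and META_EOF."""
    esc = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # size is in 16-bit words
    eof = struct.pack("<IH", 3, META_EOF)
    body = esc + eof
    # META_HEADER: type 1 (memory), 9 header words, version 3.0, size in words, objects, max record, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return placeable_header(0, 0, 100, 100, 96) + header + body

def sniff_wmf(data):
    """Judge from content only: return (is_wmf, escape_record_count)."""
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22
    if len(data) < offset + 18:
        return False, 0
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, offset)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return False, 0
    pos, escapes = offset + 18, 0
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break          # malformed or finished; never loop forever on a bad size
        if func == META_ESCAPE:
            escapes += 1
        pos += size_words * 2
    return True, escapes

def extension_mismatch(name, data):
    """True when the bytes are a metafile but the name claims something else (e.g. .jpg)."""
    is_wmf, _ = sniff_wmf(data)
    return is_wmf and not name.lower().endswith(".wmf")
```

A mail gateway or web proxy filter built on this check blocks on what the bytes are, which is the only thing the viewer in the thread looks at.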
January 3rd, 2006, 09:49 AM #12
I see, I see. So we got part of the story here. Thanks for clearing that up.
January 3rd, 2006, 10:00 AM #13
It looks like you might be right, at least for newer versions of Firefox. Still, you can get infected through email, messenger programs, and even Google Desktop. Using Firefox won't protect in those areas.
Here's the wikipedia entry for the exploit:
(There's some discussion about Firefox there.)
January 3rd, 2006, 10:04 AM #14
How long before the NY Times blames this on cookies?
January 3rd, 2006, 10:21 AM #15
Originally Posted by Noth
January 3rd, 2006, 01:18 PM #16
January 4th, 2006, 01:26 AM #17
Let's put the blame right where it belongs..... right on the backsides of the S/W driven affiliates seeking infestation routes to sucker punch merchants. You heard me right! Every network and AM salivating on newly discovered exploit routines by affiliates shoving Adware/Spyware/Info scraping applications up the consumers' butts should get hung up by their thumbs. I sure hope the CPA networks, major networks and every BHO and phoney anti-??? program gets huge fines over this one.
Don't expect this one to go away soon as the exploiters and the money trail is getting the full Federal, Security firm and Microsoft attention.
F-Secure first reported the zero-day vulnerability on Dec. 27. Microsoft does not plan to issue a patch until Jan. 10. In the meantime, virus writers could have a field day with the vulnerability, according to security experts. The vulnerability is related to Windows' WMF files. Windows metafiles are image files used by popular applications, such as Microsoft Word. So far WMF exploits typically have been used to install spyware and adware, although the threat of virus and worm exploits remains.
"So far, we've only seen this exploit being used to install spyware -- or fake antispyware and antivirus software -- on the affected machines," F-Secure Chief Research Officer Mikko Hypponen said. "I'm afraid we'll see real viruses using this soon. We've seen 70 different versions of malicious WMF files so far."
The WMF exploit has been used with a clear criminal motivation ( all affiliate based) to install spyware and to dupe ordinary consumers into purchasing fake security products for their computers, Hypponen pointed out.
Users can be infected simply by visiting a Web site with an image file containing the WMF exploit. Internet Explorer users are at the greatest risk of automatic infection, while Firefox and Opera browser users are prompted with a question whether they'd like to open the WMF image or not. They get infected too if they answer "Yes."
Anyone monetizing these Adwhore cyber terrorists needs to go back to their old day jobs of funding the child sex slavery business.
Webmaster's... Mike and Charlie
"What have you done today to put real value into a referral click...from a shoppers viewpoint!"
January 4th, 2006, 02:38 AM #18
Wow, see what a week of boring to no news does: it makes a minor exploit like this seem like the end of the world.
If any of you are worried that this will ruin your systems, stay off the internet until the 10th, when MS will place the patch on Windows Update.
Or just keep your anti-virus and anti-spyware defs up to date and be happy.