Malicious Zero Day Windows Metafile (WMF) Exploits are in-the-wild
Please be careful with the sites that you visit, as a major new security risk has developed. Please be particularly careful downloading or viewing WMF (Windows Metafile) files until this issue is fully resolved. I believe Microsoft will prioritize and patch this new vulnerability expediently, so please look for upcoming security advisories, workarounds, and ultimately a patch. In the meantime, follow best practices by only visiting safe sites and avoiding all WMF files in emails or on untrusted websites. Keep your AV protection updated, as anti-virus vendors will also prioritize security protection for this new in-the-wild exploit.
INTERNET STORM CENTER - YELLOW ALERT
F-SECURE BLOG - GOOD STATUS INFORMATION
SUNBELT BLOG - GOOD STATUS INFORMATION
Microsoft Windows WMF Handling Arbitrary Code Execution
Secunia Advisory: SA18255
Release Date: 2005-12-28
Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.
Solution: Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.
TREND MICRO INFORMATION
TWO TROJAN HORSE VARIANTS SO FAR
QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
Microsoft Windows WMF Handling Remote Code Execution Vulnerability
FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2005-12-28
WORKAROUNDS THAT ARE EMERGING
These workarounds appear to help somewhat, although they will impact some functionality (image previews and thumbnails that rely on the Picture and Fax Viewer). For now the best advice is to be careful with all email and website links. Avoid all WMF files, especially from untrusted sites, until more is known about this new threat.
EWeek Article: Provides more on shimgvw.dll workaround
Full Disclosure - Shimgvw.dll workaround with *.REG files that can toggle settings on/off
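The shimgvw.dll workaround referenced above amounts to unregistering the Windows Picture and Fax Viewer library with regsvr32 so that Explorer no longer hands WMF previews to it. The following script is an added example written for this post; it is not the EWeek or Full Disclosure material and not Microsoft's own guidance. It reports whether shimgvw.dll is still registered as a COM server (by scanning HKCR\CLSID for an InProcServer32 entry that points at it), and can unregister or re-register the DLL so the workaround can be reversed once a patch ships. It assumes the DLL lives under %windir%\system32 and that a PowerShell host is available on the machine.

```powershell
# Added example, not part of the original post or any vendor advisory.
# Status: report whether shimgvw.dll is registered as a COM in-process server.
# Disable: unregister it (the workaround). Enable: re-register it (undo).
# Assumes the DLL is at %windir%\system32\shimgvw.dll (Windows XP / 2003 layout).
param(
    [ValidateSet('Status', 'Disable', 'Enable')]
    [string]$Action = 'Status'
)

$ShimgvwPath = Join-Path -Path $env:windir -ChildPath 'system32\shimgvw.dll'

function Get-ShimgvwRegistration {
    # Walk HKCR\CLSID and return every class whose InProcServer32 default value
    # points at shimgvw.dll. An empty result means the viewer is unregistered.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $serverKey = Join-Path -Path $_.PSPath -ChildPath 'InProcServer32'
            if (Test-Path -Path $serverKey) {
                $server = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -like '*shimgvw.dll*') {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Test-IsAdministrator {
    # regsvr32 writes to HKCR, so registering/unregistering needs elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # /s suppresses the dialog box; the exit code tells us whether it succeeded.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList (@('/s') + $Arguments) `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

switch ($Action) {
    'Status' {
        $regs = @(Get-ShimgvwRegistration)
        if ($regs.Count -eq 0) {
            Write-Output 'shimgvw.dll is NOT registered (workaround is in place).'
        } else {
            Write-Output "shimgvw.dll is registered for $($regs.Count) CLSID(s):"
            $regs | Format-Table -AutoSize
        }
    }
    'Disable' {
        if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated prompt.' }
        $code = Invoke-Regsvr32 -Arguments @('/u', $ShimgvwPath)
        if ($code -ne 0) { throw "regsvr32 /u failed with exit code $code" }
        Write-Output 'Unregistered shimgvw.dll; Picture and Fax Viewer previews are disabled.'
    }
    'Enable' {
        if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated prompt.' }
        $code = Invoke-Regsvr32 -Arguments @($ShimgvwPath)
        if ($code -ne 0) { throw "regsvr32 failed with exit code $code" }
        Write-Output 'Re-registered shimgvw.dll; original preview behaviour restored.'
    }
}
```

Run it with `-Action Status` first to see whether the workaround is already applied, `-Action Disable` from an elevated prompt to apply it, and `-Action Enable` to undo it after the vendor patch is installed. The registry scan is the useful part for a fleet: the same check can be run across machines to confirm the workaround actually took effect rather than trusting that the .reg or regsvr32 step ran.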