Malicious Zero Day Windows Media File Exploits are in-the-wild

Community

Email Notifications

Personal Links

Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Please be careful with sites that you visit as a major new security risk has developed. Please be particularly careful downloading or playing WMF (Windows Media File) until this issue is fully resolved. I believe Microsoft will prioritize and patch this new vulnerability expediently, so please look for upcoming security advisories, workarounds, and ultimately a patch. In the mean time, follow best practices in only visiting safe sites and avoid all WMF files in emails or untrusted websites. Keep your AV protection updated as anti-virus vendors will also prioritize security protection for this new in-the-wild exploit.

STATUS INFORMATION

INTERNET STORM CENTER - YELLOW ALERT

F-SECURE BLOG - GOOD STATUS INFORMATION

SUNBELT BLOG - GOOD STATUS INFORMATION

SECUNIA INFORMATION

Microsoft Windows WMF Handling Arbitrary Code Execution
http://secunia.com/advisories/18255/

Secunia Advisory: SA18255
Release Date: 2005-12-28

Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

QUOTE: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

Solution: Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.

TREND MICRO INFORMATION

TWO TROJAN HORSE VARIANTS SO FAR

TROJ_WMFXEXE.A

TROJ_WMFMSITS.A

QUOTE: The Windows Picture and Fax Viewer vulnerability is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of systems may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.

FRSIRT INFORMATION

Microsoft Windows WMF Handling Remote Code Execution Vulnerability
http://www.frsirt.com/english/advisories/2005/3086

FrSIRT Advisory: FrSIRT/ADV-2005-3086
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-12-28

WORKAROUNDS THAT ARE EMERGING

These workarounds appear to help some, although they will impact some functionality. For now the best advice is to be careful with all email and website links. Avoid all WMF files, especially from untrusted sites until more is known on this new threat.

EWeek Article: Provides more on shimgvw.dll workaround

Full Disclosure - Shimgvw.dll workaround with *.REG files that can toggle settings on/off

Posted: Dec 28 2005, 09:20 PM by Harry Waldron | with 8 comment(s)