
WMF exploit - I have just fallen for it!

N/A

WMF exploit - I have just fallen for it!

I have started the new year thinking that I was fairly PC savvy only to open an e-mail from a
Quote
David Taylor @ Tradersworld.com
(DON'T go there!)
The content of the e-mail
Quote
Hello,
John asked me to send out the new website template, I have uploaded the initial design here
and there is a website link, obviously I shall not post it and yes I went there :oops:

This can be exploited because of a Windows error in the display module for WMF images, and embedded harmful code can be executed. Even viewing the preview of a WMF camouflaged as a JPG image can install a backdoor on your PC.

Microsoft hasn't provided an official patch so far to close this flaw, and all Windows versions are affected by this problem! WMF exploits also work with limited rights user accounts.

However, CastleCops and Sunbelt are hosting a temporary fix. http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day.html

Hope you aren't as stupid as me!
7 REPLIES
N/A

WMF exploit - I have just fallen for it!

there are three ways to protect against this:

1) unload the dlls
2) use the regpatch
3) download the hotfix from hexblog

if you do all three then reboot you will be safe (or just (3)) so yea, have fun Smiley
N/A

Re: WMF exploit - I have just fallen for it!

Quote

Hope you aren't as stupid as me!


Don't feel too beat up about it, everyone gets caught out from time to time.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 12-04-2007

WMF exploit - I have just fallen for it!

Sorry to hear you got a nasty. Sad

Could you tell me please, when you say "camouflaged as a JPG image", do you mean the extension ".jpg" is visible in the link, but the true extension is hidden?

What I mean is, one of the first things I do in a list of "hardening" after an install of windows, is to go to "folder options" and un-check "Hide extensions for known file types". What I am asking is were you caught out because you clicked on something that appeared like this:-
    nasty.jpg
But was really this:-
    nasty.jpg.exe
:?:

Or is it a case that you just need to have viewed an infected jpg from a web site? :?

**EDIT**

Hmm never mind, I am looking at some security sites about it, which indicate it is rather more than I was thinking. :oops:
N/A

WMF exploit - I have just fallen for it!

it doesn't need any ending at all, for instance any line at all can give it to you.
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 12-04-2007

WMF exploit - I have just fallen for it!

I have been using the temporary fix against these "wmf" exploits for the past few days, but an official fix came via Microsoft yesterday. (Friday).
Just thought I would let bluebellhouse and any other interested peeps know. (Particularly peeps who don't have windows updates set to auto) Smiley
N/A

WMF exploit - I have just fallen for it!

If you use Windows regardless of what Internet browser you are using - then your computer is very vulnerable - if your browser can display pictures - as bluebellhouse has found out.

This exploit takes advantage of the Windows Media Format (WMF). It's not limited to WMF files, e.g., it can occur under any graphical extension (jpg, gif, etc.). You only have to visit a rogue web-site and your computer will be infected - without clicking any links! This also applies to "pictures" embedded within or attached to emails and presumably the same applies to newsgroups.

I understand the exploit uses a Windows feature that has always existed which allows executable code to be contained within .wmf files. However the way this has been implemented - code within any media file is executed. Therefore files with .gif .jpg .png etc... extensions can carry a malicious payload. The worrying thing is how long this has been exploited - as I heard something about infection via jpg file a year or so ago - and rubbished it! However since the publication of this exploit over the Christmas period - use of this exploit has snowballed.

This exploit is currently billed as the worst security hole in Windows history - affecting ALL versions of Windows past and present. More reading and a WMF Vulnerability Checker can be found at - http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more .

At the time of this posting Microsoft does not appear to be releasing a fix for Windows98 (earlier versions though probably affected - are no longer supported in any case). For more details and patches for later Windows versions see - Microsoft Security Bulletin MS06-001 at - http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
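
A content-based check for the point made in the replies above, that the file extension says nothing about whether a file holds WMF data (added example, not code from the thread or from any tool linked in it): it identifies WMF data by its header bytes and flags the META_ESCAPE/SETABORTPROC record, the record type publicly documented as the one abused by this flaw. The constants come from the published WMF format specification; the sample file names and bytes are constructed and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7          # optional 22-byte placeable header magic
META_ESCAPE, SETABORTPROC = 0x0626, 0x0009   # values from the [MS-WMF] spec
IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")

def wmf_header_offset(data):
    """Offset of the 18-byte META_HEADER if data parses as WMF, else None."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    ok = ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return off if ok else None

def has_abortproc_escape(data, hdr_off):
    """Walk the record list looking for META_ESCAPE with SETABORTPROC."""
    pos = hdr_off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                      # malformed record, stop
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                return True
        if func == 0:                           # META_EOF
            break
        pos += size_words * 2                   # record size is in 16-bit words
    return False

def classify(name, data):
    """Judge a file by its bytes; the extension only affects the label."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    if has_abortproc_escape(data, off):
        return "wmf-with-abortproc-escape"
    return "wmf-disguised" if name.lower().endswith(IMAGE_EXTS) else "wmf"

# Constructed samples (no real payloads): header + records, and a JPEG stub.
HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
EOF = struct.pack("<IH", 3, 0)
ESC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # empty escape data
SAMPLES = {"holiday.jpg": HDR + EOF, "card.gif": HDR + ESC + EOF,
           "logo.wmf": HDR + EOF, "real.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 20}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {classify(name, blob)}")
```
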
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 12-04-2007

WMF exploit - I have just fallen for it!