Tuesday, January 03, 2006

Microsoft's Advisory on the .WMF Vulnerability

I thought you might want to see this. It's MS' take on the WMF vulnerability.

Either this was published before the full extent of the problem was known or Microsoft is intent on minimizing the impression of danger. (The former is more likely than the latter.) They are insistent that user interaction is a requirement for an exploit to be successful. This is now known to be untrue. An indexing program, such as a desktop search utility (à la Google's), can trigger the exploit. In my own tests here, I triggered two of the known exploits by using a third-party thumbnail generator as well.

The Internet Storm Center at SANS has an FAQ on the problem. Note that IE users are at more risk than Firefox users, but only just. Almost everyone is vulnerable.

All we can do is to install the unofficial patch and wait for Microsoft to act decisively.

Jack

5 comments:

  1. Anonymous 2:23 PM

    The link at the top of your post points back to blogger start page.
    Barb

  2. Huffie 3:05 PM

    One interesting thing I noticed was that a test of a true zero-day sample was tossed at almost all major anti-virus programs.

    eTrust and McAfee caught it. Symantec sort of half-caught it.

    All the others, including NOD32, failed to detect the zero-day exploit sample.

    No one should expect their anti-virus to protect them from this one, and that's a point you have to get across to friends and family. I already have one family member having to reinstall XP from scratch.

  3. I'm posting these 2 comments 'cause I can't get it to let me log on; I think it's a JavaScript issue. And I've tried all the fixes suggested at help.blogger.com.


    "The link at the top of your post points back to blogger start page."
    Barb


    "One interesting thing I noticed was that a test of a true zero-day sample was tossed at almost all major anti-virus programs.

    eTrust and McAfee caught it. Symantec sort of half-caught it.

    All the others, including NOD32, failed to detect the zero-day exploit sample.

    No one should expect their anti-virus to protect them from this one, and that's a point you have to get across to friends and family. I already have one family member having to reinstall XP from scratch."

    Huffie

  4. The NOD32 story is even weirder than Huffie let on.

    First off, it was VERY dependent upon which variation of the first generation exploit you encountered. Some others had the same problem. Everyone seems to have fixed that early on.

    Before the signature updates started being issued for NOD32, the heuristic engine is known to have picked up at least two of the exploits during a safe mode scan of XP SP2 by a tech at our local Best Buy. He submitted an example to ESET and was later told exactly what it was via email.

    AV has been a mixed blessing on this one. Better to have it than not, but many of the companies did not keep up with the extremely fluid situation.

    Jack

  5. Huffie 4:08 PM

    "Better to have it than not, but many of the companies did not keep up with the extremely fluid situation."

    I agree Jack. Of course, the problem is that this thing goes to the core of Windows, and back into code from the "dark ages" before the internet.

    Here's an interesting one for all of you though. I have tested several of the WMF exploits on a fully patched Win98se system with the AV off (wheee!!!)

    The result. Nothing. That's right, nothing. The exploit opens but not a lot happens. For example, exploits written to, say, crash IE and open Calc.exe do neither.

    It should be noted that the test Win98se system does not have the .DLL that seems to cause the main problem (shimgvw.dll). It wasn't deleted; it just was never on the system to begin with.

    I'm beginning to wonder if Win98 machines may be "sort of" in the clear. It could be that an exploit will work in Win9x only if specifically crafted for Win9x.
