Potential new unpatched IE exploit ? ~ Yes...may affect other Browsers also...

Websense Security Labs ^ | Dec 28 2005 11:19AM | Websense Security Labs Blog Staff

[Ernest_at_the_Beach]

Washington Post also comented on this here:

Exploit Released for Unpatched Windows Flaw

[Ernest_at_the_Beach]

Another one.....

[Ernest_at_the_Beach]

From the Washington Post an excerpt:

According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program (on) fully patched Windows XP SP2 machines. The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.

[sigSEGV]

I don't understand why they keep calling this a browser exploit. It is strictly a Windows exploit. How the malicious WMF file is downloaded is irrelevant.

[LasVegasMac]

This application prompts the user to enter credit card information in order to remove...

What? Your not supposed to enter your info?

LVM

[Ernest_at_the_Beach]

Some Detail here:

December 28, 2005
Malicious Website / Malicious Code: Zero-day IE .WMF Exploit

************************************************************

A screen....

***********************************************

[Ernest_at_the_Beach]

This one may fool some people!

[Company Man]

A simple way of dealing with this until the patch is released is to change the .WMF file type to invoke something other than Windows Fax and Picture Viewer until this issue is resolved.

[Lokibob]

AVG finally removed the virus from my computer.( I think).

I quit using ie because of that virus, downloaded firefox. It looks like the new AVG download takes care of winfixer 2005.

[hiredhand]

Ping!

[Ernest_at_the_Beach]

Below is an attached video of a machine being infected with all the components. As you can see several pieces of Potentially Unwanted Software (P.U.S) are installed and by simply viewing the MWF image you are infected without a prompt or warning screen.

This is an example of how P.U.S. (AKA "Greyware") vendors are using known and unknown exploits combined with deception to install code.

http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

[newcthem]

Hope it works for you........I got this crap with Firefox.

[Unrepentant VN Vet]

Not only "strictly a Windows exploit", but apparently also limited to XP w/ SP2.

I guess I'll just have to turn my new firewall settings up another couple of notches (I'm running 2000 Pro SP5), knock off surfing for a bit and go shut off my daughter's XP setup. (Lord, I'm tired of debugging that computer!!)

[Lokibob]

I got it by using "save image as".

Now im upset that firefox can bring it back.

Try AVG free virus killer. It can't hurt, anyway.

[MediaMole]

This has been building for a month or so.

I'm beginning to think that the best option for most people would be a dual-boot system with Windows and Linux. Run Windows for the gaming and the applications that aren't available on Linux and run Linux for internet browsing, e-mail, etc.

Another option is to use a cheap machine solely for the net and keep the important computer off the net or behind a secondary firewall -- only using the net for system updates and browsing extremely trusted sites.

[Ernest_at_the_Beach]

More detail:

Microsoft Windows WMF Handling Arbitrary Code Execution

***********************

Microsoft Windows WMF Handling Arbitrary Code Execution

Secunia Advisory:	SA18255
Release Date:	2005-12-28
Critical:	Extremely critical
Impact:	System access
Where:	From remote
Solution Status:	Unpatched
OS:	Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows XP Home Edition Microsoft Windows XP Professional
	Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it.
Description: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer. NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected. Solution: Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.

[Ernest_at_the_Beach]

I've been saying that for awhile also....not many people listening though!

[flashbunny]

or if you're just using your computer for web, email, mp3s, photos, etc. Get a mac mini for $500 and stop worry about all the spyware and viruses.

[Reaganwuzthebest]

I'd imagine Javascript/ActiveX would need to be enabled for web sites to exploit the bug in IE but it doesn't say other than unregistering shimgvw.dll. That file doesn't even show up in Windows 98SE so I'm not sure if that OS is vulnerable, it appears to be XP and Windows 2003 Web Server only.

[hiredhand]

Yep...I run Debian Linux. Win-XP runs in VM-Ware on my workstation. I never touch the net with XP.