Another one.....
According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program (on) fully patched Windows XP SP2 machines. The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.
I don't understand why they keep calling this a browser exploit. It is strictly a Windows exploit. How the malicious WMF file is downloaded is irrelevant.
What? You're not supposed to enter your info?
LVM
A simple way of dealing with this until the patch is released is to change the .WMF file type to invoke something other than Windows Fax and Picture Viewer until this issue is resolved.
Ping!
Microsoft Windows WMF Handling Arbitrary Code Execution
I'd imagine Javascript/ActiveX would need to be enabled for web sites to exploit the bug in IE but it doesn't say other than unregistering shimgvw.dll. That file doesn't even show up in Windows 98SE so I'm not sure if that OS is vulnerable, it appears to be XP and Windows 2003 Web Server only.
Start - Run - regsvr32 /u shimgvw.dll
If people would just read the screen they would not go much further. Bad grammar and misspelled words (see the screen shots above) should tip you off that you shouldn't click there.
We do computer repairs - it amazes me the number of people who bring their computers in every month (and pay us 49 bucks) to get this crap removed. They click and download EVERYTHING! If it's free it MUST be OK!
We take in at least 490 bucks a week for this stuff.
Some folks just never learn or they don't want to learn.
Of course I am assuming that people who own computers will be able to determine bad grammar and misspelled words. Maybe I give too much credit....
bttt
More from Beta News:
'Really Bad' Exploit Threatens Windows
By Nate Mook, BetaNews
December 28, 2005, 1:30 PM
A new exploit has been discovered in the wild that affects fully patched Windows XP SP2 systems, according to reports by security firms F-Secure and Sunbelt. The malicious code takes advantage of a vulnerability in the WMF graphics rendering engine to automatically download and install malware.
WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.
Microsoft previously fixed a vulnerability affecting WMF and EMF files in November. That problem affected Windows 2000, XP and Windows Server 2003.
"We have a number of sites that we have found with this exploit. Different sites download different spyware. We only had a handful of websites using this new exploit but now we are seeing many more using this to install bad stuff. These image files can be modified very easily to download any malware or virus," said Alex Eckelberry, CEO of Sunbelt Software.
"I hit one site with a fully patched XP system last night and it was pretty intense -- it went right through and infected my machine."
F-Secure's Mika Pehkonen warned that, "Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch." The company is detecting the offending WMF files as W32/PFV-Exploit.A, .B and .C.
"Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file," Pehkonen added.
Microsoft has been notified of the issue and it could opt to issue an emergency patch, apart from its standard Patch Tuesday security bulletins. "We expect Microsoft to issue a patch on this as soon as they can," says F-Secure.
Sunbelt's Eckelberry echoes that sentiment: "Folks, I've seen it with my own eyes and this is a really bad exploit. Be careful out there."
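The article above says a malformed WMF image reaching SHIMGVW.DLL is enough to run code. The record the 2005 files abused was the META_ESCAPE record carrying the SETABORTPROC escape code; that detail is not on this page but comes from the public analyses of the time. Below is an added example, not code from this thread or from any of the vendors quoted: a Python scanner that walks the WMF record stream and flags that record, run over constructed sample files (the samples contain only record framing, no payload).

```python
import struct

# WMF constants from the [MS-WMF] format specification.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape code abused by the 2005 exploit

def scan_wmf(data):
    """Walk a WMF blob's records; empty list means clean and well-formed."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                          # skip the placeable header
    if len(data) < off + 18:
        return ["truncated META_HEADER"]
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        findings.append("unexpected META_HEADER values")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                # every record is at least 3 words
            findings.append(f"bad record size at offset {off}")
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            escape = struct.unpack_from("<H", data, off + 6)[0]
            if escape == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}")
        off += size_words * 2             # record sizes are in 16-bit words
    else:
        findings.append("no META_EOF record before end of data")
    return findings

def build_wmf(records):
    """Constructed fixture: wrap raw records in a minimal disk-WMF header."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    max_record = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_record, 0)
    return header + body

# Constructed samples: a harmless map-mode record versus the bare escape record
# a signature-based scanner keys on.
BENIGN_SAMPLE = build_wmf([struct.pack("<IHH", 4, META_SETMAPMODE, 8)])
SUSPICIOUS_SAMPLE = build_wmf([struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)])
PLACEABLE_SUSPICIOUS = struct.pack("<I", PLACEABLE_MAGIC) + b"\x00" * 18 + SUSPICIOUS_SAMPLE
```

A file-scanning mitigation like this complements the regsvr32 unregistration mentioned earlier in the thread: it can run on a mail gateway or proxy where the viewer DLL is not in play.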
ping
What if you turn off your spyware detection alert?
Ping to those who haven't discovered it yet.