December 28, 2005
New zero day exploit seen in the wild
Posted by Suzi Turner @ 9:45 pm
... a new exploit that affects fully patched Windows XP SP2 machines. Landing on an infected web page can set off the exploit with no user interaction. Firefox and Opera do not prevent this exploit but should prompt the user first. SecurityFocus calls it: Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability
Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.
Sunbelt researchers have collected more than 50 variants of the WindowsMetafiles (WMF) and documented a number of domains running this exploit. Email, blog talkbacks, guestbook links, all could be used to spread this infection. ... F-Secure also says Google Desktop's indexing of metadata of image files can cause the infected file to execute, and gives this warning:
Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.
...
Workarounds have been posted at SunbeltBLOG. (
http://sunbeltblog.blogspot.com/2005...f-exploit.html)
...
Reply With Quote
