whoops... :D
A temporary WMF Exploit patch is available. Started reading about it on Steve Gibson's site:
Security Now
http://www.grc.com/sn/notes-020.htm
More about this WMF Patch can be found on the author's site (Ilfak Guilfanov):
Windows WMF Metafile Vulnerability HotFix
http://www.hexblog.com/2005/12/wmf_vuln.html
Ilfak has also written a little utility named:
WMF Vulnerability Checker
http://www.hexblog.com/2006/01/wmf_v...y_checker.html
Tip: For those of you that have used the CMD:
regsvr32 -u shimgvw.dll
you can now run the CMD:
regsvr32 shimgvw.dll
to restore the "Thumbnail" view in Windows Explorer and Windows Image and FAX viewer.
There's unconfirmed talk that this one runs all the way back to Windows 3.0.
If that's true, and Microsoft stick to their support policy, everyone out there running stuff earlier than Windows 2000 had better start to think about an upgrade.
Both the Internet Storm Center and F-Secure have endorsed Ilfak Guilfanov's unofficial patch (posted above).
MSNBC: Windows PCs face 'huge' virus threat
http://msnbc.msn.com/id/10684853/
Everything that I have read says that Ilfak Guilfanov's patch works and it's recommended by everyone.
My question is, someone who has been affected by this exploit, will running the patch solve his problem? I would think so, but I am not 100% sure.
No, the exploit isn't a virus and doesn't contaminate your system. What it does is take advantage of a flaw in Windows that will allow a hacker to take over your computer. Once you plug that hole, I think you are safe (unless someone tells me otherwise). You would not need to format your computer.
Quote:
Originally Posted by imadreamer2
usil, from all that I've read, I know of no evidence that the exploit is fixed with the patch if someone already caught it. Nothing has been stated that it would clean an infected system.
Quote:
Originally Posted by usil
I disagree. I think this patch plugs the vulnerability, not allowing hackers to take advantage of the flaw and hack your computer. But I will research it in more depth.
Relying on DEP is no good:
http://castlecops.com/a6446-Update_on_WMF.html
Quote:
"We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files."
I wrote this in another thread, here it is again.
Regarding whether the patch will fix the exploit of someone who is already affected by it, the answer is yes. It will plug the vulnerability, but it won't get rid of the malware. What happens is, your computer is affected by the exploit, allowing rogue anti-spyware programs to install themselves on your computer without asking you. So the patch will plug the hole, not allowing anything else to get installed by remote, but you would still have to get rid of the rogue anti-spyware malware using the conventional methods (HijackThis etc.).
Thanks for the clarification...:)
Microsoft's WMF patch is available early ... get it now.
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Published: January 5, 2006
http://www.microsoft.com/technet/sec.../ms06-001.mspx
Note: If you have Automatic Updates enabled, it will install automatically:
https://discussions.virtualdr.com/im.../2006/01/5.gif
About time. Thanks!
No problem. :)
Ran the checker at home and it said I wasn't vulnerable, tried installing the patch and couldn't.
Using mainly WinMe and Win98Se at home and I see from the MS link that it only affects Win2000, WinXP and Win2003.
I knew there was a reason I haven't upgraded to XP. ;)
Actually, it has been reported that this OS code vulnerability problem goes all the way back to W95. Since Microsoft no longer supports any W9x systems, maybe this is the reason that this fix will not work on those systems. Or maybe there is another reason as to why this vulnerability does not affect W9x systems.
Linda