New Windows Metafile (WMF) 0-day exploit in the wild - Page 2

Thread: New Windows Metafile (WMF) 0-day exploit in the wild

  1. #16
    Join Date
    Dec 2002
    Location
    Hollywood Beach, FL, US
    Posts
    270
    whoops...
    Last edited by keywester; January 1st, 2006 at 03:43 PM.

  2. #17
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

    WMF Exploit: Temporary Patch Available!

    A temporary WMF Exploit patch is available. Started reading about it on Steve Gibson's site:
    More about this WMF Patch can be found on the author's site (Ilfak Guilfanov):
    Windows WMF Metafile Vulnerability HotFix
    http://www.hexblog.com/2005/12/wmf_vuln.html
    Ilfak has also written a little utility named:
    Tip: For those of you that have used the CMD:
    regsvr32 -u shimgvw.dll
    you can now run the CMD:
    regsvr32 shimgvw.dll
    to restore the "Thumbnail" view in Windows Explorer and Windows Image and FAX viewer.

  3. #18
    Join Date
    Feb 2001
    Location
    Adelaide, South Australia
    Posts
    6,447
    There's unconfirmed talk that this one runs all the way back to Windows 3.0.

    If that's true, and Microsoft stick to their support policy, everyone out there running stuff earlier than Windows 2000 had better start to think about an upgrade.
    Safe computing is a habit, not a toolkit.

  4. #19
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Both the Internet Storm Center and F-Secure have endorsed Ilfak Guilfanov's unofficial patch (posted above).

    MSNBC: Windows PCs face 'huge' virus threat
    http://msnbc.msn.com/id/10684853/

  5. #20
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    Everything that I have read says that Ilfak Guilfanov's patch works and it's recommended by everyone.
    My question is, someone who has been affected by this exploit, will running the patch solve his problem? I would think so, but I am not 100% sure.
    Quote Originally Posted by imadreamer2
    If you have your hard drive partitioned into two or three partitions and you would happen to get hit would you need to format all three partitions or just the c drive? Just in case, it would be nice to know.
    No, the exploit isn't a virus and doesn't contaminate your system. What it does is take advantage of a flaw in Windows that will allow a hacker to take over your computer. Once you plug that hole, I think you are safe (unless someone tells me otherwise). You would not need to format your computer.
    Last edited by usil; January 4th, 2006 at 05:12 PM.

  6. #21
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    Quote Originally Posted by usil

    My question is, someone who has been affected by this exploit, will running the patch solve his problem? I would think so, but I am not 100% sure.
    usil, from all that I've read, I know of no evidence that the exploit is fixed with the patch if someone already caught it. Nothing has been stated that it would clean an infected system.

  7. #22
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    I disagree. I think this patch plugs the vulnerability, not allowing hackers to take advantage of the flaw and hack your computer. But I will research it in more depth.

  8. #23
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    Relying on DEP is no good:
    "We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files."
    http://castlecops.com/a6446-Update_on_WMF.html

  9. #24
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    I wrote this in another thread, here it is again.
    Regarding whether the patch will fix the exploit of someone who is already affected by it, the answer is yes. It will plug the vulnerability, but it won't get rid of the malware. What happens is, your computer is affected by the exploit, allowing rogue anti-spyware programs to install themselves on your computer without asking you. So the patch will plug the hole, not allowing anything else to get installed by remote, but you would still have to get rid of the rogue anti-spyware malware using the conventional methods (HijackThis etc.).

  10. #25
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    Thanks for the clarification...

  11. #26
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Microsoft's WMF patch is available early ... get it now.

    Microsoft Security Bulletin MS06-001
    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
    Published: January 5, 2006

    http://www.microsoft.com/technet/sec.../ms06-001.mspx

    Note: If you have Automatic Updates enabled, it will install automatically:


  12. #27
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    About time. Thanks!

  13. #28
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

  14. #29
    Nix is offline Aka: Nix*, NNiixx, Nix23
    Join Date
    May 2001
    Location
    Sydney, Australia
    Posts
    8,255
    Ran the checker at home and it said I wasn't vulnerable, tried installing the patch and couldn't.

    Using mainly WinMe and Win98Se at home and I see from the MS link that it only affects Win2000, WinXP and Win2003.

    I knew there was a reason I haven't upgraded to XP.

  15. #30
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Actually, it has been reported that this OS code vulnerability problem goes all the way back to W95. Since Microsoft no longer supports any W9x systems, maybe this is the reason that this fix will not work on those systems. Or maybe there is another reason as to why this vulnerability does not affect W9x systems.

    Linda
