Microsoft patch for WMF flaw to be released Jan 10

[+M2Ys4U Subscriber¹]

indeed, if an infected image made its way into an advert distrobution service then bang, so many people could be effected

[viciv]

WindowsXP-KB912919-x86-ENU.exe is out and it is working fine on my computer.

thanks jcbeyond for the info :)

[yisman]

Better late than never I guess :p

It only takes common sense to avoid the vulnerability. Firefox will ask you to download and run the dodgy .wmf, and other browsers probably do too. It's only IE that will automatically run the file...but IE users deserve to get exploited anyway.

That's great. :rolleyes: Some of us are actually anti-spyware and anti-viruses, and don't want to see anyone get infected. The fact is, most people use IE, and I hardly blame them. It came with the OS.

Plus, Firefox has plenty of its own problems, as I've noticed.

indeed, if an infected image made its way into an advert distrobution service then bang, so many people could be effected

Exactly. :yes:

That's why I think this is so critical.

[_Pablo]

The WMF problem isn't actually an exploit as such (as in a buffer overrun etc) it's actually working the way it was supposed to. WMF files can contain code which is automatically executed if WMF rendering fails. So you just make a corrupt WMF file which you know will fail to render and then add your code to the abort procedure within the WMF file. A WMF file can be renamed to just about anything and IE or Windows Explorer will look at the contents to determine the file type, so any file could be suspect.

Now because it's simply a valid WMF file, anti-virus programs can't go simply quarantiening every WMF file so it needs to scan the payload and if someone creates a nasty worm with enough variants quickly enough then AV isn't going to be able to update it's definititions quick enough to keep up with the releases of the variants - hence AV isn't enough and a patch is required.

Now then, if MS have said it'll be a week before an official patch is available then that will surely act as a red rag to all those who would exploit this hole - the message is to get your spyware/virus/worm out within the week and enjoy are a very large vulnerable audience! If you were particularly set on maximum infection imagine a variant that targetted web content - you get the virus and it starts hunting down any JPEG files in the same folder or subfolders as .html/.htm/.php/.asp etc and infects one or two of those JPEG files - if you are lucky malicious fellow or fellowette you could find your way onto lots of web servers and make a big tasty worm for dinner!

[Schmoove]

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

The public awareness you talk about is an utopia and therefore a nice thing to strife for, but not a solution.

There are always people who "don't know"..... and therefore the problem remains.

If everbody in the world used condoms we wouldn't have aids.... but not everyone does. Not everybody likes condoms, not everybody knows how to properly use it, not everyone has access to condoms.

Public awareness is not a full-proof solution.

[ichi]

The WMF problem isn't actually an exploit as such (as in a buffer overrun etc) it's actually working the way it was supposed to.

Indeed. It's a nasty desing flaw that has been there for what... 10 years?

[Jon]

To the people claiming that they've always assumed images are safe... did you miss the JPEG rendering vulnerability that appeared as MS04-028? Remember the fun trying to identify all GDI32.dlls?

This was in September 2004, so if you've been keeping up you should have stopped blindly trusting image files quite a while ago ;)

[Dukeicon]

You might've read elsewhere about the Windows Meta File (WMF) vulnerability discovered on December 27th. It didn't last long at all for the first worm exploiting it to make its debut on MSN Messenger.

The worm spreads using a link to a file named xmas-2006 FUNNY.jpg. The image is in fact an HTML page linking to a malicious wmf file (Exploit.Win32.IMG-WMF), which will download and execute a vbs file which is detected as Trojan-Downloader.VBS.Psyme.br... which in turn will download an Sdbot (Backdoor.Win32.SdBot.gen). Are you still following?

Source: Mess.be

[Grope for Luna]

Beta version here:

http://www.proantivirus.com/ftp/WindowsXP-...919-x86-ENU.zip

Info

http://www.proantivirus.com/en/viruses/vir...tail.php?ID=554

Delete if this is against any rules.

[Banzai]

To the people claiming that they've always assumed images are safe... did you miss the JPEG rendering vulnerability that appeared as MS04-028? Remember the fun trying to identify all GDI32.dlls?

This was in September 2004, so if you've been keeping up you should have stopped blindly trusting image files quite a while ago ;)

Missed that one, did the patch come out before the exploit for that one though?

[Slimy]

It's a little disturbing that MS isn't moving more quickly here. This is a key vulnerability.

Would you have rather them releasing a patch that didn't work for all or caused something else to **** up? They can take as long as the want, as long as it works. I'm not an idiot who visits warez/porn sites all the time :pinch:

[amrinders87]

Since my last post I've gone and rearched this. Interesting stuff, but again this still comes down to public awareness though. Who many 'normal' users open every email they get? I'd say at least the majority, which is why they need to be tought if you don't know the sender or if the email is suspecious, don't open it.

Exaclty. People make these stupid mistakes and then blame Microsoft. I have yet to be infected by viruses, spyware/adware eve since I learned about this stuff.

Edited January 5, 2006 by amrinders87

[ichi]

Would you have rather them releasing a patch that didn't work for all or caused something else to **** up? They can take as long as the want, as long as it works. I'm not an idiot who visits warez/porn sites all the time :pinch:

You don't need to browse warez/porn sites, as I said earlier there're already "trusted" sites with this wmf exploit embeded. It might be even possible to attach a rigged wmf in this forum, disguised as jpg.

[Jon]

Ichi that's something I've been pondering at work the past few days. People trust forum content without question. Sticking it as a users avatar or sig, or even just in a 'January Desktops' thread woulbd be painful but short lived...assuming you can get hold of the admins.

Hitting adverts on the front page would be far more effective.

[cep_head]

Beta version here:

http://www.proantivirus.com/ftp/WindowsXP-...919-x86-ENU.zip

Info

http://www.proantivirus.com/en/viruses/vir...tail.php?ID=554

Delete if this is against any rules.

anyone know how real this is?

could this patch have leaked like most other ms beta stuff or should one wait?

just wandering since this is such a big deal and all.

[McoreD]

WindowsXP-KB912919-x86-ENU.exe is out and it is working fine on my computer.

thanks jcbeyond for the info :)

Unfortunately this doesn't work with Server 2003. So have to wait till Jan 10th.

[Alexandre]

Official Security Update:

Windows XP

http://www.microsoft.com/downloads/info.as...layLang%3dpt-br

Windows Server 2003

http://www.microsoft.com/downloads/info.as...layLang%3dpt-br

Windows 2000

http://www.microsoft.com/downloads/info.as...%3fFamilyID%3da

[yisman]

Would you have rather them releasing a patch that didn't work for all or caused something else to **** up? They can take as long as the want, as long as it works. I'm not an idiot who visits warez/porn sites all the time :pinch:

No, they can't take as long as they want. Every day they wait, hundreds of people get infected.

I think they just put out a patch, which is good.

You don't need to browse warez/porn sites, as I said earlier there're already "trusted" sites with this wmf exploit embeded. It might be even possible to attach a rigged wmf in this forum, disguised as jpg.

:yes: Exactly.

[BiGdUsTy]

This patch is on windows update right now.

[Skeeterific53]

http://www.microsoft.com/technet/security/...n/MS06-001.mspx

Patch Release.