Critical Impact: Windows Metafile Flaw a Zero-Day Exploit

 
 
By Lisa Vaas | Posted 2005-12-28
Updated: Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of si

Microsoft Corp. has issued a security advisory for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) that is now being exploited on fully patched systems by malicious attackers. Websense Security Labs is tracking thousands of sites distributing the exploit code from a site called iFrameCASH BUSINESS. That site and numerous others are distributing spyware and other unwanted software, replacing users' desktop backgrounds with a message that warns of spyware infection and prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.
Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.
In this fluid attack, researchers have kept up a steady stream of new details about the extent of the exploit's reach, with Google Desktop being the latest reported vector. F-Secure reported on Wednesday that Google Desktop tries to index image files containing the exploit, executing it in the process. F-Secure reports that this exploitation-via-indexing may wind up occurring with other desktop search engines as well. Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or removing Google Desktop altogether.
A workaround called REGSVR32 has been posted and was included in Microsoft's advisory. However, it should be noted that as of Thursday evening, some security researchers were reporting that the workaround is not fully successful. The workaround is as follows, as quoted from the advisory:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start and then click Run. Type the following command: REGSVR32 /U SHIMGVW.DLL. Click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
  • Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

F-Secure notes that this workaround beats filtering .wmf files, given that files with other image extensions, such as BMP, GIF, JPG, JPEG, TIFF, etc., can be used to exploit machines. F-Secure also recommends filtering domains at corporate firewalls, and has published a list of the sites that should be treated as off-limits.
F-Secure notes that it's seen 57 versions of this malicious .wmf file exploit as of Thursday, detected as PFV-Exploit. The security firm is predicting that, even though the exploit has only been used to install spyware or fake antispyware/antivirus software thus far, real viruses will start to spread soon. According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions. "This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image." According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.
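As an added example (not code from the article, from F-Secure or from Microsoft's advisory), the following PowerShell script applies the advisory's Shimgvw.dll un-registration workaround, verifies the result by checking whether any CLSID's InprocServer32 entry still loads shimgvw.dll, and can undo it. It assumes an elevated Windows PowerShell session and the %windir%\system32\shimgvw.dll path the advisory names; the registry scan is this example's own check, not part of the advisory.

```powershell
# Added example: apply, verify and undo the Shimgvw.dll workaround.
# Assumes an elevated session; regsvr32 registration changes need admin rights.

$ShimgvwPath = Join-Path $env:windir 'system32\shimgvw.dll'

# regsvr32 records in-process COM servers under HKCR\CLSID\{...}\InprocServer32.
# If any entry still points at shimgvw.dll, the viewer is still registered.
function Test-ShimgvwRegistered {
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $hits = Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $server = "$($_.PSPath)\InprocServer32"
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match 'shimgvw\.dll$') { $_.PSChildName }
        }
    }
    return (@($hits).Count -gt 0)
}

function Disable-PictureViewer {
    # Equivalent to the advisory's "REGSVR32 /U SHIMGVW.DLL"; /s suppresses the dialog box.
    $p = Start-Process regsvr32.exe -ArgumentList '/u', '/s', "`"$ShimgvwPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 /u failed with exit code $($p.ExitCode)" }
}

function Enable-PictureViewer {
    # Equivalent to the advisory's undo step: regsvr32 %windir%\system32\shimgvw.dll
    $p = Start-Process regsvr32.exe -ArgumentList '/s', "`"$ShimgvwPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }
}

# Usage: apply the workaround, then confirm no CLSID still loads shimgvw.dll.
Disable-PictureViewer
if (Test-ShimgvwRegistered) {
    Write-Warning 'shimgvw.dll is still registered as an in-process COM server'
} else {
    Write-Output 'Workaround applied: shimgvw.dll is no longer registered'
}
```

A clean registration check only confirms that the viewer's COM registration is gone; as the article notes, some researchers reported the workaround is not fully successful, so the check does not prove that every path rendering WMF images is closed.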



Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.