Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Critical Impact: Windows Metafile Flaw a Zero-Day Exploit



 By: Lisa Vaas
2005-12-28
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Critical Impact: Windows Metafile Flaw a Zero-Day Exploit
  2. ' '

Rate This Article:
Poor Best
Critical Impact: Windows Metafile Flaw a Zero-Day Exploit
( Page 1 of 2 )

Updated: Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of siMicrosoft Corp. has issued a security advisory for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) that is now being exploited on fully patched systems by malicious attackers.

Websense Security Labs is tracking thousands of sites distributing the exploit code from a site called iFrameCASH BUSINESS.

That site and numerous others are distributing spyware and other unwanted software, replacing users desktop backgrounds with a message that warns of spyware infection and which prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.

Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.

In this fluid attack, researchers have kept up a steady stream of new details about the extent of the exploits reach, with Google Desktop being the latest reported vector.

Resource Library:
F-Secure reported on Wednesday that Google Desktop tries to index image files with the exploit, executing it in the process. F-Secure reports that this exploitation-via-indexing may wind up occurring with other desktop search engines as well.

Google had no immediate comment. To avoid the problem, security experts suggest disabling the features indexing of media files, or to remove Google Desktop altogether.

A workaround called REGSVR32 has been posted and was included in Microsofts advisory. However, it should be noted that as of Thursday evening, some security researchers were reporting that the workaround is not fully successful.

The workaround is as follows, as quoted from the advisory:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start and then click Run. Type the following command: REGSVR32 /U SHIMGVW.DLL. Click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.

  • Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

    F-Secure notes that this workaround beats filtering .wmf files, given that files with other image extensions—such as BMP, GIF, JPG, JPEG, TIFF, etc.—can be used to exploit machines.

    F-Secure also recommends filtering domains at corporate firewalls. These sites should be listed as off-limits: toolbarbiz[dot]business

  • toolbarsite[dot]biz
  • toolbartraff[dot]biz
  • toolbarurl[dot]biz
  • buytoolbar[dot]biz
  • buytraff[dot]biz
  • iframebiz[dot]biz
  • iframecash[dot]biz
  • iframesite[dot]biz
  • iframetraff[dot]biz
  • iframeurl[dot]business

    F-Secure notes that its seen 57 versions of this malicious .wmf file exploit as of Thursday, detected as PFV-Exploit. The security firm is predicting that, even though the exploit has only been used to install spyware or fake antispyware/antivirus software thus far, it anticipates that real viruses will start to spread soon.

    According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.

    "This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelts blog. "You can get infected by simply viewing an infected WMF image."

    According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.

    Next Page: Researchers trace exploit to Russia.





      Reader Comments: Critical Impact: Windows Metafile Flaw a Zero-Day Exploit
    >>> Be the FIRST to comment on this article!
     


     
     
    >>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
     


    • x}r㶲s\@♵M=ҔlcؖI*EBc")JN~b:?qtMJ=gq2Kht7F;?{{~$rȥklJ'{>D{{}.`So92p=z#m)>M3ȩ 5w5Gl&r{'At=NN5%cjA]k&#{F}_&2z5o0 fE1;F}9D@~5{ss!&2}<K;=$?*B#]2HXަðuɷ~{Xd;YBT|HJk4ًʏᐨqGOad^x/4;U'iS[wSա(v2%v+n /@Z#\DȁYRh=3d#7t#25ARZ@[4HmCc`pm׃) TQ3C}bݳt#Գu|ף&Z!&$f v?ǭ QI&qO-%F^yy̧ u"˭Uֶg5^q7ܙcgtZEؘ*ozcn1LjX=:/yӝfؖqwh ݑJ5(GJ\S#罨}m˙=ZӼNϿt/iR^ϯs$Qw;wܖu`*.'7nG:ZA\`'H|'[oDR*rP8$ȇ¤;|5 P%oJV4E; KHR ӘS$hICF/XTU![ǽSҺnoNΏoڭ3$oIJ5<JEӀH Zzb"=[W۳KiK:7}")|vg5MP\̱8ڪV׏`Kė6O^ljM[CyC0-ߕRMRs~8>_8Z/'$'mDO{_ `HBi۲ܺʑ\ yɽaXY|Dͼ94o o$E@;- u +Uko:`Kc7 t$u_ϝ5Hr Ca)#p?c݃EpJq䰉kYSl \o4x M2Xʅ U >hI,E[!fLK$o# yf\B(PHQ&NUIR]E6\a>PY?vwܬ,U$*Դ޹-~4Ң[sQ}iuOnK/364>pX.B2iK1.pJ۫Z\U*%(YRS_* rϏM[ԑApl uu~L>(NP'}2= 5٤>'>D#ʠ:괱\Vc4@!D&M`Ah>[W l= sX¤>$քzNJ$nh-DCwMPIeg!@uOAL΃bromM~ҁ4}мa yjS?!Tfgg,zu= | w)Gk:GT[-[X6x G͙A }RN\Qo@Ч dQJ ds4.'P(BHP!9k \99 łP^KHX-Zp։p (=HpGn_-KEs㕰TL飲B ^/_ 2[3CE外ɴa6"[9yDU#BU`B]ᛦLMam`DݞrA+żMCFqI\ZUj@5YQ%[gCa3#A' f߄#&SXhƏT E Bf 'KhWf3&ᠸN4Sy%2KXհݙ6|bҳ%=?p)J.C_kUzqroc* s%rG|增5 JxP?3LeDf{oMʒJ2畔UInY(hJSIդ LyO)nEcwBQm㔜Ġ;F]S9tNִ/NJd-Yhވյ݋$a/gsP*ouR@[FޒymE[Zu;Hi K-CAsB`}.E:G7dJ Ւxڇ]{gТuXjrA71 Kۊ7q}4EiZ\-ssV84@ r; poIN*V*g3SĝzP\"ҝz}@nzStgOچhpc׏pJa1e.6BSbg`m1LL=F˸iBqmX@XR@GS\KמO,n,{KYkyOّRB|vj XZڇa*Ϩfl:l=_>wļZB_wa՚o&rI)jy#lq-Zʠby>dcMWѹr='Ks:EZ"3 _npf Z*"&~~~049 Kg>f}4~Bn)p*L>Bmfw`lrG#JREu ج{ Qքa'M}tcyy~V>Ѐ!as`E . ZK DrAa T+c..'7].D 6~Î'"%t1ڥs!b*/W+g \|;OgjZ(T+1:ʪZJkVv2o{ѷzpY-w^_>^Z3;|d2,` |LZ<|˰#U` |BZUPQ"+ȣY vx WMUp`wyv4>t@qDR `j@$p LM{6jJvg `\練~,pO$+yZD]bRXEG?znqmM)D{p)?F]S؇Qgm/ RU *~mڧu^ߜ%]pHA М'#8CMA;eZS4xn |:Ra{ތ9"zfnހWIJ(L\,Qi}gשgS!'܎0sԵиdNsl s \'!k̀X'v-7Y4Pp2Z]*WlUVj嬕Vwr½: ߀*?\qca#2"s=?_lVa%lwN:"WA ұg /3_wj<]~oL4>J>hG2cdQHVz 4g2<]c>q?/c~h)T"l߸X,W̑'^`SZ>2>lz tq:tFU4*H!I?랪Q Quzd*+ZR> +8r9-h2+#4+}a n? 1wTIV+Gs;Ÿʊg b|p}6'G{zt(j>eWԄƸ2;b9[FIdiyV}m4eP$6Pq'$X˴I> O wA*}7*\FIvSITTzogMWT~ZUuUI䦳T.jZl[)Uʹf>"iq?C@! H\}TK(,~w9ـo |\V*Zd>C`t>X86 #"Ԅ֟; ˕~W?l)ɁHHD>D^kF{ynxB gz Dssb^f>Q*o[/Ix]S0:_ 3ax e#$hQ²}w>Ǝ:W=yپ|LXWm_wu;WuXyEG߫KKxVq/RCR:"iMթԾl~h[,/LhdN\I1>`d˙]=/bo F]z孀 wzΥsټо_>\tn%#rѾjI^zkQ\#gRꐅG!pUV&fSڎ6N #Z[=80K-T_p@ښҹ9mpbAkNZ _k5Wy.'7,e8Z;ᘝW_a[,$"0.tWtr}}E9l{B*q^_4?G2sE1^SF(+bK)"$DY |EiM_f bt8Din_ 4~ y*~y:~4~OK0wfIb^+f+ƭՓN۟H‐ Nv}hq_,@#ppFPxc`sA\|jeԉ(%T \ '{-~=w`RvPR)&\z*I;ɰ˼ ݖ6p 9G 2)!MN]F0RL PlO&y=%lQ1 i(KBi%lbTH{RoO{ݼ4<1ޥ]WxvImc%1fcg[e c KQk I"\) -|8SB[,H T䵤 W[YgUH.~B/R L8)Dz@0PH吜ZC>j^w&Zyr@g?KظN*4bl_@ݮnaeѼ̱nf ~{OjК}NFxDucLA95'~t1޶a ~] js7Ž&n[ eȥG֛q="~o'w.z@z@Px~YnIU9<|M--^Ss>\Eu@OKtG]_Q{O{쭐ki\hdS֛12~!u'Ldј@.lvx6tY~'AXy VorH9w@rq&c/$`-ݺܭ1³D`GHA|G˩gA km9ntBqVE0p1-%8\bulE;cCƓdǟ۲&ZP|=ߎ93{K4j p_r w^  ߅?@՞ ' 2>Xl_2d]'G//6M&7K.n;(  yg?o=Nm›wYK% ,Co 0%"6RSItYī1%^F-L#GP;#^~)xA`/:G3H IRY^*ܡ{>zCx94;.6шb;`9|'Cv$cuUydAE~t w q~␉ ShE^+%&W+xF?n7=>`įz6C&T> ?; j=NʥANt'E @[NƉm5BAŤR0!R^:Ǘ=^^Q[O@g"B.ic-c&4kjʂ?4s6L"̩!H I" v4%$Dm/?%yذ$&oetOS~v&Qכ~"chBVY2~Vp$C$VQt=!X $4Pi'zI*m֕nf }m$ݗn/B.0ܠ/ug쁈, FtC_LȢDye"be]JD>eIQ%-_|n(GֺmJ5MTT%bP) ,BG@^%펋 Oz v- ߖJ/N["aN02$_jY u/AV3LUDxgHE[OEحV5tD=QQih'~V1#DZDT|]i6j뉯|Ac'/}ZNƞ;ҵ=C vKԪժ6@R `AN @LD[U~'b\)MYG,pk*.l oooo֯okմ>˫0WI r.MKesP|T0a*rNi_g}fTiNr~֧vV`[ K&UiKcHc!uϺC BRvmKZXO!-l` $l{q-v[xe8hj-)Ŭ`x>p>9(ną?+ayS[;[G~}0ScOz}|(`=9_.{!5^ ԖtbfVI!YnJݱ-@.>ny>GX#`Х{FZn;]ua_byj$ 8 W8~ >a% +_y!ޞƳAlI/osNRԓN/gq 5T~>lV|%dP56rV_rL{f类C(&1ذkqCXzc)iKvK6bK\7S%I\j9hx^RjًZ96Y $ l x$jM/r´.umˤTa@z(=AT~C`_[%zѰkcے_ۊ 7Z.] gh0nKԝO;#d\S'ĞŷXG"DcoZkcPG7͹~OH7uwi&U_!ll4Xka6`ePgv\O*VX]꒰.c7[ 72m^cs?͐bcz)vhXoذz»':N ͣllUO(`{䕋ϣ@좻AwFS*$!Ƴ>q /#jLbYb ,A}zq.Yg"HP >n#oXa*Iκ$-/Nn˛l]ދ~ig ɬ_gטsL\xiԝ<WX/߃s<̜E(6A(ʦ5=6[7o"ZvmYޣ.Ez^Zf}-ֽC4@@m @ȼ=MԬE5VfX)l%"Q0McaqX32*& #w$X$%䧺rMz@B sZ'5^"Ҷދ8oq,iP|UcX-'I!O:h^4bd@.]h #} Z;`C(KnτOg|3Ӹ{l`!tq,o~A@( })V2ӢCṉ?SvgG5* I7~^cij7}v ˟* O2y¢ojS~e vf4~Su&:E[鏉|X= ? MHa7VEO )I¢XtOf 2E $BtU<э;@g;!"偟wE. FVVrc[aBSQ1}!sHLHjVM ,ξa1.yWG`*׶'^g=D ǹp`1%'0mg#sWF%5{H JH 4GCX^ Q>0"U4CuX]QR[,oT-D9"'"KIH*]^| ~8,2dR  /(_7D \sj61)R>&sj§VQjj~zr_ZRӂ,w)do=0:է[cķlek[`ɣS#ԄV&pU) & PZ`oh1* 3rS#66J=!v XMRkW,s3[in--aaZW$v\rQ DC>$&Eb W 2iգih'\YjJEUP=jXs.{ ρF#~إ5;L<EIRG $y '-bWd"$@;_b΂@jv/Z^릋V <;Cym!g`ك$ :w`i%Ǘ٭48! ȅLu C*A]؅Պ]ֽ'_M}C4-l  \Q-vr)GwFuUW)tcDT2Oa@P-S.bX"aR1XQ?eMZs Қ ;^C.B'Q?=wBbZ!E!*"c3"&lm/u z: :k?,P Y Gώ3sУ4ϓ}^P"Wa]ΰ"@[ g o c qwnbI *͕$\}~gf6!`6u}``yP0л;L'ӣ0Su:`Xf`Lܳ)ul9t:W@Lg>򳉁t39r3RS¤vxyX-n@<Pt4'FHg}tl >܇>Rh̘_[*uUԾRk]j)q^]y} YV^"?9ӄ\I H ?$-G쎆dS|K:>ދXwsмL:7InZ-x=i_ڝ+rܺ)lkE‰/WQwqIYu}Ӿg^CoT_ }eP,eJe)3S9mꌸ4dȀW.}QPY\mĝ]ϟ^wSv}Y QB_MӄJOA~j؊Km9 g%8ٝ/_)9q Χ65n1LczQe r!>E.Z'=ҹjJk%ꋲ Nj!_ ȿYJmfw [ 88me@3Y~>@?dG>kOsiF>?ϴ25~f/EK|+#c~.aY\f粋Oe}^f%e}"^e?@?2/!2#*c~2 *c:NF; :!_>3_gԿɠ.1.1_/z1>A|ߧ}}-ff--m%:IX gk8=Rgr z)A^dկ?e,#@~Nɠ2lc3\.2sܿw2~RAi_tN qʕx^S_xښ薽VqۭMnX_KG{2Pi +{ yH 2 r hxWYdbd b{Xe?~VP枔u]CRMj. {%])2-XѦZ}5y^9* t!Ⱦ>ŧ͉s=h0 .Ð0ۿyʼn?k2xq08@ ۓg ح⡠ϻH#~k0.: 7X.[Zxţ;ZWueaPcqdm8oCd x\$ωޕO>w{P[qЙqE?֢@)+zyXk-g4o}e\ ㌠Ǜv3K :!E٤^`l}Uq8 5&pJ!J81| H-M3wN88 an-gjoQ^ܺ]} N* X2qdxa{:՞/{fw\;a[ƈDM[I6ɑt,tkl21sHP,CV|c&½0t;AWÄ.ҡ|oPر0Nnp[b2 rBL=of'-K'7F461)$ fK_ZOn3 &`T8;&m 'Y Ałv3&F"gu#\RoT˹,Hb z"ѱsFK)3mFVX"u׌dzԦӱFm_kτ x{pT S >v U^{3D3$0z< @SĠ)deF&V3n,=GIDπjUMj΢ْ?SzOmw1=vĺKBt|tm{Xj9#b~` ;BI<`-<>lB*9"ZӷςeքzLT zʲ ៴;Xl3%^z'O֒gֶ CBv|"eI.~9MT~3)UXw|6(68BOh wGw ,AQ6I cS 1&,ڍ,Gw U|ٱs9abZ)qFhۧ75Z@<}ic%p'!M ԱSw O 7g}74|֦J:Wݞ얯 o} 8lo.l4=`6f@(Fђ[P?hFqoI 9:5-  `⍈me@6iRH\*,xf 4 vkf㿜9;[r,#<[^ҵlAt=] vE pMg+_N1y,BL IQy6;|,݀bZ"ND׊rI)9=O.*LH6c?pft@˭]Ag"a?#ahCgyba*<"e}%Ix+)/,π.ȟ(#}M.t8bG@xT,ﺽV/PuzY}TcɦgFK+,O{(F18p;\}ҹ`g`=nT Ks(ӹ9mA0}u}!Yu+ߴeF5<#@5̺J4&_)zҢpL岞Ԕbգ{7t p5J,?-۔́5M\"GZ/%!xzP'r"3dv%VMظӝ_3a-dƆIkcm]jY(fj)