There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines machines are vulnerable, with no known patch.
The exploit is currently being used to distribute the following threats:
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.
Some of these install hoax anti-malware programs the likes of Avgold.
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.
F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.
We expect Microsoft to issue a patch on this as soon as they can.
Courtesy : F-secure
__________________________________
Update : Microsoft, CERT wake up to zero day threat
SOFTWARE GIANT Microsoft has released a statement about the zero day WMF vulnerability and has confirmed there is a problem.
It said in a statement that it is investigating the reports of the problem and will provide more information when it has finished its inquiries.
Software affected, it said, includes Windows 2000 SP 4, Windows XP SP1 and 2, Windows XP Pro X64 edition, Windows Server 2004 for Itanium, Windows Server 2003 SP1, Windows Server 2003 with SPI for Itaniums, Windows Server 2003 X64 edition, and Windows 98, Windows 98 SE, and Windows ME.
It gives general advice about how to protect yourself in the advisory, here. The US Computer Emergency Readiness Team (CERT) have also issued a bulletin, here. That says that while the new vulnerability may be similar to one Microsoft has already released patches for, publicly available exploit code has been discovered that may affect systems that have been patched that way. Google Desktop may be another potential attack vector, and it adds that CERT doesn't know yet of a practical solution to the problem.
The exploit is currently being used to distribute the following threats:
Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.
Some of these install hoax anti-malware programs the likes of Avgold.
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.
In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level.
F-Secure Anti-Virus detects the offending WMF file as W32/PFV-Exploit with the 2005-12-28_01 updates.
We expect Microsoft to issue a patch on this as soon as they can.
Courtesy : F-secure
__________________________________
Update : Microsoft, CERT wake up to zero day threat
SOFTWARE GIANT Microsoft has released a statement about the zero day WMF vulnerability and has confirmed there is a problem.
It said in a statement that it is investigating the reports of the problem and will provide more information when it has finished its inquiries.
Software affected, it said, includes Windows 2000 SP 4, Windows XP SP1 and 2, Windows XP Pro X64 edition, Windows Server 2004 for Itanium, Windows Server 2003 SP1, Windows Server 2003 with SPI for Itaniums, Windows Server 2003 X64 edition, and Windows 98, Windows 98 SE, and Windows ME.
It gives general advice about how to protect yourself in the advisory, here. The US Computer Emergency Readiness Team (CERT) have also issued a bulletin, here. That says that while the new vulnerability may be similar to one Microsoft has already released patches for, publicly available exploit code has been discovered that may affect systems that have been patched that way. Google Desktop may be another potential attack vector, and it adds that CERT doesn't know yet of a practical solution to the problem.
