zero day WMF exploit


Dave M

There are reports of a new Windows exploit in the wild with very serious
consequences.
I suggest you take a look at this blog page... Nothing official from MS yet.
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

Workarounds include:
excluding specific sites using firewalls restricted zones
http://www.averyjparker.com/2005/12/28/windows-metafile-zeroday-exploit/
unregistering SHIMGVW.DLL (other resulting consequences in Windows)
http://www.averyjparker.com/2005/12/28/workaround-for-zeroday-wmf-exploit/
disassociating WMF (and possibly EMF) program associations
http://www.averyjparker.com/2005/12/28/another-workaround-for-wmf-exploit/

....all this until Windows patches are created. Sorry, don't kill the
messenger...
Reportedly, MSAS will not fix this exploit, XP system restore might.
 

Guest

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the
e-mail vector is concerned although clicking on a link would still put users
at risk.

Note In Windows Server 2003, Microsoft Outlook Express uses plain text for
reading and sending messages by default. When replying to an e-mail message
that is sent in another format, the response is formatted in plain text.

I have software DEP enabled on my system, does this help mitigate the
vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is
designed to reduce exploits of exception handling mechanisms in Windows. By
default software-enforced DEP applies to core operating system components and
services. This vulnerability can be mitigated by enabling DEP for all
programs on your computer.
For additional information about how to "Enable DEP for all programs on your
computer", see the product documentation.
 

Claudio Valderrama C.

Bill Sanderson said:

The concrete suggested actions seem to apply only to XP and Server 2003. For
the other operating system, the implicit message is "just wait".

I will repeat what I said in another forum and I'm not a marketer: I have
PivX Preempt and it blocks the problem. It injects a DLL to solve the
problem. Preempt is good SW and causes almost no woes (if it installs
successfully because from the PivX forums I got that some people never made
it to work), you can get a trial and by the time it expires, probably MS
will have a fix (personally, I purchased its predecessor QwikFix so the same
license applies to Preempt). Whether I can recommend Preempt is a gray area:
the product is good but tech support sucks. This seems to be the case with
ZoneAlarm, too IMHO.

C.
 

Bill Sanderson

Microsoft has since revised their advisory to state that software DEP DOES
NOT mitigate this vulnerability. (relatively few readers of this will have
hardware DEP--only 64-bit processors or the very newest dual core processors
from Intel, I believe)

