Windows Zero Day Exploit

 

There is a zero day exploit out there with regard to WMF files (SpyWare). Be very careful opening WMF files. You can read more by going to the following links:

http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html

I highly recommend running Microsoft Anti-Spyware (beta). http://www.microsoft.com/athome/security/spyware/software/default.mspx

It will not prevent the exploit, but it will alert you to the fact that you have the exploit.

http://isc.sans.org

http://www.f-secure.com/weblog/

Websense Labs has a video showing what it looks like if a system gets exploited by the WMF-0 exploit:
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

Hopefully, within a day or two, anti-virus and spyware companies will come out with a tool to block or remove this exploit. As of right now, they have not come out with this and it could be delayed because of the holidays.
OK...so maybe this should be in the chatter category, but I wanted everyone to know about it, even if they had chatter blocked.
last edited: 12/28/05 8:00:34 PM
skiracer
7:59:14 PM
12/28/05

spybot search and destroy removes it... you might want to be careful running software by the same company that makes the software the exploit affects...
juztyn2
8:08:03 PM
12/28/05

“spybot search and destroy removes it... you might want to be careful running software by the same company that makes the software the exploit affects...”
juztyn2
8:08:03 PM
12/28/05


Granted, Microsoft needs to be better at closing the holes in their software, but they are exactly who I would want fixing the problem. Who better to fix a problem than the creator of the system and the weaknesses that came with it? If Microsoft wasn't around, Apple and/or *nix would be getting attacked all the time instead.
last edited: 12/28/05 9:16:31 PM
wvmtnmatt
9:15:15 PM
12/28/05

I run several anti-spyware programs, not just Microsoft's Anti-Spyware.

juztyn2, I am curious where you got your information that Spybot removes this. The latest Detection Rules available for Spybot are from two days before Christmas, 12/23/05. This exploit was just discovered today, 12/28/05. Sorry to put you on the spot, but did you actually read any of the information provided in my links?

With that in mind, I have to disagree with you. Spybot does not remove this exploit.
skiracer
9:26:26 PM
12/28/05

Thanks for the heads up ski.
viOLin
5:33:39 AM
12/29/05

looks like firefox 1.5 is immune, good thing it's all I use. Exploits are easy for the hackers mostly because everybody seems to want the fancy stuff instead of the basics, and not learn how their systems work, pretty pictures and all. I'm also sure they've managed to work up some viruses and spyware for other systems than windows too, the only reason you never hear about it is that no one makes detection software for them either, so they may have problems and no way to know it...
swamp yankee
8:07:00 AM
12/29/05

More information:

Updated: Critical Impact: Windows Metafile Flaw a 'Zero-Day Exploit'

http://www.eweek.com/article2/0,1895,1906177,00.asp?kc=ewnws122905dtx1k0000599

News: Workaround, Protections Emerge for WMF Exploit

http://www.eweek.com/article2/0,1895,1906211,00.asp?kc=ewnws122905dtx1k0000599

If you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. The registry operation is a much better way.

http://isc.sans.org/diary.php?storyid=975
skiracer
10:23:20 AM
12/29/05

Thanks for the update skiracer.
lumberzac
10:34:55 AM
12/29/05



Who doesn't love spyware!? Aren't you tired of your computer running too fast? And how many times have you found yourself wishing that more people had all your personal information? Privacy is a thing of the past, now that we have Spyware to keep our honest and useful advertising community informed of our browsing habits. GO SPYWARE!
thriftyhiker
10:35:21 AM
12/29/05

This from eWeek.com:

Full Article: http://www.eweek.com/article2/0,1895,1906965,00.asp?kc=ewnws123005dtx1k0000599

Exploits of the WMF (Windows Metafile Format) flaw continued on Thursday as advertising networks took advantage of the vulnerability to spread their "products."

Several security lists and Weblogs warned that the Exfol adware network was presenting coded WMF images on rotating banner ads.

Researchers said that sites running pop-up advertisements from the network will infect viewers with vulnerable systems.

***** begin quote *****
"You don't have to go to a crack site or a porn site," observed a posting on the blog of firewall vendor Sunbelt Software USA, of Clearwater, Fla.

"You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited," the posting continued.
***** end quote *****

What this basically means is that if one of the pop-up ad vendors which are used here decides to take advantage of this exploit, everyone visiting the TrailTalk site could become infected.
skiracer
3:18:02 PM
12/30/05

I don't know if it was through this exploit or not, but my boss got nailed with the "Spy Sheriff" virus on Thursday when he typed in a url from memory - he may have typed the wrong address. It was nasty.
viOLin
8:20:53 AM
12/31/05

...but it had a happy ending. My boss is very superstitious and figured he was being punished for making us work the day after New Year’s Day. After he got infected, he decided to give us the day off. Yay!

I think I'll send him a virus every few weeks.
viOLin
8:55:28 AM
12/31/05

LOL
chappy
8:57:26 AM
12/31/05

I use this: http://www.prevx1.com/ in addition to spybot and adaware. I did download it during their beta try so I got the final version free for a year, but I have had no spyware since I started using it. Well, besides those damn cookies.
Gemini
8:57:28 AM
12/31/05

mmmm, cookies.......
chappy
8:58:19 AM
12/31/05
