View full version : W32/PFV-Exploit - MS Windows WMF Handling Arbitrary Code Execution

28-12-2005, 13.29.46

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer...

Info: http://secunia.com/advisories/18255/


New WMF 0-day exploit

There's a new zero-day vulnerability related to Windows' image rendering - namely WMF files (Windows Metafiles). Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability. Right now, fully patched Windows XP SP2 machines are vulnerable, with no known patch...

Info: http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

29-12-2005, 16.11.46
Aliases: Bloodhound.Exploit.56 (Symantec), Exploit-WMF (McAfee), Exploit/Metafile (Panda Software)

Info: http://alerta-antivirus.red.es/virus/detalle_virus.html?cod=5625

Watch out for the current variants "A, B, C, D, E" of the "NASCENE" trojan. ;)

30-12-2005, 16.15.08
The amount of trojans using the zero-day WMF exploit is increasing rapidly. Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal...

Read: http://www.f-secure.com/weblog/

30-12-2005, 18.44.03
Security Web site Secunia gave the vulnerability its highest severity ranking of "extremely critical." Security firm F-Secure on its blog claimed to have seen at least three different computer worms that exploit the security hole. It refers to the worms as W32/PFV-Exploit.A, .B and .C.

Read: http://www.technewsworld.com/story/fRQgP2WIHYkzSU/Hackers-Target-Windows-Vulnerability.xhtml

Akonix Security Center Identifies First WMF File Vulnerability Spreading Over Instant Messaging

SAN DIEGO--(BUSINESS WIRE)--Jan. 3, 2006--Akonix Systems, Inc. today identified a new instant messaging (IM) worm named IM-Worm.Win32.Kelvir.WMF.A, which takes advantage of a leading IM network to spread the newly discovered Windows Meta File (WMF) vulnerability on users' PCs. The Akonix Security Center classified the worm as medium risk and is working with its IM network partner to immediately protect customers against this threat...

Read: http://biz.yahoo.com/bw/060103/20060103005765.html?.v=1

30-12-2005, 18.50.28
Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue."

Read: http://www.msnbc.msn.com/id/10651414/

F-SECURE: WMF Vulnerability Workaround:
Only for WinXP and 2003 ;)

Download: http://support.f-secure.com/enu/home/downloads/WMF_FIX.EXE

Info: http://support.f-secure.com/enu/home/wmf_download.shtml

02-01-2006, 17.18.11
Ilfak Guilfanov
Mr Guilfanov (11/12/66) graduated from Moscow State University in 1987. He holds a B.Sc. in Mathematics. Ilfak is IDA Pro's architect and main developer. Ilfak maintains a blog devoted to IDA, decompilation, and related IT security topics such as vulnerability research. Mr Guilfanov has lived and worked in Liège, Belgium, since the late 90s.


Ilfak Guilfanov has released an updated version of his unofficial patch for the Windows WMF issue. We have reverse engineered, reviewed, and vetted the version here. Note: If you've already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed.

(Note: the version information in the installation script indicates that this is version 1.2 - but it really IS version 1.3... the version info in the install script is incorrect...)

Download: http://handlers.sans.org/tliston/wmffix_hexblog14.exe

WMF Hotfix Installer: http://accentconsulting.com/downloads/WMF_Hotfix_Installer.msi

Frequently Asked Questions about WMF Hotfix: http://www.hexblog.com/security/wmffix_faq.html

Info: http://isc.sans.org/


Conscientious Risk Management and WMF

Read: https://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx

03-01-2006, 17.19.23
Report says a newly discovered flaw could expose hundreds of millions of Windows PCs to virus...

Read: http://money.cnn.com/2006/01/03/technology/windows_virusthreat/index.htm?cnn=yes

Which platforms can really get hit by WMF?

Read: http://www.f-secure.com/weblog/

04-01-2006, 10.24.40
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Read: http://www.microsoft.com/technet/security/advisory/912840.mspx

Windows flaw spawns flurry of attacks
"We estimate 99 per cent of computers worldwide are vulnerable"...

Read: http://software.silicon.com/os/0,39024651,39155320,00.htm

04-01-2006, 10.30.48
The Microsoft patch arrives on January 10

04-01-2006, 10.34.09
Microsoft was hustling to fix a flaw that left its Windows operating platform vulnerable to attacks from hackers, the company announced. "It is even worse than a critical flaw," Rob Helm, director of research at Directions on Microsoft in the state of Washington, told AFP...

Read: http://www.physorg.com/news9545.html

Install Bootleg Patch, Windows Users Urged
Windows users are being urged by some security experts to secure their machines using an unofficial patch, to fix a vulnerability that allows computers to be compromised through the mere viewing of an image file. The vulnerability, which is already being actively exploited by more than 100 hacker-controlled web sites and in spam attacks, enables malicious payloads to be executed on Windows PCs when images in the Windows Meta File format are viewed...

Read: http://uk.news.yahoo.com/04012006/221/install-bootleg-patch-windows-users-urged.html

04-01-2006, 12.19.13
It is practically impossible to filter this type of attack by blocking WMF-format images at the corporate firewall or with an antivirus, because the attack code can be disguised in a thousand different ways (making traditional antivirus recognition impossible), and the trap works even if the extension given to the image is not WMF: you could receive an image named "buon anno.jpg" and think it is safe, while in reality it is in WMF format, and Windows would open it and execute it. So it is useless to think "I won't open WMF files": you could open them without knowing it...

...If you are wondering what I am doing to avoid the infections produced by this flaw, the answer is simple. I use a Mac and my site runs on a Linux machine.

Cheers from Paolo...

Read: http://attivissimo.blogspot.com/
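The point in the post above (and in the Secunia text at the top of the thread) is that the file extension says nothing about whether Windows will parse a file as a metafile: the format is identified by its bytes. Added example, not from the thread or from any of the vendors it quotes: a content sniffer in Python that recognises a WMF by its placeable key or META_HEADER regardless of the file name, walks the record list, and flags META_ESCAPE records carrying the SETABORTPROC escape (0x0009), the GDI escape that MS06-001 fixes. The constants follow the public WMF record layout; the sample files, including the "hostile" one, are constructed inline and carry placeholder bytes, not a payload.

```python
"""Content-based WMF sniffer: identifies Windows Metafiles by header, not by
file extension, and flags META_ESCAPE records carrying the SETABORTPROC escape
(the GDI escape addressed by MS06-001). Added example; the sample files are
constructed below and contain no exploit payload."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key (bytes D7 CD C6 9A)
PLACEABLE_HDR_LEN = 22
META_HDR_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009


def _is_placeable(data):
    return len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC


def is_wmf(data):
    """True if the bytes look like a WMF, whatever the file is named."""
    if _is_placeable(data):
        return True
    if len(data) < META_HDR_LEN:
        return False
    meta_type, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words, Version 0x100 or 0x300
    return meta_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def iter_records(data):
    """Yield (function, params) for every record after META_HEADER."""
    off = (PLACEABLE_HDR_LEN if _is_placeable(data) else 0) + META_HDR_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:          # a record cannot be smaller than its own 6-byte header
            break
        params = data[off + 6: off + size_words * 2]
        yield func, params
        if func == META_EOF:
            break
        off += size_words * 2


def find_setabortproc(data):
    """Return the ByteCount field of every META_ESCAPE/SETABORTPROC record."""
    hits = []
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == ESC_SETABORTPROC:
                hits.append(byte_count)
    return hits


def scan(data):
    """Return (is_wmf, number_of_SETABORTPROC_escapes) for a blob of bytes."""
    if not is_wmf(data):
        return (False, 0)
    return (True, len(find_setabortproc(data)))


# --- constructed samples (not real malware) ---------------------------------

def _record(func, params=b""):
    params += b"\x00" * (len(params) % 2)      # record sizes are in 16-bit words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    max_rec_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (META_HDR_LEN + len(body)) // 2, 0, max_rec_words, 0)
    wmf = header + body
    if placeable:
        # Key, HWmf, BoundingBox(4 x int16), Inch, Reserved; checksum = XOR of the 10 words
        head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", head):
            checksum ^= word
        wmf = head + struct.pack("<H", checksum) + wmf
    return wmf


BENIGN_WMF = build_wmf([_record(0x0103, struct.pack("<H", 8))])        # META_SETMAPMODE
_ESCAPE = _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"XXXX")
HOSTILE_WMF = build_wmf([_ESCAPE])                      # placeholder bytes, no payload
HOSTILE_PLACEABLE = build_wmf([_ESCAPE], placeable=True)
JPEG_LIKE = b"\xff\xd8\xff\xe0" + bytes(20)             # JPEG-style header, not a WMF

if __name__ == "__main__":
    # The name is irrelevant: "buon anno.jpg" holding WMF bytes is still scanned as WMF
    for name, blob in [("buon anno.jpg", HOSTILE_WMF), ("photo.jpg", JPEG_LIKE),
                       ("chart.wmf", BENIGN_WMF), ("logo.wmf", HOSTILE_PLACEABLE)]:
        print(name, scan(blob))
```

The check keys on the record structure rather than on the payload, which is what survives the "disguised in a thousand ways" problem at the file level: the bytes after the escape header can vary freely, but the META_ESCAPE/SETABORTPROC pair itself has to be there for GDI to reach the vulnerable path. Two caveats for anyone wiring this into a proxy or mail filter: a hit is a good reason to block, since ordinary image metafiles have no business setting an abort procedure, but a clean result is no guarantee, because the scanner stops at the first record with an impossible size and deliberately malformed files were part of the in-the-wild samples; and it does not look at EMF at all.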

04-01-2006, 13.17.25
WatchGuard UTM appliances offer Zero-Day protection against the latest Microsoft vulnerability

...WatchGuard customers can defend themselves against this new threat by blocking maliciously formatted Windows MetaFile (.WMF) images thanks to the "Zero-Day" protection offered by Intelligent Layered Security, in particular the HTTP and SMTP proxy features...

Read: http://www.areapress.it/vediarticolo.asp?id=13024

04-01-2006, 13.21.33
The flaw discovered in Windows concerns metafile processing. The official patch comes next week, while a debate has opened on applying an alternative remedy

Read: http://www.cwi.it/showPage.php?template=articoli&id=14227

04-01-2006, 13.35.41

As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update. Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher.

WMF Test: http://www.grc.com/miscfiles/wmf_checker_hexblog.exe

Info: http://www.grc.com/sn/notes-020.htm

Radio interview with Steve Jobs (Gibson Research) on the effectiveness of the Ilfak patch: http://media.grc.com/sn/SN-020SE.mp3

06-01-2006, 15.18.58
Microsoft releases WMF patch

Microsoft has decided to release a patch for the Windows WMF flaw in response to what it described as "strong consumer sentiment" for an early fix to the problem. Enterprise customers who are using Windows Server Update Services should have received the update automatically, the company said in a statement. Manual downloads are available here.

Download MS PATCH: http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Read: http://www.pcadvisor.co.uk/news/index.cfm?newsid=5503

Uninstall the unofficial patch, reboot the system, then install the Microsoft patch. ;)

06-01-2006, 15.39.34

After enduring much criticism for deciding to wait until Patch Tuesday next week to issue a fix for the Windows Metafile exploit that's been making the rounds, Microsoft reversed itself and released the WMF patch on Thursday. Microsoft released the WMF patch a couple of days after it had leaked to the Web.

Website: http://www.microsoft-watch.com/