Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #91
    Some instant messengers allow people to display pictures from their machines next to the chat window ( MSN Messenger springs to mind ). Does anybody know if this is vulnerable? I would guess it is, but would like to know for sure.
    If everything looks perfect, then there is something you don't know

  2. #92
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    qwertyman66

    The new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

    “We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
    from here
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #93
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    the exploit still works if the .wmf files were renamed to other image extensions.. like .jpg or .bmp... so filtering .wmf won't 100% work

  4. #94
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    No, it doesn't work because they are recognized and therefore executed based on their 'magic'. If you filtered by the magic at the border you *may* have a chance of blocking them from the outside. No guarantees though.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
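
The content-based filtering discussed in posts #93 and #94, as an added example that is not part of the original thread: a check that classifies a file as WMF from its leading bytes and ignores the extension. The function names and the `triage` verdict strings are hypothetical; the header constants are taken from the WMF file format (placeable key 0x9AC6CDD7, standard header Type 1 or 2, HeaderSize 9 words, version 0x0100 or 0x0300), not from the thread.

```python
import struct

# Assumed from the WMF file format, not from the thread:
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian, placeable header
PLACEABLE_LEN = 22                    # placeable header precedes the standard one


def is_standard_header(data: bytes) -> bool:
    """Standard header: Type (1 or 2), HeaderSize (9 words), Version."""
    if len(data) < 6:
        return False
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """Decide from content only; the file name is never consulted."""
    if data.startswith(PLACEABLE_KEY):
        return True  # fail closed even if the rest of the file is truncated
    return is_standard_header(data)


def triage(filename: str, data: bytes) -> str:
    """Hypothetical border-filter verdict for one attachment or download."""
    if not looks_like_wmf(data):
        return "pass"
    if filename.lower().endswith(".wmf"):
        return "block: wmf"
    return "block: wmf content under another extension"


# Constructed samples (headers only, no drawing records).
STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + STANDARD_WMF
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("logo.wmf", STANDARD_WMF), ("holiday.jpg", PLACEABLE_WMF),
                       ("photo.bmp", STANDARD_WMF), ("real.jpg", JPEG)]:
        print(f"{name:12} {triage(name, blob)}")
```

This inspects only the first bytes of a standalone file; a metafile embedded in an e-mail body or an Office document, as post #96 describes, is not seen unless the container is unpacked first.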

  5. #95
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    One thing I haven't seen specifically discussed is whether there is a "minimum size" for one of these image files that potentially contains malicious code?


  6. #96
    On the Windows 2000 issue..

    My desktop PC here is Windows 2000 running Outlook 2000. Outlook can render WMF files embedded in an email message just fine - i.e. not as an attachment, as part of the message body. I guess if you have autopreview then you can infect your PC without even opening the message.

    You can also embed WMFs in things like Word documents and other office files. It's been a long time since I've seen DOC files used to carry a malware payload and I guess we're not used to it these days. That'll likely sail past your defences and infect anyone who opens the file.

    The thing is that there are just TOO MANY ways that this can get onto your system.

    If you are an admin, at the very least you should protect your own PC by deregistering the DLL and installing the unofficial patch. That means that if your organisation does get hit, at least you'll be able to coordinate some sort of response.

  7. #97
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    It seems that 'older' windows versions are not vulnerable after all..

    http://blog.ziffdavis.com/seltzer/ar.../02/39680.aspx
    Windows 2000, ME, and 98 are NOT vulnerable

    ...

    They say this is based on actual testing. I have to admit that I have been taking the claims that earlier versions were affected for granted and have only been testing myself on XPSP2. Later tonight I hope to test something earlier.
    http://www.hexblog.com/2006/01/wmf_v...y_checker.html
    The nice people at hexblog have created a nice little vulnerability checker..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #98
    I ran the checker on a Windows 2000 SP4 PC and it came out as vulnerable. Also, a legacy NT4 box was also flagged as being vulnerable.

  9. #99
    Greetings

    I have not read all the 10 pages of the thread, but if this is posted before please forgive me. Anyway both Microsoft and SANS have updated their information on the exploit.

    SANS advisory is now version 3 (even the unofficial patch is now updated to version 1.3)

    Microsoft updated their advisory today

    Here are the links

    1. http://www.microsoft.com/technet/sec...ry/912840.mspx

    2. http://isc.sans.org/

    I feel it's a must read for all members.

    Wishing all of you a very happy, prosperous and SAFE new year.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  10. #100
    Originally posted here by the_JinX
    It seems that 'older' windows versions are not vulnerable after all..

    http://blog.ziffdavis.com/seltzer/ar.../02/39680.aspx

    http://www.hexblog.com/2006/01/wmf_v...y_checker.html
    The nice people at hexblog have created a nice little vulnerability checker..
    That isn't quite true. While only Windows XP and Server 2003 by default associate handlers with WMF files, in older systems (e.g. Windows 2000) applications may have easily associated WMF files with Windows handlers. For all we know, Microsoft Office may have done so. So it's quite possible that owners of Win2000 boxes are in danger.
