-
December 30th, 2005, 03:52 AM
#51
juuuuuust a thought...but....does AO verify file content of images in signatures? or in avatars? If I change my av to a linked image with a WMF file renamed to something else...where is the security there? I smell instant XSS amongst other fun tidbits!
Soda, your idea is novel but won't work properly because IE tries to render the file if it's been renamed as well, so a gif/tif/png etc will all still render and exploit. This is thanks to MS's amazingly stupid idea of trying to be clever with error correction and try to assume that the file was named wrong. I have exploited IE machines by renaming a vbscript file to .png and it executed the commands without a hitch....well...not for me.
In short, I see this as possibly having a huge impact due to sneaky deployment on major sites.
- Noia
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
And no one can recall the gentle features of the queen's face on that fair day when this land rested in holy peace and everyone had love to love with.
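Added example, not part of the posts above or of the forum's own code: a server-side check that classifies an uploaded avatar by its leading bytes instead of its file name, so a metafile renamed to .png or .gif is refused. The function names, the allowed-format policy and the sample byte strings are assumptions made for illustration; EMF is included as the related metafile format.

```python
import os
import struct

# Raster signatures an avatar upload may carry (assumed policy for this example).
RASTER_MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",),
                "gif": (b"GIF87a", b"GIF89a"),
                "jpeg": (b"\xff\xd8\xff",)}
EXT_TO_KIND = {".png": "png", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg"}

def sniff_metafile(data):
    """Return a label if data begins like a Windows metafile, else None."""
    if data[:4] == b"\xd7\xcd\xc6\x9a":      # placeable WMF key 0x9AC6CDD7
        return "wmf-placeable"
    if len(data) >= 6:
        # Standard WMF header: type (1 or 2), header size in words (9), version.
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"                          # EMR_HEADER record with " EMF" signature
    return None

def sniff_raster(data):
    """Return 'png', 'gif' or 'jpeg' when the leading bytes match, else None."""
    for kind, magics in RASTER_MAGIC.items():
        if data.startswith(magics):
            return kind
    return None

def check_upload(filename, data):
    """Decide from content, not from the name. Returns (accepted, reason)."""
    meta = sniff_metafile(data)
    if meta:
        return False, f"{meta} content"
    kind = sniff_raster(data)
    if kind is None:
        return False, "unrecognised content"
    ext = os.path.splitext(filename)[1].lower()
    if EXT_TO_KIND.get(ext) != kind:
        return False, f"extension {ext} does not match {kind} content"
    return True, kind

# Constructed sample inputs: headers only, padded with zero bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 10
SAMPLE_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLE_PLACEABLE = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18

if __name__ == "__main__":
    for name, blob in [("avatar.png", SAMPLE_PNG), ("avatar.png", SAMPLE_WMF),
                       ("avatar.gif", SAMPLE_PLACEABLE), ("avatar.png", SAMPLE_GIF)]:
        print(name, check_upload(name, blob))
```

A check like this only covers files the forum stores or proxies itself; an image linked from a third-party host is fetched by the visitor's browser directly and never passes through it.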
-
December 30th, 2005, 04:12 AM
#52
Just wondering, are you still vulnerable to this bug if you turn all the settings to off on your browser, so that it blocks all ads, pictures etc?
-
December 30th, 2005, 05:32 AM
#53
Forget it, gore gave me an idea.
-
December 30th, 2005, 06:56 AM
#54
Man this is just getting worse...the websites serving up this exploit are growing quickly. Check these posts:
http://sunbeltblog.blogspot.com/2005...otational.html
Ok, here is why this is bad. You don’t have to go to a crack site or a porn site. You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited.
http://www.f-secure.com/weblog/archi....html#00000754
And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.
-
December 30th, 2005, 02:13 PM
#55
A couple more reports on that too:
http://blogs.zdnet.com/Spyware/index.php?p=735
http://www.eweek.com/article2/0,1895,1906915,00.asp
If you cast your mind back to last year, there was a case where a major commercial ad network was serving up another exploit: http://www.theregister.co.uk/2004/11...server_attack/ - the fallout from that was pretty nasty.
-
December 31st, 2005, 06:55 AM
#56
Kevin Kean from Microsoft has posted comments on their security response center blog confirming that there WILL be a patch issued for this WMF image vuln...
When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.
Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.
See link http://blogs.technet.com/msrc/archiv...30/416694.aspx
-
December 31st, 2005, 09:26 AM
#57
apparently avast! antivirus detects this exploit already and removes it before it even reaches your computer at the moment. interesting, while i haven't heard of any other AVs successfully doing so with ease.
We're protected by the latest VPS 0552-1, avast! detects this exploit as Win32:Exdown [Trj] and other AVs do too but avast!'s users are more effectively protected by Web Shield as it scans HTTP traffic in real time so the exploit is stopped before it gets to our machine.
EDIT: forgot to mention that i found this while browsing around the avast! av forums. here's the link to the thread if anybody is curious.
http://forum.avast.com/index.php?topic=18295.0
Come to the dark side......WE.....HAVE......trackingCOOKIES!!
-
December 31st, 2005, 05:08 PM
#58
I just read a report on Kaspersky's Viruslist blog (Viruslist blog) saying that, contrary to earlier reports, unregistering and deleting the SHIMGVW.DLL will NOT protect you - they claim the vuln is in the GDI32.DLL.
Also, F-Secure (source) is reporting that a well known low-level Windows expert, Ilfak Guilfanov, has written and published a fix for free that won't break image functionality that happens when unregistering the SHIMGVW.DLL. According to F-Secure it injects itself into all processes loading USER32.DLL. Ilfak wrote the program Interactive Disassembler Pro BTW.
You can download it here: http://www.hexblog.com/2005/12/wmf_vuln.html
I'm installing it now to check it out...try it at your own risk as I can't give any validity at this point in time.
Let's just hope MS gets that patch out SOON as I worry about my friends, family, and coworkers opening all those holiday greeting card emails ....with WMF exploit code.
-
December 31st, 2005, 05:49 PM
#59
interesting indeed, but that's only one company claiming that that is the vulnerability during a time where nobody knows for sure. by the way, a new update for a squared users gives them the detection for the windows wmf exploit (couldn't get the screenshot, it updated too fast for me). there aren't a lot of details about how a squared deals with it (not even in forums) so who knows for sure what it will do.
Come to the dark side......WE.....HAVE......trackingCOOKIES!!
-
December 31st, 2005, 06:15 PM
#60
They prolly don't wanna put out a patch too soon.
It might break a lotta Adware. </snicker>.
I came in to the world with nothing. I still have most of it.