There is a new danger floating around the Internet right now, a zero-day exploit taking advantage of the Windows Media Format (WMF) vulnerability. Its not limited to WMF files, it is taking the shape of images as well. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.
This is not a joke.
Many antivirus companies can not discover this malware at present. Microsoft is not responding fast enough. Download a brand new WMF vulnerability checker to see if you are susceptible [
Details. However, don't let this stop you from applying two specific workaround patches.
Read the following two articles and install the "Windows WMF Hotfix" followed by de-registering the file "shimgvw.dll". Then reboot. Now, wait with the rest of us for Microsoft and antivirus companies to officially patch this vulnerability and detect/clean it. Spread the word.
Interim WMF Exploit Savior
We've all been following the dramatic story of the whole wmf exploit and how it is easily spoofed into other image types. The last day of 2005 the wmf exploit exploded into other various venues such as instant messages, email, and more. Various tools have been setup to try and catch or filter out the wmf exploit, but last night it has mutated. Newest variations change the header and tail of the wmf exploit making its signature difficult to locate.
Drum roll please...
Ilfak Guilfanov who is being billed as one of the foremost experts in Windows low level technology has released a temporary/interim patch for Windows.
(check often for updates, this is version 1.3)
Technical details: "this is a DLL which gets injected to all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore."
Once Microsoft releases an official patch, or if the above doesn't work, you can uninstall it from your Add/Remove Programs menu. It'll be listed as "Windows WMF Metafile Vulnerability HotFix".
The Internet Storm Center gives this patch its stamp of approval:
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
So there you have it, don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait.
Reply With Quote
