Thoughts on the .wmf 0-day and uses for mischief
For security enthusiasts reading this post, it should be apparent by now that malicious .wmf files are being hosted widely. Those files exploit a vulnerability in the handling of image metafiles in most versions of Windows from WinME up to XP. Here is CERT's advisory and here is a response from Microsoft. And of course, the blog over at F-Secure is just fantastic in researching the propagation/spread and exploitation of the mentioned .wmf files.
Jerome Athias posted a solution on the Full Disclosure list with the following fix:
Note that you can register or unregister shimgvw.dll to enable or
disable WPFV:
- Disable: Start > Run > regsvr32 /u shimgvw.dll
- Enable: Start > Run > regsvr32 shimgvw.dll
Disabling shimgvw.dll in this case alleviates the problem, and once you've installed Microsoft's update you can enable it again.
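As an added example (not code from the original post or from Jerome Athias' message), the script below wraps the two regsvr32 commands above so the workaround can be applied from an elevated prompt and reverted after the patch is installed, and adds a status check. It assumes a default install where the viewer's COM server is %SystemRoot%\system32\shimgvw.dll and that its registration shows up as an HKCR\CLSID\{...}\InprocServer32 default value pointing at that DLL; it does not hard-code any CLSID.

```powershell
<#
Added example, not from the original post or Jerome Athias' message.
Toggles registration of the Windows Picture and Fax Viewer COM server
(shimgvw.dll) and reports whether it is currently registered.

Assumptions: default install with the DLL under %SystemRoot%\system32, and
registration visible as an HKCR\CLSID\{...}\InprocServer32 default value
that points at shimgvw.dll.
Usage (elevated prompt):  .\Toggle-Wpfv.ps1 -Action disable|enable|status
#>
param(
    [ValidateSet('disable', 'enable', 'status')]
    [string]$Action = 'status'
)

$dll = Join-Path $env:SystemRoot 'system32\shimgvw.dll'

function Test-IsAdministrator {
    # regsvr32 writes under HKLM\Software\Classes, so it needs an elevated token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShimgvwClsids {
    # Walk HKCR\CLSID and return every CLSID whose in-process server is
    # shimgvw.dll. An empty result means the viewer is not registered.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" `
                -Name '(default)' -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'shimgvw\.dll') {
                $_.PSChildName
            }
        }
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # regsvr32 is a GUI-subsystem program, so run it with -Wait to get a real
    # exit code; /s suppresses its message boxes. 0 means success.
    $p = Start-Process -FilePath "$env:SystemRoot\system32\regsvr32.exe" `
        -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

if (-not (Test-Path $dll)) {
    Write-Error "shimgvw.dll not found at $dll"
    exit 1
}

switch ($Action) {
    'status' {
        $clsids = @(Get-ShimgvwClsids)
        if ($clsids.Count -gt 0) {
            "shimgvw.dll is REGISTERED ($($clsids.Count) CLSID(s)):"
            $clsids | ForEach-Object { "  $_" }
        } else {
            'shimgvw.dll is NOT registered (workaround in effect).'
        }
    }
    'disable' {
        if (-not (Test-IsAdministrator)) { Write-Error 'Run from an elevated prompt.'; exit 1 }
        $rc = Invoke-Regsvr32 @('/s', '/u', "`"$dll`"")
        if ($rc -ne 0) { Write-Error "regsvr32 /u failed with exit code $rc"; exit $rc }
        'Unregistered shimgvw.dll; re-run with -Action enable after patching.'
    }
    'enable' {
        if (-not (Test-IsAdministrator)) { Write-Error 'Run from an elevated prompt.'; exit 1 }
        $rc = Invoke-Regsvr32 @('/s', "`"$dll`"")
        if ($rc -ne 0) { Write-Error "regsvr32 failed with exit code $rc"; exit $rc }
        'Re-registered shimgvw.dll.'
    }
}
```

The status branch is the part worth keeping around after patching: unregistering a shell component is easy to forget to reverse, and enumerating InprocServer32 values is a quick way to confirm on a fleet which machines still have the workaround applied.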
Now, I have to wonder if attackers are going to take this opportunity to discover XSS holes in _huge_ community sites like MySpace, Xanga, Livejournal, Blackplanet, etc., modify JS/Spacehero-A (like GodOfTheNoose), and create moments of mass exploitation by cleverly using vectors such as .swf embeds/redirects to infect large numbers of victims. Hmm.