Thoughts on the .wmf 0-day and uses for mischief
For security enthusiasts reading this post, it should be apparent by now that malicious .wmf files are being hosted widely. Those files exploit a vulnerability in the handling of image metafiles in most versions of Windows from WinME up to XP. Here is CERT's advisory and here is a response from Microsoft. And of course, the blog over at F-Secure is just fantastic at researching the propagation/spread and exploitation of the mentioned .wmf files. Jerome Athias posted a solution on the Full Disclosure list with the following fix:
Note that you can register or unregister shimgvw.dll to enable or
- Disable: Start > Run > regsvr32 /u shimgvw.dll
- Enable: Start > Run > regsvr32 shimgvw.dll
Disabling shimgvw in this case will alleviate the problem, and once you've installed Microsoft's update, you can enable it again.
Now, I have to wonder if attackers are going to take this opportunity to discover XSS holes in _huge_ community sites like MySpace, Xanga, LiveJournal, BlackPlanet, etc., modify JS/Spacehero-A (like GodOfTheNoose), and create moments of mass exploitation by cleverly using vectors such as .swf embed/redirects to infect large numbers of victims. Hmm.