Mr. Tweak - Windows Network & Admin Tweaks

Windows network, systems, and software Administration Tips & Tricks


Windows Security Exploit in WMF Files - List of Domains to Block at Firewall

A new security exploit for Windows, carried in .WMF files, is floating around the ’net. Security Focus currently has limited details on this zero-day exploit, ID’d as BID 16074. The bug allows remote code execution, which means it can be used to install any virus, trojan, rootkit, or program that the “publisher” sees fit to point it at. The exploit can infect a machine when the user views a web site with an infected image, opens a folder containing infected files in Windows Explorer, or even when Google Desktop indexes an infected file (thanks to the F-Secure blog for this info). I’m guessing that the exploit code is contained in the WMF file’s headers, since it’s not necessary to open the WMF file to infect a system.

This WMF exploit can install on fully-patched XP machines, although it appears that the major antivirus vendors have already issued updates that detect the exploit itself (McAfee as Exploit-WMF, Symantec as Bloodhound.Exploit.56, Trend Micro as TROJ_WMFIOO.A, and F-Secure as W32/PFV-Exploit); most of the payloads it has been seen delivering were already detected.

Since this is a zero-day exploit, there is no patch available for Windows systems. Vulnerable Windows versions currently include all flavors of Windows XP: Home, Pro, Tablet and Media Center. I imagine that Windows 2000 is vulnerable too, and Windows Vista is probably vulnerable, especially with Firefox <1.5 or Opera installed (since both browsers attempt to use “Windows Picture and Fax Viewer” to open WMF files).

I recommend that all network admins block the following domains at the firewall (obfuscated so that browser tools and desktop search engines don’t auto-create hotlinks; thanks to F-Secure for the URLs):

  • unionseek (dot) com
  • crackz (dot) ws
  • tfcco (dot) com
  • iframeurl (dot) biz
  • beehappyy (dot) biz
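As an added example (not part of the original post), here is a Python helper that turns the obfuscated list above back into real domain names and flags any proxy-log request whose host is one of those domains or a subdomain of one, which is useful for checking whether anyone on the network already reached them before the block went in. The log lines are constructed samples in Squid’s native format; the field positions are an assumption about that format.

```python
import re
from urllib.parse import urlsplit

# Domains exactly as the post lists them (obfuscated with "(dot)").
OBFUSCATED_BLOCKLIST = [
    "unionseek (dot) com",
    "crackz (dot) ws",
    "tfcco (dot) com",
    "iframeurl (dot) biz",
    "beehappyy (dot) biz",
]

def deobfuscate(entry):
    """Turn 'unionseek (dot) com' into 'unionseek.com' (lower-case, no spaces)."""
    return re.sub(r"\s*\(dot\)\s*", ".", entry.strip()).lower()

BLOCKLIST = {deobfuscate(e) for e in OBFUSCATED_BLOCKLIST}

def is_blocked(host, blocklist=BLOCKLIST):
    """True if host is a listed domain or any subdomain of one.
    Matching on label boundaries avoids false positives such as 'notunionseek.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

# Constructed sample proxy log lines (Squid native format, assumed layout:
# timestamp elapsed client action/code size method URL ...); not real traffic.
SAMPLE_LOG = """\
1135900001.123 45 10.0.0.12 TCP_MISS/200 2048 GET http://www.unionseek.com/x.wmf - DIRECT/1.2.3.4 image/x-wmf
1135900002.456 12 10.0.0.15 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/5.6.7.8 text/html
1135900003.789 30 10.0.0.12 TCP_MISS/200 1024 GET http://notunionseek.com/a.gif - DIRECT/9.9.9.9 image/gif
1135900004.012 20 10.0.0.20 TCP_MISS/200 900 GET http://crackz.ws/ - DIRECT/4.4.4.4 text/html
"""

def flag_blocked_requests(log_text, blocklist=BLOCKLIST):
    """Return (client_ip, host, url) for each log line whose URL host is blocked."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed or truncated lines
        client, url = fields[2], fields[6]
        host = urlsplit(url).hostname or ""
        if is_blocked(host, blocklist):
            hits.append((client, host, url))
    return hits

if __name__ == "__main__":
    for client, host, url in flag_blocked_requests(SAMPLE_LOG):
        print(f"{client} -> {host}  ({url})")
```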
