# Sites exploit Windows image flaw [critical]



## Resolution (Sep 17, 2005)

http://news.bbc.co.uk/1/hi/technology/4566504.stm

Here is the advisory on the exploit...

http://www.us-cert.gov/cas/techalerts/TA05-362A.html

I ran into a website trying to get me to install one of these files (xpl.wmf). I saved it to a test computer (I was curious) and it infected the Hell out of it. It was almost like a service pack for viruses and worms because it installed over a dozen variations of each. The wallpaper was changed and the task manager was locked (it altered the local policies in the registry). It took me about an hour to clean it all (or most of it), and I still get a high CPU usage problem with winlogon.exe. 

Since there is currently no patch available for this exploit, you should watch what you are downloading via websites and emails.


----------



## mimo2005 (Oct 2, 2004)

Thank you.


----------



## Glaswegian (Sep 16, 2005)

Have a look here - there is a workaround of sorts.

http://sunbeltblog.blogspot.com/

MicroBell posted this link for something else but it contains info on the WMF exploit.


----------



## norin (Dec 28, 2004)

Wow, it scares me to think about how much time people put into using Windows to find exploits and such just because it is the OS that is most used and widely available. Computers are scary.... but we love them. And that's why we are here to help people solve people's problems... w00t w00t... power to the CompSci specialists!


----------



## MicroBell (Sep 21, 2004)

Until Microsoft issues a patch for this exploit, here are a few ways to prevent this WMF exploit from being installed.

*1.* Download a 3rd party patch....
http://www.hexblog.com/2005/12/wmf_vuln.html 
*Note* Patch is for Windows 2000, XP, 2003 ONLY.

*2.* Unregister the DLL.
Procedure: From the command prompt, type *REGSVR32 /U SHIMGVW.DLL*

*3.* Use *IESPYAD* *Note* This has just been updated with the sites that are using this exploit.

Update your Antivirus and use a Firewall!!
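An added example, not Grinler's batch file and not anything posted in this thread: a small script that applies or undoes option 2 above and then checks the registry to confirm which state the machine is in. It assumes shimgvw.dll lives in %SystemRoot%\system32 and that reg.exe supports the /f /s /d search switches (Windows XP and later).

```batch
@echo off
rem Added example (not from the thread): apply or undo the "unregister SHIMGVW.DLL"
rem workaround and then verify the result by searching HKCR\CLSID for any COM
rem server entry whose data still points at shimgvw.dll.
setlocal
set DLL=%SystemRoot%\system32\shimgvw.dll

if /i "%~1"=="off" (
    echo Unregistering %DLL% ...
    regsvr32 /s /u "%DLL%"
) else if /i "%~1"=="on" (
    echo Re-registering %DLL% ...
    regsvr32 /s "%DLL%"
) else (
    echo Usage: %~nx0 off ^| on
    echo   off  - apply the workaround until the Microsoft patch is installed
    echo   on   - restore the Picture and Fax Viewer after patching
    goto :eof
)

rem Verify: search only under HKCR\CLSID so that unrelated references to the DLL
rem (e.g. rundll32 shell commands) do not produce false positives. reg.exe sets
rem errorlevel 1 when the search finds no match (assumption: XP-era reg.exe behaviour).
reg query HKCR\CLSID /s /f shimgvw.dll /d >nul 2>&1
if errorlevel 1 (
    echo shimgvw.dll is NOT registered as a COM server - workaround is in effect.
) else (
    echo shimgvw.dll is still registered as a COM server.
)
endlocal
```

Run it as `wmfwork.cmd off` now and `wmfwork.cmd on` once the Microsoft update is installed; the final check is what tells you whether the unregister actually took.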


----------



## sUBs (May 5, 2005)

*This is no laughing matter.

If you have not patched your systems yet, DO IT NOW!!!*


----------



## POADB (Jul 28, 2004)

http://sunbeltblog.blogspot.com/

More here ^^


----------



## Spatcher (Apr 28, 2005)

I can't access that HexBlog site....


----------



## Spatcher (Apr 28, 2005)

And I used IESPYAD for ZonedOut. Is that good?


----------



## tetonbob (Jan 10, 2005)

Hmmm...I can't access that site either, now. Direct link for the patch:

http://handlers.sans.org/tliston/wmffix_hexblog13.exe

MS has said it will issue a patch Tuesday, Jan 10.



> Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.


From http://sunbeltblog.blogspot.com/

Read more, for those of you with Win98, ME.....(we know you're out there)



> all versions of Windows back to 3.0 have the vulnerability in GDI32. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files...





> So the vulnerability is there on all platforms but it seems that only Windows XP and 2003 are easily exploitable. Unfortunately this still means that the majority of Windows computers out there are vulnerable right now. And at least Windows 2000 becomes vulnerable if you're using many of the available third party image handling programs to open image files.


From http://www.f-secure.com/weblog/archives/archive-012006.html#00000764


----------



## Glaswegian (Sep 16, 2005)

I've unregistered the dll file using Grinler's batch file here

http://www.bleepingcomputer.com/forums/index.php?showtopic=39047&pid=211991&st=0&#entry211991

You can also use it to re-register when MS issue their fix.


----------



## tetonbob (Jan 10, 2005)

That's just a fancy method to Option 2 above, I think, Iain.


----------



## tetonbob (Jan 10, 2005)

Google cache link to the original blog. Ilfak's page was suspended temporarily due to overwhelming numbers. A host is being looked into.

http://66.249.93.104/search?q=cache:sTqe9niZhI8J:www.hexblog.com/2005/12/wmf_vuln.html+&hl=en


----------



## sUBs (May 5, 2005)

Mirrors:
http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Dow...p=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe

Source: www.hexblog.com & www.f-secure.com/weblog

The official hexblog site is facing bandwidth trouble...


----------



## POADB (Jul 28, 2004)

Interview with the author of the 'unofficial patch'

http://blogs.securiteam.com/index.php/archives/176

Microsoft's patch due Jan 10th.


----------



## sUBs (May 5, 2005)

Patch released

http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx


Alternately...visit http://windowsupdate.microsoft.com


----------



## POADB (Jul 28, 2004)

Patch 5 days early!!!


----------



## nightowl1963200 (Sep 21, 2005)

*FYI.....Trend Micro*

According to a test of a range of antivirus products published on Wednesday, Trend Micro was the only major antivirus vendor that failed to catch a number of malicious files that exploit the new Windows vulnerability.

In the test, administered by independent testing organization AV-Test, 206 malicious files were pushed through virus shields from a number of vendors. Of the top three antivirus companies, Symantec and McAfee caught all bad files, while Trend Micro missed 63, according to the test results, which were e-mailed to CNET News.com.


----------

