SANS posts a comprehensive WMF exploit FAQ

The SANS Internet Storm Center has put together a comprehensive FAQ about the recently announced WMF zero-day exploit that affects all Windows users. Two items of note from the FAQ bear serious attention. The first is that a new variant of the exploit was released last night that makes prevention even more difficult and, as of this writing, has not been successfully blocked by any of the major AV players. Second, and this should make you sit up and take notice if you are not running Windows XP, SANS states the following chilling opinion (emphasis added):

"What versions of Windows are affected?

All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS-X, Unix or BSD is not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

SANS has made available an unofficial patch developed by Ilfak Guilfanov. SANS handler Tom Liston examined the patch, verified its effectiveness, and worked with Mr. Guilfanov to extend it to all Windows XP versions. It's unofficial. That means you use it at your own risk. It also means that you need to remove this patch when (and if) Microsoft releases an official patch.

Currently, SANS is recommending that you unregister the .dll used to invoke the Windows Picture and Fax Viewer component and apply this unofficial patch for maximum protection. As SANS warns in the FAQ, you need to consider doing both because it's possible that a malicious script can actually re-register the .dll without you knowing it. You can find the Run... command to unregister the .dll here. If you do follow this advice, remember to re-register the .dll and uninstall the patch before applying an official patch from Microsoft.
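An added check for the unregister step above, written for this post rather than taken from the SANS FAQ: it reports whether the Picture and Fax Viewer DLL is still COM-registered (so you can spot a script silently re-registering it) and, with -Unregister, runs the same regsvr32 /u command the Run... box would. It assumes the DLL is %windir%\system32\shimgvw.dll, the file the SANS guidance targets, and an elevated PowerShell prompt.

```powershell
# Added example, not from the SANS FAQ or this post. Assumes the DLL SANS
# recommends unregistering is %windir%\system32\shimgvw.dll. Run elevated.
param([switch]$Unregister)

$dllPath = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistration {
    # Walk every CLSID's InProcServer32 key. A default value naming
    # shimgvw.dll means the viewer can still be loaded through COM, which
    # is exactly the state a re-registering script would restore.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Join-Path $_.PSPath 'InProcServer32'
            if (Test-Path $server) {
                $default = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                if ($default -and $default -like '*shimgvw.dll*') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $default }
                }
            }
        }
}

$registered = @(Get-ShimgvwRegistration)
if ($registered.Count -eq 0) {
    Write-Host "shimgvw.dll is not registered under any CLSID."
} else {
    Write-Host "shimgvw.dll is still registered:"
    $registered | Format-Table -AutoSize
    if ($Unregister) {
        # Same effect as the Run... command: regsvr32 /u removes the CLSID
        # entries (/s suppresses the dialog). regsvr32 is a GUI-subsystem
        # program, so wait on the process rather than trusting $LASTEXITCODE.
        # Re-register later with regsvr32 (without /u) before applying an
        # official Microsoft patch.
        $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$dllPath`"" -Wait -PassThru
        if ($p.ExitCode -eq 0) { Write-Host "Unregistered $dllPath" }
        else { Write-Warning "regsvr32 exited with code $($p.ExitCode)" }
    }
}
```

Running it without -Unregister on a schedule gives you a cheap way to notice if the DLL has quietly come back after you removed it.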

This is a bad one, folks. The severity of this exploit should not be underestimated, and you need to take active measures to protect your system. It still appears that this exploit is primarily being used by fake spyware scammers to infect your PC and then offer to sell you a tool to remove the infection. But the code is in the wild, and the rate at which working exploits are proliferating suggests it is only a matter of time before a more malicious payload appears.