Ross
Well-known member
IMPORTANT! Microsoft Windows WMF Zero Day Exploit
"The WMF (Windows Meta File) hides within an HTML file. When the browser renders the picture, the exploit executes a trojan dropper that McAfee calls Downloader-ASE or Generic Downloader.q. The dropper will then download Winhound, a fake anti-spyware/virus program which asks users to purchase a registered version of the software in order to remove the reported threats.
The exploit code attacks a vulnerability in the way in which Windows handles Windows Meta Files resulting in a buffer overflow condition. McAfee and Internet Storm Center are reporting that exploit code exists on at least 2 known web sites. Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Firefox will ask you if you would like to load the image in "Windows Picture and Fax Viewer". Attackers can exploit the vulnerability remotely or locally and garner system privileges due to the nature of the affected engine."
Vulnerable
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Read the entire article here.
Additional Information About This Vulnerability
According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four. (Note from us - we notice "Norton Anti-Virus" is not listed but the free Avast! that we've recommended for over a year is.)
http://news.com.com/Trojan+delivers...ows+PCs/2100-7349_3-6011406.html?tag=nefd.top
http://www.eweek.com/article2/0,1895,1906211,00.asp
http://www.kb.cert.org/vuls/id/181038
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
NOTE: No anti-spyware program can protect you if you do not keep the spyware definitions updated. We recommend installing and using at least two anti-spyware programs. No one program can completely protect you from all the potential spyware and adware threats.
Always keep your common sense with you when you're on the Internet. Don't be lured into installing free software or signing up for a free service if it seems too good to be true. Read the privacy policy and/or Terms of Service or License Agreement of any free software or free service you're considering. As a rule of thumb, free products and free services which have extremely long, difficult-to-understand agreements filled with legal-speak are most often deceptive in nature. Be careful and stay informed.
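A way to verify whether the Shimgvw.dll workaround from the post above is actually in place on a machine, as an added example that is not part of the original post or of Microsoft's advisory. It is read-only: it walks the COM class registrations and reports any that still point at shimgvw.dll. It assumes PowerShell is available on the Windows XP / Server 2003 host (an assumption; the post's own steps use the Run dialog).

```powershell
# Added example, not from the original post. Checks whether any COM class
# (HKCR\CLSID\{...}\InprocServer32) still names shimgvw.dll. After
# "regsvr32 -u %windir%\system32\shimgvw.dll" those entries are gone, so a
# hit here means the Picture and Fax Viewer workaround has NOT been applied.
# Assumes PowerShell on the affected host; changes nothing in the registry.

$target = 'shimgvw.dll'
$hits = @()

$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
foreach ($clsid in Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue) {
    $inproc = Join-Path $clsid.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { continue }

    # The default value of InprocServer32 is the DLL path COM will load.
    $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ($server -and ($server -match [regex]::Escape($target))) {
        $hits += [pscustomobject]@{ CLSID = $clsid.PSChildName; Server = $server }
    }
}

if ($hits.Count -eq 0) {
    Write-Host "No COM class references $target - the un-register workaround appears to be in place."
} else {
    Write-Host "$target is still registered for $($hits.Count) COM class(es) - workaround NOT applied:"
    $hits | Format-Table -AutoSize
    Write-Host 'Apply it with:  regsvr32 -u %windir%\system32\shimgvw.dll'
    Write-Host 'Undo it with:   regsvr32 %windir%\system32\shimgvw.dll'
}
```

A clean result only confirms that the Picture and Fax Viewer vector is closed; as the advisory text above says, the underlying WMF handling flaw is unchanged until the patch is installed.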