~ U P D A T E :     P A T C H   N O W.  Official patch links inside for Windows MetaFile Exploit ~~~~~~


Zim Hosein

Super Moderator | Elite Member
More info:

A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains "green" or "yellow" while you're connected to the Internet, Windows OneCare is protecting you. If your status is "red" (at risk), please either take the requested action or go to the Help Center.

To find out more about this vulnerability, please see http://www.windowsonecare.com/secinfo/wmf1228.aspx .

January 3, 2006 Advisory: How to know if you are protected from the WMF vulnerability. :)
 

Anubis

No Lifer
Originally posted by: Medea
Originally posted by: harobikes333
Oooo Thank for the link!

Anyone else use that patch that ISAslot linked?

I'm just going to check before I install something that could mess up my computer


I installed the HotFix ver. 1.3. The updated version is 1.4, but there's no need to install a later version. Ver. 1.4 just added a component for network administrators.

The installation went smoothly (have XP Home) - plus, grc.com is a reputable site so, if I were you, I wouldn't worry about it.

Yeah, I installed this one earlier and posted the link in the other thread.
 

DaFinn

Diamond Member
Microsoft already "accidentally" released the fix :D

---
"I heard that Microsoft's security update for the WMF issue has been posted on the Internet. What's Microsoft's response to these postings?"
In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site. There has been some discussion and pointers on subsequent sites to the pre-release security update. Microsoft recommends that customers disregard the postings.

---
This from Q&A from here.
 

Zap

Elite Member
I've also been to a legit site (or so I thought) that brought up the picture/fax viewer. Just did an ALT-F4 as soon as I saw the window open. AFAIK I'm not infected with anything (checked with HijackThis). Are there any telltale signs?
 

SagaLore

Elite Member
Originally posted by: DaFinn
Microsoft already "accidentally" released the fix :D

---
"I heard that Microsoft's security update for the WMF issue has been posted on the Internet. What's Microsoft's response to these postings?"
In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site. There has been some discussion and pointers on subsequent sites to the pre-release security update. Microsoft recommends that customers disregard the postings.

---
This from Q&A from here.

Watch its going to turn out to either be A. a trojan or B. someone renamed the hexblog hotfix. ;)
 

xtknight

Elite Member
With the unofficial patch, here's what happens on XP SP2 / Admin / no SRP (the exploit is prevented): http://xtknight.atothosting.com/wmfexploit2.wmv

Mirror to WMF fix: http://xtknight.atothosting.com/wmffix_hexblog14.exe
Mirror to WMF vulnerability tester: http://xtknight.atothosting.com/wmf_checker_hexblog.exe

Ilfak's patch simply adds itself to the list of 'to-be-loaded' DLLs. Once his DLL is loaded it injects itself into gdi32.dll and from there prevents the exploit from occurring. Thus it is very easy to uninstall and is less intrusive. It does not dynamically search for a signature within the WMF file. It merely prevents the mechanism by which the exploit is occurring, so this 'padding' and 'gzip encoding' won't help the WMF exploit get through Ilfak's DLL.

If you open a directory in a Windows shell-compliant browser filled with a WMF-exploit file renamed as something shimgvw.dll picks up, the exploit will immediately execute.
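An added example, not Ilfak's hotfix or the hexblog checker, to show the difference between a byte signature and the structural check the post describes. The thread does not name the mechanism; it is the SETABORTPROC sub-function of a META_ESCAPE record, which is what the gdi32 hook intercepts. The scanner below walks the WMF record chain the way the metafile player does, so padding records in front of the escape or wrapping the file in gzip does not hide it, and because it works on bytes rather than file names it also covers the renamed-file case from the previous paragraph. Record layouts and constants are from the public WMF format; the sample metafiles are constructed for the test and carry no payload.

```python
"""Structural WMF scanner: flags META_ESCAPE records whose escape function is
SETABORTPROC by walking records, not by matching a byte signature.
Added example; not Ilfak's hotfix or the hexblog checker. The test files
built at the bottom are constructed here and contain no shellcode."""
import gzip
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103    # harmless record, used as padding in the samples
META_ESCAPE = 0x0626        # record that the player routes to gdi32!Escape()
SETABORTPROC = 0x0009       # the Escape sub-function abused by the WMF bug


def _standard_header_end(buf, off):
    """Validate the 18-byte METAHEADER at off; return offset of first record."""
    if off + 18 > len(buf):
        return None
    mtype, header_words, _version = struct.unpack_from('<HHH', buf, off)
    if mtype not in (1, 2) or header_words != 9:  # memory/disk file, 9-word header
        return None
    return off + 18


def scan_wmf(buf):
    """Walk records; return [(offset, reason), ...]. Empty list means clean.
    Operates on bytes, so the file extension is irrelevant: shimgvw.dll sniffs
    content too, which is why a renamed exploit file still triggers."""
    findings = []
    off = 22 if len(buf) >= 4 and struct.unpack_from('<I', buf)[0] == PLACEABLE_KEY else 0
    off = _standard_header_end(buf, off)
    if off is None:
        return findings  # not a WMF at all
    while off + 6 <= len(buf):
        size_words, func = struct.unpack_from('<IH', buf, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(buf):
            esc = struct.unpack_from('<H', buf, off + 6)[0]
            if esc == SETABORTPROC:
                findings.append((off, 'META_ESCAPE SETABORTPROC'))
        if size_words < 3:  # cannot even hold its own 6-byte record header
            findings.append((off, 'malformed record size'))
            break
        off += size_words * 2  # record sizes are in 16-bit words
    return findings


def scan_bytes(buf):
    """Unwrap a gzip layer (the 'gzip encoding' trick) and then scan."""
    if buf[:2] == b'\x1f\x8b':
        try:
            buf = gzip.decompress(buf)
        except (OSError, EOFError):
            return [(0, 'undecodable gzip wrapper')]
    return scan_wmf(buf)


def scan_path(path):
    with open(path, 'rb') as fh:
        return scan_bytes(fh.read())


# --- constructed test vectors: record structure only, no payload ---
def _record(func, params=b''):
    if len(params) % 2:
        params += b'\x00'
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records):
    body = b''.join(records) + _record(META_EOF)
    max_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


PAD = _record(META_SETMAPMODE, struct.pack('<H', 8))                # MM_ANISOTROPIC
ABORT = _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 0))   # escape fn, byte count
CLEAN_WMF = build_wmf([PAD])
SUSPECT_WMF = build_wmf([ABORT])
PADDED_WMF = build_wmf([PAD] * 50 + [ABORT])      # padding does not hide it
GZIPPED_WMF = gzip.compress(SUSPECT_WMF)          # nor does a gzip wrapper
# escape record with a bogus 1-word size field: still flagged, then the walk stops
BOGUS_SIZE_WMF = build_wmf([struct.pack('<IH', 1, META_ESCAPE) + struct.pack('<HH', SETABORTPROC, 0)])

if __name__ == '__main__':
    for name, data in [('clean', CLEAN_WMF), ('suspect', SUSPECT_WMF),
                       ('padded', PADDED_WMF), ('gzipped', GZIPPED_WMF),
                       ('bogus-size', BOGUS_SIZE_WMF)]:
        print(name, scan_bytes(data))
```

A scanner like this is a triage tool for files already sitting in a cache or download directory, not a substitute for the hotfix: it tells you whether a file carries the dangerous record, while the hotfix stops the record from doing anything even in files you never scan.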
 

Medea

Golden Member
Because of the heavy traffic to hexblog.com, Ilfak has set up a page which is "reduced to the bare minimum." It contains links to mirrors for the downloads. He also has the MD5 checksums of the different files.

Download WMF vulnerability hotfix
 

Medea

Golden Member
Originally posted by: Zap
I've also been to a legit site (or so I thought) that brought up the picture/fax viewer. Just did an ALT-F4 as soon as I saw the window open. AFAIK I'm not infected with anything (checked with HijackThis). Are there any telltale signs?

HJT is not able to verify if you have the infection. Download the "wmf_checker_hexblog.exe" file. Double-click it and you will get a prompt that your system "seems to be invulnerable" to the exploit - or that it is vulnerable.
 

Medea

Golden Member
One more word of caution:

Do not forget to reboot your computer after you've installed the checker. If you do not reboot it, the checker will tell you that the system is invulnerable while some system processes will still be vulnerable.
 

Ausm

Lifer
# Think outside the box and hug a penguin? Hey, you could get a Knoppix distro and burn a bootable Linux CD or DVD. I hear penguins are really cold and slippery, though... *flees*

Wise words!


Ausm

 

mechBgon

Super Moderator | Elite Member
That's an older one. Scroll down Symantec's page, and you can see that Symantec has links to the patches for that one.

 

InlineFive

Diamond Member
McAfee states that their 4666 definitions are able to detect and remove this vulnerability. What do you people think about this? Doable solution or still shaky?
 

Zap

Elite Member
Originally posted by: Medea
HJT is not able to verify if you have the infection. Download the "wmf_checker_hexblog.exe" file. Double-click it and you will get a prompt that your system "seems to be invulnerable" to the exploit - or that it is vulnerable.

I'm referring to whether I'm already infected, not if I am vulnerable or not. TIA.
 

glugglug

Diamond Member
Didn't see this on your list of preventative measures:

The thumbnail view in Windows explorer or the preview pane that shows up for some filetypes will most likely execute the exploit if you have it enabled and go to a directory where an infected file is saved.

If you suspect you may have it in your web cache (even in firefox) or suspect a downloaded or archive-extracted file of being infected, delete the ENTIRE cache thru the browser or delete the file from the command line. DO NOT select it in windows explorer, even for deletion.
 

glugglug

Diamond Member
Prediction: before January 10 we will see a WMF exploit worm that spreads through AIM or Yahoo IM trying each contact on your buddy list followed by random generated screen names, creating load on many routers with effects similar to SQL slammer.
 

mechBgon

Super Moderator | Elite Member
Originally posted by: harobikes333
>_< Ick

So does anyone know how to find out if they have been infected....!? I've installed
this patch: http://www.grc.com/sn/notes-020.htm

But what can I do to make my computer fine again if it did get messed up?

Scan with antivirus software. The exploit is the delivery vehicle, but what was the payload, that's the question. Scan with some online scanners if you need some second and third opinions.

Originally posted by: glugglug
DO NOT select it in windows explorer, even for deletion.

And even if it's not selected, it will still run the exploit, so that's good advice about deleting the whole cache from outside. See my DEP video for a demo.

 

stash

Diamond Member
Originally posted by: glugglug
Prediction: before January 10 we will see a WMF exploit worm that spreads through AIM or Yahoo IM trying each contact on your buddy list followed by random generated screen names, creating load on many routers with effects similar to SQL slammer.

There are already numerous IM worms that do this, and there hasn't been any sort of widespread DoS. As long as the worm requires user action, a widespread DoS is unlikely.