Topic: New WMF exploit/virus *updated*
Lowgoz
Posts: 1363
Location: Brisbane, Queensland
There is a new exploit out that uses WMF (windows metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it, or access an infected image that is on your computer. That means the forums can be a vector for infection too.

The vulnerability can be triggered remotely and gives the attacker full system privileges, according to technical descriptions of the issue. In the last 24 hours, three different Windows Meta Files (WMFs) have been detected trying to use the vulnerability to spread, according to antivirus firm F-Secure.

Google Desktop users have to be particularly careful as the search giant's software indexes any downloaded image file, an action that will cause the exploit to immediately execute, according to security researchers.

Protection

Not foolproof, but your best bets until a patch is released are:

- Use a non-IE browser. (1.0.6+ of Firefox will at least prompt to save/open if you download an infected file from the web; IE automatically loads up Picture & Fax Viewer, executing the exploit).

- Don't save and open untrusted image files.

- Use up-to-date antivirus that detects the exploit (NOD32 - http://www.eset.com)

- Disable explorer thumbnail/autoparsing of images (explained here)

- Any other app that indexes your hd can trigger the exploit when it touches an infected file (Google Desktop indexing your temp internet files for example).

- obligatory "don't use windows"

- Processors that support DEP / noexecute in hardware seem to stop this cold. (confirmed on AMD64 and Pentium D with DEP turned on for all programs and services) - there are ways around DEP, but it should stop almost all variants.

It seems that R1CH has hacked a quick patch. Use at your own risk, YMMV, etc.
Explanation - Overview - Technical

R1CH posted:

Only replace a version '5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)' gdi32.dll.

1. Download http://r-1.ch/gdi32.zip
2. Extract to windows/system32/dllcache. Yes to overwrite.
3. Rename windows/system32/gdi32.dll to gdi32.old
4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/
5. Reboot.

You also need to disable Windows File Protection (hex editing required, not for the weakhearted) because WFP/Windows Update will try to roll back to the vulnerable November 2005 version (KB896424)
Xy
Posts: 770
Location: Mackay, Queensland
Great :/
Thanks for the heads up Low :).
trog
AGN Admin
Posts: 17792
Location: Brisbane, Queensland
so if I block .wmf on my proxy I should be sort of ok, yeh ?
parabol
Posts: 1989
Location: Brisbane, Queensland
click Start -> Run and type regsvr32 /u shimgvw.dll then press OK

That pretty much sums up the solution.

I've already come across a site attempting this exploit :/
Skitza
Posts: 6984
Location: Brisbane, Queensland
^^ That won't fix it unfortunately.. there is more to it.
whoop
Posts: 9655
Location: Brisbane, Queensland
not if they rename it to .gif or something trog.
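Two points in this thread argue for inspecting image content rather than trusting the file name: Lowgoz's note that any indexer or viewer touching a WMF can fire the exploit, and whoop's reply that a proxy block on .wmf is defeated by renaming the file to .gif. The script below is an added example, not code from the thread or from any of the posters. It identifies WMF data from the header bytes alone (the placeable prefix and the 9-word METAHEADER from the published Windows Metafile format), walks the record stream, and flags META_ESCAPE records that request the SETABORTPROC escape, which is the escape that public analyses of this bug tied to the code-execution path. The sample byte strings are constructed here for the demonstration; a truncated record stream is reported as malformed rather than silently passed.

```python
"""Content-based WMF inspection (added example; not from the thread).

Identifies WMF data by its header regardless of file extension and flags
META_ESCAPE records carrying the SETABORTPROC escape.  Header and record
layouts follow the published WMF format; sample files are constructed below.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # 'placeable' (APM) WMF prefix, 22 bytes long
PLACEABLE_LEN = 22
STD_HEADER_LEN = 18            # METAHEADER: 9 x 16-bit words
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103       # harmless record used in the clean sample
SETABORTPROC = 0x0009          # escape sub-function associated with this bug


def _header_offset(data):
    """Offset of the standard METAHEADER, skipping a placeable prefix if present."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return PLACEABLE_LEN
    return 0


def is_wmf(data):
    """Decide from header bytes alone whether data is a WMF image (name is ignored)."""
    off = _header_offset(data)
    if len(data) < off + STD_HEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, off)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def iter_records(data):
    """Yield (function, params) per record; raise ValueError on a malformed stream."""
    off = _header_offset(data) + STD_HEADER_LEN
    while True:
        if off + 6 > len(data):
            raise ValueError("record stream ends without META_EOF")
        rd_size_words, rd_function = struct.unpack_from("<IH", data, off)
        rec_len = rd_size_words * 2          # rdSize counts 16-bit words, itself included
        if rd_size_words < 3 or off + rec_len > len(data):
            raise ValueError("record size outside file bounds")
        yield rd_function, data[off + 6 : off + rec_len]
        if rd_function == META_EOF:
            return
        off += rec_len


def has_setabortproc(data):
    """True if any META_ESCAPE record requests the SETABORTPROC escape."""
    for function, params in iter_records(data):
        if function == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def classify(data):
    """Verdict for a blob: not-wmf, wmf, wmf-setabortproc or wmf-malformed."""
    if not is_wmf(data):
        return "not-wmf"
    try:
        return "wmf-setabortproc" if has_setabortproc(data) else "wmf"
    except ValueError:
        return "wmf-malformed"


# --- constructed sample files (not real malware; built here for the demo) ---
def _record(function, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def _wmf(records, placeable=False):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) if placeable else b""
    return prefix + header + body


EOF_RECORD = _record(META_EOF)
SAMPLE_GIF = b"GIF89a" + bytes(24)
SAMPLE_CLEAN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), EOF_RECORD])
SAMPLE_RENAMED_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), EOF_RECORD])
SAMPLE_PLACEABLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), EOF_RECORD], placeable=True)
SAMPLE_TRUNCATED = SAMPLE_RENAMED_WMF[:-8]   # escape record cut short

if __name__ == "__main__":
    for name, blob in [("photo.gif", SAMPLE_GIF), ("logo.wmf", SAMPLE_CLEAN_WMF),
                       ("cat.gif", SAMPLE_RENAMED_WMF), ("banner.wmf", SAMPLE_PLACEABLE),
                       ("partial.wmf", SAMPLE_TRUNCATED)]:
        print(f"{name:12} -> {classify(blob)}")
```

The verdict never looks at the file name, so "cat.gif" carrying WMF records is still caught, which is the gap an extension-based proxy rule leaves open. The escape check is a narrow signature for this one bug; the header sniff is the part worth keeping for any future image-parser flaw.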
Skitza
Posts: 6985
Location: Brisbane, Queensland
Basically we are left vulnerable until M$ bring out a patch.... HURRY UP!!
whoop
Posts: 9657
Location: Brisbane, Queensland
anyone else have problems with nod? after I installed it my internet wouldn't work s*** wouldn't load. qgl loaded a blue page and just sat there waiting for the ad server, I couldn't load up the web page that's on my own machine ffs.
pARODY
Posts: 93
Location: Brisbane, Queensland
http://isc.sans.org has all the info you'll need to survive the possible storm this bug will bring.
HERMITech
Posts: 3419
Location: Brisbane, Queensland
Yeah, ran into it last night after deliberately searching for it (hitting random sites). Took about 45 secs to find. Symantec detected it at the same time and 1.5 Firefox did at least give me the option as to whether I wished to download it (which duh of course I didn't + I'd already applied the hexblog patch, deregistered shimgvw.dll and disabled ACDSEE from recognising .WMF).

last edited by HERMITech at 10:23:21 05/Jan/06
Irhabi
I like eel pie
Posts: 2363
Location: Brisbane, Queensland
hmmm McAfee still don't have any mention of it on their site.

Edit: actually they do but they have it listed as low risk.
-- January 3, 2006 --
Exploit-WMF detection was enhanced in today's DAT release, version 4666, to proactively protect against exploits that may use slightly different WMF properties. As always, McAfee AVERT urges customers to update to the latest DAT files.

To date, McAfee is aware of over 120,000 McAfee VirusScan Online customers who have reported detecting Exploit-WMF files attempting to execute on their systems.

A kit program was recently discovered, which is believed to be responsible for the first wave of Exploit-WMF files. It's known as the WMFMaker trojan.

that's from the McAfee site

last edited by Irhabi at 11:34:45 05/Jan/06
HERMITech
Posts: 3420
Location: Brisbane, Queensland
Irhabi, now that I think about it, the delivery method I ran into may have been detected via a different trigger method (ie, using a known trojan to try and load etc) as it was detected as a trojan. I'd have to check my logs again to tell you just which one