Latest Threats
Zero-day vulnerability in Windows: Hundreds of millions of PCs still at risk!
Inter Engineering warns about the zero-day vulnerability in Windows' ".wmf" files, which was first reported on December 27 and is still unpatched by Microsoft. Although Microsoft has announced that development of the security update is complete, the update is still being tested and will not be released until 10th January 2006. At that time, Trojan downloaders were already seen actively exploiting the vulnerability, even on fully patched Windows XP SP2 machines.
This vulnerability is apparently caused by error-handling issues for corrupted Windows Metafile files (".wmf"), an image format used by popular applications. It could potentially be exploited to execute arbitrary code, which could be achieved by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in Explorer (i.e. by selecting the file). Users can also be infected simply by visiting a web site with an image file containing the WMF exploit.
Microsoft confirms that the vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003, which means that there are hundreds of millions of vulnerable computers at the moment.
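Because the exploit files arrive as ordinary-looking images on web pages and the bug lies in the handling of corrupted metafiles, a defender triaging downloads wants to recognise WMF content by its header rather than its file name and to flag structurally broken files for closer inspection. The following Python is an added example, not F-Secure's or Microsoft's code: the header and record layout (placeable key 0x9AC6CDD7, 18-byte standard header, records sized in 16-bit words, terminating META_EOF) follow the public WMF format, and all sample files are constructed inline.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" WMF header
META_EOF = 0x0000           # record function that must terminate every metafile

def inspect_wmf(data: bytes) -> dict:
    """Recognise WMF content by header, not file name, and sanity-check its records.

    Returns {'is_wmf': bool, 'records': int, 'issues': [str, ...]}.
    """
    issues, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return {"is_wmf": False, "records": 0, "issues": ["too short for a WMF header"]}
    ftype, hsize, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; header is 9 words; version 1.0 or 3.0
    if ftype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return {"is_wmf": False, "records": 0, "issues": ["no WMF header"]}
    off += 18
    records, saw_eof = 0, False
    while off + 6 <= len(data):
        rsize, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        rbytes = rsize * 2
        if rsize < 3:                              # size + function alone occupy 3 words
            issues.append(f"record {records} at {off}: size {rsize} words is below the minimum")
            break
        if off + rbytes > len(data):
            issues.append(f"record {records} at {off}: declared {rbytes} bytes run past end of file")
            break
        records, off = records + 1, off + rbytes
        if func == META_EOF:
            saw_eof = True
            break
    if not saw_eof:
        issues.append("no META_EOF record")
    elif off != len(data):
        issues.append(f"{len(data) - off} trailing bytes after META_EOF")
    return {"is_wmf": True, "records": records, "issues": issues}

# Constructed sample files (not real malware): a well-formed two-record WMF, a placeable
# variant of it, a broken one whose first record claims a huge size, and a GIF.
_HDR = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 16, 0, 0, 4, 0)   # 18-byte META_HEADER
GOOD_WMF = _HDR + struct.pack("<IHH", 4, 0x0103, 1) + struct.pack("<IH", 3, META_EOF)
PLACEABLE_WMF = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + GOOD_WMF
BAD_WMF = _HDR + struct.pack("<IH", 0x7FFFFFFF, 0x0103)
NOT_WMF = b"GIF89a" + bytes(26)

if __name__ == "__main__":
    for name, blob in [("good", GOOD_WMF), ("placeable", PLACEABLE_WMF), ("bad", BAD_WMF), ("gif", NOT_WMF)]:
        print(name, inspect_wmf(blob))
```

A file that parses as WMF despite a non-.wmf name, or that reports issues, is a candidate for quarantine and a scan with current signatures; a clean parse is not proof of safety.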
F-Secure Anti-Virus detects the offending ".wmf" files with generic detection, either as PFV-Exploit or Exploit.Win32.IMG-WMF.
Speaking about the case, Chief Research Officer at F-Secure, Mikko
Hypponen said: "So far, we've only seen this exploit being used to
install spyware or fake antispyware and antivirus software on the
affected machines. I'm afraid we'll see real viruses using this soon.
We've seen 70 different versions of malicious WMF files so far."
For your protection, F-Secure recommends:
1) Make sure your antivirus is up-to-date and enabled. F-Secure Anti-Virus currently detects all known exploit versions, but new ones keep popping up. For more details or updates on the WMF vulnerability, please check the F-Secure Viruslab blog: http://www.f-secure.com/weblog/
2) Apply the Microsoft-recommended REGSVR32 /u shimgvw.dll work-around. It doesn't solve all problems, but it does disable the most obvious ways of exploiting this. http://www.microsoft.com/technet/security/advisory/912840.mspx
3) Install the unofficial patch from Ilfak Guilfanov, one of the best low-level Windows experts in the world. F-Secure has tested and audited it, runs it on all of its own Windows machines, and can recommend it. http://www.hexblog.com (works on Windows 2000, XP (SP1 and SP2), XP64, Windows 2003)
On 10th January 2006, Microsoft announced the following 3 patches, which solve the problem:
MS06-001 : http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
MS06-002 : http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx - vulnerability in Embedded Web Fonts
MS06-003 : http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx - Vulnerability in TNEF Decoding