NEW exploit for the WMF vulnerability



Just when you thought we had a good understanding of the recent zero-day WMF (Windows metafile exploit) it’s worse. Sans is reporting on a new variation on the exploit released today. They have gone to yellow (again) to warn people. Here are some details. This exploit was “made by the folks at metasploit and xfocus, together with a anonymous source.”


From SANS

The exploit generates files:

with a random size;
no .wmf extension, (.jpg), but could be any other image extension actually;
a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
a number of possible calls to run the exploit are listed in the source;
a random trailer

What makes it worse is that current IDS rules will likely not stop this new variation. Nor will current antivirus signatures. Also….

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files.

They suggested re-evaluating any defences against the bug and also mention the unofficial patch at http://www.hexblog.com/2005/12/wmf_vuln.html that I mentioned earlier today.

So in other words batten down the hatches it’s going to be a rocky start to the year in Computer security. Good luck.

–update 7PM EST–
The Security Fix has some coverage as well.

   Send article as PDF   

Similar Posts