December 28th, 2005

New zero day exploit seen in the wild

Posted by Suzi Turner @ 9:45 pm

Categories: Spyware/adware warnings

I’ve been watching this story off and on all day. Here’s a summary with pertinent links.

I first saw this posted at SunbeltBLOG – researchers there documented a new exploit that affects fully patched Windows XP SP2 machines. Simply landing on an infected web page can set off the exploit with no user interaction. Firefox and Opera do not prevent this exploit, but they should at least prompt the user first. SecurityFocus calls it: Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.

Sunbelt researchers have collected more than 50 variants of the Windows Metafiles (WMF) and documented a number of domains running this exploit. Email, blog talkbacks and guestbook links could all be used to spread this infection. In fact, I know someone who got infected by clicking on a user’s homepage link at a forum. F-Secure detects at least 3 different variants, named W32/PFV-Exploit.A, .B and .C. F-Secure also says that Google Desktop’s indexing of image-file metadata can cause the infected file to execute, and gives this warning:

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

More here from F-Secure. SANS says that the rogue anti-spyware app Winhound may be installed and will try to dupe users into buying it. I also had a report of Winfixer being installed, and F-Secure mentions AVGold. Microsoft issued a security advisory. Lots more from SANS here, with a link to a video done by Websense Security Labs showing the exploit and the Winhound installation.
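Since the file is triggered by whatever parses it (Explorer’s folder view, Google Desktop’s indexer, a browser), a defender’s first question is usually “which files on this box are actually Windows Metafiles, regardless of what the extension says?” The following is an added example, not code from this post or from Sunbelt or F-Secure: it recognises WMF files by their placeable and standard headers, verifies the placeable checksum, walks the record list to see whether the file ends cleanly, and lists matching files under a directory from a script instead of by browsing the folder. The sample bytes are constructed and benign; the header and record layout follow the WMF format.

```python
import struct
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7  # placeable ("Aldus") header magic, little-endian on disk

def _xor_words(raw: bytes) -> int:
    # Placeable-header checksum is the XOR of the ten WORDs that precede it.
    result = 0
    for (word,) in struct.iter_unpack("<H", raw):
        result ^= word
    return result

def make_sample_wmf() -> bytes:
    # Constructed benign sample: placeable header + standard header + one EOF record.
    placeable = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    placeable += struct.pack("<H", _xor_words(placeable))
    standard = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0)  # disk, 9 words, v3.0
    return placeable + standard + struct.pack("<IH", 3, 0)  # EOF record: 3 words, func 0

def parse_wmf(data: bytes) -> dict:
    info = {"is_wmf": False, "placeable": False, "checksum_ok": None,
            "records": 0, "truncated": False}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        info["placeable"] = True
        info["checksum_ok"] = _xor_words(data[:20]) == struct.unpack_from("<H", data, 20)[0]
        off = 22
    if len(data) < off + 18:
        return info
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Standard header: Type 1 (memory) or 2 (disk), 9 words long, version 0x0100 or 0x0300.
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return info
    info["is_wmf"] = True
    pos = off + 18
    # Each record: DWORD size in 16-bit words, then WORD function number; 0 marks EOF.
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:  # impossible record size; stop rather than loop forever
            break
        info["records"] += 1
        if func == 0:
            return info
        pos += size_words * 2
    info["truncated"] = True  # data ended (or a bad size appeared) before an EOF record
    return info

def find_wmf_files(root: str) -> list:
    # Every file under root whose content parses as WMF, whatever its extension says.
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and parse_wmf(p.read_bytes())["is_wmf"]]
```

The parser only identifies the format and basic structure; files it flags still need to be handled in an isolated environment as the post advises.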

Workarounds have been posted at SunbeltBLOG.

One of my forum members actually got hit with this exploit before we knew what it was. I have one of the infected WMF files, and just viewing it caused Explorer to crash. Fortunately for me it did not execute. WARNING about the various domains named in the write-ups: just opening the web page will set off the exploit. Do not go to them unless you are in a virtual machine or have an expendable computer. Although you Mac and Linux fans might try it and let me know what happens. :-)

If I hadn’t already published the top 10 rogue anti-spyware apps, I think Winhound might have come in number one on the basis of this exploit. This exploit certainly qualifies for a place on the top spyware tricks as well.

Check this out!
"Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution."

In the FAQ:

"I have software DEP enabled on my system, does this h...
Posted by: jacec | 12/30/05