December 29th, 2005

Update on WMF exploit

Posted by Suzi Turner @ 9:22 pm

Categories: Security and prevention, Spyware/adware warnings

Some new approaches have emerged for reducing the risk of being affected by this exploit. One approach involves using Data Execution Prevention (DEP).  Explanation of DEP from Microsoft:

Data execution prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits.  In Windows XP SP2, DEP is enforced by both hardware and software.

SunbeltBLOG probably has the most up-to-date information. Another attack vector was discovered today as well. This time it’s from rotational ads, meaning a user can be infected by going to any site displaying the rotational ads from Exfol/WebExt. McAfee has a good description of Exfol’s adware. Info here on WebExt. Sunbelt has a video of the exploit as well.

Oh, and let’s not forget the most important method of prevention.  Go out and buy a Mac, or ditch Windows and start running Linux. TODAY!!!  Never mind that you won’t be able to run most of your current applications, or that it will cost you a considerable amount of money and time to make the switch, and the fact there’s a steep learning curve for learning Linux.  According to a lot of folks posting in the talkbacks here, it’s a piece of cake and the *only* real solution to the spyware problem.

Update: Lotus Notes has been found to be vulnerable to this exploit.  Posted at SANS.

John Herron at NIST.org discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Folks, unregistering the SHIMGVW.DLL is not a foolproof solution.

I forgot to mention this.  I also heard today that SpyAxe is being installed through this exploit.  SpyAxe got number one in the top ten rogue anti-spyware list for 2005. More on SpyAxe here.
