StarDestroyer.Net BBS

Updated: Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems

Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) files is in the wild and is now being exploited on fully patched systems by malicious attackers.

Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.
According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.

"This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image."

According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.

F-Secure traced the exploit to Russian sites, one of which is allegedly registered to former Soviet Union President Mikhail Gorbachev. Sunbelt warns that users are likely to get infected by being directed to one of the sites via spam that offer dirty pictures, free software or other bait.

The attack works by tricking users into opening malicious ".wmf" files in "Windows Picture and Fax Viewer" or by previewing such a file by selecting it in Windows Explorer. The attack can also be triggered automatically when visiting malicious Web sites via Internet Explorer.

Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug's severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.

"There's no such thing as 'extremely critical' when user interaction is required," Lindstrom said. "That's just silly."

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

But as far as using IE goes, download of malicious software is automatic, happening immediately upon going to the site, pointed out Alex Eckelberry, president of Sunbelt Software.

"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."

John Pescatore, an analyst with Gartner Inc., said that this type of attack may be slowed down by requiring users to click on a malicious .wmf file or to go to a malicious Web site, but that doesn't mean it won't spread fast, given users' willingness to click on bait.

"One of these [attacks] where clicking on a URL [is involved], those can spread pretty fast," he said, given users' proclivity to click away.

"We do online consumer studies. Two years ago, 30 percent had fallen for phishing [schemes]. They entered their user name, password or credit card information. This year, many fewer completely fell for them, but they still clicked on the link in the phishing e-mail."

Given the rise of keystroke loggers that can automatically be downloaded onto a user's system after the user visits a malicious site, that means the Web-surfing population is still ripe for phishing, Pescatore said.

"They're still clicking on links, and whenever malicious software gets installed, that's when you get a critical rating, because all sorts of bad things can happen."

According to Secunia, the vulnerability is caused by an error in handling corrupted .wmf files—a graphics file format used to exchange graphics information between Microsoft Windows applications that can hold vector and bit-mapped images.

Secunia confirmed the vulnerability on a fully patched system running Windows XP SP2. The advisory said that Windows Server 2003 SP0 and SP1 systems have also reportedly been affected.

Einhander Sn0m4n wrote:Already posted, just barely.