__/ [Malware Magnet] on Saturday 31 December 2005 00:41 \__
> Severity: High
> 29 December, 2005
> Yesterday, we published an alert about a dangerous new exploit circulating
> on the Internet. By enticing one of your users into visiting a Web site
> containing a maliciously crafted Windows MetaFile (.WMF) formatted picture,
> an attacker could remotely exploit this vulnerability to gain complete
> control of your user's computer. So far, the exploit has only been seen
> using maliciously crafted .WMF files. However, a new detail has come to
> light that may help attackers significantly increase the scope of this
> Last night, a researcher named David Byrne warned in a Bugtraq post that if
> an attacker renamed his malicious .WMF file to a different graphics file
> extension (2), the exploit still works. When Windows opens a picture that
> it can tell is in WMF format, it processes the picture using the .WMF
> graphics rendering engine regardless of the picture's file extension. In
> other words, files named with extensions like .JPG, .GIF, .BMP, and many
> others may actually contain a .WMF formatted image, and can trigger this
> To verify Byrne's post, we tested this method. Even after we renamed a
> malicious .WMF file to a .JPG file, the exploit still executed fine in a
> fully patched Windows XP SP2 machine. Furthermore, you don't even have to
> click on the malicious image for it to execute. If you use a thumbnail view
> in Windows, just browsing to the directory containing the malicious image
> file triggers this exploit.
> While blocking files with a .WMF file extension will protect you from the
> current versions of this exploit discovered in the wild, attackers will
> surely learn of this new renaming technique.
> Microsoft has not responded to this exploit yet. It remains unpatched.
> However, Microsoft has posted a Security Advisory on this issue and might
> patch soon.
> ~Watchguard LiveSecurity, Watchguard Technologies, Inc.
...Just wait until this exploit begins to circulate by massive waves of spam.
With this exploit lying about, zombies will be easy to accumulate and then
be used for larger-scale mass mailing. Older versions of Outlook will
automatically render WMF files, regardless of the sender's status. This
means that just being /sent/ an E-mail, not even handling it in any way, can
have your computer hijacked. This is yet worse than Sony's rootkit threat
where you have to put a CD into the tray and push.
As for another interesting tidbit, my main site has been attacked by 1000-2000
zombies every day for the past 2-3 months. Is there place for more? If so,
where is it headed? Will Windows suffer from complete banishment among some
Anthony Scott Clark, 21, of Beaverton admitted to working with several
other people to take control of 20,000 computers. According to the US
Department of Justice, Clark in 2003 exploited a vulnerability in Windows -
big surprise there - to gain access to the computers and knock eBay and
other sites offline via DDoS (distributed denial of service) attacks.
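The alert's practical point is that the rendering path is chosen by the file's content, so a filter keyed on the .WMF extension misses a WMF image named .JPG. The check a gateway or mail filter actually needs is a content sniffer. The following Python is an added example written for this page; it is not code from WatchGuard, the poster, or Microsoft. It recognises both the 22-byte placeable (Aldus) header, whose magic is 0x9AC6CDD7, and the 18-byte META_HEADER that every WMF starts with (Type 1 or 2, HeaderSize 9 words, Version 0x0100 or 0x0300), walks the record list to the EOF record, and compares the verdict against the file name's extension. The sample files it inspects are constructed inline and are benign; the constants are from the public WMF format description.

```python
import struct

# WMF format constants (public format description; not taken from the post).
PLACEABLE_KEY = 0x9AC6CDD7   # magic word of the optional 22-byte placeable header
META_EOF = 0x0000            # last record of every well-formed metafile
META_SETMAPMODE = 0x0103     # harmless record used only to pad the sample


def build_sample_wmf(placeable: bool = False) -> bytes:
    """Construct a tiny, well-formed, benign WMF for the demo (constructed data)."""
    body = struct.pack("<IHH", 4, META_SETMAPMODE, 8)   # one 4-word record
    body += struct.pack("<IH", 3, META_EOF)              # 3-word EOF record
    total_words = 9 + len(body) // 2                      # header is 9 words
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 4, 0)
    wmf = header + body
    if placeable:
        # key, handle, bbox (left, top, right, bottom), inch, reserved
        pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0                       # XOR of the first ten 16-bit words
        for (word,) in struct.iter_unpack("<H", pre):
            checksum ^= word
        wmf = pre + struct.pack("<H", checksum) + wmf
    return wmf


def _walk_records(data: bytes, off: int) -> list:
    """Return the function codes of the records from `off` up to META_EOF."""
    funcs = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:        # a record is at least its own 6-byte header
            break
        funcs.append(func)
        if func == META_EOF:
            break
        off += size_words * 2
    return funcs


def sniff_wmf(data: bytes):
    """Identify WMF content from its bytes alone; the file name is ignored.

    Returns None when the data is not WMF, otherwise a dict of header facts.
    """
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22
    if len(data) < off + 18:
        return None
    mtype, hdr_words, version, size_words, _objs, max_rec, _ = struct.unpack_from(
        "<HHHIHIH", data, off)
    # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize is always 9 words,
    # Version 0x0100 or 0x0300. Anything else is treated as not-WMF here.
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {
        "placeable": placeable,
        "version": version,
        "size_words": size_words,
        "max_record_words": max_rec,
        "records": _walk_records(data, off + 18),
    }


def classify(filename: str, data: bytes) -> str:
    """Verdict combining the extension a naive filter would trust with the
    content-based identification that the renderer actually uses."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if sniff_wmf(data) is None:
        return "not-wmf"
    if ext == "wmf":
        return "wmf"
    return "wmf-disguised-as-" + (ext or "noext")


def demo() -> dict:
    """Run the sniffer over three constructed files: a plain .wmf, a WMF renamed
    to .jpg (the renaming trick from the alert), and a real JPEG header."""
    samples = {
        "chart.wmf": build_sample_wmf(),
        "photo.jpg": build_sample_wmf(placeable=True),   # renamed WMF
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,  # JPEG SOI/APP0 start
    }
    return {name: classify(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

An extension blocklist would pass "photo.jpg" straight through; the sniffer reports it as WMF because the decision is made on the header, the same way the Windows picture path makes it. Note that the record walk only checks structure (sizes and the EOF terminator); it does not try to decide whether a metafile is malicious, since the post does not say which record the in-the-wild exploit abuses.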