Windows flaw



peat moss
12-29-2005, 07:43 AM
Secunia, Kaspersky and others have alerts up today about a new vulnerability in the way Windows handles Metafile files (*.wmf). It's a bad one: it has the highest possible risk rating, there aren't patches yet, and there are known exploits in the wild that take advantage of the hole.

According to Kaspersky, it hits IE and "may function in Firefox if certain conditions are met." The AV company's post lists two Web sites that attempt to install a Trojan using the hole.

Both notices strongly caution against opening any untrusted *.wmf files and recommend setting your IE security setting to "High." And of course keep your AV programs updated.

Source: http://blogs.pcworld.com/staffblog/archives/001149.html

4play
12-29-2005, 12:55 PM
there is a bug in Firefox 1.5 that opens these wmf files in Windows Media Player; otherwise, anything that will send a wmf file to the picture viewer will need to be treated with caution.

exploit code (http://www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php) looks like a simple buffer overflow.

tarzan
12-29-2005, 05:01 PM
You can try unhooking the part of Windows that views those image files. To do this, click Start -> Run and type regsvr32 /u shimgvw.dll, then press OK. You will get a confirmation message. To undo this, repeat but type regsvr32 shimgvw.dll instead. Note: this only has a minimal benefit - it only disables the image viewer itself. It doesn't prevent viewing the exploit image in Internet Explorer, for example. Messing around with this is at your own risk.

twisterX
12-29-2005, 05:09 PM
good for me i have no antivirus. :D

3RA1N1AC
01-01-2006, 04:43 AM
good for me i have no antivirus. :D
the link that tarzan posted is not a real fix to the problem.

here is a fix from the somethingawful.com forum. it seems to work just fine, and should be good enough until Microsoft gets an official patch released next week (or whenever):

USE AT YOUR OWN RISK. IF YOU MAKE A MISTAKE, WINDOWS COULD BE RENDERED INOPERABLE!

Installation instructions v3. Again, this is ONLY for Windows XP SP2 fully patched systems, with gdi32.dll file version "5.1.2600.2770 (xpsp_sp2_gdr.051005-1513)" and SHA-1 hash fa02573ce6239d1c375db93058810fb968390485.

0. Search your Windows directory for "gdi32.dll". Delete any that aren't in system32. Be sure to set advanced options / search hidden files.
1. Download http://r-1.ch/gdi32.zip
2. Extract to windows/system32/dllcache. Yes to overwrite if prompted.
3. Rename windows/system32/gdi32.dll to gdi32.old
4. Copy windows/system32/dllcache/gdi32.dll to windows/system32/
5. Cancel any Windows File Protection prompts. Note that if you don't get a Windows File Protection dialog, the patch did NOT work and you'll find Windows has reverted the file in system32 to an earlier version.
6. Reboot.

NOTE: If automatic updates or Windows Update finds the November patch (KB896424) for gdi32.dll, then my patch did NOT work as the patch you are seeing is because Windows reverted to a much older gdi32.dll.

these instructions must be followed very carefully and you must delete every single copy of gdi32.dll on your system EXCEPT for the one in \windows\system32 first, before trying to install the one from the zip file. after rebooting, you should still have gdi32.dll labelled version 5.1.2600.2770 (the same as Microsoft's current official version), but this is a version that R1CH has hacked to eliminate the vulnerability.

you can check the version number by right-clicking gdi32.dll and clicking properties, then clicking version. if you have a gdi32.dll version earlier than 5.1.2600.2770, then you've applied the fix wrong, Windows has installed an outdated backup from its System Restore folder (which Windows Update will try to replace with version 5.1.2600.2770 as soon as you connect to Windows Update), and you have not corrected the problem yet. run another hard drive search and delete EVERY copy of gdi32.dll, except the one mentioned above, then try again until Windows tries to stop you with the "Protected File" warning.

here is a test file: http://r-1.ch/test.wmf
it is not a virus. it's a test to see whether the vulnerability still exists on your system. if it does nothing or it crashes the browser, then you are not vulnerable. if it reboots Windows, then you are vulnerable, because it proves that a picture file is able to start a program in your system. you can cancel the reboot by: Start -> Run -> type shutdown -a

if you apply the patch correctly, Windows will think that it has the official gdi32.dll version 5.1.2600.2770 from Microsoft even though you really have a hacked version, and the test.wmf should not be able to reboot Windows.

also: DO NOT reboot without a copy of gdi32.dll in \windows\system32
you could seriously mess up your computer if you don't know what you're doing, here.
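A read-only pre-check for the procedure above, added here and not part of R1CH's instructions or the post: it walks the Windows directory, hashes every gdi32.dll it finds (step 0 wants every copy outside system32 gone before the swap), and reports whether each copy matches the SHA-1 the post gives for the official 5.1.2600.2770 build. The Windows directory path (default C:\Windows) and the sample paths are assumptions; nothing is modified.

```python
import hashlib
import os

# SHA-1 the post gives for the official XP SP2 gdi32.dll 5.1.2600.2770. Before the
# swap the system32 copy should match it; afterwards it should not (the hacked
# build keeps the version string but has different bytes).
OFFICIAL_SHA1 = "fa02573ce6239d1c375db93058810fb968390485"

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def _norm(path: str) -> str:
    # Compare paths case-insensitively with forward slashes, as Windows would.
    return path.replace("\\", "/").rstrip("/").lower()

def classify_copy(path: str, digest: str, windows_dir: str = r"C:\Windows") -> tuple:
    """Return (location, is_official) for one gdi32.dll copy.

    location is 'system32' (the live copy), 'dllcache' (Windows File Protection's
    restore source, where step 2 drops the new file) or 'other' (System Restore,
    ServicePackFiles, ...: the copies step 0 says to delete first).
    """
    folder = _norm(path).rsplit("/", 1)[0]
    system32 = _norm(windows_dir) + "/system32"
    if folder == system32:
        location = "system32"
    elif folder == system32 + "/dllcache":
        location = "dllcache"
    else:
        location = "other"
    return location, digest.lower() == OFFICIAL_SHA1

def find_copies(windows_dir: str = r"C:\Windows"):
    """Walk windows_dir (os.walk does not skip hidden folders) and hash every gdi32.dll."""
    for root, _dirs, files in os.walk(windows_dir):
        for name in files:
            if name.lower() == "gdi32.dll":
                path = os.path.join(root, name)
                with open(path, "rb") as fh:
                    yield path, sha1_hex(fh.read())

def report(windows_dir: str = r"C:\Windows") -> list:
    """(path, location, is_official) per copy: anything 'other' should be gone before
    step 1, and after step 6 the system32 copy should no longer be the official build."""
    return [(p, *classify_copy(p, d, windows_dir)) for p, d in find_copies(windows_dir)]

if __name__ == "__main__":
    for path, location, official in report():
        print(f"{location:9} {'official' if official else 'OTHER   '} {path}")
```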

3RA1N1AC
01-01-2006, 05:11 AM
here's a patch which i believe works very similarly to the R1CH patch (replaces gdi32.dll with a hacked version), but it has an installer to make it easier: http://www.hexblog.com/2005/12/wmf_vuln.html

also, a tip for anybody whose router or firewall software has URL blocking: you can add .wmf to your list of blocked addresses. this may not catch every single wmf file (because there are lots of ways for files to reach your computer without having the file extension in the URL), but it should block wmf files from webpages at least.

tarzan
01-02-2006, 03:02 AM
what i posted was a minor workaround till rich posted his patch.

3RA1N1AC
01-02-2006, 05:00 AM
yes, no offense intended. what i meant by "not a real fix" was that it dealt with one way (shimgvw.dll, the shell image viewer) of accessing the exploited file, but didn't fix the file that's actually being exploited (gdi32.dll, the image renderer).

zaphodiv
01-02-2006, 09:38 PM
you can add .wmf to your list of blocked addresses.

Since the hole can still be exploited if the .wmf file is renamed .jpg or some other image type, you should not rely on URL blocking to provide any security.

I recommend the hexblog patch and not using Internet Explorer at all.
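zaphodiv's point above (a renamed .wmf is still a metafile to the renderer, so blocking by extension or URL misses it), as an added example that is not part of the thread: a content sniffer that recognises WMF data by its placeable or standard header regardless of the file name, validates the placeable header's checksum, and flags files whose extension claims another image type. The sample metafile and file names are constructed here.

```python
import os
import struct

# Key that opens an Aldus "placeable" WMF header, stored little-endian on disk.
PLACEABLE_KEY = 0x9AC6CDD7

def placeable_checksum_ok(data: bytes) -> bool:
    """The placeable header's checksum is the XOR of the ten WORDs before it."""
    if len(data) < 22:
        return False
    expected = 0
    for word in struct.unpack("<10H", data[:20]):
        expected ^= word
    return struct.unpack("<H", data[20:22])[0] == expected

def standard_header_ok(data: bytes) -> bool:
    """META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words, Version 0x100/0x300."""
    if len(data) < 18:
        return False
    ftype, header_size, version = struct.unpack("<HHH", data[:6])
    return ftype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def sniff(data: bytes) -> str:
    """Classify by content only; the file name is deliberately ignored."""
    if data[:4] == struct.pack("<I", PLACEABLE_KEY) or standard_header_ok(data):
        return "wmf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"

def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the bytes are a metafile but the extension says otherwise."""
    return sniff(data) == "wmf" and os.path.splitext(filename.lower())[1] != ".wmf"

def make_sample_wmf(placeable: bool = True) -> bytes:
    """Constructed sample: a 12-word disk metafile holding only a META_EOF record."""
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0)
    eof = struct.pack("<IH", 3, 0x0000)
    if not placeable:
        return header + eof
    # HWmf=0, bounding box (0,0,100,100) at 1440 units/inch, reserved=0, then checksum.
    pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", pre):
        checksum ^= word
    return pre + struct.pack("<H", checksum) + header + eof
```

Run `is_disguised_wmf("photo.jpg", make_sample_wmf())` to see the renamed-file case flagged; a proxy or mail gateway would apply the same check to the bytes it actually delivers.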

hippychick
01-04-2006, 11:52 PM
I ran a search and didn't come up with another post on this.
It's supposed to be a bad virus; MS hasn't made a patch for it yet.
What is your input on this, and has anyone else heard of it? And is there another fix besides the one listed?
Here is more.

Anyone using Windows OS needs to read about the new Windows WMF security threat that's been issued recently. Some of you have already heard about this, but if you haven't, the threat involves a vulnerability in Windows that allows for malicious code to be installed on your computer without your intervention whatsoever, just by visiting a website and viewing a picture that, without a single click from you, could install any number of things on your computer.

We're not talking about spyware here. That's bad enough. This is far worse in that an attacker can hide the code in an image file that, just by being viewed in your browser, can activate the malicious code. This is serious, folks.

What this means is, you can be browsing a webpage with an image on it that has dangerous code attached to it which can infect your computer simply by viewing the image on the page. This happens without any intervention on your part whatsoever.

My point is be very careful where you browse, as Microsoft currently has no patch available at the moment, although they're working on the problem and claim one will be available in a week. A WEEK???? However, all hope is not lost. There's an unofficial hotfix for this issue that I recommend you all download.

If you want more information on the problem, read about it here:

Microsoft website: http://www.microsoft.com/technet/security/advisory/912840.mspx

Slashdot.org: http://it.slashdot.org/it/06/01/03/1913252.shtml?tid=220&tid=109&tid=172&tid=218

Internet Storm Center's Alert: http://isc.sans.org/diary.php?storyid=996

Get the HOTFIX here:

http://isc.sans.org/diary.php (on that page it's called WMFHotfix-1.4.msi)

Re: http://www.sophos.com/pressoffice/news/articles/2006/01/wmfexploit.html

This is not something to be taken lightly. This exploit is currently billed as the worst infection in history. It can hide rootkits, it can even hide itself.

Why do ppl do this shit? :angry:

Guillaume
01-04-2006, 11:55 PM
http://filesharingtalk.com/vb3/showthread.php?t=109060 ;)

hippychick
01-05-2006, 12:02 AM
http://filesharingtalk.com/vb3/showthread.php?t=109060 ;)
Thanks Guillaume, I must not have entered the right search word. But perhaps some of the links I posted are new.
Out of the other post, which one is the best to follow for stopping or fixing the problem and does anyone know what the threat does to your comp?

4play
01-05-2006, 12:20 AM
http://filesharingtalk.com/vb3/showthread.php?t=109060 ;)
which one is the best to follow for stopping or fixing the problem and does anyone know what the threat does to your comp?

the hexblog hotfix should work since Microsoft are not gonna patch it until the 10th of Jan.

this basically allows for malicious code to be run on your system so it can do anything from install a trojan to format your hard drive.

hippychick
01-05-2006, 12:29 AM
I found and ran these two...your input?

WMF vulnerability checker
http://castlecops.com/downloads-file-495-details-WMF_Vulnerability_Checker.html

Temp Fix
http://castlecops.com/downloads-file-496-details-Ilfaks_Temporary_WMF_Patch.html

4play
01-05-2006, 12:36 AM
you should be safe, but remove it when the official patch arrives and use that.

guess we will have to wait for black tuesday for that.

hippychick
01-05-2006, 12:40 AM
Would this threat make it so your comp won't stay on and keeps shutting itself down? My niece's comp is doing this and it almost acts like the Sasser worm or MSBlaster, but she has the patch for that.
she can't stay on long enough to even run AVG.

fkdup74
01-10-2006, 05:25 PM
-edit-

http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en

for those that don't have auto updates.....

mine's already been patched :happy:

Guillaume
01-11-2006, 12:26 PM
Erm...

Round two? (http://www.infoworld.com/article/06/01/09/73733_HNwmfbugs_1.html?source=NLC-NET2006-01-10) :unsure:

jdoggvt
01-11-2006, 07:28 PM
awesome. here we go again :/