Author Topic: WMF Exploit 0-Day  (Read 68164 times)


Data_Pirate

  • Guest
Re: WMF Exploit 0-Day
« Reply #45 on: January 03, 2006, 09:06:54 AM »
Blocking the WMF exploit isn't as easy as you all think right now! Just blocking files with that extension will not work, as it apparently can change its name. Here's the quote I got it from:

Quote
The exploit still works if the .wmf files are renamed to other image extensions, like .jpg or .bmp, so filtering .wmf won't 100% work.

However, there are some possibilities, found in this quote:

Quote
No, it doesn't work, because they are recognized and therefore executed based on their 'magic'. If you filtered by the magic at the border you *may* have a chance of blocking them from the outside. No guarantees though.

This information has been found on other security information forums, if anybody is curious.

EDIT: here's some interesting insight on the history of this exploit, because apparently it has existed since the beginning of Windows!

Quote
The new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

“We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
That small quote was grabbed from an article located at: http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
« Last Edit: January 03, 2006, 09:10:33 AM by Data_Pirate »
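The "filter by magic" idea in the second quote, worked through as an added example (this is not code from the thread or from any product discussed in it). A WMF is recognised by its header, not its name: an optional 22-byte placeable header keyed 0x9AC6CDD7, then an 18-byte standard header whose type is 1 or 2, header size 9 words and version 0x0100 or 0x0300. Since plenty of harmless WMFs exist, the check also walks the record list and flags a META_ESCAPE (0x0626) record carrying escape 9, SETABORTPROC, which is the GDI escape the Microsoft-patched vulnerability (MS06-001) was triggered through; that detail is background fact, not something stated on this page. Layout constants are taken from the published WMF format; the function names and the sample files are mine, and the samples are constructed inline with zero-filled bytes and carry no payload.

```python
"""Identify WMF content by structure rather than file extension.

Added example, not code from the thread or from avast!. Header and record
layouts follow the published WMF format. SETABORTPROC (escape 9) is the GDI
escape behind MS06-001. The samples at the bottom are constructed here and
contain no payload.
"""
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian; 22-byte placeable header
STANDARD_HDR_LEN = 18                 # METAHEADER: type, size, version, filesize, ...
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def strip_placeable(data: bytes) -> bytes:
    """Drop the optional Aldus placeable header so the standard header sits at offset 0."""
    return data[22:] if data[:4] == PLACEABLE_KEY else data


def is_wmf(data: bytes) -> bool:
    """True if the bytes start with a plausible WMF header, whatever the filename says."""
    body = strip_placeable(data)
    if len(body) < STANDARD_HDR_LEN:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", body, 0)
    # type 1 = memory metafile, 2 = disk metafile; header is always 9 words
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes):
    """Yield (function, params) per record; stop at META_EOF or on a bogus size."""
    body = strip_placeable(data)
    off = STANDARD_HDR_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2                       # record size is given in 16-bit words
        if size < 6 or off + size > len(body):
            break                                   # truncated or malformed record
        yield func, body[off + 6: off + size]
        if func == META_EOF:
            break
        off += size


def has_setabortproc(data: bytes) -> bool:
    """True if any META_ESCAPE record requests the SETABORTPROC escape."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf' (plain metafile) or 'wmf-setabortproc' (block at the border)."""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if has_setabortproc(data) else "wmf"


# --- constructed samples, no payload ---------------------------------------
def _record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0, "record sizes are counted in words"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _build_wmf(records: bytes) -> bytes:
    total_words = (STANDARD_HDR_LEN + len(records)) // 2
    max_rec_words = len(records) // 2               # upper bound is enough for a sample
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_rec_words, 0) + records


SAMPLE_BENIGN = _build_wmf(_record(META_EOF))
SAMPLE_ESCAPE = _build_wmf(
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    + _record(META_EOF)
)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32    # JFIF magic, so the name is irrelevant

if __name__ == "__main__":
    for name, blob in [("benign.wmf", SAMPLE_BENIGN),
                       ("renamed.jpg", SAMPLE_ESCAPE),
                       ("real.jpg", SAMPLE_JPEG)]:
        print(f"{name}: {classify(blob)}")
```

Run against the three samples it reports benign.wmf as wmf, renamed.jpg as wmf-setabortproc and real.jpg as not-wmf, which is the point of the quote: the extension never enters the decision. The record walk stops on a truncated or oversized record rather than trusting the declared size, so a deliberately malformed file degrades to "wmf" instead of crashing the filter.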

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #46 on: January 03, 2006, 11:20:21 AM »
Data_Pirate, most of the stuff has already been said in this thread :)  ;)


Sgt Schuman:

Quote
Personally, the 'play-examples' (like the heise one) are indeed not important... but the problem is that they lead very fast to 'bad publicity', since they are easily available and a lot of people state them as 'representative'.

I agree, and that is one of the reasons we're today releasing a generic solution to the problem.
If at first you don't succeed, then skydiving's not for you.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: WMF Exploit 0-Day
« Reply #47 on: January 03, 2006, 11:31:34 AM »
Vlk, I know this isn't directly related to the WMF exploit, but will you use more generic signatures in the near future, or do you guys try to avoid them because of the possible increase in false positives? I noticed McAfee and Kaspersky use generic signatures quite often, especially for Beagles, MyDooms and MyTobs plus various SdBot/IrcBot/SpyBot/xBot nasties.
OK, Kaspersky is a class of its own because of its brutal unpacking, but McAfee doesn't seem to be anything extremely special. I mean, I'm noticing that various bots get past avast! lately (of course there is some error level on Jotti because of the Linux version, but I see many users here and there that have such bots on their PCs while using avast!).

Anyway, keep up the good work on detection improvements; I noticed you finally and forever added all the samples I ever submitted to you. That's a very good sign :)

EDIT:
Also, it would be a smart idea to add the WMF Exploit to the list of latest threats.
This WMF crap was a big boom these days, and seeing "just" Zotob as the latest threat won't make users any more confident in avast!...
Just a marketing thought, and the mainstream user's perspective, for your own good ;D
« Last Edit: January 03, 2006, 11:59:02 AM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WMF Exploit 0-Day
« Reply #48 on: January 03, 2006, 12:17:25 PM »
Quote
This WMF crap was a big boom in these days and seeing "Just" Zotob as latest threat won't make users any more confident in avast!...
Just a marketing thought and mainstream users perspective for your own good ;D

This is an eternal suggestion... if there is no webpage update, why is this information there?
Self-confidence is important for the product...
The best things in life are free.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WMF Exploit 0-Day
« Reply #49 on: January 03, 2006, 12:31:19 PM »
Quote
This WMF crap was a big boom in these days and seeing "Just" Zotob as latest threat won't make users any more confident in avast!...
Just a marketing thought and mainstream users perspective for your own good ;D
This is an eternal suggestion... if there is no webpage update, why does this information is there?
Self confidence is important for the product...

I think that "threat" page needs some serious rework... maybe collaborate with some forum community members who will help, etc.? :)
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WMF Exploit 0-Day
« Reply #50 on: January 03, 2006, 02:57:52 PM »
Quote
i think that "threat" page need some serious rework ... maybe collaborate with some forum community members who will help etc? :)

If you're asking me to make a compilation, no way...
I did it in the past, on version 4.1, but that thread goes much, much further.
I think Alwil should open another tool for this, maybe a poll, or a scoring of suggestions, or anything else.
There are too many suggestions, repetitions, and so on... Does anybody want to read them now? Are they worth anything?

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WMF Exploit 0-Day
« Reply #51 on: January 03, 2006, 03:32:08 PM »
Quote
i think that "threat" page need some serious rework ... maybe collaborate with some forum community members who will help etc? :)
If you're asking to make a compilation, no way...
I've did in the past, on version 4.1 but that thread goes much much further.
I think Alwil should open another tool to this, maybe a pool, or a score of suggestions or anything else.
There are too many suggestion, repetitions, and so on... Does anybody want to read them now? Are they worth for anything?

Well, hard to say, but what would be so problematic about "adjusting" the threat list a bit...
ie utilize Jotti / Virustotal results
or use similar system like :
ESET http://www.virus-radar.com/
KASPERSKY LABS http://www.viruslist.com/en/viruses/alerts
PANDA SOFTWARE http://www.pandasoftware.com/virus_info/
TRENDMICRO http://www.trendmicro.com/map/
SYMANTEC http://www.symantec.com/avcenter/
AVG http://www.grisoft.com/doc/Updates/lng/us/tpl/tpl01
MCAFEE http://vil.nai.com/vil/newly-discovered-viruses.asp or http://vil.nai.com/vil/recently-updated-viruses.asp
There are many others, and some a bit different (like the MessageLabs warning service, etc.)...

No need to be "so" detailed, just include the biggest latest threats...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WMF Exploit 0-Day
« Reply #52 on: January 03, 2006, 05:30:58 PM »
Quote
No need to be "so" detailed just include the biggest latest threats ...

Maybe we're talking about different things...
I'm referring to this thread list: http://forum.avast.com/index.php?topic=12640.0

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WMF Exploit 0-Day
« Reply #53 on: January 03, 2006, 05:56:02 PM »
Guys, this discussion is way off-topic here. We all know that the "Latest Threats" section needs a lot of work, but let's stay on topic here.

BTW, the "generic" WMF exploit detection has been released as part of the latest VPS update. :)


Thanks
Vlk

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: WMF Exploit 0-Day
« Reply #54 on: January 03, 2006, 06:01:16 PM »
Well, we aren't exactly "off-topic". I know that the threats section doesn't mean anything to us, since we know you deal fast with new threats, but other, new users might not share the same opinion, don't you think? Seeing only Zotob as the latest threat will scare them away from avast!, since everyone is talking only about WMF and there is nothing about it on the avast! page (Zotob is last year's snow...). All the big ones like McAfee, Trend Micro and Symantec make a huge marketing of any such "boom" malware, and I believe they market it pretty well in the end.
Jump on the bandwagon and earn some more $$$ ;)

TAP

  • Guest
Re: WMF Exploit 0-Day
« Reply #55 on: January 03, 2006, 06:07:52 PM »
Quote
Well we aren't exactly "offtopic" I know that threats section doesn't mean anything to us since we know you deal fast with new threats but other, new users might not share the same opinion don't you think? Seing only Zotob as latest threat will scare them away from avast! since everyone are talking only about WMF and nothing about it on avast! page (Zotob is last year's snow...). All big ones like McAfee, Trend Micro and Symantec make a huge marketing of any such "boom" malware and i belive they market it pretty well in the end.
Jump on the bandwagon and earn some more $$$ ;)

I totally agree; for me it's a pain to see the lack of malware information on the virus page of the avast! official site.

dadkins_1

  • Guest
Re: WMF Exploit 0-Day
« Reply #56 on: January 03, 2006, 06:28:30 PM »
Quote
Guys, this discussion is way off-topic here. We all know that the "Latest Threats" section needs a lot of work - but let's stay on topic here.

BTW the "generic" WMF exploit detection has been released as part of the latest VPS update. :)

Thanks
Vlk

Thanks Vlk!  ;)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #57 on: January 03, 2006, 06:33:05 PM »
Hi Folks,

Microsoft is planning a patch for Jan 10th; their reaction:
http://www.microsoft.com/technet/security/advisory/912840.mspx


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Spiritsongs

  • Guest
Re: WMF Exploit 0-Day
« Reply #58 on: January 03, 2006, 06:49:27 PM »
:) Saw the following posted on the freedomlist.com antiSPYWARE forums yesterday:

Quote
There is one critical thing you need to do, however, and that is to install the temporary patch from Ilfak to protect your computer from the Microsoft Windows Media Format (WMF) Zero Day Exploit (See WMF FAQ  here ).

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe 
Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html 

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe 
Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnera....html#more 

The temporary patch can be uninstalled via Add/Remove Programs after Microsoft provides a solution to this exploit.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: WMF Exploit 0-Day
« Reply #59 on: January 03, 2006, 07:25:58 PM »
Hi Spiritsongs,

I have downloaded the Hotfix 1.1.14 by Ilfak Guilfanov and run it. Does this mean that I am now fully protected?

greets,

polonus