Author Topic: WMF exploit problem  (Read 20159 times)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83569
  • No support PMs thanks
Re: WMF exploit problem
« Reply #30 on: January 04, 2006, 12:57:07 AM »
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.544/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline artamangr

  • Jr. Member
  • **
  • Posts: 25
  • Arta forever!
Re: WMF exploit problem
« Reply #31 on: January 04, 2006, 01:03:00 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
Piges ntip myalo!

Offline curious!

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 531
Re: WMF exploit problem
« Reply #32 on: January 04, 2006, 01:10:07 AM »
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.

I can confirm that the test at heise which started this thread will stop everything even when the webshield is temporarily disabled. Resident shield=normal.    ;D

Why not do the test?  ???

HL

« Last Edit: January 04, 2006, 01:18:29 AM by hlecter »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83569
  • No support PMs thanks
Re: WMF exploit problem
« Reply #33 on: January 04, 2006, 01:28:10 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32624
  • malware fighter
Re: WMF exploit problem
« Reply #34 on: January 04, 2006, 01:37:16 AM »
Hello forum folks,

I stumbled upon this story to-night, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline artamangr

  • Jr. Member
  • **
  • Posts: 25
  • Arta forever!
Re: WMF exploit problem
« Reply #35 on: January 04, 2006, 01:39:01 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.

I did the test...with webshield 'on' the file is .php so it is scanned and virus found, ok.
With webshield 'off' the downloaded file is .wmf so it is scanned by the standard shield (even in normal sensitivity) and virus found, ok.
What I am worried about is just for .png and .gif files, since as I read in the other related topic (wmf vulnerability avast official confirmation-message by TAP) the wmf exploit can be renamed to any type of image file, even .png and .gif that are not scanned in normal sensitivity neither by the webshield nor by the standard shield...should I do as suggested by TAP and remove .png and .gif files from the webshield exceptions list?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32624
  • malware fighter
Re: WMF exploit problem
« Reply #36 on: January 04, 2006, 02:03:58 AM »
Hello forum folks,

Be sensible, and read this, there is a lot of misinformation out on the Net regarding the WMF exploit and what to do:
http://blogs.zdnet.com/Ou/?p=143
There was a person who had this checking script
-------------
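rem Create the marker directory on first run
if not exist c:\scripts\nul md c:\scripts
rem Unregister shimgvw.dll once, then record the date in a marker file
if not exist c:\scripts\wmfdisabled.txt (regsvr32 -u %windir%\system32\shimgvw.dll) & (date /t >c:\scripts\wmfdisabled.txt)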
-------------
greets,

polonus

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #37 on: January 04, 2006, 10:22:56 AM »
....
No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.
....
I like that statement  ;D
I mean, the author's name is probably not very-well known to common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org's in the world.
Thanks to Igor for providing the information about how avast is detecting the exploit.

Regarding the patch provided by Ilfak, I have no problems running it with avast (web and on access scanning) on my German XP Pro system. Even at work, with another virus scanner, the patch works flawlessly.

I think with the patch it is not different than with all the other software being installed and run in Windows. You never know if the next software package you install, programmed by no matter what company, serious or less serious, can break your system. I guess everybody has to decide for himself, what to install and whom to trust. I myself would and will not trust or rely on information provided only by MS.

Concerning what can be harmful and what not, I think there are numerous serious sites on the internet which cover this problem, unfortunately sometimes in a quite technical way, extensively.

As far as I know, a WMF file can be renamed to JPG, GIF, BMP, PNG etc.. If you open such a file, Windows recognizes this file to be a WMF file due to header information within the file. The problem with that is, that a WMF file (or a renamed WMF file) can be found almost everywhere, see
Hello forum folks,

I stumbled upon this story to-night, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus

They are right concerning where and how WMF pictures can be hidden or used. And that's what is frightening me. Send somebody a word document with an imbedded WMF (or renamed) picture, send somebody an email with an infected picture, posting such a picture on blogs, web-sites, etc. you just name it.

There is even a rumour that there may be more vulnerabilities in the way WMF files are handled by Windows. As I say, so far it's just a rumour, let's see what will happen...
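
The point made in the post above, and the question raised earlier in the thread about scan exclusions keyed on .png/.gif, as an added example that is not part of the thread or any poster's code: a scanner has to decide what a file is from its header bytes, not from its extension. The sketch below checks for the standard and placeable WMF headers; the function names and the sample byte strings are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7           # magic of the 22-byte "placeable" WMF header
IMAGE_MAGICS = {                     # leading bytes of the formats named in the thread
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "bmp": b"BM",
}

def is_wmf(data: bytes) -> bool:
    """True if data starts with a (placeable or standard) WMF header."""
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[22:]             # the standard header follows the placeable one
    if len(data) < 18:               # standard header is 18 bytes
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", data)
    # Type 1 (memory) or 2 (disk), header size 9 words, version 0x0100 or 0x0300
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def sniff(data: bytes) -> str:
    """Classify content by header bytes only."""
    if is_wmf(data):
        return "wmf"
    for name, magic in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def check(filename: str, data: bytes) -> str:
    """Compare the claimed extension with what the bytes actually are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    kind = sniff(data)
    if kind == "wmf" and ext != "wmf":
        return "disguised-wmf"       # metafile content behind another image extension
    return "ok" if kind == ext else "mismatch"

# Constructed, harmless samples: a WMF containing only the end-of-file record.
STD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + b"\x03\x00\x00\x00\x00\x00"
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0) + STD_WMF
PNG = IMAGE_MAGICS["png"] + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("holiday.png", STD_WMF), ("logo.gif", PLACEABLE_WMF),
                       ("real.png", PNG), ("chart.wmf", STD_WMF)]:
        print(f"{name:12} content={sniff(blob):8} verdict={check(name, blob)}")
```

The placeable header's checksum field is left at zero in the constructed sample and is not validated here.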

Offline Reiner

  • Jr. Member
  • **
  • Posts: 53
  • I'm a llama!
Re: WMF exploit problem
« Reply #38 on: January 04, 2006, 11:10:31 AM »
For all those interested in information concerning Ilfaks patch see:

http://castlecops.com/f212-hexblog.html

Reiner

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: WMF exploit problem
« Reply #39 on: January 04, 2006, 02:50:16 PM »
On my WebShield setup I have exceptions for IMAGE/GIF, IMAGE/JPEG and IMAGE/PNG.  Are all exceptions a threat now with the WMF thing?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32624
  • malware fighter
Re: WMF exploit problem
« Reply #40 on: January 04, 2006, 05:15:29 PM »
Dear Forum Folks,

All that like to uninstall the WMF Hotfix for one reason or other, or before downloading the official Microsoft patch due for Jan 10th,
do this by going to C:\Program Files\Windows MetafileFix\inins000.exe.

greets,

Polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83569
  • No support PMs thanks
Re: WMF exploit problem
« Reply #41 on: January 04, 2006, 05:39:38 PM »
It should also be in the Add Remove programs list as Windows WMF Metafile Vulnerability Hotfix 1.x

Offline HIPPO

  • Newbie
  • *
  • Posts: 19
  • I am indicated by the Red Data Book.
    • Tokkii's World
Re: WMF exploit problem
« Reply #42 on: January 05, 2006, 01:16:08 PM »
Dear Forum Folks,

Microsoft has recommended customers to "disregard" a beta.

Quote
Kaspersky Analyst's Diary :

A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.

Offline CharleyO

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 7086
  • Be alert for error code - ID 10T
Re: WMF exploit problem
« Reply #43 on: January 06, 2006, 12:44:21 AM »
***

The official Fix is out. Go to Windows Update and get it now!    ;)


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM

Offline rwaters

  • Jr. Member
  • **
  • Posts: 83
Re: WMF exploit problem
« Reply #44 on: January 06, 2006, 01:08:36 AM »
« Last Edit: January 06, 2006, 01:10:35 AM by rwaters »