Author Topic: WMF exploit problem  (Read 24441 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: WMF exploit problem
« Reply #30 on: January 04, 2006, 12:57:07 AM »
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

artamangr

  • Guest
Re: WMF exploit problem
« Reply #31 on: January 04, 2006, 01:03:00 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...

hlecter

  • Guest
Re: WMF exploit problem
« Reply #32 on: January 04, 2006, 01:10:07 AM »
Hi,
maybe a silly question this one...is it necessary to set the sensitivity of avast to high, in order to be protected from the wmf exploit?
No, the Web Shield should be first line of defence and Standard Shield if required should pick it up if it is a newly created file regardless of sensitivity setting.

I can confirm that the test at heise which started this thread will stop everything even when the webshield is temporarily disabled. Resident shield=normal.    ;D

Why not do the test?  ???

HL

« Last Edit: January 04, 2006, 01:18:29 AM by hlecter »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: WMF exploit problem
« Reply #33 on: January 04, 2006, 01:28:10 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: WMF exploit problem
« Reply #34 on: January 04, 2006, 01:37:16 AM »
Hello forum folks,

I stumbled upon this story to-night, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

artamangr

  • Guest
Re: WMF exploit problem
« Reply #35 on: January 04, 2006, 01:39:01 AM »
Hi again,
I am asking because in the normal sensitivity neither the webshield nor the standard shield appear to be scanning png and gif files...
I thought we were talking .wmf here?

They (png and jpg) aren't in the default list of files to scan, the WMF is on the default list. However, when you try to open a file it will be scanned before opening.

I did the test...with webshield 'on' the file is .php so it is scanned and virus found, ok
With webshield 'off' the downloaded file is .wmf so it is scanned by the standard shield (even in normal sensitivity) and virus found, ok.
What I am worried about is just for .png and .gif files, since as I read in the other related topic (wmf vulnerability avast official confirmation-message by TAP) the wmf exploit can be renamed to any type of image file, even .png and .gif that are not scanned in normal sensitivity neither by the webshield nor by the standard shield...should I do as suggested by TAP and remove .png and .gif files from the webshield exceptions list?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: WMF exploit problem
« Reply #36 on: January 04, 2006, 02:03:58 AM »
Hello forum folks,

Be sensible, and read this, there is a lot of misinformation out on the Net regarding the WMF exploit and what to do:
http://blogs.zdnet.com/Ou/?p=143
There was a person who had this checking script
-------------
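rem Unregister the Windows Picture and Fax Viewer DLL once and record the date it was done
if not exist c:\scripts\nul md c:\scripts
if not exist c:\scripts\wmfdisabled.txt (regsvr32 -u %windir%\system32\shimgvw.dll) & (date/t >c:\scripts\wmfdisabled.txt)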
-------------
greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Reiner

  • Guest
Re: WMF exploit problem
« Reply #37 on: January 04, 2006, 10:22:56 AM »
....
No, this detection is really a generic detection of the "exploit" itself - the previous detections (Win32:Exdown) were removed from the database.
....
I like that statement  ;D
I mean, the author's name is probably not very-well known to common public, but I, personally, would certainly trust Ilfak Guilfanov more than all the sans.org's in the world.
Thanks to Igor for providing the information about how avast is detecting the exploit.

Regarding the patch provided by Ilfak, I have no problems running it with avast (web and on access scanning) on my German XP Pro system. Even at work, with another virus scanner, the patch works flawlessly.

I think with the patch it is not different than with all the other software being installed and run in Windows. You never know if the next software package you install, programmed by no matter what company, serious or less serious, can break your system. I guess everybody has to decide for himself, what to install and whom to trust. I myself would and will not trust or rely on information provided only by MS.

Concerning what can be harmful and what not, I think there are numerous serious sites on the internet which cover this problem, unfortunately sometimes in a quite technical way, extensively.

As far as I know, a WMF file can be renamed to JPG, GIF, BMP, PNG etc.. If you open such a file, Windows recognizes this file to be a WMF file due to header information within the file. The problem with that is, that a WMF file (or a renamed WMF file) can be found almost everywhere, see
Hello forum folks,

I stumbled upon this story to-night, read it "cum grano salis",
but you will notice what old "spooks" are hunting us now. Ever heard of a bunch of developers known as the Microsoft "undead"?
Read this: http://www.radsoft.net/resources/rants/20051231,00.shtml
If only 5% is true it is frightening.

polonus

They are right concerning where and how WMF pictures can be hidden or used. And that's what is frightening me. Send somebody a word document with an imbedded WMF (or renamed) picture, send somebody an email with an infected picture, posting such a picture on blogs, web-sites, etc. you just name it.

There is even a rumour that there may be more vulnerabilities in the way WMF files are handled by Windows. As I say, so far it's just a rumour, let's see what will happen...
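
The post above notes that Windows recognizes a WMF by its header rather than its extension, which is why extension-based scan exclusions miss renamed files. The following is an added example, not part of the original thread: a content check that flags WMF data stored under another extension. The function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# Key of the optional 22-byte "placeable" header (0x9AC6CDD7, little-endian).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png"}

def looks_like_wmf(data: bytes) -> bool:
    """Return True if data starts with a WMF header, whatever the file is named."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]                      # skip the placeable header
    if len(data) < 18:                        # standard header is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """Compare what the content is with what the extension claims."""
    if not looks_like_wmf(data):
        return "not-wmf"
    ext = Path(name).suffix.lower()
    if ext == ".wmf":
        return "wmf"
    return "wmf-disguised" if ext in IMAGE_EXTS else "wmf-other-extension"

def scan(files: dict) -> dict:
    """Classify every (name -> bytes) pair, e.g. the contents of a download folder."""
    return {name: classify(name, data) for name, data in files.items()}

# Constructed, harmless sample: an 18-byte header followed only by the end-of-file record.
EMPTY_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLES = {
    "chart.wmf": EMPTY_WMF,
    "holiday.PNG": EMPTY_WMF,                             # renamed metafile
    "banner.gif": PLACEABLE_KEY + bytes(18) + EMPTY_WMF,  # renamed, placeable variant
    "real.png": b"\x89PNG\r\n\x1a\n" + bytes(16),         # genuine PNG signature
    "page.php": EMPTY_WMF,                                # served under a non-image name
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

A scanner or gateway rule built this way decides by content, so an exclusion list keyed on `.png` or `.gif` no longer matters for this file type.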

Reiner

  • Guest
Re: WMF exploit problem
« Reply #38 on: January 04, 2006, 11:10:31 AM »
For all those interested in information concerning Ilfak's patch see:

http://castlecops.com/f212-hexblog.html

Reiner

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: WMF exploit problem
« Reply #39 on: January 04, 2006, 02:50:16 PM »
On my WebShield setup I have exceptions for IMAGE/GIF, IMAGE/JPEG and IMAGE/PNG. Are all exceptions a threat now with the WMF thing?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: WMF exploit problem
« Reply #40 on: January 04, 2006, 05:15:29 PM »
Dear Forum Folks,

All that like to uninstall the WMF Hotfix for one reason or other, or before downloading the official Microsoft patch due for Jan 10th,
do this by going to C:\Program Files\Windows MetafileFix\inins000.exe.

greets,

Polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: WMF exploit problem
« Reply #41 on: January 04, 2006, 05:39:38 PM »
It should also be in the Add Remove programs list as Windows WMF Metafile Vulnerability Hotfix 1.x
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

HIPPO

  • Guest
Re: WMF exploit problem
« Reply #42 on: January 05, 2006, 01:16:08 PM »
Dear Forum Folks,

Microsoft has recommended customers to "disregard" a beta.

Quote
Kaspersky Analyst's Diary :

A beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended customers to "disregard" it, warning that threats could be hidden in any patches coming from dubious sources.

CharleyO

  • Guest
Re: WMF exploit problem
« Reply #43 on: January 06, 2006, 12:44:21 AM »
***

The official Fix is out. Go to Windows Update and get it now!    ;)


***

Offline rwaters

  • Jr. Member
  • **
  • Posts: 84
Re: WMF exploit problem
« Reply #44 on: January 06, 2006, 01:08:36 AM »
« Last Edit: January 06, 2006, 01:10:35 AM by rwaters »