Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

New WMF zero-day vulnerability

p2p news / p2pnet: A new zero-day vulnerability is targeting Windows WMF files (Windows Metafiles) and, "Right now, fully patched Windows XP SP2 machines are vulnerable," with no known fix, says F-Secure.

Trojan downloaders, available from unionseek[DOT]com, have been actively exploiting this vulnerability, it states, adding that the exploit is currently being used to distribute:

Trojan-Downloader.Win32.Agent.abs
Trojan-Dropper.Win32.Small.zp
Trojan.Win32.Small.ga
Trojan.Win32.Small.ev.

Some install hoax anti-malware programs such as Avgold, says the post, and, "You can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable…but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.

"As a precaution, we recommend administrators to block access to unionseek[DOT]com and to filter all WMF files at HTTP proxy and SMTP level."
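
One way to apply the filtering recommendation above at a proxy or mail gateway, as an added example that is not from the original article or from F-Secure: it identifies WMF files by their header rather than by file name, since the name is chosen by the sender. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Key of the optional 22-byte "placeable" header (0x9AC6CDD7, little-endian).
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
METAHEADER_FMT = "<HHHIHIH"   # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
METAHEADER_LEN = struct.calcsize(METAHEADER_FMT)   # 18 bytes


def is_wmf(data: bytes) -> bool:
    """Return True if the payload begins with a Windows Metafile header."""
    if data[:4] == PLACEABLE_MAGIC:
        return True
    if len(data) < METAHEADER_LEN:
        return False
    ftype, hdr_words, version, *_ = struct.unpack(METAHEADER_FMT, data[:METAHEADER_LEN])
    # Standard header: type 1 (memory) or 2 (disk), header size of 9 words,
    # version 0x0100 or 0x0300.
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def verdict(filename: str, data: bytes) -> str:
    """Decide what a gateway filter does with one download or attachment."""
    by_name = filename.lower().endswith(".wmf")
    by_content = is_wmf(data)
    if by_content and not by_name:
        return "block: WMF content under another extension"
    if by_content or by_name:
        return "block: WMF"
    return "pass"


# Constructed samples: an empty, benign metafile (header plus end-of-file record),
# the same bytes behind a placeable header, and the start of a JPEG file.
EMPTY_WMF = struct.pack(METAHEADER_FMT, 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE_WMF = PLACEABLE_MAGIC + bytes(18) + EMPTY_WMF
JPEG_START = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("chart.wmf", EMPTY_WMF), ("photo.jpg", EMPTY_WMF),
                       ("logo.gif", PLACEABLE_WMF), ("holiday.jpg", JPEG_START)]:
        print(f"{name:12} {verdict(name, blob)}")
```
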

Also See:
F-Secure - New WMF 0-day exploit, December 28, 2005


One Response to “New WMF zero-day vulnerability”

  1. Reader's Write Says:

    If your company email scanner doesn’t already quarantine all attachments, you’ve won the Special IT Security Award. To find it, ram your head into the nearest 17″ crt monitor really really hard. When you hear the bang, you’ve found it.

    If your company doesn’t have an email scanner, you’ve won the Really Special IT Security Award. But it’s being stolen! Quick!! Jump out the window and chase them into oncoming traffic!!!
