Othello Technology Systems Ltd Community Discussion Forum

Old 31st December 2005   #1
Jon
Senior Member
 
Join Date: Aug 2005
Location: West Sussex, UK
Posts: 438
Warning: New .wmf exploit.

Quote:
Originally Posted by Parser
I was kind of surprised to find that this information hadn't been posted earlier, but here we go.

Info

There's a new exploit bumping and grinding its way through the internet that uses the old Windows Metafile image format (.wmf, used for Clipart in MSOffice for example) to deposit a payload of trojans, spyware, viruses - whatever's your poison - onto the victim's computer. This is definitely an exploit you want to avoid.

Why should I care?

Because unlike the majority of exploits, this one can affect you even if your browsing habits resemble the security of Fort Knox. If you're using Internet Explorer, all you have to do is access a webpage that displays the file (or access the file directly) to become infected. Firefox, Opera and other browser users are slightly safer because they can't display .wmf files. However, you may be prompted to download the file, and it will also be downloaded into your cache, so it is still a threat by being on your computer. Why is it a danger by being in your cache? Because if you interact with the file in any way - view it, let Explorer generate a thumbnail for it, download it directly from a program such as wget or let any program access it - then you can become infected. I believe this includes letting a virus scanner examine the file.

Additionally, you may be thinking "Oh, I'll just avoid all contact with .wmf files." Unfortunately, the sting in the tail is that the .wmf can be renamed to any other image file format and still execute. By all means go ahead and adblock the *.wmf extension, but don't be lured into thinking that will make your computer secure.

Crikey! What can I do?

Until Microsoft brings out a patch, there is nothing permanent you can do to prevent yourself from being infected. However, there are a few basic guidelines, most of which are common sense:

Don't use Internet Explorer
By doing so, you're effectively signing over your computer to the exploit without doing anything. Use an alternative browser such as Firefox or Opera. They can't display .wmf files and so you will cut down your chances of being infected.

Use Virus scanning software
If you don't already have some kind of virus scanning software on your computer, you're a lunatic. If you can, use a scanner that has realtime scanning, such as AVG free edition. NOD32 is also a popular scanner and has the definitions ready to tackle this exploit, although unlike AVG you'll have to shell out after 30 days if you want to continue using it.

Turn off your browser's cache
As stated before, even if you use a browser that can't display .wmf files, you are still in danger. If you don't want to be caught out by yourself - or a program - exploring or indexing your browser's cache folder/s then it would be advisable to disable web caching, at least until the ordeal blows over and a patch is released. Programs that might explore your cache folders include Google Desktop, so if you're using it, stop.

Browse without images
One way to cut down risk of infection is to stop viewing images full stop. A bit drastic, since many webpages rely heavily on graphical content, but disabling the medium that has the potential to run the exploit does work.

Be wary of your browsing habits
Try to use your common sense when visiting sites. Incidents of the exploit have been noted on sites such as Google Image Search, MySpace, Wikipedia, and various other popular sites that either index a large variety of images or allow users to post their own.

Disable Image/Fax viewer
If you run Windows 2000/XP, you can take another measure in avoiding infection. You have to unregister the file shimgvw.dll. There's a concise page on how to do this at http://antivirus.about.com/od/virusd...fexploit_2.htm - if you run either OS, it's worth a try.

To Summarise

If you're using Windows, you're at risk, plain and simple [Insert obligatory "lololol use Linux" sentence here]. Your best bet is to take various measures - common sense or otherwise - to try and avoid being infected. Don't use Internet Explorer, do use a popular virus scanner with realtime scanning, curb your browsing habits if you visit a lot of image-heavy sites and additional programs such as Spybot and Adaware wouldn't go amiss either. The payload from the exploited file can vary dramatically.

Finally, thanks to this SomethingAwful thread from which I pulled most of the information. If you'd like a greater understanding of the exploit and more information, that's the thread to visit.
http://forums.beyondunreal.com/showthread.php?t=168324

There is also a video to show what happens to your computer when you open it:
http://www.websensesecuritylabs.com/.../wmf-movie.wmv
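The post's two practical points (a renamed .wmf is still processed, and a copy may sit in your browser cache) as an added defender-side example, not code from the thread or from the linked pages: a Python scanner that recognises WMF content from its header regardless of extension and walks the record list for ESCAPE records. Flagging the SETABORTPROC escape in particular reflects what the public detection signatures for this exploit matched on, a fact from outside the thread; the sample metafile bytes are constructed here for the test.

```python
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7: Aldus placeable WMF wrapper
META_EOF, META_ESCAPE, SETABORTPROC = 0x0000, 0x0626, 0x0009

def wmf_body(data: bytes):
    """Return the standard metafile bytes if data carries a WMF header, else None."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]               # skip the 22-byte placeable header
    if len(data) < 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    # type 1/2, header of 9 words, version 1.0 or 3.0; the extension is never consulted
    return data if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300) else None

def escape_records(data: bytes):
    """(offset, escape_function) for each ESCAPE record; None if not a WMF."""
    meta = wmf_body(data)
    if meta is None:
        return None
    hits, off = [], 18                 # records start right after the 18-byte header
    while off + 6 <= len(meta):
        size_words, func = struct.unpack_from("<IH", meta, off)
        if size_words < 3 or func == META_EOF:
            break                      # EOF, or a size that would never advance
        if func == META_ESCAPE and off + 8 <= len(meta):
            hits.append((off, struct.unpack_from("<H", meta, off + 6)[0]))
        off += size_words * 2          # record sizes are in 16-bit words
    return hits

def classify(data: bytes) -> str:
    """Verdict for one file's bytes (run it over every file in a cache folder)."""
    hits = escape_records(data)
    if hits is None:
        return "not-wmf"
    if any(esc == SETABORTPROC for _, esc in hits):
        return "wmf-setabortproc"
    return "wmf-escape" if hits else "wmf-clean"

def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(escape_func=None) -> bytes:
    """Constructed minimal WMF: a SETMAPMODE record, optional ESCAPE, then EOF."""
    body = _record(0x0103, struct.pack("<H", 1))
    if escape_func is not None:
        body += _record(META_ESCAPE, struct.pack("<HH", escape_func, 0))
    body += _record(META_EOF)
    words = (18 + len(body)) // 2
    return struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 5, 0) + body
```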
Old 31st December 2005   #2
Steve
StaticHost CEO
 
Join Date: Sep 2005
Location: Bristol, UK
Posts: 509

Thanks for posting that, I found out about this a few days ago from GRC, which is a respected security site. GRC also contains instructions on how to prevent it.
Old 31st December 2005   #3
Jon
Senior Member
 
Join Date: Aug 2005
Location: West Sussex, UK
Posts: 438

Vulnerable file now unregistered.