Linked by Thom Holwerda on Wed 4th Jan 2006 22:45 UTC
Windows The saga around the WMF flaw in Windows continues. "A cryptographically signed version of Microsoft's patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits. The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused 'a fast-track, pre-release version of the update' to be posted to a security community site and urged users to 'disregard' the premature update."
Thread beginning with comment 81923
Important notice
by jacquouille on Thu 5th Jan 2006 02:41 UTC
jacquouille, Member since: 2006-01-02

Windows users: it is important to know that a file may be a WMF even if its filename does not end in .wmf. Windows, like any modern OS, does not rely only on the extension to determine the filetype. Any file ending in .jpg or .jpeg or .gif or .bmp or... may be a WMF. So be extremely careful with e-mail attachments, and most importantly, disable the automatic displaying of pictures in your mail client.

Also note that, according to the SANS ISC, unregistering the dll is not a 100% sure protection, because malware may re-register it. (Maybe a safe solution would be to not only unregister the dll, but also rename the dll file, so that Windows won't find it.)

EDIT: I just found this interesting story on the ISC website, titled "What do the bad guys do with WMF?":
http://www.isc.sans.org/diary.php?storyid=1016

I'm happy I installed Linux on the computers of my relatives (mother, brother, girlfriend...) -- at least they're safe.

Edited 2006-01-05 02:59

Reply Score: 1

RE: Important notice
by Marcellus on Thu 5th Jan 2006 05:23 in reply to "Important notice"
Marcellus, Member since: 2005-08-26

Also note that, according to the SANS ISC, unregistering the dll is not a 100% sure protection, because malware may re-register it.

In the same way that malware can re-register the dll, it can patch it in memory like the unofficial patch does, and still screw you over.

Reply Parent Score: 1

RE: Important notice
by RenatoRam on Thu 5th Jan 2006 07:32 in reply to "Important notice"
RenatoRam, Member since: 2005-11-14

Actually, unlike modern operating systems, Windows DOES use the extension to know the format of an image. Try to rename a .jpg to .whatever and see for yourself.

The list of known extensions is in the registry; just search for it.

By the way, a known method of deception is using extensions with strings that Windows will NEVER show you (they look like long alphanumeric strings in curly braces, just like the many weird registry keys). I read in the past that it is quite simple to produce a file that looks like a "file.doc" but is actually a "file.doc.{dfa43d35sljf3d53k2afd5jf35kldjfldjflk}" (whatever).
The next step is registering a handler for this weird file type... like "execute this", or "open in explorer", and your virus/worm is served.

Reply Parent Score: 1
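Two of the comments above describe things a mail gateway or endpoint scanner can check for directly: jacquouille's point that a WMF may arrive under a .jpg/.gif/.bmp extension, and RenatoRam's point about filenames that carry a hidden CLSID-style "{...}" suffix. The following Python script is an added example written for this page; it is not code from the thread or from Microsoft. It identifies WMF content by its documented header layouts (the placeable-WMF key 0x9AC6CDD7 and the standard META_HEADER fields: type 1 or 2, header size 9 words, version 0x0100 or 0x0300) rather than by extension, and flags filenames whose last component is a GUID-shaped brace string. The sample inputs (a constructed WMF header, a constructed JPEG prefix, a constructed GUID-style filename) are made up for the demonstration; the regex assumes the hidden suffix is GUID-shaped, which RenatoRam's illustrative string is not.

```python
import re
import struct

# Well-known file signatures (constructed table of documented magic values).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"          # 0x9AC6CDD7, little-endian
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Filename ending in ".{8-4-4-4-12 hex}" (the shape of a CLSID extension).
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE
)


def looks_like_wmf(data: bytes) -> bool:
    """True if data starts with a placeable or standard WMF header."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < 18:           # META_HEADER is 9 words = 18 bytes
        return False
    file_type, header_size, version = struct.unpack("<HHH", data[:6])
    return (
        file_type in (1, 2)                  # 1 = memory metafile, 2 = disk
        and header_size == 9
        and version in (0x0100, 0x0300)
    )


def sniff_image(data: bytes) -> str:
    """Classify content by header bytes only, ignoring the filename."""
    if looks_like_wmf(data):
        return "wmf"
    for name, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return name
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment (empty list = nothing odd)."""
    findings = []
    if CLSID_SUFFIX.search(filename):
        findings.append("clsid-suffix-extension")
    ext = extension_of(filename)
    if sniff_image(data) == "wmf" and ext != "wmf":
        findings.append("wmf-content-with-.%s-extension" % (ext or "no"))
    return findings


# Constructed sample attachments for a stand-alone run.
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)   # 18-byte header
PLACEABLE_WMF = PLACEABLE_WMF_KEY + b"\x00" * 18
JPEG_PREFIX = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLES = [
    ("holiday.jpg", STANDARD_WMF),
    ("cat.gif", PLACEABLE_WMF),
    ("photo.jpg", JPEG_PREFIX),
    ("report.doc.{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}", b""),
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print("%-50s %s" % (name, classify(name, blob) or "ok"))
```

Running it prints one line per sample; the first two are flagged as WMF content hiding behind image extensions, the genuine JPEG passes, and the last is flagged for its CLSID-shaped suffix. In a real gateway the same `classify` call would run on each decoded attachment before the message is delivered, regardless of what extension the sender chose.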