The WMF vulnerability exists in fully patch computers running Microsoft Windows XP with SP1 and SP2, even systems running the latest in anti-virus protection. The security flaw is being exploited by inducing victims to view maliciously constructed sites, particularly where IE is used as a browser, or when previewing *.wmf format files with Windows Explorer.
Symantec said the exploit is designed to download and run a program from the Web that downloads several malicious files, including tools that attackers could use to control vulnerable computers via Internet relay chat (IRC) channels.
The exploit code, first posted on security mailing list Bugtraq, states that the included Internet address can successfully exploit a fully patched Windows XP system with a freshly updated [Symantec] Norton Anti-Virus. Symantec said it has verified that the exploit works on fully-patched Windows XP systems, and that updates that would allow its anti-virus program to detect threats trying to exploit the new flaw would be released as soon as possible, though it noted that "some of the components of this attack, including the exploit itself, are NOT detected by Symantec products."
According to an overnight post at the SANS Internet Storm Center, the link provided at Bugtraq when clicked on successfully drops a Trojan horse program onto fully patched Windows XP SP2 machines (other Windows versions may also be affected.) The Trojan will then download a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove threats it claims are resident on the user's machine.
Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's blog post on this indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first. The Sunbelt Blog also has some good information on this exploit, including some nice screenshots of what it looks like when your machine gets hit with this.
Windows users can disable the rendering of WMF files using the following hack:
- 1. Click on the Start button on the taskbar.
- 2. Click on Run...
- 3. Type "regsvr32 /u shimgvw.dll" to disable.
- 4. Click ok when the change dialog appears.