[Fury]

http://www.neowin.net/index.php?act=view&id=31931

The long story short:
- There is no security patch from Microsoft yet.
- Internet Explorer runs WMF-files without asking.
- Firefox and Opera won't save you from this exploit, but they ask before running WMF-files.
- Anti-Spyware and Anti-Virus softwares do not reliably detect any of the variations of this exploit.
- Once your system is infected, you probably have to reinstall Windows.

See a video about the first exploit in action: (note that the file extension is wmv, not wmf)
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv

[Janos]

- Disabling WMFs doesn't help because they can be renamed to pretty much anything. If you somehow manage to block them then clearing your cache can install the exploit (it checks the cache files). Lovely.
- Mozilla and other Indie Alternative Cool Browsers decrease but don't remove the threat. You CAN stop the WMFs from loading in IE, but there's some technobabble explanation as to why it doesn't work.
- Yeah, you're ****ed, better stay away from eBay and Wiki and forums and uhhh whatever. Someone might have posted a picture here - in SomethingAwful it was a transparent 1x1px .gif which contained the exploit. Good luck finding that one.
- NOD32 helps, get it
- the exploit itself is useless, but it can piggybank a nice amount of trojans, spies and **** into your precious hard drives.

Remember - if you drive alone, you drive with Hitler.

[Kamikaze]

I hear you can get exploited just by browsing inside a directory that has an infected file.

Here're a couple methods to avoid being hit:

Run "regsvr32 -u %windir%\system32\shimgvw.dll" in the command prompt. This unregisters the Windows picture and fax viewer.

http://www.hexblog.com/2005/12/wmf_vuln.html <-- Unofficial patch

More info about the exploit/bug itself:

http://www.f-secure.com/weblog/
http://isc.sans.org/diary.php?storyid=994

[achtung]

Heard about it already.

regsvr32 -u shimgvw.dll
Unregister

regsvr32 shimgvw.dll
Reregister

Yours is too long Kamikaze

[Fury]

Swantz, unregistering shimgvw.dll only prevents IE and Windows from viewing wmf-files automatically, it does not prevent your system from being infected if you open a wmf-file regardless.

[achtung]

I know it doesnt fix it, it's just a preventitive measure.

[Sandwich]

Wow.

[Taristin]

http://www.hexblog.com/2005/12/wmf_vuln.html <-- Unofficial patch

Would be nice if it didn't time out.

[Flipside]

Probably being overloaded atm, I suspect theres a lot of people trying to access that site.

[Kosh]

Looks like this isn't a bug, but just a leftover from the 1980's.

http://www.f-secure.com/weblog/#00000761

Scroll down a bit and you'll see it.

[knn]

Since hexblog is unavailable, you can dl the patch from http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Edit: changed to version 1.4 and [url]-d

[karajorma]

Anyone notice the comment that states that this is unlikely to be the only WMF flaw?

[Kamikaze]

Ironically, this "feature" from the 80's is only easily exploitable on Windows XP and 2003.

From the F-secure blog:

...in a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.
...all versions of Windows back to 3.0 have the vulnerability in GDI32. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files...

[Descenterace]

I'm using Linux for the next two weeks. I won't have time for gaming anyway.

[Kamikaze]

MS finally releases an official patch: http://it.slashdot.org/article.pl?sid=06/01/05/2027259&tid=172&tid=128&tid=201&tid=218