All, I think I was able to get the SAFER mechanism to block this for IE, and any program covered under it. I know that there are other workarounds, but I have found the SAFER approach has stopped every one of these sorts of attacks. I have a vbscript that activates SAFER for IE, and various other client apps. Email me at this address if you want me to send it out to anyone. Thanks! > -----Original Message----- > From: Bill Busby [mailto:williambusby2001@xxxxxxxxx] > Sent: Thursday, December 29, 2005 1:35 PM > To: Hayes, Bill; davidribyrne@xxxxxxxxx > Cc: bugtraq@xxxxxxxxxxxxxxxxx > Subject: RE: WMF Exploit > > > It is not only *.wmf extensions it is all files that > have windows metafile headers that will open with the > Windows Picture and Fax Viewer. Any file that has the > header of a windows metafile can trigger this exploit. > > --- "Hayes, Bill" <Bill.Hayes@xxxxxxx> wrote: > > > CERT now has posted Vulnerability Note VU#181038, > > "Microsoft Windows may > > be vulnerable to buffer overflow via specially > > crafted WMF file" > > (http://www.kb.cert.org/vuls/id/181038). The note > > provides additional > > details about the exploit and its effects. Very few workarounds have > > been proposed other than blocking at the perimeter > > and possibly > > remapping the .wmf extension to some application > > other than the > > vulnerable Windows Picture and Fax Viewer > > (SHIMGVU.DLL). > > > > Bill... > > > > -----Original Message----- > > From: davidribyrne@xxxxxxxxx > > [mailto:davidribyrne@xxxxxxxxx] > > Sent: Wednesday, December 28, 2005 4:18 PM > > To: bugtraq@xxxxxxxxxxxxxxxxx > > Subject: WMF Exploit > > > > > > Another quick observation, again, I apologize if > > this information has > > already been posted; I haven't been able to read all > > the posts today. > > The thumbnail view in Windows Explorer will parse > > the graphics files in > > a folder, even if the file is never explicitly > > opened. This is enough to > > trigger the exploit. Even more frightening is that > > you don't have to use > > the thumbnail view for a thumbnail to be generated. > > Under some > > circumstances, just single-clicking on the file will > > cause it to be > > parsed. > > > > David Byrne > > > > > > > > __________________________________ > Yahoo! for Good - Make a difference this year. > http://brand.yahoo.com/cybergivingweek2005/ >
