Update 12/29: F-Secure is reporting that this vulnerability can be
exploited using other image extensions such as BMP, GIF, PNG, JPG,
JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
There is currently no patch for this vulnerability.
See http://www.nist.org/news.php?extend.50 for more information and
tips on how to block it.
> If a patch is not released fast it's going to get as mad as with rpc
> dcom...
Hrmm. I don't know about that. Why do you think so?
I don't know if I understand the present issue completely, but whereas
RPC DCOM was remotely exploitable via the network without user
interaction, this windows metafile dealio would require someone to
receive an email with the file attachment, wouldn't it? And hence
rely on the mailer doing something with it? Or am I underestimating
the severity of the release?
--
Todd H.
http://www.toddh.net/
The following is a report of AV software and their detection of this Exploit.
AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
What about a web bug (0x0 pixelatted image) in an email linking to an
infected source, which the email client then renders?
Yet another reason why HTML email should be banned. If you want HTML,
use a frigging browser. ;->
E.
Easy enough to add the dll unregister command to a logon script until a
patch is made ;-)
Thx for posting that info. Appropriate action taken.
Cheers,
E.
NO, NO, NO! Severely underestimated! lol This one infects simply by
visiting a web page with a suspect wmf file. You don't need to click on
anything. If the wmf file is embedded windows will try and open it. The
full attack vector is still unsure of at this point. There are some
possible work arounds that "MAY" help.
Yikes. That is disconcerting.
Is avoiding the use of IE of any help to this issue, or is everyone on
the platform screwed until a reliable workaround is available?
I think what we "think" we know so far is that other browsers are less
suspect. It seems the IE will simply try and open the wmf file in Windows
Picture and FAX viewer whereas Fx will attempt to open it in Windows Media
Player which is not vulnerable. The issue is at this time I'm not sure
anyone knows exactly the attack vector. It started out being thought the
(SHIMGVW.dll) was the one being exploited but now it appears to not
necessarily be the case. See this thread for a good rundown.
http://www.dslreports.com/forum/remark,15115819
IE, Firefox, mail programs - all are vulnerable to some degree or another.
The full range of vectors for the attack is not yet fully understood and
the workarounds (disabling or redirecting default WMF & EMF file handlers,
deregistering shimgvw.dll, etc.) while helpful, are probably insufficient.
It appears the core graphic-handling DLLs are also susceptible and these,
obviously, cannot be disabled.
This is a nasty one.
Regards,
Interesting reading, couple of questions if anyone knows:
How does one disable the windows picture and fax viewer in win98 2ed?
Or is there another similar method that will give some protection?
Though my machine is XP, I'm the only "tech support" for several others
with a variety of machines. (The poor slobs, they should get competent
help.)
Once virus checkers are able to see these files, will they necessarily
be checking the files downloaded by a browser for display in a web page?
Thanks
JH
>
> Interesting reading, couple of questions if anyone knows:
>
> How does one disable the windows picture and fax viewer in win98 2ed?
> Or is there another similar method that will give some protection?
> Though my machine is XP, I'm the only "tech support" for several
> others with a variety of machines. (The poor slobs, they should get
> competent help.)
>
> Once virus checkers are able to see these files, will they necessarily
> be checking the files downloaded by a browser for display in a web
> page?
>
> Thanks
> JH
>
The first thing you should do is follow MS's workaround (in 912840) and
disable the WMF viewer using the following command under Start - Run:
regsvr32 -u %windir%\system32\shimgvw.dll
You should also go into Explorer and change the file association for EMF
and WMF file extensions (to some benign program).
That'll help a lot and it's all you can do right now as far as I know. The
problem is that mislabelled files can still be opened if you click on them
(Windows will recognize the file header of a WMF file even if it
is called, for instance, a JPG file).
FWIW Firefox, while not immune, has lower susceptibility than IE. With
Firefox merely opening a "poisoned" site will result in triggering the WMF
vulnerability; with Firefox nothing will happen unless you deliberately
click on the "trigger" (but webmasters can be devious in tricking you into
clicking on things you shouldn't).
Regards,
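As an added example, not from the thread or from Microsoft's 912840 workaround: a small Python check built on the point above that Windows recognizes a metafile by its header rather than its name. It classifies a file as WMF or EMF from header bytes alone and flags files whose extension is one of the image types listed in the 12/29 update. The header constants come from the public WMF/EMF format; the sample "files" are constructed header stubs, not real exploit files.

```python
import os
import struct

# Extensions the 12/29 update says can carry the exploit (plus .wmf itself).
IMAGE_EXTENSIONS = {
    ".wmf", ".bmp", ".gif", ".png", ".jpg", ".jpeg", ".jpe", ".jfif",
    ".dib", ".rle", ".emf", ".tif", ".tiff", ".ico",
}

PLACEABLE_WMF_KEY = 0x9AC6CDD7   # Aldus placeable metafile header key
EMF_SIGNATURE = 0x464D4520       # " EMF" in the ENHMETAHEADER at offset 40


def metafile_kind(data: bytes):
    """Return 'wmf', 'emf' or None from header bytes only (file name ignored)."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard METAHEADER: Type (1=memory, 2=disk), HeaderSize (9 words),
        # Version (0x0100 or 0x0300).
        mtype, hsize, ver = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hsize == 9 and ver in (0x0100, 0x0300):
            return "wmf"
    if len(data) >= 44:
        # EMR_HEADER: record type 1, record size >= 88, " EMF" signature at 40.
        rec_type, rec_size = struct.unpack("<II", data[:8])
        sig = struct.unpack("<I", data[40:44])[0]
        if rec_type == 1 and sig == EMF_SIGNATURE and rec_size >= 88:
            return "emf"
    return None


def is_mislabelled(filename: str, data: bytes) -> bool:
    """True when the extension says image but the header says metafile."""
    ext = os.path.splitext(filename)[1].lower()
    if metafile_kind(data) is None or ext not in IMAGE_EXTENSIONS:
        return False
    return ext not in (".wmf", ".emf")   # .wmf/.emf are honestly labelled


# Constructed sample inputs (header stubs only, not malware): a placeable WMF
# header, a standard WMF header, a JPEG SOI marker, an EMF header, a real .wmf.
SAMPLES = {
    "holiday.jpg": struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18,
    "card.gif": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "chart.png": struct.pack("<II", 1, 108) + b"\x00" * 32
                 + struct.pack("<I", EMF_SIGNATURE) + b"\x00" * 64,
    "logo.wmf": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
}


def scan(samples=SAMPLES):
    """Return, sorted, the names whose extension hides a metafile header."""
    return sorted(n for n, d in samples.items() if is_mislabelled(n, d))


if __name__ == "__main__":
    for name in scan():
        print(f"{name}: extension says image, header says {metafile_kind(SAMPLES[name])}")
```

On a real mailbox or browser cache you would feed each file's first 44 bytes to `is_mislabelled` and quarantine the hits for a look.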
In the case of RPC DCOM, the attacker started from a range of IP
addresses (typically the ones belonging to a company or organization,
or a pool of DSL users located in a particular area), scanned it to
find the machines vulnerable to the attack, and exploited it. This
resulted (I believe) in the creation of armies of thousands of zombies.
In the case of this new vulnerability, the attacker is bound to start
from an email database, and spam the virus with a very high chance of
successful exploitation. It is less direct than starting from the IP
addresses, but it can still result in massive exploitation. I have
recently found an email database with millions of addresses, and if the
virus takes the contacts stored on an exploited machine and forward
itself, just imagine...
Moreover, starting from the IP addresses the attacker would face
hardened gateways. This is probably why most of the victims of the RPC
DCOM vuln were individuals. With a scheme of a virus spreading via
email you can get INTO an organisation.
Well, let's wait for the patch. And do what we can as a workaround.
Yeah, done on all the XP boxes. The win98 SE box I tried it on didn't
work. Search for "shivgvw.dll" came up empty too. Windows installs
that just don't have it?
>
> You should also go into Explorer and change the file association for EMF
> and WMF file extensions (to some benign program).
I'll do that. By benign, do you mean some other image handler? or
something that just won't do anything with the file? Any suggestions?
-Frank
Please don't change the subject line, when responding to a post.
It makes it extremely difficult to follow the thread.
Thanks!
Notan
Not with my newsreader.
-Frank
| Auto-updated today to #3.137.00. I run Officescan.
|
| -Frank
|
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
--
It's referred to as being considerate of others.
Notan
Interesting. Here's what I see on the Trend Micro page...
TROJ_WMFCRASH.A Low Dec 29, 2005 3.137.00
TROJ_NASCENE.C Low Dec 28, 2005 3.135.00
I thought this one was the WMFCRASH.A?
-Frank
>It makes it extremely difficult to follow the thread.
That's what the References: header is for, to provide linking
through changes of Subject:.
As best I recall, Usenet guidelines are that one *should* change
Subject: headings any time that the topic has mutated significantly
from the original topic, so as to give others a chance to avoid
messages on topics they are not interested in, and to make it
easier to find messages related to a particular topic.
Changing the Subject: heading is not considered disrespectful
if the new Subject is a good description of the content.
By the way, -your- messages do not meet the technical standards
for postings. The technical standards for NNTP (Network News
Transport Protocol) require that you use a valid email address
when posting. Not just something that is more or less in
the right format for an email address. A lot of people ignore
this technical requirement these days, but there are certainly
people who consider violation of the technical standards to be
"disrespectful".
--
"law -- it's a commodity"
-- Andrew Ryan (The Globe and Mail, 2005/11/26)
You sure know how to twist guidelines, don't you?
Yes, it's suggested that one change the subject line, when the
subject changes, *not* when responding to a previous post.
> By the way, -your- messages do not meet the technical standards
> for postings. The technical standards for NNTP (Network News
> Transport Protocol) require that you use a valid email address
> when posting. Not just something that is more or less in
> the right format for an email address. A lot of people ignore
> this technical requirement these days, but there are certainly
> people who consider violation of the technical standards to be
> "disrespectful".
Munging an address is a perfectly acceptable way to avoid spam
and harassment.
You're the first person, that I've ever heard, to even suggest
that munging is "disrespectful."
Notan
As of last night I was told there may be 50 variants in the wild.
Based upon the variant I tested...
AntiVir 6.33.0.70 12.30.2005 EXP/IMG.WMF
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.30.2005 EXP/IMG.WMF
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.30.2005 Exploit:Win32/Wmfap
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.30.2005 Trojan-Downloader.Win32.Agent.acd
OLD RFCs :-)
It is now a REQUIREMENT to post to UseNet with a munged email address so as not to get the
Swen Internet worm or be the target of spam bots.
Additionally the standard of appending .INVALID has long been invalidated by spam bots
programmed to drop the .INVALID suffix found in an email address.
I guess I was ahead of my time.
Who'da thunkit! <g>
Notan
> Walter Roberson wrote:
[...]
>> By the way, -your- messages do not meet the technical standards
>> for postings. The technical standards for NNTP (Network News
>> Transport Protocol) require that you use a valid email address
>> when posting. Not just something that is more or less in
>> the right format for an email address. A lot of people ignore
>> this technical requirement these days, but there are certainly
>> people who consider violation of the technical standards to be
>> "disrespectful".
>
> Munging an address is a perfectly acceptable way to avoid spam
> and harassment.
>
> You're the first person, that I've ever heard, to even suggest
> that munging is "disrespectful."
It would be if you don't have the permission of ddress.com's owners
(netidentity.com), which is a valid domain, with MX records pointing
to Outblaze hosts, since it's their CPU cycles and bandwidth wasted
when rejecting spam aimed at this address. It's also hardly fair or
"respectful" if someone pays NetIdentity USD24.95 for that address
and then gets the dubious benefits of notan {at} ddress {dot} com
having been harvested from your usenet posts, they might be less
than ecstatic.
Of course, having read <http://www.giganews.com/aup.html>, I'm sure
you have permission to use ddress.com in your Message-ID header as
well...
--
Rob Skedgell <rob+...@nephelococcygia.demon.co.uk>
From: address is a spamtrap, Reply-To: is valid.
GnuPG/PGP: 7DA3 1579 C0DD 8748 C05A B984 E2A2 3234 D14B 6DD7
>> You should also go into Explorer and change the file association for
>> EMF and WMF file extensions (to some benign program).
>
> I'll do that. By benign, do you mean some other image handler? or
> something that just won't do anything with the file? Any suggestions?
The default association on my XP boxes was already Acdsee rather than
Windows Picture and Fax viewer. I mentally debated whether that was good
enough, whether I should change it to Notepad, or even to some "null"
handler (either a nonfunctional exe created for that purpose or a
nonexistent one). In the end I chose Notepad. I decided Notepad probably
wouldn't do anything harmful with such a file but its popping up would
alert me.
But all of this is just a makeshift - we need a patch.
Regards,
No, really not.
It just means to redirect all SPAM-Mails to the victims, whose mail
addresses are abused as faked sender addresses, because they're bombarded
with complaints then.
A not-so-nice "solution" for the sender to avoid _his_ SPAM.
Yours,
VB.
--
A vision statement is, as a rule, the planless babble of a horde of
cranks out of touch with reality.
Dietz Pröpper in d.a.s.r
From what we've seen so far any graphic rendering app appears to be suspect.
Many, it seems, make use of the suspect .DLL files in one way or another. It
might be as simple as the rendering of thumbnails. It would seem that
Notepad is the better choice as of now. I do know that with setting
IrfanView as default, the infection still occurred.
Not that it's a big deal, but just for completeness:
The posting fails on three counts: The new Subject: is *not* a good
description of the content, it does not have the customary "(was:
<old_subject>)", and it does not quote any previous material.
FWIW, personally I do not care about any of these, because my
newsreader can easily show the parent article ('u'p the tree) and my
News-server(s) are normally quite complete (so I'm not likely to miss
the parent).
[deleted]
> In article <43B55548...@ddress.com>, Notan <no...@ddress.com> wrote:
> >Please don't change the subject line, when responding to a post.
>
> >It makes it extremely difficult to follow the thread.
>
> That's what the References: header is for, to provide linking
> through changes of Subject:.
>
> As best I recall, Usenet guidelines are that one *should* change
> Subject: headings any time that the topic has mutated significantly
> from the original topic, so as to give others a chance to avoid
> messages on topics they are not interested in, and to make it
> easier to find messages related to a particular topic.
>
> Changing the Subject: heading is not considered disrespectful
> if the new Subject is a good description of the content.
Indeed.
|
| It would be if you don't have the permission of ddress.com's owners
| (netidentity.com), which is a valid domain, with MX records pointing
| to Outblaze hosts, since it's their CPU cycles and bandwidth wasted
| when rejecting spam aimed at this address. It's also hardly fair or
| "respectful" if someone pays NetIdentity USD24.95 for that address
| and then gets the dubious benefits of notan {at} ddress {dot} com
| having being harvested from your usenet posts, they might be less
| than ecstatic.
|
| Of course, having read <http://www.giganews.com/aup.html>, I'm sure
| you have permission to use ddress.com in your Message-ID header as
| well...
|
GigaNews doesn't enforce squat !
Their subscribers are free to do whatever they want !
It looks to me like Irfanview uses shimgvw.dll to render thumbnails, at
least on the "file open" screen. This because disabling the dll
results in icons only on that screen.
Anyone want to issue a WAG about how long it will take to see a patch?
Considering that the vuln is being reported today on CNN?
JH
> It looks to me like Irfanview uses shimgvw.dll to render thumbnails,
> at least on the "file open" screen. This because disableing the dll
> results in icons only on that screen.
>
> Anyone want to issue a WAG about how long it will take to see a patch?
> Considering that the vuln is being reported today on CNN?
>
>
> JH
CNN is a little slow on the draw; the BBC reported it yesterday.
Sites exploit Windows image flaw
http://news.bbc.co.uk/1/hi/technology/4566504.stm
(same article although yesterday it wasn't in the technology section)
Regards,
I'm kinda surprised there isn't one out yet but with the holidays I suppose
many techs are out and about. I'm also surprised I haven't really read of
anyone locking this one down yet. Seems to be so many vectors that it is
hard to narrow down.
It seems most of the AV vendors have it covered now but I have heard of some
detecting it but not before it has already started to infect. I also read
that BOClean had this covered over a month ago.
> From: "Rob Skedgell" <nos...@nephelococcygia.demon.co.uk>
>
[...]
>
> |
> | Of course, having read <http://www.giganews.com/aup.html>, I'm
> | sure you have permission to use ddress.com in your Message-ID
> | header as well...
> |
>
> GigaNews doesn't enforce squat !
>
> Their subscriber's are free to do whatever they want !
>
Perhaps true, but if "Notan" decides to choose a less abusive means
of protecting his/her email address from harvesting by spambots it
hardly matters whether GigaNews actually enforces its AUP or not.
> F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
> currently being exploited through Trojan email messages and allow for
> Arbitrary Code Execution. It is related to Microsoft Windows WMF
> (Windows Metafiles) handling. Even fully patched Windows XP SP2
> machines using IE or Firefox are vulnerable.
>
> Update 12/29: F-Secure is reporting that this vulnerability can be
> exploited using other image extensions such as BMP, GIF, PNG, JPG,
> JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
>
> There is currently no patch for this vulnerability.
>
> See http://www.nist.org/news.php?extend.50 for more information and
> tips on how to block it.
It sounds like using Mozilla might be a solution?
>> See http://www.nist.org/news.php?extend.50 for more information and tips
>> on how to block it.
>
> It sounds like using Mozilla might be a solution?
No, it doesn't sound like that at all. It's a **Windows** vulnerability
that has little or nothing at all to do with what browser you're running.
If you'd bothered to click the link that was a mere two lines before your
reply, you might have saved yourself some embarrassment by reading this:
"Entry vectors include: Rogue web pages, Trojan eMail messages, P2P
downloads. Even Firefox is not immune as a downloaded WMF graphics file
immediately loads the "Windows Picture and Fax Viewer", which is
vulnerable."
"NOTE: Any 3rd party program that utilizes the shimgvw.dll graphics
rendering engine is also vulnerable. This includes the Google Desktop and
(as discovered by NIST.org) Lotus Notes."
"Warning to IT Security types: Do not attempt to analyze this exploit from
a Windows based computer. It is very easy to trigger this exploit."
You can read, can't you? :)
> On 29 Dec 2005 03:22:46 -0800, NIST.org wrote:
>
>> F-Secure.com and Secunia.com are reporting a new zero-day vulnerability
>> currently being exploited through Trojan email messages and allow for
>> Arbitrary Code Execution. It is related to Microsoft Windows WMF
>> (Windows Metafiles) handling. Even fully patched Windows XP SP2 machines
>> using IE or Firefox are vulnerable.
>>
>> Update 12/29: F-Secure is reporting that this vulnerability can be
>> exploited using other image extensions such as BMP, GIF, PNG, JPG, JPEG,
>> JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO.
>>
>> There is currently no patch for this vulnerability.
>>
>> See http://www.nist.org/news.php?extend.50 for more information and tips
>> on how to block it.
>
> It sounds like using Mozilla might be a solution?
ROTFL! Typical privacy.LIE stupidity and laziness.
In addition to the LART you got from someone else...
http://www.securitypipeline.com/175701189?CID=rssfeed_pl_scp
"It's really easy to get this thing," said Shane Coursen, a senior
technical analyst with Moscow-based Kaspersky Labs. "The exploit will
even work through a DOS box."