The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – * Update on Windows WMF 0-day

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 28th 2005

* Update on Windows WMF 0-day (NEW)

Published: 2005-12-28,
Last Updated: 2005-12-28 20:02:19 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie showing what it looks like when a system gets exploited by this WMF 0-day, see . Don’t go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site ( is no longer up. But the exploit is being served from various sites all over by now, see the F-Secure Blog on for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive – see the F-Secure Weblog mentioned above for details.
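Because any application that renders a WMF file on disk can trigger the problem, a defender wants to find such files before an indexer or viewer touches them. The scanner below is an added example, not code from the ISC diary or this blog: it walks a WMF record stream and flags the Escape record with the SetAbortProc sub-function, which the later public analyses of this 0-day identified as its trigger (the diary itself does not name it). Record-type constants come from the documented WMF format; the two sample files are constructed in the code and carry no payload.

```python
import struct

PLACEABLE_KEY, META_EOF = 0x9AC6CDD7, 0x0000
META_ESCAPE, SETABORTPROC = 0x0626, 0x0009   # escape record / sub-function the 0-day abuses

def wmf_records(data):
    """Yield (offset, function, params); function is None for a malformed record, then stop."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    while True:
        # RecordSize is counted in 16-bit words and includes the 6-byte record header
        size = struct.unpack_from("<I", data, off)[0] * 2 if off + 6 <= len(data) else 0
        if size < 6 or off + size > len(data):   # truncated stream or bogus RecordSize
            yield off, None, b""
            return
        func = struct.unpack_from("<H", data, off + 4)[0]
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size

def scan_wmf(data):
    """Return offsets of META_ESCAPE/SETABORTPROC records and a malformed-stream flag."""
    hits, malformed = [], False
    for off, func, params in wmf_records(data):
        if func is None:
            malformed = True
        elif (func == META_ESCAPE and len(params) >= 4
              and struct.unpack_from("<H", params)[0] == SETABORTPROC):
            hits.append(off)
    return {"setabortproc_offsets": hits, "malformed": malformed}

def build_wmf(records):
    """Constructed test data: minimal disk WMF (type 2) from (function, params) pairs."""
    recs = [struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records]
    recs.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(recs)
    hdr = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                      max(len(r) // 2 for r in recs), 0)
    return hdr + body

# Constructed samples: a benign file and one carrying the escape record with dummy data.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8))])                # META_SETMAPMODE only
SUSPECT = build_wmf([(0x0103, struct.pack("<H", 8)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
```

A file that is flagged, or whose record stream is malformed, is worth quarantining until it has been inspected rather than left where an indexer can render it.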


December 28, 2005 - Posted by | Antivirus News, Security News, Virus Outbreaks
