
SANS ISC: * Windows WMF 0-day exploit in the wild SANS ISC InfoSec Forums

* Windows WMF 0-day exploit in the wild

From Daniel's diary entry yesterday ...

Just when we thought that this would be another slow day, a link to a working unpatched exploit in what looks like the Windows Graphics Rendering Engine has been posted to Bugtraq.

The posted URL is   [ uni on seek. com/   d/t    1/  wmf_exp.  htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file runs another WMF (Windows Meta File), which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.

During the test Johannes ran, it was interesting that DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether or not software DEP also stops this - let us know if you have tested this.

Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box asks me whether I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.

UPDATE - According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."

For more information, see also and


Dec 28th 2005
