
The WMF Vulnerability

The WMF vulnerability was first discovered on December 27, 2005. It is a zero-day vulnerability (i.e. it was exploited on the same day it was announced) that came to public attention when several malicious media files started surfacing on the Internet. Before Microsoft and the antivirus industry could fully address this threat, dozens of spyware and malicious websites were already using it. Nine different variants of media files carrying various types of malicious code were in circulation within the next two days.

During this time, eSafe was the only gateway product capable of providing complete protection against these threats. To fully protect users against this vulnerability exploit as well as all of its latest variants, a special hotfix was developed for all eSafe customers. Customers are urged to contact eSafe's Technical Support department for further details and assistance.

The Windows Meta File (WMF) vulnerability can be exploited to execute arbitrary code on unpatched systems. Typically, to take advantage of this flaw, a malicious code writer creates a specially constructed media file (usually a WMV or JPG file) that actually carries a Trojan downloader component. When the user clicks on the file (even once, without executing it), Windows automatically attempts to preview it. This action triggers the vulnerability and allows the modified media file to download and execute additional malicious content.
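Because the file's extension need not match its content, a gateway or mail filter can identify WMF data by its header rather than its name. The following is an added example, not code from eSafe or from this page; the function names and sample bytes are constructed for illustration, and the header constants come from the published WMF file format.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7               # magic of the optional 22-byte placeable preamble
PLACEABLE_LEN = 22
META_HEADER = struct.Struct("<HHHIHIH")  # 18-byte header that every WMF carries

def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a plausible WMF header, with or without the preamble."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + META_HEADER.size:
        return False                     # truncated: not enough bytes for a header
    ftype, header_words, version, *_ = META_HEADER.unpack_from(data, offset)
    # Type 1 = memory, 2 = disk; header is always 9 words; version 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(filename: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes actually are."""
    if not looks_like_wmf(data):
        return "not-wmf"
    is_wmf_name = PurePath(filename).suffix.lower() == ".wmf"
    return "wmf" if is_wmf_name else "wmf-disguised"

def build_sample(placeable: bool) -> bytes:
    """Constructed, harmless metafile: header plus a single end-of-file record."""
    body = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    pre = struct.pack("<IH4hHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = 0
    for word in struct.unpack("<10H", pre):  # preamble checksum: XOR of its first 10 words
        checksum ^= word
    return pre + struct.pack("<H", checksum) + body

# Constructed sample inputs (no real files involved).
SAMPLE_BARE = build_sample(False)
SAMPLE_PLACEABLE = build_sample(True)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + bytes(20)  # JPEG-style prefix, not a full image

if __name__ == "__main__":
    for name, data in [("holiday.jpg", SAMPLE_BARE), ("chart.wmf", SAMPLE_PLACEABLE),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(f"{name}: {classify(name, data)}")
```

A "wmf-disguised" result only says the name and content disagree; whether to block, quarantine or log such files is a policy decision for the gateway.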

A demo of the vulnerability exploit capabilities (see image below) as well as instructions (in German) are available here: http://www.heise.de/security/dienste/browsercheck/demos/ie/wmf.shtml

Above: When opening an infected media file (in this case with a WMF extension), it exploits the WMF vulnerability and executes another file. As this is only a demo, the file executed is Microsoft Calculator.

More information about this vulnerability, as well as a patch that addresses it, is available here: http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx

Related news items:

New Zero-Day Exploit Threatens XP Users
http://www.redmondmag.com/news/article.asp?EditorialsID=7111

Hackers Attack Windows Flaw
http://www.ecommercetimes.com/story/r0OiM1RpN9zKS7/Hackers-Attack-Windows-Flaw.xhtml

Trojan Exploit - WMF Attack
http://www.efytimes.com/fullnews.asp?edid=9006

Antivirus makers catch up to Windows bug
http://news.com.com/Antivirus+makers+catch+up+to+WMF+bug/2100-1002_3-6018696.html