windyday
Trooper

 Joined: Jan 02, 2006 Posts: 32 Location: USA
Paul
CastleCops Founder
 Joined: Feb 22, 2002 Posts: 27351
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16505
Posted: Fri Jan 06, 2006 11:03 pm
The exploit is like the person coming into your house. Of course you're vulnerable if the door isn't locked; someone with nefarious intentions could waltz right in. Most (all?) vulnerabilities and the exploits that take advantage could be thought of in these terms, but what makes this different is just how entry is achieved and what results.
Usually a knock on the door is required and the malware has to be invited in (the user has to open a malware-laden file) to gain entry. Many have to leave a means to defeat the door lock or unlock the back door or a window, for instance. A vulnerability to be sure, but it takes a couple of steps and usual "safe practices" can guard against them.
In this case, the WMF exploit doesn't need to be invited in (the exploit activates automatically without a file being knowingly opened)! Plus the exploit doesn't have to leave a "call home" hook. It could come in with all the malware required to accomplish the objective in that bulging briefcase! That's why such an exploit is termed to be "zero day"; it all happens immediately, in a flash! Boom, you're a statistic!
And because such an exploit bypasses the due diligence of responsible computer users (i.e. be suspicious of unknown files and don't open them before verifying they are legit) even savvy users can be caught.
The known exploit payload is bad enough -- variants of SpyAxe; spyware which fools the computer owner into buying SpyAxe to get rid of supposed malware (for a price). If purchased, to add insult to injury, the package rids the computer of other spyware but leaves hooks to benefit spyware purveyors.
However this vulnerability could allow *any* known malware to be packaged within the wmf file as the exploit payload! Thus trojans, keyloggers, viruses, etc. could be installed just by browsing to a site. As soon as the site is accessed the wmf file is executed by the browser and the exploit is triggered. No file is opened. No alarms go off (AVs are having trouble keeping up with the variants). The computer is infected.
windyday
Trooper

 Joined: Jan 02, 2006 Posts: 32 Location: USA
Posted: Sat Jan 07, 2006 8:05 am
Thank you Paul and Ikeb for your information.
Ikeb, what a great explanation! If a computer was attacked successfully by the WMF exploit, wouldn't the new Microsoft patch close the "door", so there is no longer a vulnerability for more malware packaged within the WMF to get into the system? (Obviously you would have to deal with all the damage "inside the house when the door was left open".) Is this the way it works?
Ikeb
Special Response Team Forums Admin
 Joined: Apr 20, 2003 Posts: 16505
Posted: Sat Jan 07, 2006 9:49 am
As I understand it, the MS fix (or Ilfak's interim fix for that matter) prevents that bulging briefcase, stuffed full with the malware payload, from being opened. In effect it remains sealed.
IP: 207.112.*.*
Guest
Posted: Thu Dec 28, 2006 12:21 pm
Paul wrote:
Actually you can take a look here:
/a6445-WMF_Exploit_FAQ.html
Look half way down for some pictures.
The WMF exploit takes advantage of a vulnerability in the graphics rendering engine. This engine is the one that provided the open door through which the WMF exploit got in.