
Infection through a WMF image (no patch yet)!

Because of an error in the processing of .WMF files, arbitrary code can be executed without any user interaction: the user visits, for example with Internet Explorer (any version), a site that contains a WMF with an exploit (crackz.ws for example, do not go there!) and is infected automatically. There are already active viruses on the Internet that use the vulnerability to spread.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

Solution:
Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.
Set security level to "High" in Microsoft Internet Explorer to prevent automatic exploitation.

Source.. http://secunia.com/advisories/18255/

It is also possible for a vulnerable WMF image to have a different extension (e.g. GIF/JPG/PNG), but because images are detected by content and not by extension, the Internet Explorer browser, for example, will interpret it as a WMF.

Here is what M$ writes ;) -> http://www.microsoft.com/technet/security/advisory/912840.mspx

Some experts recommend unregistering the shimgvw.dll library, which is where the vulnerability is located, but you will lose some functionality (you will not be able to view harmless WMFs, for example =).

So until the official patch from Microsoft arrives, everyone is advised to go to Start->Run and type: regsvr32 /u shimgvw.dll

After the official patch from M$ is released, to register the library again you will need to go to Start->Run and type: regsvr32 shimgvw.dll

At the moment the following antivirus products, with the latest updates, can detect the exploit: AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32.

Here someone scanned a WMF with the exploit through http://www.virustotal.com:

This is a report processed by VirusTotal on 12/28/2005 at 20:38:41 (CET) after scanning the file "xpladv548.wmf.gz" file.

AntiVir - no virus found
Avast - Win32:Exdown
AVG - no virus found
Avira - no virus found
BitDefender - Exploit.Win32.WMF-PFV
CAT-QuickHeal - no virus found
ClamAV - no virus found
DrWeb - no virus found
eTrust-Iris - no virus found
eTrust-Vet - no virus found
Ewido - no virus found
Fortinet - W32/WMF-exploit
F-Prot - no virus found
Ikarus - no virus found
Kaspersky - Trojan-Downloader.Win32.Agent.acd
McAfee - Exploit-WMF
NOD32v2 - Win32/TrojanDownloader.Wmfex
Norman - no virus found
Panda - Exploit/Metafile
Sophos - no virus found
Symantec - no virus found
TheHacker - no virus found
UNA - no virus found
VBA32 - no virus found

References..
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752
http://www.uinc.ru/news/sn5064.html
http://www.eweek.com/article2/0,1759,1906211,00.asp?kc=EWRSS03129TX1K0000614
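Added example, not part of the original post: a defender-side check for the point above that a WMF can hide behind a GIF/JPG/PNG extension, for use on a mail gateway or upload filter. It classifies a file by its header bytes and flags WMF content whose name claims another type; the function names and sample file names are hypothetical, and the sample bytes are constructed, harmless empty metafiles.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, optional 22-byte placeable header
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpeg": b"\xff\xd8\xff"}
EXTENSIONS = {".png": "png", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf"}

def is_wmf(data: bytes) -> bool:
    """True if data starts with a placeable or standard WMF header."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]  # the standard header follows the placeable one
    if len(data) < 18:
        return False
    # Standard header: Type (1=memory, 2=disk), HeaderSize in 16-bit words, Version
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def sniff(data: bytes) -> str:
    """Classify by content, the way a content-sniffing viewer would."""
    if is_wmf(data):
        return "wmf"
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def check(name: str, data: bytes):
    """Return (type claimed by extension, type found in content, mismatch flag)."""
    declared = EXTENSIONS.get(PurePath(name).suffix.lower(), "unknown")
    actual = sniff(data)
    return declared, actual, actual == "wmf" and declared != "wmf"

# Constructed samples: an empty metafile (header + end-of-file record), no payload.
WMF_STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
WMF_PLACEABLE = PLACEABLE_KEY + bytes(18) + WMF_STANDARD
PNG_SAMPLE = SIGNATURES["png"] + bytes(16)

if __name__ == "__main__":
    for name, data in [("holiday.jpg", WMF_STANDARD), ("card.gif", WMF_PLACEABLE),
                       ("logo.wmf", WMF_PLACEABLE), ("pic.png", PNG_SAMPLE)]:
        print(name, check(name, data))
```

A flagged file is only a metafile with a misleading name, not proof of an exploit; quarantine it and scan it rather than previewing it.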