Unpatched Windows Vulnerability

Latest Secunia bulletin discloses new unpatched Windows vulnerability which is being 'exploited in the wild'.

http://secunia.com/advisories/18255/

Question. Pending a Windows Update, is this something NOD can protect us against?

 

Yep, NOD32 protects you from update 1.1342

 

Indeed. Thanks again Eset!

EDIT: Upon looking at this a little further, was this not already patched? http://www.microsoft.com/technet/security/bulletin/ms05-053.mspx

 

This must be something different. Take a look here, the new exploit works even on a fully patched XP SP2 system:

http://isc.sans.org/diary.php?storyid=972

and updated

http://isc.sans.org/diary.php?storyid=975


I do have a probably very stupid question but anyway: Would deleting wmf from the registered file type list help against this exploit?

Regards,
qs

 

There's a temporary ("undoable") fix on this page:

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)

 

That video looks pretty nasty, and I use .wmf files all the time.
Good thing I can count on NOD.

 

Here's a fix. However there's no proof that this fix protect you from 100%.
Just run.

1) Close any Internet Explorer window.
2) Start, Run and write: regsvr32 -u %windir%\system32\shimgvw.dll
This will cause that this DLL that is the problem of this vulnerability will not be registered.

If you want to register this DLL in question, just write: regsvr32 %windir%\system32\shimgvw.dll
This fix was suggestes by Microsoft.

Another suggested fix by Microsoft is available on: How to Configure Memory Protection in Windows XP SP2
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
Published: December 9, 2004

 

OK, but according to Marcos' earlier post, we're already protected by NOD32. Am I right?

 

Yes, of course. We're protected with NOD32, however more protection isn't a problem

 

that's what I said, that's what I said!!! [Data - Goonies, Movie]

 

No offence taken Bubba, but my question is still not answered. According to all that I have read in anti-spy ware literature, this is an extremely dangerous flaw in the MS code that allow almost anyone to infect one's computer and then download various trojans (and later viruses). I can understand that Nod32 can detect the exploit (and probably prevent the installation of trojans and viruses) but can Nod32 prevent the exploit itself?
If everything I am reading on this forum is correct, then if you have Nod32 on your computer, MS does not need to do any updates and it is not necessary to unregister the shimgvw.dll to be protected.

 

do not forgett yes nod32 detected all of those and also other anti-virus but i do not think still that kaspersky can compaire with nod32.
because kaspersky will always be nr 1 of hot top!

 

Joit, No offense intended, but it's not the right topic to discuss KAV v.s. NOD32.
jayt, there's NO AV that can protect you from 100%. It's human impossible.
Anyway take a look at the results from VirusTotal and two differents WMF exploits:

Este es el resultado de analizar el archivo "exploit-wmf2.wmf" que VirusTotal ha procesado el dia 31/12/2005 a las 10:07:59 (CET).

AntiVir 6.33.0.70 30.12.2005 no ha encontrado virus
Avast 4.6.695.0 30.12.2005 Win32:Exdown
AVG 718 30.12.2005 no ha encontrado virus
Avira 6.33.0.70 30.12.2005 no ha encontrado virus
BitDefender 7.2 31.12.2005 Exploit.Win32.WMF-PFV
CAT-QuickHeal 8.00 31.12.2005 no ha encontrado virus
ClamAV devel-20051123 29.12.2005 no ha encontrado virus
DrWeb 4.33 30.12.2005 no ha encontrado virus
eTrust-Iris 7.1.194.0 30.12.2005 no ha encontrado virus
eTrust-Vet 12.4.1.0 31.12.2005 no ha encontrado virus
Ewido 3.5 30.12.2005 no ha encontrado virus
Fortinet 2.54.0.0 31.12.2005 no ha encontrado virus
F-Prot 3.16c 30.12.2005 no ha encontrado virus
Ikarus 0.2.59.0 30.12.2005 no ha encontrado virus
Kaspersky 4.0.2.24 31.12.2005 Exploit.Win32.IMG-WMF
McAfee 4663 30.12.2005 Exploit-WMF
NOD32v2 1.1347 30.12.2005 variant of Win32/Exploit.WMF
Norman 5.70.10 31.12.2005 W32/Exploit.Gen
Panda 9.0.0.4 30.12.2005 Exploit/WMF
Sophos 4.01.0 30.12.2005 no ha encontrado virus
Symantec 8.0 31.12.2005 no ha encontrado virus
TheHacker 5.9.1.064 29.12.2005 no ha encontrado virus
UNA 1.83 30.12.2005 no ha encontrado virus
VBA32 3.10.5 30.12.2005 no ha encontrado virus


Este es el resultado de analizar el archivo "exploit-wmf3.wmf" que VirusTotal ha procesado el dia 31/12/2005 a las 10:12:36 (CET).

AntiVir 6.33.0.70 30.12.2005 no ha encontrado virus
Avast 4.6.695.0 30.12.2005 no ha encontrado virus
AVG 718 30.12.2005 no ha encontrado virus
Avira 6.33.0.70 30.12.2005 no ha encontrado virus
BitDefender 7.2 31.12.2005 Exploit.Win32.WMF-PFV
CAT-QuickHeal 8.00 31.12.2005 no ha encontrado virus
ClamAV devel-20051123 29.12.2005 no ha encontrado virus
DrWeb 4.33 30.12.2005 no ha encontrado virus
eTrust-Iris 7.1.194.0 30.12.2005 no ha encontrado virus
eTrust-Vet 12.4.1.0 31.12.2005 no ha encontrado virus
Ewido 3.5 30.12.2005 no ha encontrado virus
Fortinet 2.54.0.0 31.12.2005 no ha encontrado virus
F-Prot 3.16c 30.12.2005 no ha encontrado virus
Ikarus 0.2.59.0 30.12.2005 no ha encontrado virus
Kaspersky 4.0.2.24 31.12.2005 no ha encontrado virus
McAfee 4663 30.12.2005 Exploit-WMF
NOD32v2 1.1347 30.12.2005 variant of Win32/Exploit.WMF
Norman 5.70.10 31.12.2005 W32/Exploit.Gen
Panda 9.0.0.4 30.12.2005 Exploit/WMF
Sophos 4.01.0 30.12.2005 no ha encontrado virus
Symantec 8.0 31.12.2005 no ha encontrado virus
TheHacker 5.9.1.064 28.12.2005 no ha encontrado virus
UNA 1.83 30.12.2005 no ha encontrado virus
VBA32 3.10.5 30.12.2005 no ha encontrado virus

 

yeah yeah, but maybe this silly test kav did not detected 100% but only 80% and it is still good... But maybe next test of other variant maybe Kaspersky will detect 100% next time, and not NOD32 we never know it, so do not hessitate and say wow nod32 is the best one like usually also other av's detected it with 100%...
and if you see the av-comp.... kav has win that test in many years now more then nod32...!
bye and Happy New Year 2006!

 

Hopefully you will have the answer you are looking for in this ongoing thread now that you have asked your question.

 

Well, NOD32 has something KAV will not have so soon as I know: very strong heuristics. This for sir_carew's post.

 

Yes, totally agreed.
Eset had one of the best person in heuristics in the world.

 

There is a good fix for the security hole at F-Secure ( or rather they reffer to some tech gurus blogg )

http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

/Sam

 

Lots of good advice and breaking news on this WMF file exploit - as well as a nice fix for Kerio PFW 4.x users - can be found here http://sunbeltblog.blogspot.com/

Great to see NOD32 at the head of the queue on protection for this - perfect way to end the year

 

metasploit has released an update that pads the escape call with random data. newest variants blow by all AV, NOD32 w/ advanced heuristics included.

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

It looks like DEP or a hacked patch of the dll is the only way to prevent these permutations from executing.

 

Need to be very careful about DEP and this exploit http://sunbeltblog.blogspot.com/2005/12/microsoft-clarifies-dep-issue.html

 

what do you mean?
that nod32 detected this new exploit Windows Vulnerability with their Hive without to add any samples??
i do not think so.

 

1) Hive isn't part of NOD32. Hive is part of Bitdefender. NOD32 engine is called ThreatSense.
2) Yes, is true. NOD32 is able to detect new variants/modifications of known WMF exploits without the exact sample. Read at VirusTotal results I posted. variant of... That's mean detection for a new variant without an exact signature.

 

My verison of NOD32 1.1347 doesn't detect the newest permutations (it pads the escape call with random data). Try the two files at the bottom of my test page; they'll initiate a windows shutdown and NOD32 won't say a peep. Ilfak's patch does stop the newest variants though (as one would expect).

http://multitudious.com/test.html (nod32 will complain about the inlined images, but not the when meta2.wmf and meta3.wmf are clicked and launhed in fax/picture viewer - R1CH from SA created the images)

Good link, hadn't seen that.