Unpatched Windows Vulnerability

Discussion in 'NOD32 version 2 Forum' started by minceypw, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. Howard

    Howard Registered Member

    Latest news on this - as minerat's post was I believe intended to suggest - indicates the discussion about heuristics and signature detection is somewhat irrelevant at present http://isc.sans.org/diary.php?storyid=992

    In case I forget amidst this gloomy tale, a particularly happy New Year to all the folk who post at Wilders - with a special wave to the Eset crew :cool: :D
     
  2. sir_carew

    sir_carew Registered Member

    Well, as I said before, no AV detects 100%. It's humanly impossible.
    Anyway I sent the two WMF files to Eset.
    Thanks.
     
  3. jlo

    jlo Registered Member

    Just an update on the Windows Vulnerability.

    http://isc.sans.org/diary.php?rss&storyid=992

    A new exploit has been found which no AV detects yet (according to the Internet Storm Center).

    Be Careful out there

    PS Happy 2006

    Cheers

    Jlo
     
  4. johnpd

    johnpd Registered Member

    Here are some "harmless" test files for the exploit if you want to determine if NOD32 is finding it:

    http://kyeu.info/WMF/

    Please indicate what results you get in both IE and Firefox (if you use it). I received no alerts in Firefox for ".GIF" formats. The ".HTML" format just displayed a page of gibberish. The remaining gave me alerts.
     
  5. Blackspear

    Blackspear Global Moderator

    AVI and the rest are pretty much all the same :D

    Cheers :D
     

    Attached file: AVI.gif (NOD32 alert screenshot)
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Yup, picked up that test using Opera just fine. :thumb:
     
  7. Elwood

    Elwood Registered Member

    I got page of gibberish on the html file, the rest were detected in both Firefox 1.5 and SeaMonkey 1.0b.
     

  8. jayt

    jayt Registered Member

    FYI: found in another forum:

    Posted: Mon Jan 02, 2006 9:27 am
    http://www.realtechnews.com/posts/2401
    Found in the article "Anti-Virus Coverage for WMF Flaw Still Spotty":

    AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

    Alwil Software (Avast), Softwin (BitDefender), ClamAV, F-Secure Inc., Fortinet Inc., McAfee Inc., ESET (Nod32), Panda Software, Sophos Plc., Symantec Corp., Trend Micro Inc., VirusBuster

    These products detected fewer variants: 62 — eTrust-VET, 62 — QuickHeal, 61 — AntiVir, 61 — Dr Web, 61 — Kaspersky, 60 — AVG, 19 — Command, 19 — F-Prot, 11 — Ewido, 7 — eSafe, 7 — eTrust-INO, 6 — Ikarus, 6 — VBA32, 0 — Norman
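    The detection gap the AV-Test numbers above describe was about recognising the malicious record inside a WMF file. The scanner below is an added example, not code from this thread or from any of the vendors named: it parses the WMF record stream and flags Escape records (function 0x0626) whose escape sub-function is SETABORTPROC (0x0009), the record type the exploit relied on, in the same spirit as the signature-style rules of the time. The sample files are constructed inline and contain only filler bytes after the escape record, so they are inert; a hit on a real file is a reason to look closer, not proof of exploitation, since the record has a legitimate printing use.

```python
"""Scan WMF files for META_ESCAPE / SETABORTPROC records.

Added example (not from the forum thread or any AV product). Constants are the
public WMF record codes; the sample files below are constructed here."""
import struct

META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626            # record function: Escape
SETABORTPROC = 0x0009           # escape sub-function abused by the WMF exploit
NEWFRAME = 0x0001               # an ordinary escape sub-function, for contrast
PLACEABLE_KEY = 0x9AC6CDD7      # Aldus placeable header magic
PLACEABLE_LEN = 22
STD_HEADER_LEN = 18             # standard WMF header: 9 words


def parse_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF file.

    Handles bare metafiles and ones with a placeable header. Stops at META_EOF.
    A trailing record that runs past the end of the data is still yielded with
    whatever bytes exist: truncated files are exactly what a scanner must not skip."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_LEN
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated WMF header")
    header_size = struct.unpack_from("<H", data, off + 2)[0]
    if header_size != 9:
        raise ValueError("unexpected WMF header size: %d words" % header_size)
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:              # size counts the 6-byte record header itself
            raise ValueError("record at %d has impossible size %d" % (off, size_words))
        params = data[off + 6: off + size_words * 2]
        yield off, func, params
        if func == META_EOF:
            break
        off += size_words * 2


def find_setabortproc(data):
    """Return the offsets of Escape records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
            hits.append(off)
    return hits


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from (function, params) pairs (test data only)."""
    body = b""
    max_words = 0
    for func, params in records:
        if len(params) % 2:             # record sizes are in 16-bit words
            params += b"\x00"
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = (STD_HEADER_LEN + len(body)) // 2
    # Type=2 (disk), HeaderSize=9, Version=0x0300, Size, NumObjects, MaxRecord, NumMembers
    out = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_words, 0) + body
    if placeable:
        # Key, HWmf, bounding box (l, t, r, b), Inch, Reserved; checksum = XOR of the words
        fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", fields):
            checksum ^= w
        out = fields + struct.pack("<H", checksum) + out
    return out


# Constructed samples (not real malware): the "suspicious" files carry only
# filler bytes after the SETABORTPROC escape, so they are inert.
_PREFIX = [(META_SETBKMODE, struct.pack("<H", 1))]
_SUSPICIOUS_RECORDS = _PREFIX + [
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16),
    (META_EOF, b""),
]
BENIGN_WMF = build_wmf(_PREFIX + [(META_EOF, b"")])
BENIGN_ESCAPE_WMF = build_wmf(_PREFIX + [(META_ESCAPE, struct.pack("<HH", NEWFRAME, 0)),
                                         (META_EOF, b"")])
SUSPICIOUS_WMF = build_wmf(_SUSPICIOUS_RECORDS)
SUSPICIOUS_PLACEABLE_WMF = build_wmf(_SUSPICIOUS_RECORDS, placeable=True)

if __name__ == "__main__":
    for name in ("BENIGN_WMF", "BENIGN_ESCAPE_WMF", "SUSPICIOUS_WMF",
                 "SUSPICIOUS_PLACEABLE_WMF"):
        print(name, find_setabortproc(globals()[name]))
```

    The parser deliberately tolerates a final record whose declared size exceeds the file: exploit files of this era were routinely malformed, and a scanner that bails out on the first inconsistency misses exactly the files it exists to catch.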
     
  9. Jaska

    Jaska Registered Member

    In page http://multitudious.com/test.html there are 3 variants of this exploit. Nod was unable to detect 2 of them before the latest update 1.1348 today. Only BitDefender and Kaspersky found the virus, but now Nod32 has joined the group. Good work
     
  10. johnpd

    johnpd Registered Member

    I noticed that the above alert images are saying "Infiltration Detected". My alerts say "Threat Detected". Why would there be a difference?
     
  11. Marcos

    Marcos Eset Staff Account

    NOD32 2.5 uses the term "threat" instead of "infiltration". I'd suggest that the guy updates his NOD32 from v. 2.0 to v. 2.5
     
  12. johnpd

    johnpd Registered Member

    Has anyone tried that test site recently? My browsers now hang when trying to process the files. Has NOD32 changed something in their latest update?
     
  13. Elwood

    Elwood Registered Member

    I can't get the test files to load today, but my browsers don't "hang", there seems to be a problem connecting to the files.
     
  14. Upasaka

    Upasaka Guest

    Well, I have tried these tests against my system with the patch from GRC.com, removed that and tried the NOD patch, removed that and applied the official Microsoft update... every patch FAILS the inline plain text test on Internet Explorer. The warning message that my browser is unsafe as it is recognising MIME comes up. So my IE6 browser is still vulnerable?
     
  15. Upasaka

    Upasaka Guest


    Anybody else tried this or got any suggestions?
     
  16. alglove

    alglove Registered Member

    The "inline plain text" test does not test for the WMF/GDI32 vulnerability. What it does do is test whether Internet Explorer can be fooled into thinking that a plain text file is javascript, or some other piece of code. When I open it up with Opera, I see this, which is what is supposed to show up:
    Code:
    <html><body>
    <img src="pic.wmf">
    <script language="javascript">alert('If you see this, your browser is not safe. This is supposed to be a plain text file.');</script>
    <!-- IF YOU CAN SEE THIS, YOUR BROWSER IS RECOGNIZING THIS FILE AS A TEXT FILE, WHICH IS GOOD! -->
    </body></html>
    Internet Explorer misinterprets this piece of code. People who wanted to spread this "WMF" virus around could use this "misinterpretation" to embed and run an infected WMF file. With the patches installed, Internet Explorer still misinterprets the page, but the WMF file is now harmless.
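    The "inline plain text" test above is about content-type sniffing: a body served as text/plain that starts with HTML tags gets rendered as HTML, and its script runs. The model below is an added example, not code from this thread and not Internet Explorer's actual sniffing algorithm; the tag list, the 256-byte window and the `nosniff` switch (modelling the X-Content-Type-Options header that later browsers honour, which IE6 did not have) are assumptions of this simplified model. The sample body is the test page reproduced from the post above.

```python
"""Simplified model of browser content-type sniffing (added example; not IE's
real logic). Shows why a text/plain file that looks like HTML is treated as
HTML by a sniffing client, and how a nosniff directive changes that."""
import re

SNIFF_WINDOW = 256     # bytes examined; a constructed choice for this model

# Tags whose presence near the start of a body this model treats as HTML.
HTML_TAG_RE = re.compile(
    rb"<(?:!doctype\s+html|html|head|body|script|iframe|img|table|div|a|p|br)\b",
    re.IGNORECASE,
)

# Declared types this model is willing to override.
SNIFFABLE = ("text/plain", "", "application/octet-stream")


def sniffed_type(declared_type, body, nosniff=False):
    """Return the media type a sniffing client would act on for this response."""
    declared = declared_type.split(";")[0].strip().lower()
    if nosniff:                       # honour the declaration unconditionally
        return declared
    if declared in SNIFFABLE:
        head = body[:SNIFF_WINDOW].lstrip()
        if HTML_TAG_RE.search(head):
            return "text/html"
    return declared


def script_would_run(declared_type, body, nosniff=False):
    """True if the client would render the body as HTML and it carries a script."""
    return (sniffed_type(declared_type, body, nosniff) == "text/html"
            and b"<script" in body.lower())


# The test page quoted in the post above, served by the test site as plain text.
PAGE_TEST_FILE = (
    b"<html><body>\n"
    b'<img src="pic.wmf">\n'
    b"<script language=\"javascript\">alert('If you see this, your browser is not safe. "
    b"This is supposed to be a plain text file.');</script>\n"
    b"<!-- IF YOU CAN SEE THIS, YOUR BROWSER IS RECOGNIZING THIS FILE AS A TEXT FILE, "
    b"WHICH IS GOOD! -->\n"
    b"</body></html>\n"
)

if __name__ == "__main__":
    print("sniffing client:", sniffed_type("text/plain", PAGE_TEST_FILE))
    print("with nosniff:   ", sniffed_type("text/plain", PAGE_TEST_FILE, nosniff=True))
```

    The consequence for anyone hosting user-supplied "text": the declared Content-Type alone does not decide how a sniffing client renders it, which is why the patches leave this test unchanged; they make the WMF record harmless but do nothing about the sniffing itself.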
     
  17. Upasaka

    Upasaka Guest


    Thank you for that explanation:)
     
  18. Whoknowstbh

    Whoknowstbh Guest

  19. minerat

    minerat Registered Member

    It's my test site; it's funny that it was reposted here. It's really gotten around :p

    I don't know what's going on with it. I was away on vacation and sometime last week the infected WMFs stopped loading. My host says he hasn't changed anything and theplanet says that they're not doing any type of network filtering on the infected files. Very rarely I'll get the infected file to download, but that's only after wget has been going at it for a while. Fortunately it's less of a pressing concern now that an official patch is out.
     