zero-day WMF exploit does PG protect?

Will PG alert on zero-day WMF exploit files if one visits any of these sites on IE? Fx protects by mistakenly trying to open them in WMP. I know the current recommended work around until MS issues a fix is to unregister SHIMGVW.DLL. However, that totally disables MS Picture and Fax Viewer which means no preview in Explorer on right click. Ugh. I use that frequently. Can't do without preview. Thus my question will PG alert on this?

 

PG will protect you from automatically executing the dropper (but of course you shouldn't decide "yes") and thereby executing all the associated junk, but it won't protect you from the exploit. The dropper or the trojan will be downloaded on your PC even if you have Process Guard.

 

This raises a very interesting point.

Would it be possible for a file to be downloaded to your computer like this via an exploit, and still cause damage without being run (not even meant to be run)? If so, what can PG do to afford some sort of protection in this scenario?

 

Mele20, you need to re-think that fix. It has been proven that it does not work!
Take a look at Steve Gibson's (GRC.com) page about this exploit, http://www.grc.com/sn/notes-020.htm. At the top of the page there is now a notice that MS is issuing a patch NEXT Tuesday (January 10). Also on that page is a link to a patch that does work as well as a link to a WMF Vulnerability Checker by the same author as the above mentioned patch.

 

Thanks, but I know all that. I've been glued to my computer for the last several days. Just note all my posts on this subject over at dslr.

I installed the unofficial patch 1.1 and it broke Windows on my host machine that has XP Pro SP1. I could not boot normally and had to boot to Safe Mode where I was unable to uninstall the patch. I had to use System Restore.

My VMWare machine with the same OS installed the patch with no problems.

Testing indicates though that the VMWare machine is just, if not more, vulnerable than the unpatched host.

So, I am just using the guest virtual machine until next Tuesday. I should have my new, replacement computer by then anyhow and it will have XP Pro SP2 and that takes this unofficial patch much better....by the time I get it all set up and everything moved from my current computer, MS will have put out the official patch probably.

 

I guess I'm lucky that the patch only resulted in a .dll failing to register error on my comp.

 

Please note I visited an exploit site with IE set to PROMPT for all scripts etc, and was PROMPTED to download an EXE file so I did.. thanks website