Monday, January 02, 2006

WMF update

Hex blog, which to date has provided the only reliable patch for the WMF exploit, has released a small executable that checks whether your PC is vulnerable. As noted previously, the patch only works for Windows 2000, Windows XP (32- and 64-bit editions), and Windows Server 2003.

F-Secure notes that a new version of the email exploit was launched from South Korea. The message has a cryptic, cloak-and-dagger style, so fewer people are likely to be sucked into this one. The subject is marked "Confidential" and the attached file is "Map.wmf", along with the following lines in the body of the message:

Attached is the digital map for you. You should meet that man at those points seperately.

Delete the map thereafter. Good luck.

F-Secure also points out that the WMF exploit appears to stem from a poor design from the 1980s(!), when Microsoft designed how this file would be handled. From the blog posting comes this ominous warning:

This really means two things:

1) There are probably other vulnerable functions in WMF files in addition to SetAbortProc
2) This bug seems to affect all versions of Windows, starting from Windows 3.0 - shipped in 1990!

"The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.


Anonymous said...

When one clicks on the link to hexblog, you now get this message:

"Account for domain has been suspended"

Any idea as to why?

B.D. said...

Yeah, his servers were down and apparently still are.