[TriLUG] OT: www.hexblog.com - a fix for the WMF vulnerability.
Brian Henning
brian at strutmasters.com
Wed Jan 4 09:36:26 EST 2006
Interestingly, I presume shortly after receiving information on how to
identify it, ClamAV tagged a bunch of sample WMFs that come with an
older version of Broderbund's PrintMaster Gold in a backup folder from a
user's machine. It wasn't clear to me if the files actually contained
threats, or if simply having anything in that code block would trigger
the scanner to report it. Needless to say, those files and folders have
been summarily toasted regardless.

This fix also got /. coverage today.

And yes, this is an across-the-board vulnerability; it is not tied
directly to IE at all, in fact -- it's tied to legacy standards in
effect since Windows 3.0 which provided for the executable block of
WMFs, and Explorer's tendency to open and read portions of every file in
a folder when you browse its parent folder, in order to create thumbnails.
Or so I've read.

~B

David A. Cafaro wrote:
> Actually if a user isn't careful, they could get infected using Firefox.
> It will pop up as a windows media file and ask if you want to play it,
> if the user clicks yes, click, they are infected. Unfortunately users do
> these kinds of things...
>
> (PS, this is from experience, luckily Norton AV actually caught it as it
> was downloaded after the users clicked yes, user:"I thought it was the
> video I was looking for...")
>
> On Wed, 2006-01-04 at 09:10 -0500, jonc wrote:
>