Zero-Day Exploit on Windows XP and 2003


A new vulnerability has been found in Windows XP and Windows Server 2003: a flaw in the Windows Picture and Fax Viewer that allows arbitrary code execution by way of a corrupt Windows Metafile (WMF). Here’s a link that exhibits the said vulnerability: http://<BLOCKED>.com/d/t1/wmf_exp.htm.

When you go to that link using IE, it opens the file wmf_exp.wmf. This WMF file contains exploit code and is rendered by the Windows Picture and Fax Viewer, so the embedded code gets executed. The exploit code downloads the file http://<BLOCKED>.com/d/ioo.exe and executes it.
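As an added example (not code from the original post), the following Python scanner walks the records of a WMF file and reports two things a defender cares about here: records that do not parse cleanly (a corrupt metafile, as the post describes) and Escape records carrying the SETABORTPROC function. That second detail goes beyond the post: it is the publicly documented trigger of this WMF flaw, taken from the vendor advisory for it, not something the post states. The WMF layout constants are from the public metafile format; the sample files are constructed inline and carry no code, only filler bytes.

```python
import struct

# Public WMF format constants (not from the original post).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the standard header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function that has no business in an image file


def parse_records(data: bytes):
    """Yield (offset, function, size_bytes, payload) for each record; raise ValueError on corruption."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Type, HeaderSize (words), Version, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    _ftype, hdr_words, _ver, _file_words, _nobj, _maxrec, _nmembers = struct.unpack_from("<HHHIHIH", data, off)
    if hdr_words != 9:
        raise ValueError("bad header size %d" % hdr_words)
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        if size_bytes < 6 or off + size_bytes > len(data):
            raise ValueError("malformed record at offset %d" % off)
        yield off, func, size_bytes, data[off + 6:off + size_bytes]
        off += size_bytes
        if func == META_EOF:
            break


def scan_wmf(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        for off, func, _size, payload in parse_records(data):
            if func == META_ESCAPE and len(payload) >= 4:
                esc_func, byte_count = struct.unpack_from("<HH", payload, 0)
                if esc_func == SETABORTPROC:
                    findings.append("SETABORTPROC escape at offset %d with %d data bytes" % (off, byte_count))
    except ValueError as exc:
        findings.append("parse error: %s" % exc)
    return findings


# --- constructed sample files (no exploit code, only inert filler) ---
def _record(func: int, payload: bytes = b"") -> bytes:
    if len(payload) % 2:
        payload += b"\x00"   # record sizes are in 16-bit words
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def _build_wmf(records) -> bytes:
    body = b"".join(records)
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


BENIGN_WMF = _build_wmf([_record(META_EOF)])
SUSPICIOUS_WMF = _build_wmf([
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
    _record(META_EOF),
])
TRUNCATED_WMF = BENIGN_WMF[:10]   # a corrupt file cut off inside the header

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF), ("truncated", TRUNCATED_WMF)):
        print(name, scan_wmf(sample) or "clean")
```

The scanner is deliberately strict: a record whose size field runs past the end of the file is reported rather than skipped, because a viewer that trusts those fields is exactly what this class of bug abuses. Run it over files pulled from a web proxy cache or mail gateway quarantine to triage WMF attachments offline.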

As a temporary solution, you may set your Internet Explorer Security settings to High. To do that, here’s how:
1. Go to Settings > Control Panel.
2. Double-click Internet Options.
3. Click the Security tab, then click the Default Level button.
4. Move the slider up to High.
5. Click the Apply button.

This is the best way to set up IE to avoid those naughty webmasters who inject code into their sites to take advantage of the said vulnerability.

Additional sightings of URLs that exploit the said vulnerability:
http://<BLOCKED>.biz/parthner3/xpl.wmf
- The code injected into this WMF file is encoded using subtraction. It downloads the file http://<BLOCKED>.biz/parthner3/msits.exe and executes it.

http://www.<BLOCKED>.com/xpl.wmf
- The code injected into this WMF file, on the other hand, is encoded using XOR. It downloads the file http://www.<BLOCKED>.net/xexe.exe and executes it.

And here are more sites that have been seen with manifestations of the said vulnerability but are currently down:
http://<BLOCKED>.biz
http://<BLOCKED>.ws



Update (Jovs, 28 December 2005 21:37:47)


The files containing the new WMF exploit are now detected as WMF_NASCENCE.A.



Update (Jessie, 29 December 2005 10:10:33)


The previous detection name has been renamed to TROJ_WMFIOO.A.