Right in the middle of the holiday season, internet users and security experts alike received an unexpected gift which would start the New Year with a bang. It has only been a week since the release of the 0-day WMF exploit code but it has already caused much disarray and has spread like wildfire throughout the net.
In the Beginning…
December 28, 2005, I still had a hangover from Christmas and was looking forward to New Years when Microsoft released an advisory regarding the said vulnerability. At the same time an exploit code for wmf(windows meta file) has also been released by Metasploit as part of their Framework. And so the began the spread of the WMF exploit.
The Attack…
In just a few days after the release of the exploit code, reports came in that the wmf exploit has now spread throughout the net and is gaining the attention of security experts. Sans has released an infocon Yellow implying the gravity of the situation.
The said exploit is very dangerous since unlike exe files, it does not need to be manually run to execute. The exploit could be triggered just by selecting the file, or by viewing the directory in Explorer with “Icon Size”. With this, a malware can spread using the exploit in a number of different vectors. It can be used on e-mails, Instant Messaging Applications, and the most used of all, Websites(through Iframes and redirection).
Continues Growth…
Metasploit has now released 3 modules for the wmf exploit and we have confirmed reports of the wmf vulnerability being spammed in email and links of wmf file, circulating through Instant Messaging Applications.
The Defense…
We have a generic detection for the wmf vulnerability (TROJ_NASCENE.GEN). This generic pattern is also continually being improved as new samples are being created.
As of this moment we are still expecting more and more malwares to use this vulnerability and rest assured that we are taking every measure in defense of this vulnerability. Furthermore it is advised to all as always to be more conscious and alert of unknown emails, links and websites that you go to, this is probably the best defense anyone can have not just to this wmf vulnerability but against any malware.