Acmlm's Board - I3 Archive - Hardware / Software - Windows Metafile Exploit

Tommathy:
The problem (rather scary, actually)
Possible work around (somewhat helpful, kind of a nuisance, but won't defend against all attack vectors)

DarkSlaya:
Now, I wanna know the name of the installed trojan.
Simply because I want to know if there's been an update for my AV (AVG - There's been an update yesterday)

Ailure:
...I opened around five pages with IE with this laptop. Maybe one more or less. Half of them is Mozilla homepage, rest was me testing online.php as a guest on IE.
Shows how much belief I still have in IE eh? ~_~
Heh, WMF... I recall seeing that extension for clipart. Which usually use vectors, although to be honest I hadn't used clipart in forever. It looks lame now.

HyperHacker:
I don't think IE has much to do with it this time.
"Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library."
"...a serious security issue that has cropped up before in browsers, including lololol and Safari."
If the hole is in the Windows GDI, then any program that displays WMFs is vulnerable.
(edited by HyperHacker on 12-31-05 01:18 PM)

Ailure:
Look at that movie
X_X I swear, my next primary OS will not be Windows.

HyperHacker:
Yeah, pretty bad. Though it fails to fully demonstrate the problem... they should have shown the user just browse to a site containing that image.

max:
as far as I know it doesn't work when viewed inline (at least in good browsers)

HyperHacker:
Dunno, the article makes it sound that way...
Actually, judging by this:
It sounds like some browsers might execute the code while IE just shuts down. (Still, remote crashing is bad.)
I guess the only way to be sure would be to make a test image and try it. But for that I'd have to find how exactly to use the exploit and write the code in ASM, which I'd rather not do.

HyperHacker:
Since MS has been so slow to update, here's someone who claims to have made their own fix.

MathOnNapkins:
So... uh... does Windows use WMF files as a middle man format for display? I don't see how this would be that dangerous b/c I haven't seen a file with a .wmf extension in ages. Wouldn't it be best to make patches that filter out .wmf files?
(edited by MathOnNapkins on 01-03-06 08:17 AM)

dormento:
The problem is that Windows recognizes metafiles by their header. In that sense, you could pick a metafile, stuff your payload inside and rename it to jpg.
The poor victim gets the file, opens an explorer window with thumbnails on. Windows thinks "ohoho look this, it's an image file, let's see if I recognize the format. Wheee, it's a metafile!" File extension doesn't matter.
For all I know, it checks this type of information for every file in the system. Have you ever tried to rename an .EXE to something else, only to try checking the properties dialog and seeing version information? I think the GUI (or CLSID or whatever) always takes priority over file extension.
And this exploit is there since at least Win95. That's scary.

FreeDOS +:
That's awesome, especially since I'm not on Windows

MathOnNapkins:
Originally posted by dormento
I didn't mean a filter for the file extension. As you have put it I meant reading from the internal header of the file. I'm gonna go look around for patches in the meantime. They said it might be a week before Microsoft makes one.
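
[Added example, not part of the original thread or written by any poster: a sketch of the header-based filtering that dormento and MathOnNapkins discuss above, classifying a file by its leading bytes instead of its extension. The function names and sample files are assumptions made for illustration; the signatures come from the published WMF/EMF file layouts, and the sample metafile is a benign header plus end-of-file record.]

```python
import struct

APM_MAGIC = b"\xd7\xcd\xc6\x9a"   # placeable-WMF key 0x9AC6CDD7, little-endian
EMF_SIGNATURE = b" EMF"           # signature field at offset 40 of the EMF header
METAFILE_EXTS = {"wmf", "emf"}


def _is_standard_wmf_header(buf: bytes) -> bool:
    """Standard WMF header: Type 1 or 2, HeaderSize 9 words, Version 0x0100/0x0300."""
    if len(buf) < 18:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def sniff_metafile(data: bytes):
    """Return 'wmf-placeable', 'wmf', 'emf' or None, judging by content only."""
    if data[:4] == APM_MAGIC:
        return "wmf-placeable"
    if _is_standard_wmf_header(data):
        return "wmf"
    # EMF starts with record type 1 (EMR_HEADER) and carries " EMF" at offset 40.
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == EMF_SIGNATURE:
        return "emf"
    return None


def flag_disguised(name: str, data: bytes):
    """Report metafile content; 'mismatch' is True when the extension hides it."""
    kind = sniff_metafile(data)
    if kind is None:
        return None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {"file": name, "content": kind, "mismatch": ext not in METAFILE_EXTS}


# Constructed sample inputs: an 18-byte standard WMF header followed by the
# 6-byte end-of-file record (no drawing records), and the start of a JPEG.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, data in [("holiday.jpg", SAMPLE_WMF), ("chart.wmf", SAMPLE_WMF),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, flag_disguised(name, data))
```

[A mail or proxy filter built on this would block or quarantine on any non-None result, and treat mismatch=True as the stronger signal.]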

Tarale:
Funny, I've known about this for a while but keep missing the thread here.
Well, now they're actually recommending that people install the unofficial patch. I think it's been tested and the binary actually does what the source code says it does and such, so I dunno....
Microsoft still preparing their own patch but that won't be till next week.... meh.

Chris:
Wow. This must be big. I was reading through -- at the same time, heard it on the news. I can't believe the exploit's been out since win95...

Tarale:
Originally posted by Chris
Yes, it's unusual that something like this hits mainstream media; but it's good that they're taking it seriously. This has been all over the usual geek media for days -- Slashdot and Ars have both run stories, and it's all over Google News.
I'd consider telling my boss about it, but then she'll send out a warning to all users which will freak them out for no real good reason and they'll call us. (Note: I consider unnecessarily panicking a bunch of computer illiterates for something they can't fix to be "no good reason")
(edited by Tarale on 01-03-06 11:34 PM)

Ailure:
And considering that they don't support some of their older OS's... that's a problem.
I really doubt they'll fix it for Win 95 and 98... an OS people still use to this age.
(edited by Ailura on 01-03-06 11:30 PM)

dcahrakos:
Here's an unofficial patch...worked for me.
http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day.html

Tarale:
Incidentally, Microsoft are strongly recommending against the unofficial patch and advise that their patch will be released on the 10th.
Google News has been interesting to watch these past couple of days, with articles that tell you either to get the patch or not get the patch...

HyperHacker:
Someone asked just how this works in Programming, but the thread got closed, so I thought I'd explain here. (||bass gave a fairly good explanation, but I feel like doing so myself.)
Any time a program reads things from a file it has to put them in memory. This means it has to reserve some space in memory (what's called a buffer) for the data it reads. The problem is that the program doesn't check the size of the data. If the data is too big the program will blindly copy it into the buffer, and since the buffer isn't big enough the data also gets copied over whatever else is in memory nearby. (Unfortunately this is a common problem in Microsoft's programs.) If there's enough data it can overwrite program code or pointers in memory, so if the data writing over it is actually program code, it gets executed instead of the code that should be there. (Or in the case of overwriting a pointer, it changes it to point to some part of the data which contains code.)
Is there any patch out yet for Win98?