Saturday, December 31, 2005

WMF Story - Day 4

1) Microsoft has updated its security advisory about the WMF vulnerability. It now confirms that software-based DEP does NOT protect you from the WMF exploit.

2) Also on FD, HD Moore has released an updated Metasploit 2.5 WMF attack module. This new version uses the "Escape/SetAbortFun code execution flaw" and pads the Escape() call with random WMF records.

3) Viruslist.com is reporting the first IM-Worm to exploit the WMF vulnerability. It appears to be spreading via MSN at this point, but I wouldn't be surprised to see copies on ICQ, AIM and Yahoo soon.

As far as I can tell, one of the biggest attack vectors is the IFRAME tag in a hacked/bad website.
As the number of attacks grows and they become more and more nasty... we all wait for a patch. Do you think Microsoft will release it out of cycle? Who knows...
