High-risk security vulnerability in Windows found

Alan Shore
01-01-2006, 11:33 AM
Since ******* is hacked and the BB is different, I suppose we can expect some funny things happening today.

The following is from another forum I visit:


There is a new virus out that uses WMF (Windows Metafile format) files to infect a computer. All you have to do to get infected is view a webpage that has the image on it. That means the forums can be a vector for infection too.

The exploit affects Firefox, Internet Explorer, and any other browser that downloads the file into the cache on the local machine. The file could also be a WMF renamed to any other image, or even a text filetype. Anything that puts the image exploit onto your computer or opens it up in Windows fax viewer or the part of Windows that generates thumbnails of WMF files is a vulnerability.

This affects anyone on Windows. USING FIREFOX DOES NOT ELIMINATE THE RISK as the file is still downloaded to your cache in most cases, but it does reduce your chances somewhat since the image is often not displayed in the browser. But if you then interact with the file in any way (thumbnail it, Google Desktop) that causes it to be handled by the Windows GDI responsible for WMF then you will have problems.

If your virus definitions aren't updated, then update them right away. Scan your computer. You might want to get a trial version of NOD32 to scan with, because Symantec does not detect this virus yet.

1. SCAN YOUR COMPUTER - NOD32 TRIAL VERSION (update definitions right away after installing - they auto-update but you want to be sure you have the latest)

Even if you think you are safe, scan your Windows computer anyway. ClamWin appears to catch this, but it doesn't have a realtime scanner. SAV Corporate 10.2 does not catch it (yet) and Symantec's own site says that it may never due to something about how the virus works. AVG, McAfee, Trend are unknowns at this point. NOD32 has been tested and its AMON on-access scanner stopped the image as soon as it was saved to the cache.

2. USE AN ALTERNATIVE BROWSER - Using Firefox or an alternative browser will reduce your risk because it does not display the image. However, the image is still downloaded to your cache, and some browsers prompt you to open the file - which you should not do!

3. TURN OFF GOOGLE DESKTOP or anything else that does indexing of files on your computer.

4. THE GENERAL STUFF - Don't go to links you don't trust, don't open files you aren't expecting, etc.

5. KEEP ON TOP OF WINDOWS UPDATES - Hopefully they can fix this one quickly, but you really should be up-to-date on everything else anyway.

If you spot the virus being spread through our forums, inform a Moderator about this as soon as possible. In fact, it's even quicker to just inform all of us. For the current Moderator list, follow this link.

A further note: Adblocking the WMF extension will NOT work since it's fairly easy to just change the image extension.
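The point that a renamed WMF defeats extension blocking can be checked from the defender's side by looking at file content instead of file names. The following is an added example, not part of the original post: it flags any file under a directory (a browser cache, for instance) whose leading bytes form a WMF header, whatever its extension. The function names and the sample files are constructed for illustration; the header layout (optional 22-byte placeable prefix, then an 18-byte header) is that of the WMF format.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, optional "placeable" prefix
PLACEABLE_LEN = 22                   # bytes in the placeable prefix
HEADER_LEN = 18                      # bytes in the standard WMF header

def looks_like_wmf(head: bytes) -> bool:
    """Heuristic: do these leading bytes form a WMF header?"""
    if head[:4] == PLACEABLE_KEY:
        head = head[PLACEABLE_LEN:]
    if len(head) < HEADER_LEN:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", head, 0)
    (params,) = struct.unpack_from("<H", head, 16)  # last header field, always 0
    return (ftype in (1, 2) and hdr_words == 9
            and version in (0x0100, 0x0300) and params == 0)

def find_wmf_content(root):
    """Return (file name, is_disguised) for every file whose content is WMF."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            with path.open("rb") as fh:
                head = fh.read(PLACEABLE_LEN + HEADER_LEN)
        except OSError:
            continue  # locked or unreadable file: skip it
        if looks_like_wmf(head):
            hits.append((path.name, path.suffix.lower() != ".wmf"))
    return hits

def demo():
    """Scan a temporary directory of constructed sample files."""
    # Constructed minimal metafile: 18-byte header plus the end-of-file record.
    wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    samples = {
        "photo.jpg": wmf,                             # WMF content renamed to .jpg
        "real.wmf": PLACEABLE_KEY + bytes(18) + wmf,  # placeable WMF, honest name
        "avatar.gif": b"GIF89a" + bytes(30),          # genuine GIF signature
        "notes.txt": b"Just a plain text note, nothing else.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        return find_wmf_content(tmp)

if __name__ == "__main__":
    print(demo())
```

A match only says the file's content is WMF, not that it is malicious; the `is_disguised` flag marks the case the post warns about, WMF content under a non-`.wmf` name.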

skip to my lou
01-01-2006, 12:11 PM
and the BB is different

vBulletin upgraded to 3.5.2, that's all. All the features will come back soon.

01-01-2006, 12:19 PM
Thanks Skip, I suspected that's what might have happened. :)

01-01-2006, 01:25 PM
Hi all, I found two files with the dreaded suffix and deleted them. Maybe I triggered them when I did a Windows search.

I then ran my updated virus checker Panda 6. Halfway through I got a message (which came from either Windows or Panda, I don't know which) that told me two Windows programs have been replaced by unauthorised versions and to run service patch 2 again. Unfortunately the link given to download it did not work. I propose to find the correct link to service patch 2 and then download and reinstall it. It is somewhere on my computer but I do not know its name.

01-01-2006, 02:55 PM
Don't let it break my computer :pray: :pray: :pray: plz

02-01-2006, 12:21 PM
Just for once the Windows fix worked.

1) update virus checker

2) check everything

3) delete service patch 2

4) check everything

5) restart

6) run Microsoft Update which reinstalled service patches

7) run virus checker

8) restart

04-01-2006, 09:07 AM
This story is from our news.com.au network Source: AFP

Microsoft races to fix virus weak spot
From correspondents in San Francisco
January 04, 2006

MICROSOFT was hustling to fix a flaw that left its Windows operating platform vulnerable to attacks from hackers, the company announced.

The software "patch" was in the final phases of testing and Microsoft intended to simultaneously release it worldwide in 23 languages on January 10, according to the US-based company.

"Microsoft has been carefully monitoring the attempted exploitation of the Windows Meta File vulnerability since it became public last week," the company said.

"Although the issue is serious and the attacks are being attempted, Microsoft's intelligence sources indicate that the scope of attacks is limited."

Microsoft began working on the patch after getting word December 27 of attacks on Windows operating platform users, the company said.

Duff McKagan
11-01-2006, 07:31 AM
I'm using Windows 98 with Firefox... will it get me?