Re: WMF Windows security flaw - change your browser
- From: Jim Gilliland <usemylastname@xxxxxxxxxxxx>
- Date: Mon, 02 Jan 2006 22:08:56 -0500
Mike Rivers wrote:
> Jim Gilliland wrote:
>> That won't save you. Windows recognizes WMF files by something inside them. So there is no need for them to have a WMF extension. They can be called *.jpg and still do the same damage.
> If it's just a graphic file, it's no problem. I thought the trick that people were pulling was to name an executable file with an extension that sends them someplace where they'll be opened automatically, which starts executing them.
It's more complicated than that. The Windows Media format has a mechanism that allows it to execute scripts. The capabilities of the scripts are quite limited, and are ordinarily harmless. But apparently someone discovered a flaw in the code that executes the scripts that can force it to branch outside of its own boundaries. So they simply put the malicious code into the WMV file (Windows just assumes that it IS graphic data), then use the buggy scripting DLL to branch to it. Once it gets control, it infects your system.
Unfortunately, WMV scripts can get executed without any overt action from the user. If the file is picked up by a browser, or an email program with a preview function, or even the "thumbnail" capability of the Windows file explorer, the script gets executed and your computer gets infected. Windows has been plagued with security flaws like this for years, but this is the first one that I've seen that doesn't require the user to do something stupid to trigger the problem.
Incidentally, I'm probably oversimplifying the mechanism in my description above, but that's the basic idea. And if I'm reading the situation correctly, the DLL that's causing all the trouble is actually obsolete. The functions that it provides are no longer the normal way to handle this - they only exist for backward compatibility.
> Nobody is safe any more. Throw away your computer and take up the trombone.
If only someone would pay me to play the trombone. Unfortunately, the closest I might come would be to get someone to pay me to stop.
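
The point quoted at the top of this post, that a metafile is identified by its content and not by its extension, can be checked from the defender's side. The following is an added example, not part of the original post: a Python sketch that sniffs the Windows Metafile header and flags files whose name claims another type. The function names and sample bytes are constructed for illustration.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
WMF_EXTENSIONS = {".wmf"}


def looks_like_wmf(data: bytes) -> bool:
    """Return True if data begins with a Windows Metafile header."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22          # the standard header follows the placeable one
    if len(data) < offset + 18:
        return False
    # Standard header: type (1=memory, 2=disk), header size in 16-bit
    # words (always 9), version (0x0100 or 0x0300).
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, offset)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def flag_disguised(files: dict) -> list:
    """Names whose content is WMF but whose extension says otherwise."""
    return sorted(
        name for name, data in files.items()
        if looks_like_wmf(data)
        and os.path.splitext(name)[1].lower() not in WMF_EXTENSIONS
    )


# --- Constructed sample data (not taken from any real file) ---
# Minimal standard header (18 bytes) plus an end-of-file record (6 bytes).
STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
# Placeable header with a zero checksum; only the key matters to the sniffer.
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0) + STANDARD
# Start of a JPEG/JFIF file, padded so it is long enough to be parsed.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

SAMPLES = {
    "holiday.jpg": STANDARD,   # metafile content behind a .jpg name
    "logo.gif": PLACEABLE,     # placeable metafile behind a .gif name
    "chart.wmf": STANDARD,     # honestly named metafile
    "photo.jpg": JPEG,         # genuine JPEG header
}

if __name__ == "__main__":
    for name in flag_disguised(SAMPLES):
        print("content is WMF but extension is not:", name)
```

A mail gateway or web proxy that filters on file names alone would pass the first two samples; a content check like this one is what catches them.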