http://www.securityfocus.com/brief/89

A previously unknown vulnerability in the Microsoft Windows graphics rendering engine is being exploited by several malicious Web sites to infect visitors' systems, security experts said on Wednesday.

The vulnerability can be triggered remotely and gives the attacker full system privileges, according to technical descriptions of the issue. However, in a security bulletin released late Wednesday, Microsoft maintained that only local user privileges could be gained through the vulnerability. In the last 24 hours, three different Windows Meta Files (WMFs) have been detected trying to use the vulnerability to spread, according to antivirus firm F-Secure.

"Do note that it's really easy to get burned by this exploit if you're analyzing it under Windows," Mikko Hyppönen, chief research officer for F-Secure said in a blog posting. "All you need to do is to access an infected web site with IE (Internet Explorer) or view a folder with infected files with the Windows Explorer."

Increasingly, security and software companies are worried about vulnerabilities that are exploited without any previous warning. Called zero-day exploits, the attacks can compromise systems before software makers issue patches to fix a security issue. Last month, a security researcher attempted to sell a previously unknown vulnerability in Microsoft Excel on eBay. Several companies have marketed defenses against zero-day exploits and Microsoft has created a network of automated Windows systems, known as honeymonkeys, that browse the Web to find malicious code targeted at Internet Explorer.

Google Desktop users have to be particularly careful as the search giant's software indexes any downloaded image file, an action that will cause the exploit to immediately execute, according to security researchers. A Microsoft spokesperson said the company is currently investigating the reports.

UPDATE: This brief has been updated to reflect information published by Microsoft in a Security Bulletin released late on Wednesday. The original brief was published about noon PST on Wednesday, and the updated version at 6:30 PST on Thursday.



In a nutshell, all you have to do is even LOOK at the image in any way for the exploit to trigger. Firefox doesn't do anything, as the file can simply be renamed to a Gif or Jpg. Once you see the image (assuming it's not a 1x1 transparent Gif, otherwise you...won't know) it has already run whatever is tacked onto it.

Apparently AVG can catch this (if it scans ALL files and not just "infectible"), but if you don't have that then grab NOD32 and give it a go.
http://www.eset.com/download/trial.htm
This never ceases to amaze me.
In response to EGUY
SO if we have FF, we are safe? :)
In response to XzDoG
No.
In response to Sarm
Crap, I better not look at pr0n till this is fixed then. =/
I read about an image exploit a long time ago, which pretty much said the same things. Full system control, 1x1 transparent, etc. It seems like the only exploits nowadays are the ones that give full system control. =/

Hiead
In response to Hiead
Who cares if someone gets full control of my system, there's nothing but junk on it anyways.. games, byond, hentai... more hentai.

No one wants control of that.
In response to Shades
Shades wrote:
No one wants control of that.

Spammers sure do. Your computer can run as slow as molasses for you, while for them it sends out hundreds upon hundreds of emails.
In response to Jon88
Not to mention those individuals who create large "botnets" of compromised computers and then sell them to other criminally-minded individuals. They come in very handy for spamming and DDoSing.
In response to XzDoG
Never trust the security of an OS named Windows. It's a little obvious people!
In response to XzDoG
Firefox is not affected by this fault, but most embedded browsers use IE's core, making you still a target. Surfing in Firefox is fine, but that doesn't mean your system is bullet proof.
In response to Jon88
Now would it be illegal to attack back at spammers?

Though in the US or other countries, IDK if there'd be a jury in a case for that if it was illegal but I'm sure they would hesitate to punish someone for it. :P