We saw a new nasty exploit yesterday around 5:00 PM. This is a totally new exploit and is not the same one posted by FrSIRT back on 11/30/05.

We have found a number of sites carrying this exploit. Different sites download different spyware. We had only a handful of websites using this new exploit, but now we are seeing many more using it to install bad stuff. These image files can be modified very easily to download any malware or virus.

I hit one site with a fully patched XP system last night and it was pretty intense—it went right through and infected my machine with this happiness.

SecurityFocus just posted a bulletin on it.

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.


Any application that automatically displays a WMF image will cause the user’s machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook, and all current versions of Internet Explorer on all versions of Windows.

Our security response team is working on this as I write, so the situation is still unfolding. We have notified Microsoft and will release more details under our Responsible Disclosure policy as we get more information.

Folks, I’ve seen it with my own eyes and this is a really bad exploit. Be careful out there.

Alex Eckelberry