From Brian Livingston's Windows Secrets Newsletter::
"The new "WMF Metafile" vulnerability is different:
"It can infect your PC if you merely view an image formatted as a Windows
metafile on a Web page, in an e-mail attachment, or on your hard disk.
"Every browser is vulnerable - IE, Firefox, Opera, and others - because the
image is not being rendered by the browser. It's rendered by Windows' own
Picture and Fax Viewer (Shimgvw.dll, also known as the Shell Image View
Control). New versions of Firefox do display an alert when a suspicious
image is encountered on a Web page. But since viewing an image is usually
harmless, most users will click OK, exposing themselves to infection.
"If your PC catches an infected metafile - perhaps through instant messaging
or file-sharing software - the payload can run even if you don't consciously
open or view the image. Google Desktop Search, for example, causes the
payload to be executed when the metadata of the image is accessed. If the
image is an icon, merely displaying a file directory in certain views of
Windows Explorer can silently execute a Trojan."
Tom
----- Original Message -----
From: "Carl Houseman" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, January 04, 2006 12:35 AM
Subject: Re: wmf vulnerability: defragging risky ??
Opening and reading a file in and of itself is not the problem.
The problem is when the contents of the file are analyzed and processed by
Microsoft's graphical interpreter to produce an image.
Defragging, virus checking, and even many 3rd party graphical display or
manipulation programs, do not use Microsoft's graphical interpreter.
But (and I have not confirmed this or even researched it) *if* Google
desktop search is a problem, *then* Google's desktop search must at some
point use Microsoft's graphical interpreter. It may be a simple
side-effect
of accessing the files by some other Microsoft API.
Carl
-----Original Message-----
From: Windows Home/SOHO [mailto:[EMAIL PROTECTED] On Behalf
Of
Bill Kingsbury
Sent: Wednesday, January 04, 2006 12:13 AM
To: [email protected]
Subject: Re: wmf vulnerability: defragging risky ??
At 05:50 PM 1/3/2006, Diane Poremsky wrote:
the indexers look at file content too, not just file name,
so think any of the ones you mentioned are ok unless they
also read content.
Yes, that's what I thought -- after thinking it over.
But then, defragging *does* read the entire files' contents,
doesn't it? It reads a file's fragments, then copies them to
new drive sectors (to consolidate them), and then deletes the
old fragments. Also, antivirus- and spyware- scanning reads
the entire files' contents (I hope).
So, why can a simple file-read for "indexing" with the Google
Desktop Search, allegedly trigger the wmf exploit -- and yet,
no problem with file-reads for virus scanning, or the major
file-reading and -writing that takes place while defragging?
Bill
--
----------------------------------------
WIN-HOME Archives: http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
Contact the List Owner about anything: [EMAIL PROTECTED]
Official Win-Home List Members Profiles Page
http://www.besteffort.com/winhome/Profiles.html
