Yep, this is loking to be a bad one...
This was copied from SANS (internet storm center) website:
The folks at Websense Labs have a nice movie on how it looks like if a system gets exploited by this WMF 0-day, see
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).
And then from the US-CERT (US computer emergency readiness team):
Vulnerability Note VU#181038
Microsoft Windows Metafile handler SETABORTPROC GDI vulnerability
Overview
Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format. Exploit code has been publicly posted and used to successfully attack fully-patched Windows XP SP2 systems. However, other versions of the the Windows operating system may be at risk as well.
I. Description
Windows Graphic Display Interface (GDI)
Windows GDI is an interface that "... enables applications to use graphics and formatted text on both the video display and the printer." GDI functions can be used to draw lines, text, curves and other graphical elements.
GDI Escape function
The GDI Escape function allows an application to access capabilities of a device that are not directly available through GDI. For example, a print job can be cancelled via a GDI Escape call.
Windows Metafile (WMF)
Microsoft Windows Metafile (WMF) format images are graphical files that can contain both vector and bitmap-based picture information. WMF files contain a sequence of GDI function calls. The image is created by executing the GDI functions.
The problem
Certain GDI functions can have unexpected security implications. According to the MSDN document Security Considerations: GDI:
Bitmaps, metafiles, and fonts are complex structures that could become corrupted. It is good practice to try to ensure that these items are uncorrupted and from a trustworthy source.
Current public exploits use the SETABORTPROC GDI Escape function to execute arbitrary code when viewed. The SETABORTPROC GDI Escape is obsolete, and is provided only for compatibility with 16-bit versions of Windows. Other GDI functions may also be exploitable.
The public exploits currently use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
Google Desktop Search (GDS) can trigger the buffer overflow vulnerability if a malicious WMF file is placed in a location that is indexed. Other content indexing software may also be vulnerable. It is reported that various anti-virus software products cannot detect all known variants of exploits for this vulnerability.
II. Impact
A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.
III. Solution
We are currently unaware of a practical solution to this problem.
Disable or reset the file association for Windows Metafiles
Disabling or remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer may prevent exploitation via some attack vectors. Microsoft has suggested taking the following steps to disable shimgvw.dll in Microsoft Security Advisory (912840):
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
Do not access Windows Metafiles from untrusted sources
Exploitation occurs by accessing a specially crafted Windows Metafile. By only accessing Windows Metafiles from trusted or known sources, the chances of exploitation are reduced.
Attackers may host malicious Windows Metafiles on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
Block access to Windows Metafiles at network perimeters
By blocking access to Windows Metafiles using HTTP proxies, mail gateways, and other network filter technologies, system administrators may also limit potential attack vectors.
Please be aware we have confirmed that filtering based just on the WMF file extensions or MIME type application/x-msMetafile will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as a Windows Metafile by virtue of its file header. Please check with your network vendor for updated signatures. WMF files can begin with various byte sequences such as:
01 00 09 00 ...
02 00 09 00 ...
D7 CD C6 9A ...
Enable Data Execution Prevention (DEP)
Enable DEP for all applications, as described in the Microsoft TechNet article How to Configure Memory Protection in Windows XP SP2. It has been reported that hardware-enforced DEP may help mitigate this vulnerability. Software-enforced DEP is not effective in mitigating this vulnerability.
Systems Affected
Vendor Status Date Updated
Google Vulnerable 30-Dec-2005
Lotus Software Unknown 30-Dec-2005
Microsoft Corporation Vulnerable 29-Dec-2005
Mozilla, Inc. Unknown 28-Dec-2005
References
http://www.us-cert.gov/cas/techalerts/TA05-362A.html
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://isc.sans.org/diary.php?rss&storyid=972
http://isc.sans.org/diary.php?storyid=975
http://secunia.com/advisories/18255/
http://www.securityfocus.com/bid/16074
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753
http://www.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html
http://www.ciac.org/ciac/bulletins/q-085.shtml
http://www.juniper.net/security/auto/vulnerabilities/vuln2830.html
