Lotus Notes Vulnerable to WMF Exploit…
Yesterday I covered this exploit in some detail [see Microsoft WMF 0-Day Exploit Roundup]; what it affects and how to mitigate the problem until Microsoft release a patch for it.
However, as things have developed, more data and findings have been released since then. The most worrying, in the eyes of many companies, is the discovery that Lotus Notes version 6.x and later is also vulnerable to this exploit.
I know, you are all going to say “Not after you’ve unregistered the Windows Picture and Fax Viewer, that will stop it, right?”, well that should be the case, but as usual in the ‘Real World [TM]’ this is, sadly, not the case.

So, the upshot of this is that the bad guys can use this to infect Lotus Notes users by just sending them an e-mail [as predicted yesterday] with a malicious WMF file attached [even if it is disguised as another file format, such as a jpeg or gif file].
Simply viewing or opening the ‘bogus’ graphic attachment will cause the embedded exploit code to run - game over! - Pack up and go home, your Windows system is no longer yours, it belongs to the bad guys.
The good news is that the ‘bogus’ graphic file can only be an attachment, not an inline image, as it isn’t a real image file.
This was reported by John Herron from NIST. Here is a link to the posting on this discovery: http://www.nist.org/nist_plugins/content/content.php?content.25
IBM is aware of this issue so expect an advisory soon!
If you want to reclaim your system, you currently will have a long battle as lots of different malware is being installed via this exploit; spyware, adware, trojans, keyloggers [yes, the Phishing crews are now using this, as I predicted] and pretty much anything they wish to install on your exploited system.
So, you’ll need up-to-date anti-virus, anti-adware/spyware and anti-rootkit tools for starters [not forgetting backups and your original media disks], but which ones to use? You do know that there are many ‘bogus’ anti-spyware tools out there that are actually spyware, don’t you?
Fear not, dear reader! I have a cunning plan. I have a web page which lists good tools from reputable vendors [many are FREE] - You can find this list here: http://arachnid.homeip.net/free.htm
Suggested workarounds, at this time, include:
- Filter all common picture file extensions at the network perimeter.
- Remove [strip] all picture attachments from e-mail at the server level.
- Anyone receiving graphic file attachments from UNTRUSTED sources should NOT open or view them.
- Anyone receiving graphic file attachments from TRUSTED sources should verify with the alleged sender that they actually sent them, before they open or view them.
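Since the malicious WMF can arrive disguised as a jpeg or gif, an extension filter alone is not enough. As an added example (not code from the original post), here is a server-side check in Python that identifies attachments by their first bytes instead of their filename and flags any WMF, or any attachment whose content does not match the image type its extension claims, for stripping. The function names and the sample message are constructed for this illustration; the file signatures are the documented ones for each format.

```python
import email
from email import policy
from email.message import EmailMessage

# Placeable WMF header key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"
EXPECTED = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png"}


def sniff_image(data: bytes) -> str:
    """Identify an image container by its leading bytes, ignoring the filename."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(PLACEABLE_WMF):
        return "wmf"
    # Standard WMF header: Type 1 (memory) or 2 (disk), HeaderSize 9 words, Version 0x0100/0x0300.
    if (len(data) >= 6 and data[0:2] in (b"\x01\x00", b"\x02\x00")
            and data[2:4] == b"\x09\x00" and data[4:6] in (b"\x00\x01", b"\x00\x03")):
        return "wmf"
    return "unknown"


def attachment_verdicts(raw_message: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, detected type, 'strip'|'pass') for each attachment in a MIME message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        kind = sniff_image(part.get_payload(decode=True) or b"")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if kind == "wmf" or (ext in EXPECTED and EXPECTED[ext] != kind):
            action = "strip"  # WMF under any name, or a picture extension whose content lies
        else:
            action = "pass"
        verdicts.append((name, kind, action))
    return verdicts


def build_sample() -> bytes:
    """Constructed message: a genuine (truncated) GIF plus a WMF renamed to holiday.jpg."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "pics"
    msg.set_content("see attached")
    msg.add_attachment(b"GIF89a" + b"\x00" * 10, maintype="image", subtype="gif", filename="cat.gif")
    msg.add_attachment(PLACEABLE_WMF + b"\x00" * 18, maintype="image", subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, kind, action in attachment_verdicts(build_sample()):
        print(f"{name}: detected={kind} -> {action}")
```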
Expect other products from many vendors to be reported as vulnerable over the next few weeks; it’s going to be a bumpy ride, hang on tight!
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.