A zero-day virus exploiting the WMF vulnerability

On my end, I'm thinking of blocking downloads of .wmf files from the Internet.

Sample Squid configuration (in this case, a folder named xxx.wmf would also be blocked)*1
acl WMF-Exploit urlpath_regex -i \.wmf$
http_access deny WMF-Exploit

No sooner had I written that than SANS put out information saying it might not be enough.

Windows XP identifies the file by its magic bytes, so the file could show up with a different extension...

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
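Because the proxy rule above only looks at the URL extension, a content check is what closes the gap SANS describes. This is an added example, not code from the original post or from SANS: it applies the same `\.wmf$` rule as the Squid ACL and, next to it, a check on the WMF header bytes (the placeable-header key 0x9AC6CDD7 and the standard METAHEADER fields), run over sample byte strings constructed here.

```python
"""Extension-based vs. content-based WMF detection (added example, not from the post)."""
import struct

# Aldus "placeable" metafile header begins with this little-endian DWORD key.
PLACEABLE_KEY = 0x9AC6CDD7


def looks_like_wmf(data: bytes) -> bool:
    """True if the leading bytes look like a WMF header, regardless of file name."""
    if len(data) < 6:
        return False
    # Placeable header: DWORD key at offset 0 (bytes D7 CD C6 9A on disk).
    if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize (always 9 WORDs),
    # mtVersion (0x0100 or 0x0300).
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def extension_says_wmf(url_path: str) -> bool:
    # Same test as the post's Squid acl: urlpath_regex -i \.wmf$
    return url_path.lower().endswith(".wmf")


def verdict(url_path: str, data: bytes) -> dict:
    """Compare what the extension filter and the content check each conclude."""
    return {"by_extension": extension_says_wmf(url_path), "by_content": looks_like_wmf(data)}


# Constructed sample files (headers only, padded with zeros; not real exploit files).
PLACEABLE_WMF = bytes.fromhex("d7cdc69a") + b"\x00" * 18
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
JPEG_START = bytes.fromhex("ffd8ffe0") + b"\x00" * 16


def run_samples() -> dict:
    """Show the renamed case the Squid rule misses: WMF bytes served as photo.jpg."""
    return {
        "clip.wmf": verdict("/images/clip.wmf", STANDARD_WMF),
        "photo.jpg (really WMF)": verdict("/images/photo.jpg", PLACEABLE_WMF),
        "photo.jpg (real JPEG)": verdict("/images/photo.jpg", JPEG_START),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:24s} {result}")
```

The second sample is the case the ACL cannot see: the extension check says no while the content check says yes, so a proxy that blocks only on `.wmf` would pass it through.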

Since Metasploit is being used, anyone can build one, so the word is that variants are popping up everywhere.

A fundamental fix needs to come quickly... (regsvr32 is fine too, though)

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

SANS also describes how to disable the Picture and Fax Viewer with regsvr32.

(So that was in the workarounds section of the MS advisory.)

Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL. Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

*1: The probability is low, but I've configured it anyway.