[link|http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html|Security Fix at the Washington Post]:

Update, 12:30 p.m. ET: Several security groups are reporting that it is extremely easy to get whacked by this vulnerability/exploit just by visiting one of a growing number of malicious Web sites that are now employing this attack. F-Secure's [link|http://www.f-secure.com/weblog/archives/archive-122005.html#00000752|blog post on this] indicates that -- because the vulnerability lies in the way Windows parses WMF image files -- Firefox and Opera users also can get infected -- although they at least have to agree to download and run a file first. [link|http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html|The Sunbelt Blog] also has some good information on this exploit, including some nice screenshots of what it looks like when your machine gets hit with this.

What's more, the exploit itself has just been rolled into [link|http://www.metasploit.com/|Metasploit], an open-source vulnerability assessment tool that the bad guys also can use to help automate attacks.

[...]

Update, 2:31 p.m. ET: According to [link|http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385|information posted at Internet security company Websense], the exploit is now being used by thousands of Web sites to install a bogus anti-spyware application that is fairly tedious to remove from infected machines. Also, Websense says the program "prompts the user to enter credit card information in order to remove the detected spyware. The background image used and the "spyware cleaning" application vary between instances. In addition, a mail relay is installed on the infected computer and it will begin sending thousands of SPAM messages." The above image is from Websense's alert.

It's also worth noting that the SANS Internet Storm Center has increased their threat level to "yellow" over this exploit, noting that a lot of people are on holidays and might overlook this problem.


Happy Holidays! :-/

Cheers,
Scott.