WMF flaw downs AMD forum page

Malicious users shut down the discussion page of a prominent technology company's website this week by taking advantage of the Windows metafile vulnerability.

PC users visiting AMD's forum page were asked on Monday if they wanted to download a .wmf file from the server toolbardollars[dot]biz, to be opened by the Windows Picture and Fax viewer.

The 16 kilobyte file was actually a WMF exploit taking advantage of the recently patched flaw.

A spokesperson for AMD said today that the issue has been resolved. Mikko Hypponen, chief research officer at F-Secure, said on the firm's blog on Monday that he was unsure why the flaw was on the site.

"We're not sure what's going on here, but there's something wrong at AMD's user discussion forum," he said. "If you visit the site, you get a WMF exploit sent to you right from the front page."

After the vulnerability was revealed in late December, some security experts demanded that Microsoft release a patch for the flaw ahead of its planned, monthly Patch Tuesday schedule.

Microsoft eventually released the update five days earlier than its planned Jan. 10 release. The company first advised users last month to maintain anti-virus services and apply the work-around it recommended.

Prior to the release, malicious users set up attack websites to exploit the image vulnerability, from which they can execute arbitrary code, cause a denial of service condition or take complete control of an infected PC just by getting a user to click on a malicious image file.

Mike Nash, Microsoft corporate vice president for security, said this month that the Redmond, Wash., computing giant wanted to make sure that the update would meet quality goals.

Hypponen said this week that the bottom of the HTML on the forum site was actually an encoded IFRAME directive.

"When decoded, that translates into http[colon]//toolbardollars[dot]biz/dl/adv586.php," he said. "How did it end up on the AMD site? We have no clue. But we have informed relevant people, so hopefully this will be resolved soon."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.