The first WMF is easily exploitable and allows remote code execution. I have done it myself and it works both locally and remotely. The victim simply needs to open a .HTML redirecting to .WMF or directly open the .WMF with MS Picture and Fax Viewer (default Windows picture viewer), which leads to downloading my own executable off the web and running it (it could also easily install a spamhost or bind a shell but downloading a larger program and running it is a lot more fun)... Good luck, MS, you'll need it!