This is sorta scary.
Authored by none other than Mr. Metasploit his own self.
Q) Are there any other ways to obtain code execution besides via WMF files
viewed by PFV or Explorer?
A) Yes. Any application that accepts WMF files and calls PlayMetaFile with
the supplied data can be exploited. Some of these only recognize WMF
files with the placeable header, which may prevent the application from
reaching the SetAbortProc function. There are *many* other places where
standard (i.e. included with the OS) applications call the PlayMetaFile
function, it's just a matter of figuring out which ones can be used to
deliver the malicious WMF content. A potential vector includes the
display of icons stored inside of a standard executable. Viewing these
files in an Explorer directory listing could result in the execution of
code in an embedded WMF file. This has yet to be tested.
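An added example, written here for the defender's side of that answer and not taken from the post or from the Metasploit FAQ: a scanner that walks the WMF record stream whether or not the placeable header is present and flags any META_ESCAPE record carrying the SETABORTPROC sub-function, which a legitimate metafile has no reason to contain. Record layouts follow the public WMF format; the sample files are constructed inline (placeable checksum left at zero) and the function names are my own.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the 22-byte placeable (Aldus) header
META_ESCAPE = 0x0626        # RecordFunction for META_ESCAPE
META_EOF = 0x0000           # RecordFunction that terminates the stream
SETABORTPROC = 0x0009       # escape sub-function that installs an abort callback

def find_setabortproc(data: bytes):
    """Return [(offset, reason)] for every record worth flagging.

    Accepts both placeable and plain WMF input, so a scanner does not
    miss files that only some consumers would reach SetAbortProc with.
    """
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22  # skip the placeable header; the real header follows it
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words, _ver, _size, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, pos)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    pos += hdr_words * 2
    findings = []
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)  # size is in WORDs
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func, _byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append((pos, "META_ESCAPE/SETABORTPROC"))
        if rec_words < 3:  # cannot even cover its own 6-byte header: malformed
            findings.append((pos, "record size < 3 words"))
            break
        pos += rec_words * 2
    return findings

def build_sample(with_escape: bool) -> bytes:
    """Constructed test file: placeable header, WMF header, one benign record,
    optionally a SETABORTPROC escape, then META_EOF."""
    placeable = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    recs = [struct.pack("<IHhh", 5, 0x020B, 0, 0)]  # META_SETWINDOWORG, 5 words
    if with_escape:
        recs.append(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))
    recs.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    return placeable + header + body
```

Stripping the first 22 bytes of the constructed file yields the plain-header form, and the scanner reports the same escape record at an offset 22 smaller.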
Office apps LIVE off WMF files. Think in “micro$oft” terms, I would bet that every application has different “playmetafile” functions. They are so married to the old school of coding, that is to say complete applications ready to stand on their own, that I would almost bet my check that at least SOME of the apps in Office have their own WMF players. You know, tools that aren’t that popular among malware writers…like PowerPoint, Publisher, FrontPage, and other apps where graphics are used extensively.
Perhaps another week of hell? Give’m time…give’m time…