SonicWALL Keeps Users Secure from WMF Remote Code Execution Exploit

Vulnerability prevention team keeps customers safe from critical vulnerability. SonicWALL, Inc. (NASDAQ: SNWL) today announced that users of its Internet threat prevention technology are actively being protected from the Windows Metafile Format (WMF) Remote Code Execution exploit impacting Microsoft Windows users. Thus far, SonicWALL has monitored attempted exploits at a rate of tens of thousands a day.
SonicWALL's SonicALERT team first detected signs of the WMF exploit on December 28, and within hours launched a response across all SonicWALL security appliances worldwide using the company's dynamic protection capabilities.


The Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability, which could allow an attacker to execute arbitrary code in the security context of the logged-on user. The vulnerability is being exploited on fully patched systems. Researchers are tracking thousands of sites distributing the exploit code which, if successful, would allow the malicious software to surreptitiously install spyware on a user's PC or allow a hacker to control the machine remotely.

"Our gateway threat prevention services subscribers have been protected automatically from this exploit from day zero, which is highly important since Microsoft's patch reportedly will not be distributed until next week," said Boris Yanovsky, vice president of security services at SonicWALL. "Our ability to protect our customers from this threat is particularly notable since this flaw uses a file format that has not been used for previous attacks. As a result, providing protection may be more challenging for some anti-virus solution vendors."

"If an attacker were able to execute local code within a user's system, the potential for complete compromise exists," added Yanovsky.

SonicWALL, named the leader in Unified Threat Management (UTM) security appliances worldwide for the third consecutive quarter, according to IDC's Worldwide Quarterly Security Appliance Tracker, has delivered zero-day gateway anti-virus and intrusion prevention signatures to its subscribers to defend against attacks and exploits based on the WMF remote code execution vulnerability.

Signatures added by the SonicALERT team are constantly updated and include:
Intrusion Prevention Service:
• EXPLOIT WMF Remote Code Execution Exploit, SID:3089
Gateway Anti-Virus:
• WMF.A (Exploit)

Further information is available at http://software.sonicwall.com/applications/ips/index.asp?ev=sig&sigid=3089