
It has been less than two days since Microsoft announced a couple of vulnerabilities in graphics device interface (GDI) EMF formatted images, but our DeepSight honeypots are already showing signs of exploitation in the wild. Although the exploits we have seen so far do not yet appear to be functional, they follow the right general approach to exploiting the flaw. It is possible that these exploits are leaked "in-work" copies, or that they are functional on some platform we have not tested.



However, the exploit (named "top.jpg") does contain a functional payload, which downloads a secondary file (word.gif). Despite its name, word.gif is really an executable that would be run following a successful infection. Its main function would be to use iexplore.exe to contact a few hosts in China, presumably to download additional malicious code.



The exploit image is detected by Symantec IPS-enabled products (Enterprise: SCS/SEP; Consumer: NAV/NIS and N360) as HTTP GDI EMF Remote Code Exec using in-the-field definitions. The resulting malicious code is detected as Downloader.
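Both files in this chain hide behind a misleading extension: "top.jpg" is really an EMF image and "word.gif" is really an executable. A simple defensive check is to identify a file by its magic values rather than its name and flag any mismatch. The following is an added example written for this post, not Symantec code or the malicious files themselves; the EMF and PE header layouts it tests are the documented format structures, and the sample byte strings it builds are constructed stand-ins, not captures.

```python
import struct

# EMF files start with an EMR_HEADER record: record type 1 (DWORD, little-endian)
# at offset 0, and the ENHMETA_SIGNATURE 0x464D4520 (" EMF") at offset 40.
EMR_HEADER_TYPE = b"\x01\x00\x00\x00"
ENHMETA_SIGNATURE = b" EMF"

# Windows executables start with an MZ stub; the DWORD at offset 0x3C (e_lfanew)
# points at the "PE\0\0" signature.
MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Return the real format of a byte string based on its magic values."""
    if (len(data) >= 44
            and data[:4] == EMR_HEADER_TYPE
            and data[40:44] == ENHMETA_SIGNATURE):
        return "emf"
    if len(data) >= 0x40 and data[:2] == MZ_MAGIC:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_MAGIC:
            return "pe"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


# What each file extension claims to be.
EXT_TO_FORMAT = {
    "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "emf": "emf", "exe": "pe", "dll": "pe",
}


def claimed_format(filename: str) -> str:
    """Format implied by the file's extension, or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_FORMAT.get(ext, "unknown")


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a recognised extension disagrees with the sniffed content."""
    claimed = claimed_format(filename)
    actual = sniff(data)
    return claimed != "unknown" and actual != claimed


# Constructed sample files (hypothetical, not the real top.jpg / word.gif):
def build_fake_emf() -> bytes:
    """Minimal EMR_HEADER: type 1, record size, zeroed bounds/frame, signature."""
    return EMR_HEADER_TYPE + struct.pack("<I", 88) + b"\x00" * 32 + ENHMETA_SIGNATURE + b"\x00" * 44


def build_fake_pe() -> bytes:
    """Minimal MZ stub whose e_lfanew points at a PE signature at offset 0x40."""
    return MZ_MAGIC + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + PE_MAGIC


def build_real_jpeg() -> bytes:
    """Start of an ordinary JPEG (SOI marker followed by APP0)."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


if __name__ == "__main__":
    samples = {
        "top.jpg": build_fake_emf(),    # image extension, EMF content
        "word.gif": build_fake_pe(),    # image extension, executable content
        "photo.jpg": build_real_jpeg(), # honest JPEG
    }
    for name, blob in samples.items():
        print(f"{name}: claims {claimed_format(name)}, is {sniff(blob)}, "
              f"mismatch={extension_mismatch(name, blob)}")
```

Run as a script it prints one line per sample; in a proxy or mail gateway the same `extension_mismatch` check can be applied to each downloaded object before it reaches a client that will hand an EMF to GDI regardless of what the URL called it.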



Microsoft Windows GDI Stack Overflow Vulnerability



Microsoft Windows GDI 'CreateDIBPatternBrushPt' Function Heap Overflow Vulnerability

