Since there’s been quite a bit of flux the last couple of days I thought I’d try to “reset” the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit.
1st…. there is a vulnerability in the way Windows renders WMF (Windows Metafile) image files that makes possible an exploitable buffer overflow allowing remote code execution. There are at least two exploits for this vulnerability, and the file does not need a name ending in .wmf (it could masquerade as a .jpg, for instance). The specially crafted WMF could be embedded in a web page, an HTML email, or another document, so there are many possible vectors of entry.
2nd…. the second exploit, which started making the rounds yesterday, involves a random component. At this point it will be difficult for IDS signatures to block this variation with any certainty. Further, antivirus signatures are not keeping up: only three AV products seem to successfully detect the exploits created by this new method. Source: incidents.org
3rd…. there is no official patch from Microsoft yet. There is no encouraging signal that there will be a patch before January 9th, and Microsoft has not given guidance on when to expect one.
4th…. the new variation of the exploit has been seen in spam messages, and there has also been an Instant Messenger worm propagating using the exploit.
5th… there have been a number of mitigating factors each with varying benefits/costs.
a) Hardware-enforced DEP for ALL programs and services is one measure that can help, but as reports have been mixed, it should not be your only defence.
b) IDS signatures may have been effective against the first exploit, but may not be as effective against the second variation.
c) Blocking suspected senders will not protect against all possible senders. SANS does have a block list, but THAT should not be your only defence either.
d) Workaround: disable the DLL that Explorer calls to view WMF images. From SANS: “Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.” This will help, but it is not an end-all solution: the DLL may be re-registered, and other programs may use different approaches to reach the Escape() function in gdi32.dll (which seems to be the real problem).
e) An unofficial patch is available for Windows XP, Windows 2000 and Windows 2003: http://handlers.sans.org/tliston/wmffix_hexblog11.exe This is the patch that was first reported yesterday. It has been reviewed by several people and is currently being recommended (along with unregistering shimgvw.dll) as the best preventative measure.
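As an added example (not from the original post, and not SANS code), here is a small Python scanner that puts the points above into practice: it recognises a WMF by its header rather than its file name, which matters because the exploit file can masquerade as a .jpg, and walks the record stream for a META_ESCAPE record invoking SETABORTPROC, the Escape() sub-function in gdi32.dll that the exploit relies on. A structural check like this is less brittle against the randomised variant than a fixed byte-pattern signature. Record layouts and constant values are taken from the MS-WMF specification; the sample files are constructed inline and carry no payload.

```python
import struct

# Constants from the MS-WMF file format specification
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional "placeable" header
META_EOF, META_ESCAPE = 0x0000, 0x0626   # META_ESCAPE reaches gdi32's Escape() handler
SETABORTPROC = 0x0009        # the Escape sub-function the exploit relies on

def find_escape_records(data):
    """Walk the WMF record stream; return [(offset, escape_function)], or None if not WMF."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        pos = 22                     # skip the placeable header
    if len(data) < pos + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, pos)
    # Standard header: type 1 (memory) or 2 (disk), 9 words long, version 0x100/0x300
    if mtype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    pos += 18
    found = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:           # a record cannot be smaller than its own header
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            found.append((pos, struct.unpack_from("<H", data, pos + 6)[0]))
        if func == META_EOF:
            break
        pos += size_words * 2        # RecordSize is counted in 16-bit words
    return found

def classify(data):
    """'not-wmf', 'wmf' or 'wmf-setabortproc' for a file's bytes, whatever its extension."""
    recs = find_escape_records(data)
    if recs is None:
        return "not-wmf"
    return "wmf-setabortproc" if any(f == SETABORTPROC for _, f in recs) else "wmf"

def _wmf(records, placeable=False):
    """Wrap raw records in a minimal metafile header (constructed test data, no payload)."""
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(records)) // 2, 0, 3, 0)
    if placeable:
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0) + header
    return header + records

EOF_REC = struct.pack("<IH", 3, META_EOF)
# Constructed samples: an empty metafile, and a placeable one whose only record is an
# empty SetAbortProc escape (the structure a scanner keys on; it draws nothing).
BENIGN = _wmf(EOF_REC)
SUSPECT = _wmf(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0) + EOF_REC, placeable=True)
```

Feed `classify()` the raw bytes of anything an email gateway or proxy passes through, regardless of its declared type; a "wmf-setabortproc" result is worth quarantining for a look, while a plain "wmf" still deserves caution until the official patch is out.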
I’m in the process of testing the patch in a VM right now, although from everything I’ve read it does exactly what it says, nothing more, and gives an uninstall link. I think at this point your best protection against this exploit is to install the unofficial patch and go ahead and unregister shimgvw.dll. When Microsoft gets around to an update, uninstall the unofficial patch (from Control Panel > Add/Remove Programs) and you can then re-register the DLL (and install the official update).
There are other notes to pass along about this. If browsing the web, you might use Firefox or Opera; recent versions of these will at least PROMPT before viewing WMF images, which gives you a chance to say no. At least one site that would normally be considered trusted has, within the last day, been hacked to place the exploit in a redirect frame, so you need to be very careful. I wouldn’t be surprised to see other hacks like that as a means to propagate various payloads through this exploit while there’s an opportunity. To clarify: the alternative browsers Opera and Firefox will not PREVENT your machine from being exploited, but (if running a more recent version) will give you the opportunity to decline opening the file with Windows Picture and Fax Viewer.
The exploit affects 98 and ME as well, but the unofficial patch at this time doesn’t work on those platforms. Unfortunately, unregistering the DLL is the only advice outside of not opening image files from unknown sources and being extremely cautious in web browsing. If you have one, maybe use a Linux boot CD to browse the web? (Or the vmplayer safe browsing virtual machine – I don’t recall if vmplayer requires XP or can run on 98.) Of course, those may not be options for everyone.
Given that the bug can deliver pretty much ANY payload the attacker chooses, the possible infections are a real wildcard, but I spent the better part of an afternoon/evening cleaning up a virtual machine infection and would suggest that if there is any way available to you to harden your systems against the vulnerability, do so… the time spent cleaning up from this could be enormous.
–update 2:26PM EST–
After testing the patch, the only ill side-effect I see is a “run dll as application” error. I basically installed the unofficial patch and rebooted, then visited a site with the WMF exploit. Through that site and its popups there were at least two WMF exploit attempts. The first loaded Windows Picture and Fax Viewer with no image to display; the second did as well, and both seemed to give the above error. And the VM is still clean with no additional downloads.
–update 10:51 PM EST–
The security fix is covering the available unofficial patch and what the current situation is.