WMF exploit situation summary…

Since there has been quite a bit of flux over the last couple of days, I thought I'd try to "reset" the situation and give a general overview of where we stand now with regard to the recent WMF zero-day exploit.

1st, there is a vulnerability in the way Windows renders WMF (Windows Metafile) image files that allows remote code execution. The underlying problem is not a classic buffer overflow but the way GDI processes an Escape record inside the metafile (the SETABORTPROC escape), which lets the file supply code that is executed while the image is being rendered. There are at least two exploits for this vulnerability, and the file does not need a name ending in .wmf: Windows identifies the format from the file's content, so it can masquerade as a .jpg, for instance. The specially crafted WMF could be in a web page, an HTML email, or another document; there are many possible vectors of entry.

2nd, the second exploit, which started making the rounds yesterday, includes a random component, so the byte pattern differs from one generated file to the next. That makes it difficult for IDS signatures written against the first sample to be certain of blocking this variation. Antivirus signatures are not keeping up either: only three AV products seem to successfully detect the exploits created by this new method. Source: incidents.org
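As an added example (not from the original post, and not SANS or Microsoft code), the following Python scanner illustrates the two points above: it recognises a WMF by its header rather than by its file name, and it walks the record stream looking for an Escape record carrying the SETABORTPROC code instead of matching fixed bytes, so random padding inside the record does not evade it. The sample files it builds are constructed here for the demonstration, with random bytes standing in for the attacker's payload; they are not captured exploit samples. The record layout it relies on (22-byte placeable header keyed 0x9AC6CDD7, 18-byte METAHEADER, records as rdSize/rdFunction/rdParm, META_ESCAPE = 0x0626, SETABORTPROC = 9) is the documented WMF format.

```python
"""Structure-based scan for WMF files carrying a SETABORTPROC Escape record.

Added example, not part of the original post. Walks the WMF record stream
instead of matching fixed bytes, so neither a misleading file extension nor
random padding inside the record defeats it. Sample files are constructed
inline and are not real exploit captures.
"""
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable metafile header key
META_ESCAPE = 0x0626         # rdFunction of an Escape record
META_EOF = 0x0000            # terminating record
SETABORTPROC = 9             # escape code that registers an abort callback


def strip_placeable_header(data):
    """Drop the 22-byte placeable header if present."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def looks_like_wmf(data):
    """Cheap sanity check on the METAHEADER; the file name plays no role."""
    body = strip_placeable_header(data)
    if len(body) < 18:
        return False
    mt_type, header_words, version = struct.unpack_from("<HHH", body, 0)
    return mt_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_setabortproc(data):
    """Return byte offsets (within the file) of SETABORTPROC Escape records."""
    hits = []
    if not looks_like_wmf(data):
        return hits
    skip = len(data) - len(strip_placeable_header(data))
    pos = skip + 18                       # first record follows the METAHEADER
    while pos + 6 <= len(data):
        rd_size, rd_func = struct.unpack_from("<IH", data, pos)
        if rd_func == META_EOF:
            break
        if rd_func == META_ESCAPE and pos + 8 <= len(data):
            escape_code = struct.unpack_from("<H", data, pos + 6)[0]
            if escape_code == SETABORTPROC:
                hits.append(pos)
        # Hostile files use bogus rdSize values; never stall or step back.
        # A legal record is at least 3 words (rdSize + rdFunction).
        pos += max(rd_size, 3) * 2
    return hits


def scan_file(path):
    """Scan one file on disk, whatever its extension says it is."""
    with open(path, "rb") as fh:
        return find_setabortproc(fh.read())


def wmf_record(func, params=b""):
    """Build one record: rdSize (words, includes itself), rdFunction, rdParm."""
    body = struct.pack("<H", func) + params
    if len(body) % 2:
        body += b"\x00"
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records, placeable=False):
    """Assemble a minimal disk metafile, optionally with a placeable header."""
    all_records = records + [wmf_record(META_EOF)]
    body = b"".join(all_records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in all_records), 0)
    if not placeable:
        return header + body
    # key, hmf, bbox (left, top, right, bottom), inch, reserved, then XOR checksum
    ph = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack("<10H", ph):
        checksum ^= word
    return ph + struct.pack("<H", checksum) + header + body


def sample_files():
    """Constructed samples: one benign, two carrying a SETABORTPROC escape."""
    set_map_mode = wmf_record(0x0103, struct.pack("<H", 8))   # META_SETMAPMODE
    benign = build_wmf([set_map_mode])
    # Random bytes of random length stand in for the payload, mimicking the
    # variant whose byte content changes every time it is generated.
    payload = os.urandom(16 + os.urandom(1)[0] % 64)
    escape = wmf_record(META_ESCAPE,
                        struct.pack("<HH", SETABORTPROC, len(payload)) + payload)
    malicious = build_wmf([set_map_mode, escape])
    malicious_placeable = build_wmf([set_map_mode, escape], placeable=True)
    return benign, malicious, malicious_placeable


if __name__ == "__main__":
    for name, blob in zip(("benign", "malicious", "malicious+placeable"), sample_files()):
        print(name, "wmf" if looks_like_wmf(blob) else "not wmf", find_setabortproc(blob))
```

Legitimate metafiles do use Escape records for printer-related codes, so the scanner keys on the SETABORTPROC code specifically; an image file has no business registering an abort procedure, so a match is a strong indicator. Point scan_file() at a mail or proxy quarantine directory; the extension never enters into it.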

3rd, there is no official patch from Microsoft yet, and there is no encouraging signal that there will be one before January 9th. Microsoft has not given guidance on when to expect a patch.

4th, the new variation of the exploit has been seen in spam messages, and an instant-messenger worm has been propagating using the exploit.

5th, there are a number of mitigating measures, each with varying benefits and costs.
a) Hardware-enforced DEP for ALL programs and services (not the default setting, which covers only essential Windows programs and services) is one measure that can help; it requires a processor with NX/XD support and XP SP2 or Server 2003 SP1. Reports on its effectiveness have been mixed, so it should not be your only defence.
b) IDS signatures may have been effective for the first exploit, but may not be as effective for the second variation.
c) Blocking suspected senders will not protect against all possible senders. SANS does have a block list, but that should not be your only defence either.
d) Workaround: unregister the DLL that Explorer uses to view WMF images (the Windows Picture and Fax Viewer). From SANS: "Click Start, click Run, type regsvr32 -u %windir%\system32\shimgvw.dll (without the quotation marks), and then click OK." This helps, but is not an end-all solution: the DLL may be re-registered (an installer or update can do it silently), and other programs that render WMF files through GDI still reach the Escape() handling in gdi32.dll, which is where the real problem lies.
e) An unofficial patch by Ilfak Guilfanov is available for Windows XP, Windows 2000 and Windows 2003: http://handlers.sans.org/tliston/wmffix_hexblog11.exe This is the patch that was first reported yesterday. It has been reviewed by several people and is currently being recommended (along with unregistering shimgvw.dll) as the best preventative measure.

I'm in the process of testing the patch in a VM right now, although from everything I've read it does exactly what it says, nothing more, and gives an uninstall link. I think at this point your best protection against this exploit is to install the unofficial patch and go ahead and unregister shimgvw.dll. When Microsoft gets around to an update, uninstall the unofficial patch (from Control Panel, Add/Remove Programs), and you can then re-register the DLL (and install the official update).

There are other notes to pass along about this. If browsing the web, you might use Firefox or Opera; recent versions of these will at least PROMPT before opening a WMF image, which gives you a chance to say no. At least one site that would normally be considered trusted has, within the last day, been hacked to place the exploit in a redirect frame, so you need to be very careful. I wouldn't be surprised to see other hacks like that as a means to propagate various payloads through this exploit while there's an opportunity. To clarify: Opera and Firefox will not PREVENT your machine from being exploited, but (if you are running a more recent version) they will give you the opportunity to decline opening the file with Windows Picture and Fax Viewer.

The exploit affects Windows 98 and ME as well, but the unofficial patch does not work on those platforms at this time. Unfortunately, unregistering the DLL is the only advice, apart from not opening image files from unknown sources and being extremely cautious when browsing the web. If you have one, maybe use a Linux boot CD to browse the web (or the VMware Player safe-browsing virtual machine; I don't recall whether VMware Player requires XP or can run on 98). Of course, those may not be options for everyone.

Since the bug can deliver pretty much ANY payload the attacker chooses, the possible infections are a real wildcard. I spent the better part of an afternoon and evening cleaning up a virtual machine infection and would suggest that if there is any way available to you to harden your systems against the vulnerability, do so; the time spent cleaning up from this could be enormous.

–update 2:26PM EST–

After testing the patch, the only ill side-effect I see is a "run dll as application" error. I basically installed the unofficial patch and rebooted, then visited a site with the WMF exploit. Through that site and its popups there were at least two WMF exploit attempts. The first loaded Windows Picture and Fax Viewer with no image to display, the second did as well, and both seemed to give the above error. The VM is still clean with no additional downloads.

–update 10:51 PM EST–

Security Fix is covering the available unofficial patch and the current situation.


One Response to “WMF exploit situation summary…”

  1. Polarman Says:

    Urgent WMF exploit

    What Microsoft should do about the WMF exploit: · Use automatic update to immediately unregister the shimgvw DLL. When they’ve fixed the problem, they can turn it back on. · Negotiate to use the current fix of Ilfak Guilfanov’s. Pay
