Since there’s been quite a bit of flux the last couple of days I thought I’d try to “reset” the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit.
1st, there is a vulnerability in the way Windows renders WMF (Windows Metafile) image files that allows remote code execution. It is not a classic buffer overflow: a crafted metafile can carry an Escape record of type SETABORTPROC, which registers an abort-procedure callback, and the GDI rendering code then calls into data supplied by the file. There are at least two exploits for this vulnerability, and the file does not need a name ending in .wmf; Windows identifies the format by content, so it can masquerade as a .jpg, for instance. The specially crafted WMF could be in a web page, an HTML email, or another document. There are many possible vectors of entry.
2nd, the second exploit that started making the rounds yesterday involves a random component. IDS signatures that match fixed bytes of the first exploit will have a hard time reliably blocking this variation. Further, antivirus signatures are not keeping up: only three AV products seem to successfully detect the exploits created by this new method. (Source: incidents.org)
3rd, there is no official patch from Microsoft yet. There is no encouraging signal that there will be one before January 9th, and Microsoft has not given guidance on when to expect it.
4th, the new variation of the exploit has been seen in spam messages, and there has also been an Instant Messenger worm propagating with it.
5th, there are a number of mitigations, each with varying benefits and costs.
a) Hardware-enforced DEP, turned on for ALL programs and services, is one measure that can help, but reports of its effectiveness have varied, so it should not be your only defence.
b) IDS signatures may have been effective against the first exploit, but may not be as effective against the second variation.
c) Blocking suspected senders will not protect against all possible senders. SANS does have a block list, but that should not be your only defence either.
d) Workaround: unregister the DLL that Explorer uses to view WMF images (Windows Picture and Fax Viewer). From SANS: click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. (To restore it later, run the same command without the -u switch.) This helps, but it is not a complete solution: the DLL may be re-registered, and other programs may reach the vulnerable Escape() handling in gdi32.dll by different routes, which is the real problem.
e) An unofficial patch is available for Windows 2000, Windows XP, and Windows Server 2003: http://handlers.sans.org/tliston/wmffix_hexblog11.exe This is the patch that was first reported yesterday. It has been reviewed by several people and is currently recommended (along with unregistering shimgvw.dll) as the best preventative measure.
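Points 1 and 2 above (the file can carry any extension, and the second exploit randomizes the bytes that fixed IDS signatures key on) together with the note in (d) about the Escape() handling in gdi32.dll suggest checking the structure of a file rather than a byte pattern. The following is an added example, not code from the original post or from SANS: a small Python scanner that sniffs a blob for the WMF header regardless of its file name, walks the metafile records, and flags any META_ESCAPE record whose escape function is SETABORTPROC, as well as records whose declared size is undersized or runs past the end of the data. The record layout and constants come from the WMF format itself; the sample files it checks are constructed inline for the demonstration and are not exploit samples.

```python
import struct

# Constants from the WMF (Windows Metafile) format. The Escape record and its
# SETABORTPROC sub-function are the ones at the root of this advisory.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def looks_like_wmf(data: bytes) -> bool:
    """Decide by content, never by file extension (the exploit can be named .jpg)."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return True
    if len(data) >= 18:
        mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data: bytes):
    """Walk the record stream, yielding (offset, function, params, malformed)."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                      # skip the 18-byte META_HEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2                  # record sizes are in 16-bit words
        if nbytes < 6 or off + nbytes > len(data):
            # Undersized or truncated record: the exploit depends on GDI's handling
            # of abnormal records, so report it rather than silently skipping it.
            yield off, func, data[off + 6:], True
            return
        yield off, func, data[off + 6:off + nbytes], False
        if func == META_EOF:
            return
        off += nbytes


def scan(name: str, data: bytes) -> dict:
    """Report whether a blob is a WMF and where any SETABORTPROC escapes sit."""
    result = {"name": name, "is_wmf": looks_like_wmf(data),
              "setabortproc_at": [], "malformed": False}
    if not result["is_wmf"]:
        return result
    for off, func, params, malformed in iter_records(data):
        result["malformed"] = result["malformed"] or malformed
        if func == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params)[0] == SETABORTPROC:
            result["setabortproc_at"].append(off)
    return result


# --- constructed samples for the demonstration (not real exploit files) -------
def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # Type=2 (disk), HeaderSize=9 words, Version=0x300, Size, Objects, MaxRecord, Members
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body


# A benign file: one SetBkColor record, then EOF.
BENIGN = _wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
               _record(META_EOF, b"")])

# A file carrying a SETABORTPROC escape (escape function, byte count, 4 data bytes)
# behind a harmless decoy record, handed around under a .jpg name.
SUSPECT = _wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00000000)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x41\x41\x41\x41"),
    _record(META_EOF, b""),
])

if __name__ == "__main__":
    for name, blob in (("logo.wmf", BENIGN), ("photo.jpg", SUSPECT),
                       ("cut.jpg", SUSPECT[:40]), ("notes.txt", b"plain text")):
        print(scan(name, blob))
```

A SETABORTPROC escape rarely has any business inside an image file, so its presence is a strong triage signal, and because the check is structural it does not care what the surrounding header bytes look like. It is a triage tool for mail gateways and proxies, not a replacement for the patch, and a parser this small should itself be run in a sandbox when fed untrusted files.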
I’m in the process of testing the patch in a VM right now, although from everything I’ve read it does exactly what it says, nothing more, and gives an uninstall link. I think at this point your best protection against this exploit is to install the unofficial patch and go ahead and unregister shimgvw.dll. When Microsoft gets around to an update, uninstall the unofficial patch (from Control Panel, Add/Remove Programs) and you can then re-register the DLL. (And install the official update.)
There are other notes to pass along about this. If browsing the web, you might use Firefox or Opera. Recent versions of these will at least PROMPT before opening a WMF image, which gives you a chance to say no. To be clear, Opera and Firefox will not PREVENT your machine from being exploited; they only give you the opportunity to decline opening the file with Windows Picture and Fax Viewer (if you are running a more recent version). At least one site that would normally be considered trusted was, within the last day, compromised to place the exploit in a redirect frame, so you need to be very careful. I wouldn’t be surprised to see other hacks like that as a means to propagate various payloads through this exploit while there’s an opportunity.
The vulnerability affects Windows 98 and ME as well, but the unofficial patch does not work on those platforms at this time. Unfortunately, unregistering the DLL is the only advice beyond not opening image files from unknown sources and being extremely cautious when browsing the web. If you have one, maybe use a Linux boot CD to browse the web (or the VMware Player safe-browsing virtual machine; I don’t recall whether VMware Player requires XP or can run on 98). Of course, those may not be options for everyone.
Given that the bug can deliver pretty much ANY payload the attacker chooses, the possible infections are a real wildcard. I spent the better part of an afternoon and evening cleaning up a virtual machine infection and would suggest that if there is any way available to you to harden your systems against the vulnerability, do so; the time spent cleaning up from this could be enormous.
–update 2:26PM EST–
After testing the patch, the only ill side-effect I see is a “run dll as application” error. I basically installed the unofficial patch and rebooted, then visited a site with the WMF exploit. Through that site and its popups there were at least two WMF exploit attempts. The first loaded Windows Picture and Fax Viewer with no image to display, the second did as well, and both seemed to give the above error. The VM is still clean with no additional downloads.
–update 10:51 PM EST–
Security Fix is covering the available unofficial patch and the current situation.