WMF exploit situation summary…



Since there’s been quite a bit of flux the last couple of days I thought I’d try to “reset” the situation and give a general overview of where we stand now with regards to the recent WMF zero-day exploit.

1st there is a vulnerability in the way Windows renders WMF (Windows MetaFile) image files that makes possible an exploitable buffer overflow allowing remote execution. There are at least two exploits for this vulnerability and it is not necessary for the wmf to have a name ending in .wmf (it could masquerade as jpg for instance.) The specially crafted WMF could be in a web page, email (html email), or other document. There are many possible vectors of entry for this.


2nd…. the second exploit that started making the rounds yesterday involves a random component. At this point, it will be difficult for IDS signatures to be certain that this variation is blocked. Further, antivirus signatures are not keeping up. Only three AV products seem to successfuly detect the exploits created by this new method. Source: incidents.org

3rd…. there is no official patch from Microsoft yet. There is no encouraging signal that there will be a patch before January 9th. Microsoft has not given guidance on when to expect a patch.

4th…. the new variation on the exploit has been seen in SPAM junk messages and there has also been an Instant Messenger worm propogating using the exploit.

5th… there have been a number of mitigating factors each with varying benefits/costs.
a) Hardware-enforced DEP for ALL programs and services is one measure which can help, but as reports have been varied, it should not be your only defence.
b) IDS signatures may have been effective for the first exploit, but may not be as effective for the second variation.
c) blocking suspected senders will not protect against all possible senders, Sans does have a block list THAT should not be your only defence either.
d) Workaround by disabling the dll that Explorer calls to view WMF images. From SANS… “Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.” This will help, but is not an end-all solution the dll may be re-registered, or other programs may use different approaches to exploit the Escape() function in gdi32.dll (which seems to be the real problem.)
e) An unofficial patch is available for Windows XP and Windows 2000 and Windows 2003. http://handlers.sans.org/tliston/wmffix_hexblog11.exe This is the patch that was first reported yesterday. It has been reviewed by several people and it is currently being recommended (along with unregistering the shimgvw.dll) as the best preventative measure.

I’m in the process of testing the patch in a VM right now although from everything I’ve read it does exactly what it says, nothing more and gives an uninstall link. I think at this point your best protection against this exploit is to install the unofficial patch and go ahead and unregister shimgvw.dll When Microsoft get’s around to an update, uninstall the unofficial patch (From control-panel add/remove programs) and you can then re-register the dll. (And install the official update.)

There are other notes to pass along about this. If browsing the web, you might use Firefox or Opera. Recent versions of these will at least PROMPT before viewing the wmf images. Which at least gives a chance to say no. At least one site that would normally be considered trusted has, within the last day, had a hacking that placed the exploit in a redirect frame, so you need to be very careful. I wouldn’t be surprised to see other hacks like that as a means to propogate various payloads through this exploit while there’s an opportunity. To clarify alternative browsers Opera and Firefox will not PREVENT your machine from being exploited, but will give you the opportunity to decline opening the file with Windows Picture and Fax viewer. (If running a more recent version.)

The exploit affects 98 and ME as well, but the unofficial patch at this time doesn’t work on those platforms. Unfortunately, unregistering the dll is the only advice outside of not opening image files from unknown sources and be extremely cautious in web browsing. If you have one, maybe use a linux boot cd to browse the web? (or the vmplayer safe browsing virtual machine – I don’t recall if vmplayer requires XP or can run on 98??) Of course, those may not be options for everyone.

Given that the bug can deliver pretty much ANY payload the attacker chooses makes the possible infections a real wildcard, but I spent the better part of an afternoon/evening cleaning up a virtual machine infection and would suggest if there is any way available to you to harden your systems against the vulnerability, do so… the time spent cleaning up from this could be enormous.

–update 2:26PM EST–

After testing the patch the only ill side-effect I see is a “run dll as application” error. I basically installed the unofficial patch and rebooted, then visited a site with the wmf exploit. Through that site and popups there were at least two wmf exploit attempts. The first loaded Windows picture and fax viewer with no image to display, the second did as well and both seemed to give the above error. And the VM is still clean with no additional downloads.

–update 10:51 PM EST–

The security fix is covering the available unofficial patch and what the current situation is.

   Send article as PDF   

Similar Posts