Recent WMF exploit

From: John Ives <jives_at_berkeley.edu>
Date: Mon Jan 02 2006 - 08:28:40 PST

/*** My apologies for those who may receive multiple copies of this ***/

As many of you are probably aware, last week a 0-day exploit became
available for Windows that preyed upon a vulnerability in Windows'
handling of WMF files (a type of graphic). While at one time it may
have been possible to avoid this issue by simply avoiding files
ending in .wmf, Windows actually recognizes the files based upon a
header in the file so they can have any extension or can be embedded
in an office file (actually this is one of the more common uses for
the wmf graphics). This vulnerability is known to affect every
version of Windows currently supported by Microsoft and, in all
likelihood, some unsupported versions as well. While using a browser
other than IE will help in this situation, other browsers can also be
used to download and execute the file (though the user should, in
most cases, be prompted). Additionally, these files can also be sent
via email, IM, P2P networks or any other method people use to transfer files.
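Because Windows identifies a metafile by its header rather than its extension, a defender who wants to find these files on a share, in a mail gateway or inside an Office document has to look at content. The following is an added example, not code from the original message; it identifies a WMF from its header regardless of file name and scans an arbitrary blob for embedded metafile headers. It uses only the documented WMF header layout (placeable key 0x9AC6CDD7, standard header of 9 words with type 1 or 2 and version 0x0100 or 0x0300); the sample bytes it builds with build_minimal_wmf are constructed stand-ins, not real captured files.

```python
import struct

# Magic of the "placeable" (Aldus) WMF header: 0x9AC6CDD7 stored little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) hWmf(2) bbox(8) inch(2) reserved(4) checksum(2)
STD_HEADER_LEN = 18         # 9 words: type, hdr size, version, size, objects, max rec, params


def _parse_std_header(buf, off):
    """Parse the 18-byte standard METAHEADER at buf[off:].
    Returns a dict, or None if the fixed fields do not look like a metafile."""
    if off + STD_HEADER_LEN > len(buf):
        return None
    mt_type, hdr_words, version = struct.unpack_from("<HHH", buf, off)
    size_words, n_objects, max_record = struct.unpack_from("<IHI", buf, off + 6)
    # Spec constants: type 1 (memory) or 2 (disk), header is always 9 words,
    # version 0x0100 (no DIB support) or 0x0300.
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"type": mt_type, "version": version, "size_bytes": size_words * 2,
            "objects": n_objects, "max_record_bytes": max_record * 2}


def identify_wmf(buf):
    """Decide whether buf *starts* with a WMF, ignoring any file extension.
    Returns None, or the parsed header plus a 'placeable' flag."""
    if buf[:4] == PLACEABLE_KEY:
        hdr = _parse_std_header(buf, PLACEABLE_HEADER_LEN)
        return {"placeable": True, **hdr} if hdr else None
    hdr = _parse_std_header(buf, 0)
    return {"placeable": False, **hdr} if hdr else None


def find_embedded_wmf(buf):
    """Scan an arbitrary blob (e.g. an Office document) for embedded metafiles.
    Returns sorted offsets at which a plausible WMF header begins."""
    hits = []
    # Placeable headers carry a 4-byte magic, so search for it directly.
    pos = buf.find(PLACEABLE_KEY)
    while pos != -1:
        if _parse_std_header(buf, pos + PLACEABLE_HEADER_LEN):
            hits.append(pos)
        pos = buf.find(PLACEABLE_KEY, pos + 1)
    # Bare metafiles have no magic: look for the fixed header-size/version words
    # (0x0009 then 0x0100 or 0x0300) and validate the surrounding fields.
    for marker in (b"\x09\x00\x00\x01", b"\x09\x00\x00\x03"):
        pos = buf.find(marker)
        while pos != -1:
            start = pos - 2                       # mtType precedes mtHeaderSize
            if start >= 0 and _parse_std_header(buf, start):
                key_off = start - PLACEABLE_HEADER_LEN
                preceded_by_placeable = (key_off >= 0 and
                                         buf[key_off:key_off + 4] == PLACEABLE_KEY)
                if not preceded_by_placeable:      # already counted via the key
                    hits.append(start)
            pos = buf.find(marker, pos + 1)
    return sorted(hits)


def build_minimal_wmf(placeable=False):
    """Constructed test input: a minimal disk metafile (header + EOF record),
    optionally wrapped in a placeable header. Not taken from any real file."""
    eof_record = struct.pack("<IH", 3, 0x0000)             # 3 words, function 0 = EOF
    total_words = (STD_HEADER_LEN + len(eof_record)) // 2    # 12 words
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, 3, 0)
    body = header + eof_record
    if placeable:
        # key, hWmf, bbox(left, top, right, bottom), inch, reserved; checksum follows
        fields = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", fields):
            checksum ^= word                         # spec: XOR of the first 10 words
        body = fields + struct.pack("<H", checksum) + body
    return body


if __name__ == "__main__":
    # Constructed stand-in for an Office document carrying two embedded metafiles.
    doc = (b"\xd0\xcf\x11\xe0" + b"\x00" * 60 + build_minimal_wmf(placeable=True)
           + b"junk" + build_minimal_wmf() + b"\x00" * 8)
    print(identify_wmf(build_minimal_wmf()))          # header parsed despite no name
    print(identify_wmf(b"GIF89a" + b"\x00" * 40))     # None: not a metafile
    print(find_embedded_wmf(doc))                     # [64, 114]
```

The same header checks can be expressed as IDS content matches (the placeable key bytes, or 0x0009 followed by 0x0100/0x0300 two bytes into the header), but validating the remaining fields as above cuts false positives considerably, since a four-byte marker alone shows up in unrelated binary data.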

Beginning last week, when I was able to get a hold of an exploit
file, I began putting up IDS signatures to detect systems
downloading this file and have updated the signatures several times
now to refine or replace the signatures as the exploits have changed
and new signatures have become available. Unfortunately, a couple
variants have come out that are going to be very difficult to
reliably detect, and I would like to urge everyone to be very
cautious until Microsoft releases a patch for this problem.

At this time there are two known ways of protecting your
computer. The first one is unregistering the dll exploited as
described in the "Suggested Actions" section of Microsoft's advisory
for this issue
(http://www.microsoft.com/technet/security/advisory/912840.mspx).
Without a doubt I do recommend this course of action and have taken
it on my own computers. The second known way of dealing with this is
installing a patch that has been released by a third party. While
some of the people at SANS/ISC have reverse engineered this code to
make sure that it does not contain an exploit itself, I would urge
caution in applying this or any third party patch. Just because it
does not exploit your computer, does not mean that it is completely
harmless. Some configurations or software could have a conflict or
other issue with this patch and since the patch is unsupported, you
may have a difficult time recovering. Having said this, if you are
still interested in the patch, you should see
http://isc.sans.org/diary.php?rss&storyid=999 for downloads of
SANS/ISC tested versions in both exe and msi format.

Finally, while I, and the rest of SNS, would like to be able to give
everyone a simple guide to fixing their computer if exploited,
because of the way this was released, there are a large number of
potential payloads that may accompany this and we may not be able to
detect the damage from the network. As a result, for most people on
campus, the best way to deal with a system that has been exploited
will be a complete rebuild. In situations where this will have a
substantial impact upon ongoing research (lab equipment for example)
or the mission of the unit, please let us know and we will work with
you to, hopefully, identify another alternative.

More information about this issue can be found at
http://isc.sans.org/diary.php?rss&storyid=994.

Yours,

John Ives
jives@security.berkeley.edu
Systems and Network Security
(510) 642-7773

Received on Mon Jan 2 08:31:32 2006

This archive was generated by hypermail 2.1.8 : Mon Jan 02 2006 - 08:31:34 PST