This is to spotlight John Ives' comments, below, that the so-called
"WMF vulnerability" may represent a very serious risk to Windows
computers, one which should be promptly addressed and continue to
be monitored until it is resolved:
A blog entry from security vendor F-Secure
<http://www.f-secure.com/weblog/archives/archive-012006.html#00000761>
flatly notes:
"The WMF vulnerability" probably affects more computers
than any other security vulnerability, ever.
If you need to communicate this issue effectively to a non-technical
audience, the following Financial Times article may be a good starting place:
"Hackers exploit Windows flaw"
http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
In summary, this vulnerability has been stated to:
- Make it possible to run malicious code on a Windows system simply
by viewing - or otherwise processing - a specific type of image
file: whether that file is encountered as a graphic on a web page,
as an email attachment, or in a number of other contexts; and
- Affect computers running nearly every version of Windows, from 3.x
releases in the early 1990s to the latest XP and Server 2003.
In addition, a SANS blog entry notes that anti-virus vendor McAfee
claimed on a radio show that 6% of its customer base has already been
successfully exploited. This could be an exaggeration - McAfee and other
A/V vendors have frequently overstated threats, sometimes wildly - but if
that claim was truly made and reflects even a semblance of reality, that
would represent huge numbers.
Please read John's message, below, for a description of how to protect
computers running recent versions of Windows. There are two protection
methods he mentions:
- Un-registering a DLL, shimgvw.dll, which prevents the
Windows Picture and Fax Viewer from handling its associated
image files (the method suggested by Microsoft and recommended
by John); and
- Applying a SANS-vetted, third-party patch, which disables a
routine within an escape function that allows arbitrary code
inside WMF image files to be executed.
For more detailed information about this issue, two recommended places
to start are:
Microsoft's official advisory (mentioned in John's message):
"Microsoft Security Advisory (912840): Vulnerability in
Graphics Rendering Engine Could Allow Remote Code Execution"
http://www.microsoft.com/technet/security/advisory/912840.mspx
And an overview of SANS Internet Storm Center (ISC) blog entries on
this issue, which individually provide up to date, informal,
and often candid looks at the breaking story surrounding this
vulnerability:
"Overview of the WMF related articles at the ISC"
http://isc.sans.org/diary.php?storyid=993
Note that two of the SANS ISC blog entries linked from that page
caution that disabling the relevant DLL, shimgvw.dll, may have
some potential limitations in its protective impact.
More information about the second protection method mentioned
in John's message, a third-party patch, can be found on its
author's blog:
Ilfak Guilfanov
"Windows WMF Metafile Vulnerability HotFix"
http://www.hexblog.com/2005/12/wmf_vuln.html
If for some reason you choose to apply that patch, please note
SANS' caveats <http://isc.sans.org/diary.php?storyid=992>:
Patching with unofficial patches is very risky business,
this comes without any guarantees of any kind.
Please do back out these unofficial patches [via Add/Remove
Programs] before applying official patches from Microsoft.
Aron Roberts
Workstation Software Support Group
On Mon, January 2, 2006 08:28, John Ives wrote:
> /*** My apologies for those who may receive multiple copies of this ***/
>
> As many of you are probably aware, last week a 0-day exploit became
> available for Windows that preyed upon a vulnerability in Windows
> handling of WMF files (a type of graphic). While at one time it may
> have been possible to avoid this issue by simply avoiding files ending
> in .wmf, Windows actually recognizes the files based upon a header in
> the file so they can have any extension or can be embedded in an office
> file (actually this is one of the more common uses for the wmf
> graphics). This vulnerability is known to affect every version of
> Windows currently supported by Microsoft and, in all likelihood, some
> unsupported versions as well. While using a browser other than IE will
> help in this situation, other browsers can also be used to download and
> execute the file (though the user should, in most cases, be prompted).
> Additionally, these files can also be sent via email, IM, P2P networks
> or any other method people use to transfer files.
>
> Beginning last week, when I was able to get a hold of an exploit file, I
> began putting up IDS signatures to detect systems downloading this
> file and have updated the signatures several times now to refine or
> replace the signatures as the exploits have changed and new signatures
> have become available. Unfortunately, a couple variants have come out
> that are going to be very difficult to reliably detect, and I would like
> to urge everyone to be very cautious until Microsoft releases a patch
> for this problem.
>
> At this time there are two known ways of protecting your computer. The
> first one is unregistering the dll exploited as described in the
> "Suggested Actions" section of Microsoft's advisory for this issue
> (http://www.microsoft.com/technet/security/advisory/912840.mspx).
> Without a doubt I do recommend this course of action and have taken it
> on my own computers. The second known way of dealing with this is
> installing a patch that has been released by a third party. While some
> of the people at SANS/ISC have reverse engineered this code to make
> sure that it does not contain an exploit itself, I would urge caution in
> applying this or any third party patch. Just because it does not
> exploit your computer, does not mean that it is completely harmless.
> Some configurations or software could have a conflict or other issue
> with this patch and since the patch is unsupported, you may have a
> difficult time recovering. Having said this, if you are still
> interested in the patch, you should see
> http://isc.sans.org/diary.php?rss&storyid=999 for downloads of SANS/ISC
> tested versions in both exe and msi format.
>
> Finally, while I, and the rest of SNS, would like to be able to give
> everyone a simple guide to fixing their computer if exploited, because
> of the way this was released, there are a large number of potential
> payloads that may accompany this and we may not be able to detect the
> damage from the network. As a result, for most people on campus, the
> best way to deal with a system that has been exploited will be a
> complete rebuild. In situations where this will have a substantial
> impact upon ongoing research (lab equipment for example) or the mission
> of the unit, please let us know and we will work with you to, hopefully,
> identify another alternative.
>
> More information about this issue can be found at
> http://isc.sans.org/diary.php?rss&storyid=994.
>
> Yours,
>
> John Ives
> jives@security.berkeley.edu
> Systems and Network Security
> (510) 642-7773
>
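As an added example (not part of either message above), the check below illustrates two points from this thread: John's note that Windows recognizes WMF content from its header rather than the file extension, and Aron's summary of the escape-function route that lets a metafile register a callback. It identifies WMF data from the header alone and flags records that invoke the SETABORTPROC escape; record layout follows the published WMF format, the sample file is constructed test data with no payload, and treating undersized record lengths as suspicious is an assumption of this example, not something either author states.

```python
import struct

META_ESCAPE = 0x0626      # record type that hands parameters to a GDI escape
META_EOF = 0x0000
SETABORTPROC = 0x0009     # escape subfunction that registers an abort callback
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def scan_wmf(data: bytes):
    """Return (is_wmf, findings). Recognition is header-based: the caller's
    file name or extension plays no part, matching how Windows sniffs WMF."""
    findings, off = [], 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return False, findings
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return False, findings
    off += 18
    # Each record: rdSize (DWORD, counted in 16-bit words) then rdFunction (WORD).
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if rd_size < 3:
            # Smaller than its own size+function fields: breaks naive parsers,
            # so this example treats it as suspicious (assumption) and stops.
            findings.append(f"malformed record size {rd_size} at offset {off}")
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append(f"SETABORTPROC escape at offset {off}")
        off += rd_size * 2
    return True, findings

def build_sample(escape_code: int) -> bytes:
    """Constructed test data: a minimal disk metafile with one benign
    META_SETMAPMODE record, one escape record of the given kind, and EOF."""
    benign = struct.pack("<IHH", 4, 0x0103, 8)            # 4 words
    esc_data = b"\x00" * 4                                  # placeholder bytes
    esc = struct.pack("<IHHH", 3 + 2 + len(esc_data) // 2,  # 7 words
                      META_ESCAPE, escape_code, len(esc_data)) + esc_data
    body = benign + esc + struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (18 + len(body)) // 2, 0, len(esc) // 2, 0)
    return header + body
```

Because the scan keys on the header, a sample renamed to .jpg or embedded as bytes in another container is still recognized; a file that merely ends in .wmf but lacks the header is not.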
Received on Mon Jan 2 12:34:05 2006
This archive was generated by hypermail 2.1.8 : Mon Jan 02 2006 - 12:34:07 PST