Dan Posted January 2, 2006 (edited)

Hey everyone,

Here is some background information about the WMF Exploit:

It exploits a little-known function in Windows Meta Files (WMF). Those files are used for, well, I don't know really. I think they are mostly used for clipart in Office. In any case, the exploit involves a file with special commands in it, which would be rendered by shimgvw.dll acting on behalf of the user. The exploit requires user interaction, such as surfing to a web site hosting an image that exploits the problem, viewing an e-mail with such an image embedded in an e-mail program that shows those images (Outlook 2003 does not do so automatically), or opening an image as a file attachment. Of course, the usual "security researchers" are publishing canned versions, Metasploit versions, and all other manner of sample exploits to make it possible for even criminals who barely know how to use a computer to exploit this issue. There are many different exploits of this by now. They are currently in active use to install spyware, according to SANS.

From here: http://blogs.technet.com/jesper_johansson/.../02/416762.aspx

The most basic way to stop this is to just unregister the DLL. To do this, you just need to click "Start --> Run" and type this:

regsvr32 /u %windir%\system32\shimgvw.dll

This will unregister the DLL, but you have to be an administrator.

A few days ago, I stumbled upon this: http://www.hexblog.com/2005/12/wmf_vuln.html#more

This is a temporary patch which is approved by SANS. This is a needed thing, but is only temporary! I recommend you read the post under this about what Pete said. When Microsoft issues a patch, please use that one!

Here are the technical details:

This is a DLL which gets injected into all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore. I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things. If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

Also, take a look at this post over at Computer Trouble forums. It has a bunch of information, and is really helpful.

Danny

Edited January 3, 2006 by Danny
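The post above describes the problem at the level of "a SETABORT escape sequence handled by gdi32's Escape()". What a practitioner checking mail attachments or a web cache wants is a way to find that escape in a file before anything renders it. The scanner below is an added example for this thread, not code from the post, from SANS, or from the hexblog hotfix. It walks the published WMF record layout (optional 22-byte placeable header, 18-byte standard header, then records of rdSize/rdFunction/parameters with sizes in 16-bit words) and flags any META_ESCAPE (0x0626) record whose escape function is SETABORTPROC (9). It also reports a record that claims more bytes than the file holds, since a malformed tail is worth a second look in any image arriving from outside. The two sample metafiles at the bottom are constructed in the code and contain only filler bytes, no payload.

```python
"""
Static scanner for the SETABORTPROC escape in Windows Metafiles.

Added example for this thread, not code from any of the posts or from the
hexblog hotfix.  Record layout follows the published WMF format (18-byte
header, optional 22-byte placeable header, records of rdSize/rdFunction/params
with sizes in 16-bit words).  The sample metafiles at the bottom are
constructed here and contain only filler bytes, no payload.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header, 22 bytes, precedes the real header
META_EOF = 0x0000
META_SETTEXTCOLOR = 0x0209     # harmless record used in the clean sample
META_ESCAPE = 0x0626           # rdFunction of an escape record
SETABORTPROC = 9               # escape sub-function the 2006 exploits abuse


def parse_wmf_records(data: bytes):
    """Yield (offset, rdFunction, params) for each record.

    params is None when a record claims more bytes than remain in the file;
    scanning stops there (and at META_EOF), so a malformed tail is reported
    rather than silently skipped.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("too short to hold a WMF header")
    _mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if hdr_words != 9:              # mtHeaderSize is always 9 words (18 bytes)
        raise ValueError("unexpected mtHeaderSize %d" % hdr_words)
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            yield off, func, None
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data: bytes):
    """Return a list of findings (dicts) for SETABORTPROC escapes and truncated records."""
    findings = []
    for off, func, params in parse_wmf_records(data):
        if params is None:
            findings.append({"offset": off, "issue": "truncated record", "function": func})
            continue
        if func == META_ESCAPE and len(params) >= 4:
            # escape record params: EscapeFunction (WORD), ByteCount (WORD), then data
            esc, count = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                findings.append({"offset": off, "issue": "SETABORTPROC escape",
                                 "function": func, "escape": esc, "data_len": count})
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the metafile carries a SETABORTPROC escape record."""
    return any(f["issue"] == "SETABORTPROC escape" for f in find_setabortproc(data))


# --- constructed sample files (not real-world samples) ---------------------

def _record(func: int, params: bytes) -> bytes:
    """One WMF record: rdSize in words, rdFunction, parameters (even byte count)."""
    if len(params) % 2:
        raise ValueError("WMF record parameters must be word-aligned")
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Minimal in-memory metafile: standard header, the given records, META_EOF."""
    recs = [_record(f, p) for f, p in records] + [_record(META_EOF, b"")]
    body = b"".join(recs)
    header = struct.pack("<HHHIHIH",
                         1,                               # mtType: in-memory metafile
                         9,                               # mtHeaderSize in words
                         0x0300,                          # mtVersion
                         (18 + len(body)) // 2,           # mtSize in words
                         0,                               # mtNoObjects
                         max(len(r) for r in recs) // 2,  # mtMaxRecord in words
                         0)                               # mtNoParameters
    return header + body


# benign file: one SETTEXTCOLOR record then EOF
CLEAN_WMF = build_wmf([(META_SETTEXTCOLOR, struct.pack("<I", 0x0000FF))])

# file carrying a SETABORTPROC escape with 8 filler bytes where an attacker
# would place code; "A" * 8 is filler, not a payload
SUSPICIOUS_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8)])


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, find_setabortproc(blob))
```

This is a purely static check and complements, rather than replaces, the unregister step and the vendor patch discussed in the thread: run it over every attachment or cached file regardless of extension, because the renderer decides by content, not by the file name. A file that trips the scanner should simply not be opened on an unpatched box.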
Pete_C Posted January 3, 2006

http://blogs.technet.com/jesper_johansson/.../02/416762.aspx

Unofficial Patch

Finally, there is an unofficial patch. Patch really is the right terminology for this. It patches (using basic rootkit technology) a system DLL to ignore calls to the vulnerable function. The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. According to SANS, it does stop the current exploits.

Fostering a false sense of security by installing a rootkit is worse than doing nothing. It is far better you take the approach suggested by this senior Microsoft security expert while waiting for him to finish writing and testing the patch. You should do this for each browser you use to go wild, as well as your default image viewer.
Dan Posted January 3, 2006 (Author)

The link doesn't work, Pete.

http://blogs.technet.com/jesper_johansson/.../02/416762.aspx
^There's the link.

I see your point. I'm still going to use the patch, but I think it'll be better for users to unregister the DLL.

Danny
Dan Posted January 4, 2006 (Author)

Hexblog is down because of too much traffic... :x

The patch is hosted here: http://handlers.sans.org/tliston/wmffix_hexblog14.exe

And CCops is going to host a board for Ilfak....
Pete_C Posted January 4, 2006 (edited)

http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589
Lots of bad advice for critical WMF vulnerability!

Looks like unregistering the DLL is the most effective defense for now. Also looks like the patch will be released next week.

Also, the paid version of a-squared, with background guard, will detect and block the exploits.

Edited January 4, 2006 by Pete_C
Dan Posted January 4, 2006 (Author)

What about Ilfak's patch? I think that unregistering the DLL and running that patch are still the best things to do /for now/...

MSPaint and Lotus Notes can still be exploited even with this DLL unregistered. I think we haven't heard the end of this one yet and there may be many more applications vulnerable to this exploit, but the combination of hardware-enforced DEP and unregistering the shimgvw.dll file seems to be very effective for now.
Pete_C Posted January 6, 2006 (edited)

Microsoft released the patch for Win2k and Win XP on Thursday, Jan 05:
http://www.microsoft.com/technet/security/...n/MS06-001.mspx

For Win98 and ME the update is not considered critical since there are no exploits targeting those older OSes yet; so, since they are beyond their life cycle, Microsoft chose not to patch them at this time. For those, unregistering the DLL is the best option.

Edited January 6, 2006 by Pete_C