WMF Exploit Temporary Fix



Hey everyone,

Here is some background information about the WMF Exploit:

It exploits a little-known function in Windows Meta Files (WMF). Those files are used for, well, I don't know really. I think they are mostly used for clipart in Office. In any case, the exploit involves a file with special commands in it, which would be rendered by shimgvw.dll acting on behalf of the user. The exploit requires user interaction, such as surfing to a web site hosting an image that exploits the problem, viewing an e-mail with such an image embedded in an e-mail program that shows those images (Outlook 2003 does not do so automatically), or opening an image as a file attachment. Of course, the usual "security researchers" are publishing canned versions, metasploit versions, and all other manner of sample exploits to make it possible for even criminals who barely know how to use a computer to exploit this issue.

There are many different exploits of this by now. They are currently in active use to install spyware, according to SANS.

From here: http://blogs.technet.com/jesper_johansson/.../02/416762.aspx

The most basic way to stop this is to just unregister the DLL. To do this, you just need to click "Start --> Run" and type this:

regsvr32 /u %windir%\system32\shimgvw.dll

This will unregister the DLL, but you have to be an administrator.

A few days ago, I stumbled upon this:

http://www.hexblog.com/2005/12/wmf_vuln.html#more

This is a temporary patch which is approved by SANS. This is a needed thing, but is only temporary! I recommend you read the post under this about what Pete said.

When Microsoft issues a patch, please use that one!

Here are the technical details:

This is a DLL which gets injected into all processes loading user32.dll.

It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.

I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

Also, take a look at this post over at Computer Trouble forums. It has a bunch of information, and is really helpful.

Danny

Edited by Danny
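As an added illustration (not code from any post here, nor from Ilfak's patch), here is a small Python scanner that walks a WMF file's record list and flags the Escape(SETABORTPROC) record that the patch above refuses, along with malformed record sizes. The record and escape codes are from the public WMF format; the two sample files are constructed, inert fixtures for the scanner, not exploit files.

```python
import struct

# WMF record/escape identifiers from the public Windows Metafile format.
META_EOF = 0x0000
META_ESCAPE = 0x0626          # record that reaches gdi32's Escape() on playback
SETABORTPROC = 0x0009         # the escape subfunction the hotfix refuses
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header


def scan_wmf(data: bytes) -> list:
    """Walk the record list of a WMF file and return a list of findings."""
    findings = []
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return ["truncated: no metafile header"]
    _type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        findings.append("header: unexpected HeaderSize %d words" % header_words)
    off += 18
    while off + 6 <= len(data):          # every record starts with size(4) + function(2)
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            findings.append("record at %d: bad RecordSize %d" % (off, size_words))
            break
        if func == META_ESCAPE and size_words >= 4:
            escape = struct.unpack_from("<H", data, off + 6)[0]
            if escape == SETABORTPROC:
                findings.append("record at %d: Escape(SETABORTPROC), the MS06-001 trigger" % off)
        if func == META_EOF:
            break
        off = end
    else:
        findings.append("no META_EOF record before end of file")
    return findings


def _record(func, *words):
    """Constructed helper: one WMF record (size in 16-bit words, then function code)."""
    return struct.pack("<IH%dH" % len(words), 3 + len(words), func, *words)


def _wmf(records):
    """Constructed helper: standard 18-byte header in front of the given records."""
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 7, 0) + body


# Benign fixture: SETMAPMODE then EOF.  Flagged fixture: an inert Escape(SETABORTPROC)
# record carrying four zero bytes, just enough for the scanner to notice it.
BENIGN_WMF = _wmf([_record(0x0103, 8), _record(META_EOF)])
FLAGGED_WMF = _wmf([_record(META_ESCAPE, SETABORTPROC, 4, 0, 0), _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("flagged", FLAGGED_WMF)):
        print(name, scan_wmf(blob) or ["clean"])
```

A hit from this scanner on a file arriving by mail or web is a reason to quarantine it; the scanner is a filter, not a replacement for the MS06-001 update.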

http://blogs.technet.com/jesper_johansson/.../02/416762.aspx

Unofficial Patch

Finally, there is an unofficial patch. Patch really is the right terminology for this. It patches (using basic rootkit technology) a system DLL to ignore calls to the vulnerable function. The patch is an executable and has to be run on each vulnerable system, meaning the cost of implementation is potentially very high. According to SANS, it does stop the current exploits.

Fostering a false sense of security by installing a rootkit is worse than doing nothing. It is far better you take the approach suggested by this senior Microsoft security expert while waiting for him to finish writing and testing the patch. You should do this for each browser you use to go wild, as well as your default image viewer.


http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589

Lots of bad advice for critical WMF vulnerability!

Looks like unregistering the DLL is the most effective defense for now.

Also looks like the patch will be released next week.

Also, the paid version of a-squared, with background guard, will detect and block the exploits.

Edited by Pete_C

What about Ilfak's patch? I think that unregistering the DLL and running that patch are still the best things to do /for now/...

MSPaint and Lotus Notes can still be exploited even with this DLL unregistered. I think we haven't heard the end of this one yet and there may be many more applications vulnerable to this exploit but the combination of hardware-enforced DEP and unregistering the shimgvw.dll file seems to be very effective for now.



Microsoft released the patch for Win2k and Win XP on Thursday, Jan 05.

http://www.microsoft.com/technet/security/...n/MS06-001.mspx

For Win98 and ME the update is not considered critical, since there are no exploits targeting those older OSes yet; and since they are beyond their life cycle, Microsoft chose not to patch them at this time.

For those, unregistering the DLL is the best option.

Edited by Pete_C