WMF Exploit FAQ
CastleCops

Microsoft has released its official patch

Read the Microsoft Security Bulletin MS06-001 article for details.

There is a lot of public information available right now on the WMF Exploit and workaround patches. This article will attempt to answer some basic questions surrounding the WMF Exploit and those patches (both official and workaround), including why Microsoft is waiting to release their official patch on January 10th, and rumors of an early MS patch Internet leak. Other items include how to install and uninstall the various unofficial patches, and how to deal with them once you have Microsoft's official patch installed.

Summary:
The graphics rendering engine in the Windows operating system had a vulnerability. The WMF Exploit took advantage of this "hole". Microsoft's new patch plugs this "hole" which mitigates the exploit.

  1. What is WMF?

  2. Microsoft defines WMF as the Windows Metafile, a 16-bit metafile image format containing both vector and bitmap data.

  3. What is the issue with WMF?

  4. The WMF image is a little different from other images: it can call external procedures, one of which can execute code.

  5. How can I get the WMF Exploit?

  6. The answer to this varies right now; however, one thing is certain: you can get the exploit by visiting an infected web page. Others suggest it can arrive through email attachments, instant messaging, Lotus Notes, and so on.

  7. What can I do to patch this?

  8. Microsoft has now released its official patch for affected operating systems. Visit here for details.

  9. Will my antivirus find a malicious WMF?

  10. There are at least 73 variants of this exploit and the following products detect them all:

    • Alwil Software (Avast)
    • Softwin (BitDefender)
    • ClamAV
    • F-Secure Inc.
    • Fortinet Inc.
    • McAfee Inc.
    • ESET (Nod32)
    • Panda Software
    • Sophos Plc
    • Symantec Corp.
    • Trend Micro Inc.
    • VirusBuster

    Products not listed detected fewer variants; you can read about them here.

  11. Will DEP mitigate this attack?

  12. Data Execution Protection, or DEP, prevents execution of data segments. Hardware-enforced DEP may mitigate this attack; software-enforced DEP will not. However, it has been found that third-party image viewers on systems with hardware-enforced DEP may still leave the operating system vulnerable (please see DEP not a 'total solution' to WMF for more details).

  13. Will blocking the .wmf extension mitigate the attack?

  14. No, the graphics rendering engine does not look at the extension when determining file type. The attack can occur with other image file extensions such as .jpg and .gif.

  15. What is Microsoft doing to patch this?

  16. Microsoft has responded by creating a patch already. Download the official patch and read about it here. It is recommended to install this patch.

    This patch is being tested internally and by vendors to ensure business and home systems/products do not break. Microsoft is set to release an official patch on January 10. Until then, Microsoft recommends un-registering the Windows Picture and Fax Viewer (shimgvw.dll). A movement exists in the security industry to not bother with un-registering the file (more details further below).

  17. How do I un-register shimgvw.dll?

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.


  18. How do I re-register shimgvw.dll?

    1. Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.


  19. When should I re-register shimgvw.dll, before or after the patch?

  20. You can re-register it after the patch Microsoft releases.

  21. Should I install Ilfak Guilfanov's WMF Hotfix?

  22. Microsoft recommends against installing third party patches, however, the rest of the security industry recommends installing it. A slide presentation lower down explains why.

  23. What does the WMF Hotfix do?

  24. The hotfix DLL patches the Escape() function in gdi32.dll and makes the SETABORT escape sequence invalid. The hotfix changes this function only in memory; it makes no changes to the filesystem.
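    Since the whole issue comes down to one metafile record (a META_ESCAPE whose escape number is SETABORTPROC), a defender can look for exactly that record rather than for a file extension. The following scanner is an added example and is not code from CastleCops or from Ilfak's hotfix; the record layouts follow the public WMF format (RecordSize in 16-bit words, META_ESCAPE = 0x0626, SETABORTPROC = 0x0009) and the sample files are constructed in-memory fixtures. Because Microsoft notes further down that the bug fires with correct or incorrect record sizes, the scanner also searches the raw bytes so a lying RecordSize cannot hide the record.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, optional 22-byte prefix
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the escape number the hotfix makes invalid
# Little-endian bytes of "RecordFunction=META_ESCAPE, EscapeFunction=SETABORTPROC"
RAW_SIGNATURE = b"\x26\x06\x09\x00"

def scan_wmf(data: bytes) -> dict:
    """Decide from the bytes alone (extension is irrelevant) whether a metafile
    carries a SETABORTPROC escape. Records are walked by declared size; the raw
    bytes are searched too, so a malformed RecordSize cannot hide the record."""
    result = {"is_wmf": False, "records": 0, "setabortproc": False,
              "bad_record_size": False, "raw_hit": RAW_SIGNATURE in data}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return result
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:     # 1 = memory, 2 = disk metafile
        return result
    result["is_wmf"] = True
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size in 16-bit words
        result["records"] += 1
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_func, _byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
        if func == META_EOF:
            break
        if size_words < 3 or off + size_words * 2 > len(data):  # header alone is 3 words
            result["bad_record_size"] = True       # sizes lie: stop walking, trust raw_hit
            break
        off += size_words * 2
    return result

def is_suspicious(data: bytes) -> bool:            # quarantine rule for a mail/web gateway
    r = scan_wmf(data)
    return r["setabortproc"] or r["raw_hit"] or (r["is_wmf"] and r["bad_record_size"])

def _record(func: int, params: bytes) -> bytes:     # builds a record with a correct size
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

# Constructed samples, not real files: bare 18-byte disk-metafile header plus records.
HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
CLEAN_WMF = HEADER + _record(0x020C, struct.pack("<HH", 100, 100)) + _record(META_EOF, b"")
ESCAPE_WMF = HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4) + _record(META_EOF, b"")
```

A structural hit (`setabortproc`) is the strong signal; `raw_hit` alone can also fire on pixel data, so treat it as a reason to quarantine for inspection rather than as proof.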

  25. Are any changes made to the Registry?

  26. The installer injects this DLL into processes on the system using the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

    For an explanation of this key, visit this link.

  27. What operating systems are affected?

  28. It has recently been claimed by iDEFENSE and Microsoft that the following operating systems are at risk:

    1. Windows XP Service Pack 1
    2. Windows XP Service Pack 2
    3. Windows Server 2003
    4. Windows Server 2003 Service Pack 1

    If you have one of these then install the patch. Other operating systems are not affected.

    NOTE: Windows 2000 is not vulnerable by default, but it can be made vulnerable; please see the WMF Update for more details.

  29. Are Windows 98, Windows 98 SE, and/or Windows ME Vulnerable?

  30. Microsoft states "the Windows 9x platform is not vulnerable to any "Critical" attack vector. The reason Windows 9x is not vulnerable to a "Critical" attack vector is because an additional step exists in the Win9x platform: When not printing to a printer, applications will simply never process the SetAbortProc record. Although the vulnerable code does exist in the Win9x platform, all "Critical" attack vectors are blocked by this additional step. The remaining attack vectors that we have identified require extensive user interaction and are not rated "Critical". Again the "Critical" rating refers to code execution attacks that could result in automated attacks requiring little or no user interaction."

  31. Is Lotus Notes Vulnerable?

  32. It has been confirmed that Lotus Notes versions 6.x and higher are indeed vulnerable to the WMF Exploit. Even after the un-registration of the shimgvw.dll file, Lotus Notes still remains vulnerable.

  33. So how are both patches intertwined?

  34. [Diagram: exploit path through the application, shimgvw.dll and gdi32.dll] The WMF Exploit first goes through an application, which in this case can then route through shimgvw.dll and then end up at gdi32.dll. Both patches attempt to block the exploit along this pathway.

  35. What can happen if only the shimgvw.dll patch is applied?

  36. [Diagram: exploit path bypassing shimgvw.dll] The exploit doesn't have to go through the intermediate shimgvw.dll step. Un-registering the shimgvw.dll file as Microsoft recommends doesn't prevent the exploit from calling gdi32.dll directly. And since gdi32.dll is the one that contains the vulnerable function, it is recommended to install Ilfak's hotfix.

  37. So what happens when the Hotfix is installed?

  38. [Diagram: hotfix blocking Escape() inside gdi32.dll] Ilfak's patch deals with the vulnerable Escape() function within gdi32.dll directly in memory. Indirect or direct calls to the function are mitigated by the hotfix.

  39. Can I install the hotfix across a network?

  40. Yes, the hotfix can be run in silent mode via a batch process:

    wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

  41. Can I un-install the hotfix across a network?

  42. Yes, the un-installer is found here:

    c:\Program Files\WindowMetafile\Fixunins000.exe

  43. How can I uninstall the MSI Hotfix?

  44. msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

  45. I have the hotfix installed, when should I remove it?

  46. The hotfix is written in such a way that it won't interfere with the official Microsoft patch, the author claims. You can un-install it either before or after the Microsoft patch is installed on your system.

  47. Are there any issues with the hotfix?

  48. There are some reports of printing problems and at least one case where a system restore was required.

  49. Are there any issues with un-registering shimgvw.dll?

  50. Other than the workaround being bypassed by a direct call to gdi32.dll (which can then exploit the vulnerability), the only effect is that you won't be able to use the Windows Picture and Fax Viewer.

  51. What are the MD5 and SHA-1 hashes for the hotfix files?

  52. Please read this forum post.

  53. What operating systems does the Hotfix support?

  54. The fix is known to work on Windows 2000, XP (SP1 and SP2), XP64, Windows 2003.

  55. How do I install the hotfix on a single system?

  56. Just run the hotfix executable.

  57. How do I un-install the hotfix on a single system?

  58. Un-install it from the Add/Remove programs window.

  59. How can I tell if I am vulnerable?

  60. Download the WMF exploit checker (link below).

  61. Where can I download the hotfix and checker (and their source codes)?

  62. - WMF hotfix
    - WMF Exploit Checker
    - WMF hotfix source code
    - WMF exploit checker source code

  63. Where can I get support?

  64. In our online Forum here. Ilfak hosts this forum.

  65. I heard there was a leak of the upcoming official Microsoft patch?

  66. Yes, there are reports that the official patch has leaked onto the Internet and that it works wonderfully. It was released to the public officially on Jan 5th. However, it is recommended to wait for January 10th for an official announcement and release from Microsoft.

  67. What happens if I leave the hotfix installed along with the MS official patch?

  68. F-Secure reports that it "seems to co-exist fine with the REGSVR32 workaround and the Ilfak patch." Ilfak states: "Uninstalling the patch does not lead to any loss of functionality but since it serves no purpose anymore, there is no real reason to keep it installed."

  69. Should I install both workarounds?

  70. That depends on how much risk and time you want to put in. Security is about defense in depth, or multiple layers of security. Certainly the hotfix goes straight for the troubled Escape() function, and the un-registration of shimgvw.dll can help. You have to determine what is best for your environment.

  71. I'm nervous about deploying it in a network environment, what should I do?

  72. If you have a test environment trial it there first. If you do not, ask some clients to become part of a test group and trial it with them.

  73. I installed the Hotfix but the checker says I'm still vulnerable, what happened?

  74. Please read this post.

  75. What is the changelog for the Hotfix?

  76. 1.4 - Permits silent installs across a network
    1.3 - Works for Win 2000 SP4 (Code shows this as release 1.2)
    1.2 - check for installed hotfix
    1.1 - initial win2000 support
    1.0 - initial release

  77. What are the timestamps for the Hotfix versions?

  78. 1.0 - 31.12.05 06:??
    1.1 - 31.12.05 23:08
    1.2 - 01.01.06 15:09
    1.3 - 01.01.06 15:54
    1.4 - 02.01.06 23:53

  79. Where did the WMF 0Day Exploit come from?

  80. The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

  81. Looking at the WMF issue, how did it get there (Microsoft's Answer)?

  82. "The long story short is that the vulnerability can be triggered with either correct OR incorrect metafile record size values, there seems to have been some confusion on that point." Full Story

Note: Updated 1955 hrs, 14 Jan UTC-5
Posted on Wednesday, 04 January 2006 @ 11:49:44 UTC by Paul (32038 reads)