Admins to Microsoft: WMF?!
By Enterprise IT Planet Staff
January 6, 2006
As everyone is well aware, Microsoft has slowly been trying to mend its image when it comes to security. Automatic updates, a predictable monthly patch strategy, free virus and spyware offerings and XP SP2 were a good start.
The Windows WMF flaw and zero-day created a wide crack in the operating system's steadily improving defenses.
While not a fortress by any stretch of the imagination, compromising a Windows box has become a lot tougher of late. At least that seemed to be the case until 2005 started drawing to a close.
With mere days left on the calendar, and among the distractions of the holidays, a flaw was discovered in the way Windows processes WMF graphics files. An exploit quickly followed. Yes, a zero-day was in the wild: the words no security-minded administrator wants to hear.
IT workers were caught in the middle as they waited for Microsoft to come to their rescue on Tuesday, January 10th. While some anti-virus makers were able to add signatures that block the troublesome code, protection was spotty. All most admins could do was block WMF attachments, issue stern warnings to end-users and hope for the best.
Or they could have tried something a little more daring...
A WMF-busting patch became available, but it was unauthorized. Nonetheless, it attracted the attention of some exasperated techies and brave souls willing to give it a go.
The consensus? It worked.
Naturally, without Microsoft's stamp of approval, there is no telling how it will complicate matters down the road. Few organizations are willing to risk the fallout of making unauthorized changes to the OS for a myriad of reasons including support and software compatibility.
Luckily, Microsoft issued an update much sooner. But for many admins, the unease still lingers.
Note: Any opinions expressed below are solely those of the individual posters on the AntiOnline forums.
HEADS UP - IE vulnerability - EXTREMELY CRITICAL
Counter WMF Exploit with the WMF Exploit
Heads up indeed. ByTeWrangler explains what Windows users are in for.
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats, which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to open a malicious WMF file using a vulnerable application that renders WMF images (e.g. Windows Picture and Fax Viewer), or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.
thehorse13 offers this workaround:
Pffft. Easy workaround tested by yours truly.
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
When a patch is available, re-register the shimgvw.dll (regsvr32 shimgvw.dll).
Also, all you Firefox users, you too can be hosed by this exploit. If you have the Google toolbar installed you will be autopwn3d.
But it's not without some caveats.
shimgvw.dll is a library which contains COM functions used for image rendering. It's used when displaying images and/or faxes. If shimgvw.dll is unavailable, Windows may not be able to display faxes or images. If this is not a problem for you, you can safely remove this file.
Agent_Steal wanted to see just how much damage the exploit could do. Don't say you weren't warned.
I actually clicked on that link; what basically happened to my computer was as follows:
1. All my icons were deleted with the exception of some obscure file being created can't remember the name...
2. My wallpaper just disappeared and the background image was just random colours flashing...
3. Pressing ALT+CTRL+DEL would not allow me to access Windows Task Manager... Kept on telling me that I didn't have Administrative rights...
4. Right Click was disabled as well so I wasn't able to access my Display Properties...
5. Norton Internet Security Suite was completely disabled ... Heck I wasn't even able to use it in Safe Mode...
That's what happened when I clicked on it...
B.T.W. I was running Windows XP SP2 fully patched, Norton Internet Security 2005 latest definitions ... Ewido Anti-Malware 3.5 ... I did a scan with Ewido and before I was clean but once I clicked that link and did a full scan it found Spyware.MiniBug and Spyware.CoolWebSearch well registry entries to be exact...
Don't let your curiosity get the best of ya...
dynamoo raises some troubling possibilities.
At the moment, it seems to be a few infected web sites but there are many other ways that the exploit could be used:
Embedded in an email message (it doesn't need to be an attachment). If you have autopreview on, then the exploit would run automatically without having to do very much.
In the past, legitimate advertising networks have been compromised to spread exploits. It seems that you can rename the WMF extension to something else, and it's STILL possible to infect the machine as the OS doesn't rely on the extension alone.
Through network shares on a corporate network (because of the thumbnailing function).
It must also be theoretically possible to infect a Windows-based web server by uploading an infected file to somewhere that the DLL will trigger. That site could then be used to serve up infected WMF files to visitors. We've seen exploits like this before.
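dynamoo's point that a renamed WMF still gets rendered is why blocking by extension, as many admins did, is not enough. The following is an added example (not from the article or the forum posters) of a content-based check a mail gateway or share scanner could run instead: it recognises WMF data by its placeable-metafile key or its standard META_HEADER fields rather than by file name. The sample attachments are constructed here and contain no exploit payload.

```python
"""Content-based WMF detection, independent of the file extension."""
import struct

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# Standard META_HEADER (18 bytes): Type, HeaderSize (in 16-bit words),
# Version, Size (words), NumberOfObjects, MaxRecord (words), NumberOfMembers.
META_HEADER = struct.Struct("<HHHIHIH")


def is_wmf(data: bytes) -> bool:
    """True if the bytes look like a WMF, whatever the file is called."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < META_HEADER.size:
        return False
    mtype, hsize, version, _size, _objs, _maxrec, _members = META_HEADER.unpack_from(data, 0)
    # Type 1 = memory metafile, 2 = disk metafile; header is always 9 words;
    # only versions 0x0100 and 0x0300 exist. Kept lenient on purpose so a
    # file GDI would still accept is not waved through on a technicality.
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def flag_by_extension(name: str) -> bool:
    """The name-only rule most admins had to fall back on."""
    return name.lower().endswith(".wmf")


def scan(items):
    """items: list of (filename, bytes). Returns names that are WMF by content."""
    return [name for name, data in items if is_wmf(data)]


# Constructed samples: a minimal standard WMF (header + one META_EOF record,
# 12 words total) under a .jpg name, a JPEG SOI marker under a .wmf name, and
# a placeable WMF under a .gif name.
MINIMAL_WMF = META_HEADER.pack(2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLES = [
    ("holiday.jpg", MINIMAL_WMF),
    ("photo.wmf", b"\xff\xd8\xff\xe0" + b"\x00" * 20),
    ("placeable.gif", PLACEABLE_KEY + b"\x00" * 18 + MINIMAL_WMF),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name}: by extension={flag_by_extension(name)} by content={is_wmf(data)}")
```

On the samples above the extension rule flags only the JPEG and misses both real metafiles, while the content check catches the two renamed WMFs and passes the JPEG.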
Share your WMF experiences. And be sure to patch today if you haven't already!