echo: nthelp
to: All
from: Geo.
date: 2006-01-03 16:48:52
subject: wmf exploit

From: "Geo." 

handy information

Handler's Diary January 1st 2006

previous - next

WMF FAQ (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 12:56:19 UTC by Johannes Ullrich (Version: 4)
[a few users offered translations of this FAQ into various languages.
Obviously, we can not check the translation for accuracy, nor can we update
them. Most of these translations are hosted on servers operated by the
translation authors. So use at your own risk: Deutsch and Deutsch (pdf),
Catalan, Español, Italiana and Italiana, Polski, Suomenkielinen, Danish,
Japanese, Slovenian, Chinese, Norwegian and Nederlands ]


Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code.
It will execute just by viewing the image. In most cases, you don't have to
click anything. Even images stored on your system may cause the exploit to
be triggered if they are indexed by some indexing software. Viewing a
directory in Explorer with 'Icon size' images will cause the exploit to be
triggered as well. Microsoft announced that an official patch will not be
available before January 10th 2006 (next regular update cycle).

Is it better to use Firefox or Internet Explorer? Internet Explorer will
view the image and trigger the exploit without warning. New versions of
Firefox will prompt you before opening the image. However, in most
environments this offers little protection given that these are images and
are thus considered 'safe'.

What versions of Windows are affected? Windows XP (SP1 and SP2) and Windows
2003 are affected by the currently circulating exploits. Other versions
may be affected to some extent. Mac OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we
believe (untested) that your system is vulnerable and there will be no
patch from MS.  Your mitigation options are very limited. You really need
to upgrade.

What can I do to protect myself?
Microsoft has not yet released a patch. An unofficial patch was made
available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
tested it. The reviewed and tested version is available here (now at v1.4,
MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key)
here. THANKS to Ilfak Guilfanov for providing the patch!! You can
unregister the related DLL. Virus checkers provide some protection. To
unregister the DLL:

Click Start, click Run, type

regsvr32 -u %windir%\system32\shimgvw.dll

(without the quotation marks... our editor keeps swallowing the
backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll),
and then click OK. A dialog box appears to confirm that the
un-registration process has succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the DLL
and to use the unofficial patch.

How does the unofficial patch work? The wmfhotfix.dll is injected into any
process loading user32.dll. The DLL then patches (in memory) gdi32.dll's
Escape() function so that it ignores any call using the SETABORTPROC (i.e.
0x09) parameter. This should allow Windows programs to display WMF files
normally while still blocking the exploit. The version of the patch
located here has been carefully checked against the source code provided as
well as tested against all known versions of the exploit. It should work
on WinXP (SP1 and SP2) and Win2K.

Will unregistering the DLL (without using the unofficial patch) protect me?
It might help. But it is not foolproof. We want to be very clear on this:
we have some very strong indications that simply unregistering the
shimgvw.dll isn't always successful. The .dll can be re-registered by
malicious processes or other installations, and re-registering the .dll on
a running system that has had an exploit run against it may allow the
exploit to succeed. In addition it might be possible for there to be other
avenues of attack against the Escape() function in gdi32.dll. Until there
is a patch available from MS, we recommend using the unofficial patch in
addition to un-registering shimgvw.dll.

Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably
replace it. You'll need to turn off Windows File Protection first. Also,
once an official patch is available you'll need to replace the DLL.
(renaming, rather than deleting is probably better so it will still be
handy).

Should I just block all .WMF images? This may help, but it is not
sufficient. WMF files are recognized by a special header and the extension
is not needed. The files could arrive using any extension, or embedded in
Word or other documents.

What is DEP (Data Execution Protection) and how does it help me? With
Windows XP SP2, Microsoft introduced DEP. It protects against a wide range
of exploits, by preventing the execution of 'data segments'. However, to
work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs,
will provide full DEP protection and will prevent the exploit.

How good are antivirus products at preventing the exploit? At this point, we
are aware of versions of the exploit that will not be detected by antivirus
engines. We hope they will catch up soon. But it will be a hard battle to
catch all versions of the exploit. Up to date AV systems are necessary but
likely not sufficient.

How could a malicious WMF file enter my system? There are too many methods
to mention them all. E-mail attachments, web sites, instant messaging are
probably the most likely sources. Don't forget P2P file sharing and other
sources.

Is it sufficient to tell my users not to visit untrusted web sites? No. It
helps, but it's likely not sufficient. We had at least one widely trusted
web site (knoppix-std.org) which was compromised. As part of the
compromise, a frame was added to the site redirecting users to a corrupt
WMF file. "Trusted" sites have been used like this in the past.

What is the actual problem with WMF images here? WMF images are a bit
different from most other images. Instead of just containing simple 'this
pixel has that color' information, WMF images can call external procedures.
One of these procedure calls can be used to execute the code.

Should I use something like "dropmyrights" to lower the impact of
an exploit?
By all means yes. Also, do not run as an administrator-level user for
every day work. However, this will only limit the impact of the exploit,
and not prevent it. Also: Web browsing is only one way to trigger the
exploit. If the image is left behind on your system, and later viewed by an
administrator, you may get 'hit'.

Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these images
indexed? Do you sometimes use a web browser on the server? In short: If
someone can get an image to your server, and if the vulnerable DLL may look
at it, your server may very well be vulnerable.

What can I do at my perimeter / firewall to protect my network? Not much. A
proxy server that strips all images from web sites? Probably won't go over
well with your users. At least block .WMF images (see above about
extensions...). If your proxy has some kind of virus checker, it may catch
it. Same for mail servers. The less you allow your users to initiate
outbound connections, the better. Close monitoring of user workstations may
provide a hint if a work station is infected.

Can I use an IDS to detect the exploit? Most IDS vendors are working on
signatures. Contact your vendor for details. Bleedingsnort.org is providing
some continuously improving signatures for snort users. Recent releases of
this exploit take advantage of http compression and randomization of the
exploit to evade IDS signatures.

If I get hit by the exploit, what can I do? Not much :-(. It very much
depends on the exact exploit you are hit with. Most of them will download
additional components. It can be very hard, or even impossible, to find all
the pieces. Microsoft offers free support for issues like that at
866-727-2389 (866 PC SAFETY).

Does Microsoft have information available?
http://www.microsoft.com/technet/security/advisory/912840.mspx
Microsoft announced that there will be a patch on January 10th, the next
regular "black Tuesday".


What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
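Two points in the forwarded FAQ deserve a worked illustration: that WMF files are recognised by their header rather than their extension (so blocking ".wmf" is not enough), and that detection (IDS or a mail/proxy scanner) keys on the Escape() record carrying the SETABORTPROC (0x09) parameter. The Python below is an added example written for this post; it is not code from the ISC handlers, from the unofficial patch, or from any IDS vendor. It parses the standard 18-byte WMF header (and the optional 22-byte "placeable" header with key 0x9AC6CDD7), walks the record list, and reports every META_ESCAPE (0x0626) record whose escape code is SETABORTPROC. The fixtures are constructed in the block itself: a header-only metafile, one with an inert SETABORTPROC escape record whose data is all zero bytes (a detection test case, not a working exploit), one with a different escape code, and a JPEG-like blob. The function names (`is_wmf`, `find_escape_records`, `scan`, `build_wmf`) and the fixture values are this example's own choices.

```python
"""Added example: recognise WMF files by header, not extension, and flag
META_ESCAPE records that carry the SETABORTPROC escape discussed in the FAQ."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic at offset 0 of the 22-byte "placeable" WMF header
META_ESCAPE = 0x0626         # WMF record function number for Escape()
META_EOF = 0x0000            # last record of every metafile
SETABORTPROC = 0x0009        # the escape code the exploit abuses


def is_wmf(data: bytes) -> bool:
    """True if the bytes start like a WMF file, whatever the file is called."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mt_type, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        # standard header: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0
        return mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return False


def find_escape_records(data: bytes):
    """Walk the record list; return (offset, escape_code, byte_count) per META_ESCAPE."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18  # skip the standard header
    found = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        if size_words < 3 or func == META_EOF:
            break  # malformed record (could not advance) or end of metafile
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_code, nbytes = struct.unpack_from("<HH", data, off + 6)
            found.append((off, esc_code, nbytes))
        off += size_words * 2
    return found


def scan(name: str, data: bytes) -> dict:
    """Defender-side verdict for one file: is it really WMF, and does it carry SETABORTPROC?"""
    wmf = is_wmf(data)
    escapes = find_escape_records(data) if wmf else []
    return {
        "name": name,
        "extension_wmf": name.lower().endswith(".wmf"),
        "is_wmf": wmf,
        "setabortproc": [e for e in escapes if e[1] == SETABORTPROC],
    }


# --- constructed fixtures (built here, not real samples) -----------------------
def _placeable_header() -> bytes:
    fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", fields):  # checksum = XOR of the ten preceding words
        checksum ^= w
    return fields + struct.pack("<H", checksum)


def _escape_record(esc_code: int, payload: bytes) -> bytes:
    payload += b"\x00" * (len(payload) % 2)            # records are word aligned
    size_words = (6 + 4 + len(payload)) // 2
    return struct.pack("<IHHH", size_words, META_ESCAPE, esc_code, len(payload)) + payload


def build_wmf(records: bytes = b"", placeable: bool = False) -> bytes:
    body = records + struct.pack("<IH", 3, META_EOF)
    max_rec = max(3, len(records) // 2)                # fixtures hold at most one record
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return (_placeable_header() if placeable else b"") + header + body


BENIGN_WMF = build_wmf()                                                     # header + EOF only
INERT_ESCAPE_WMF = build_wmf(_escape_record(SETABORTPROC, b"\x00" * 8))      # zeroed data, detection case only
OTHER_ESCAPE_WMF = build_wmf(_escape_record(0x0001, b"\x00" * 4), placeable=True)
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 20                               # not a WMF at all

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", BENIGN_WMF), ("photo.jpg", INERT_ESCAPE_WMF),
                        ("logo.wmf", OTHER_ESCAPE_WMF), ("real.jpg", JPEG_LIKE)]:
        print(scan(fname, blob))
```

Note that `scan("photo.jpg", INERT_ESCAPE_WMF)` is flagged even though the name says JPEG, which is the FAQ's point about extensions; conversely a genuine ".wmf" that only uses other escapes is left alone. As the FAQ also says, attackers randomise and compress the exploit on the wire, so a structural check like this belongs where the file is already decoded (a mail gateway, an upload handler, a proxy's content scanner), not on raw packet bytes.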
