New Windows Metafile (WMF) 0-day exploit in the wild


SpywareDr
December 29th, 2005, 07:25 AM
http://blogs.zdnet.com/Spyware/index.php?p=734
December 28, 2005
New zero day exploit seen in the wild
Posted by Suzi Turner @ 9:45 pm

... a new exploit that affects fully patched Windows XP SP2 machines. Landing on an infected web page can set off the exploit with no user interaction. Firefox and Opera do not prevent this exploit but should prompt the user first. SecurityFocus calls it:

Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability

Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.

Sunbelt researchers have collected more than 50 variants of the Windows Metafiles (WMF) and documented a number of domains running this exploit. Email, blog talkbacks, guestbook links, all could be used to spread this infection. ... F-Secure also says Google Desktop's indexing of metadata of image files can cause the infected file to execute, and gives this warning:

Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer....

Workarounds have been posted at SunbeltBLOG. (http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html)

...More: http://news.google.com/news?hl=en&ned=us&q=wmf&btnG=Search+News

SuperSparks
December 29th, 2005, 01:06 PM
Yes, this one is very worrisome - all it takes is a visit to a malicious website :(

More here:

http://news.bbc.co.uk/1/hi/technology/4566504.stm

http://www.microsoft.com/technet/security/advisory/912840.mspx

ProfessorU
December 29th, 2005, 01:27 PM
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
-microsoft.com

If this is true, how could it be exploited locally?

HAN
December 29th, 2005, 10:03 PM
It's pretty bad. From what I have been told by some researching this, it cannot be repaired. If you're hit with it, a format and reinstall is the only way to fix it... :(
http://www.dslreports.com/forum/remark,15115819

SpywareDr
December 30th, 2005, 07:13 AM
Temporary workaround: http://www.grc.com/sn/notes-020.htm

(Disable/unregister "shimgvw.dll")

HAN
December 30th, 2005, 08:52 AM
One of our members is dealing with this already. At this point, if you get hit, there does not appear to be any way to clean things out!

See the thread for info and f-secure's blog about it...
http://discussions.virtualdr.com/showthread.php?t=199356

imadreamer2
December 31st, 2005, 05:12 AM
If you have your hard drive partitioned into two or three partitions and you would happen to get hit, would you need to format all three partitions or just the C drive? Just in case, it would be nice to know.

Welshjim
December 31st, 2005, 02:06 PM
Note there are downsides to disabling the shimgvw.dll file
http://www.thex.com/security/
(see about 50% of the way down the page)
Not that anyone should lower their defenses, but MS seems to think the problem can be avoided by practicing safe surfing and email opening as noted in the link posted by SuperSparks
http://www.microsoft.com/technet/security/advisory/912840.mspx
And both IESpyAds
https://netfiles.uiuc.edu/ehowes/www/resource.htm
and MVPS HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm
have added sites to their lists which will assist in avoiding sites known to cause the problem.
And another source of sites to be blocked
http://www.psepc-sppcc.gc.ca/prg/em/ccirc/2005/av05-038-en.asp
Interestingly, and disturbingly, each of the mentioned sites rarely lists the same sites to block.

poppy4
December 31st, 2005, 02:10 PM
a-squared updates has (today) added a WMF detection engine.

SpywareDr
December 31st, 2005, 02:51 PM
Lots of bad advice for critical WMF vulnerability! | George Ou | ZDNet.com
http://blogs.zdnet.com/Ou/?p=143

LindaHewitt
December 31st, 2005, 04:22 PM
Based on what I have been reading there are two good defenses against this WMF malware and that is to deploy either hardware DEP or software DEP. The problem occurs because Microsoft allows a graphic to contain executable code and to call home.

Many of the antivirus applications will now detect and block malicious .wmf files and other files that are actually WMF files with a different extension. Microsoft AntiSpyware will let you know that you have been infected and will try to clean the infection.

Unregistering the Picture and Fax viewer will help - as long as there are no other vulnerable image file viewers on your PC.

More Detailed information about the WMF issue:

1. This is not a coding mistake, but a vulnerability *by design* due to the
ability to include callback functions in the WMF file format. If there's one fundamental thing Microsoft should have learned by now, it is that data
files -- *graphics* files especially -- should not have the ability to execute code.

2. Why did it take a bunch of security bloggers to bring up the limitations
of software DEP, and over three days for this to be reflected in the
security advisory? It really looks like it took outside pressure for this
particular line item in the advisory to be modified.

A Fsecure blog entry whose url is:

http://www.f-secure.com/weblog/

notes that, Ilfak Guilfanov, a reputed world master of reverse
engineering Microsoft object code has come up with a quick fix. From
what the blog entry suggests, the fix kind of "no-op's" the miscreant
instruction sequence. Maybe Microsoft could "rebadge" it?

The language of the anti-virus industry will now have to be revised. In
addition to 0 day exploits, we will have to speak in terms of -N day
exploits where N = the number of days from the release of the exploit to
the release of the fix by the software supplier.

For these kinds of -N day exploit situations Microsoft should have an
internal reward system of, say $100,000 (I am not kidding) for the first
Microsoft engineer, admin assistant, janitor, whatever to come up with
a viable fix. It has been suggested, the loss of reputational equity of the
Microsoft brand to Microsoft AND its distribution channel partners of
each hour of delay is probably at least that much, if not more.

Hopefully, today we will see a patch of some kind from Microsoft, so we
can start off 2006 with a clean slate (in the U.S. at least, if not
Asia), of no in the wild exploits like this nasty miscreant.

I have fellow folks who have just software DEP and it did
protect...[vmware] I think what has gone on is that we have way too many
third party apps that do end runs around programs [Irfanview for
example on a box would go around the DEP].

Cheers,

Linda

;) :rolleyes: :cool:

Tuttle
December 31st, 2005, 09:49 PM
There's a new exploit generator out which makes this hard to pick up by virus scanners and IDS appliances:

http://isc.sans.org/diary.php?storyid=992
The exploit generates files: with a random size;
no .wmf extension, (.jpg), but could be any other image extension actually;
a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
a number of possible calls to run the exploit are listed in the source;
a random trailer

poppy4
December 31st, 2005, 10:21 PM
Getting mad about malware

WMF exploit in use.
...as the author says..."maddening".... :mad:


http://blogs.zdnet.com/Spyware/

HAN
December 31st, 2005, 10:28 PM
imadreamer2: I don't think I've read an answer for your particular question. If the partitions are just different drive letters running under the same operating system (like D, E etc., all on the same physical "C" HD), I would be concerned. If my understanding is correct, once the C drive is exploited, anything on the disk would have to suffer the same fate as C. (That still doesn't necessarily mean data couldn't be salvaged...)

If you have 2 bootable operating systems on one drive, that might be different/better. But I have also read this thing can place rootkit corruptions in Windows system files. So I guess no one really knows how bad this could get...

Welshjim
January 1st, 2006, 02:42 PM
I enabled DEP for all programs yesterday (per posts from SpywareDr and Linda Hewitt). So far no adverse results.
Of course, I have no idea how much WMF protection I am getting. :)
I have not used any of the other defenses except IESpyAds and HOSTS.
I also do not use Windows Picture and Fax Viewer to execute any image files.

keywester
January 1st, 2006, 03:40 PM
whoops... :D

SpywareDr
January 2nd, 2006, 09:21 AM
A temporary WMF Exploit patch is available. Started reading about it on Steve Gibson's site: Security Now
http://www.grc.com/sn/notes-020.htm

More about this WMF Patch can be found on the author's site (Ilfak Guilfanov): Windows WMF Metafile Vulnerability HotFix
http://www.hexblog.com/2005/12/wmf_vuln.html

Ilfak has also written a little utility named: WMF Vulnerability Checker
http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Tip: For those of you that have used the CMD:
regsvr32 -u shimgvw.dll
you can now run the CMD:
regsvr32 shimgvw.dll
to restore the "Thumbnail" view in Windows Explorer and Windows Image and FAX viewer.

Tuttle
January 3rd, 2006, 04:55 AM
There's unconfirmed talk that this one runs all the way back to Windows 3.0.

If that's true, and Microsoft stick to their support policy, everyone out there running stuff earlier than Windows 2000 had better start to think about an upgrade.

SpywareDr
January 4th, 2006, 06:11 AM
Both the Internet Storm Center and F-Secure have endorsed Ilfak Guilfanov's unofficial patch (posted above).

MSNBC: Windows PCs face 'huge' virus threat
http://msnbc.msn.com/id/10684853/

usil
January 4th, 2006, 05:07 PM
Everything that I have read says that Ilfak Guilfanov's patch works and it's recommended by everyone.
My question is, someone who has been affected by this exploit, will running the patch solve his problem? I would think so, but I am not 100% sure.
If you have your hard drive partitioned into two or three partitions and you would happen to get hit, would you need to format all three partitions or just the C drive? Just in case, it would be nice to know.
No, the exploit isn't a virus and doesn't contaminate your system. What it does is take advantage of a flaw in Windows that will allow a hacker to take over your computer. Once you plug that hole, I think you are safe (unless someone tells me otherwise). You would not need to format your computer.

poppy4
January 4th, 2006, 05:16 PM
My question is, someone who has been affected by this exploit, will running the patch solve his problem? I would think so, but I am not 100% sure.
usil, from all that I've read, I know of no evidence that the exploit is fixed with the patch if someone already caught it. Nothing has been stated that it would clean an infected system.

usil
January 4th, 2006, 05:21 PM
I disagree. I think this patch plugs the vulnerability, not allowing hackers to take advantage of the flaw and hack your computer. But I will research it in more depth.

usil
January 4th, 2006, 05:28 PM
Relying on DEP is no good:
"We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files."
http://castlecops.com/a6446-Update_on_WMF.html

usil
January 4th, 2006, 05:58 PM
I wrote this in another thread, here it is again.
Regarding whether the patch will fix the exploit of someone who is already affected by it, the answer is yes. It will plug the vulnerability, but it won't get rid of the malware. What happens is, your computer is affected by the exploit, allowing rogue anti-spyware programs to install themselves on your computer without asking you. So the patch will plug the hole, not allowing anything else to get installed by remote, but you would still have to get rid of the rogue anti-spyware malware using the conventional methods (HijackThis etc.).

poppy4
January 4th, 2006, 06:32 PM
Thanks for the clarification...:)

SpywareDr
January 5th, 2006, 05:05 PM
Microsoft's WMF patch is available early ... get it now.

Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Published: January 5, 2006

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Note: If you have Automatic Updates enabled, it will install automatically:

http://h1.ripway.com/SpywareDr/VirtualDr/images/kb912919.gif

usil
January 5th, 2006, 05:17 PM
About time. Thanks!

SpywareDr
January 5th, 2006, 05:26 PM
No problem. :)

Nix
January 5th, 2006, 06:24 PM
Ran the checker at home and it said I wasn't vulnerable, tried installing the patch and couldn't.

Using mainly WinMe and Win98Se at home and I see from the MS link that it only affects Win2000, WinXP and Win2003.

I knew there was a reason I haven't upgraded to XP. ;)

LindaHewitt
January 5th, 2006, 09:25 PM
Actually, it has been reported that this OS code vulnerability problem goes all the way back to W95. Since Microsoft no longer supports any W9x systems, maybe this is the reason that this fix will not work on those systems. Or maybe there is another reason as to why this vulnerability does not affect W9x systems.

Linda

SpywareDr
January 5th, 2006, 11:20 PM
http://www.grc.com/sn/notes-020.htm
Microsoft is not fixing Windows 98/ME . . . so GRC will.

Microsoft has now "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical (instead of just fixing it!). This means that it will probably NOT be updated and patched to eliminate the WMF handling vulnerability that those older versions of Windows apparently still have. (This vulnerability still needs to be confirmed.)

So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

HAN
January 6th, 2006, 12:46 AM
In my web travels, I have not seen tests on older versions of Windows that prove beyond any doubt that 98, 98SE and ME are not vulnerable like MS seems to be saying. I have to admit that I seriously doubt MS's commitment to owners of these older Win versions (even though they said they would stand by us.)

FWIW, there was (and for the moment, is) a patch that will run on older versions of Windows that was put out by eset, makers of NOD32. Apparently, MS contacted eset corporate and asked them to no longer list it. The reason given can be seen here. (FWIW, Mr. Monti is the writer of many of NOD32's standalone cleanup utilities.) http://www.wilderssecurity.com/showthread.php?t=114251&page=2

The patch has been looked at by a user here (5th post from the bottom) http://www.dslreports.com/forum/remark,15115819~days=9999~start=740

The download link posted still works at this moment http://www.eset.com/download/wmfpatch11.zip

I have downloaded it and ran it on my 98SE laptop. So far, I have no negative issues at all and my install looks the same as the user I posted about above. I plan to install the patch on all PCs I have contact with that are Win 98 thru ME. Thought some of you may find this useful... :)

SpywareDr
January 6th, 2006, 04:00 AM
Thanks HAN! I too still deal with Win98 machines on a daily basis.

Find it interesting that Microsoft has decided not to release a WMF patch for 95/98/Me -and- has asked ESET to pull theirs? :confused:

Anyway ... for all you/us Windows 95/98/Me users:

http://www.wilderssecurity.com/showthread.php?t=114251&page=2
Wilders Security Forums > Official Eset NOD32 Antivirus Forum > NOD32 version 2 Forum
Microsoft Media File Vulnerability

Paolo Monti
Eset Moderator
Join Date: Oct 2002
Location: Rome, Italy
Posts: 278

AFAIK, Microsoft asked Eset to withdraw the patch to avoid any possible issue with the upcoming official patch. Up to now, we didn't get any request from MS, so the patch is still available on our website (I mean, nod32.it).

I want to clarify that I'm the sole author of the patch and that Eset didn't endorse my unofficial patch in any way. I just wrote it for the PCs in my LAN, then when I read that Ilfak released his own unofficial patch I decided to do the same, since Ilfak's patch doesn't work on Win 9x/ME.

Like Ilfak, I also strongly suggest to uninstall the patch as soon as MS will release an official one.

ciao,
Paolo.
--

http://www.nod32.ch/en/download/tools.php
ESET > NOD32 > Free Tools
Paolo Monti (NOD32 Italy) provides convenient stand-alone cleaners for a great number of malware.
WMF Patch by Paolo Monti
Update January 5 2006 [23:10 UTC+1]:

...

Paolo Monti has released a temporary patch for the WMF vulnerability ( see Microsoft Security Bulletin 912840 (http://www.microsoft.com/technet/security/advisory/912840.mspx) ). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required.

This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT,2000,XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it.

Download Site 1: WMFPATCH11.ZIP
http://d1.nod32.ch/download/wmfpatch11.zip

Download Site 2: WMFPATCH11.ZIP
http://www.idiosyn.ch/download/wmfpatch11.zip

...

This patch is provided without warranties of any kind. Use it at your own risk. We recommend to uninstall this temporary patch before applying [any] official Microsoft patch ... As an alternative to this patch you can also install the 30 day free trial version of NOD32 antivirus.
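The ESET description above says the patch filters Escape calls whose sub-function is SETABORTPROC (function 9), and Tuttle's earlier post notes that the generated exploit files use random sizes, non-.wmf extensions and junk records. As an added example (not from the page, ESET, or Ilfak's tools), here is a small Python scanner that walks a metafile's record list by the records' own length fields and reports any Escape record carrying that sub-function, regardless of extension; the record constants come from the public WMF format and the sample files are constructed inline with empty escape data.

```python
import struct

META_ESCAPE = 0x0626          # WMF record type carrying a GDI Escape() call
META_EOF = 0x0000             # terminating record
META_SETMAPMODE = 0x0103      # harmless record used as filler below
SETABORTPROC = 0x0009         # Escape sub-function the unofficial patches filter
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte placeable header

def wmf_escape_functions(data: bytes) -> list:
    """Return the Escape sub-function numbers found in a WMF byte string.

    Records are walked by their own length field, so the file extension,
    filler records and random sizes do not matter. Parsing stops at META_EOF,
    a record too small to be valid, or the end of the buffer (truncated file).
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22                                   # skip placeable header
    if len(data) < pos + 18:
        return []                                  # no room for META_HEADER
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    pos += header_words * 2                        # normally 9 words = 18 bytes
    found = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:     # size covers its own 6 bytes
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            found.append(struct.unpack_from("<H", data, pos + 6)[0])
        pos += size_words * 2
    return found

def is_suspicious_wmf(data: bytes) -> bool:
    """True if any Escape record requests SETABORTPROC (function 9)."""
    return SETABORTPROC in wmf_escape_functions(data)

# --- constructed sample files for the scanner (not real captures) ---------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records: bytes) -> bytes:
    # META_HEADER: disk metafile, 9-word header, version 3.0, size in words,
    # object count, max record size, reserved.
    size_words = (18 + len(records)) // 2
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 0, 0) + records

BENIGN_WMF = _wmf(_record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF))
SUSPICIOUS_WMF = _wmf(
    _record(META_SETMAPMODE, struct.pack("<H", 8))               # filler record
    + _record(META_ESCAPE, struct.pack("<HH", 1, 0))             # Escape NEWFRAME, harmless
    + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))  # the flagged call
    + _record(META_EOF)
)
# Same records behind a placeable header (checksum field left 0; not validated).
PLACEABLE_WMF = struct.pack("<IH4HHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + SUSPICIOUS_WMF
```

Because the check keys on the record structure rather than the extension, a renamed .jpg that is really a metafile is scanned the same way as a .wmf.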

usil
January 6th, 2006, 04:10 AM
Eset claim that someone using Nod32 was protected against this flaw in any case through the heuristic filter called Threatsense. If that is true, it makes me feel a whole lot safer using Nod32. Great product!

usil
January 7th, 2006, 09:49 PM
Here is an interesting short article about which AVs would have detected the latest Windows exploit.
AV-Test, an independent test lab that tracks malware and anti-malware products, has been closely tracking detection of exploits based on the WMF flaw. Below is an update as of the morning of January 4 to the anti-virus detection stats for WMF variants we published earlier in the week. There's both good news and not so good news in it. The original numbers are below the first set on this page.

Read the rest to see which AVs would have kept you safe, as of January 4th.
http://www.pcmag.com/article2/0,1895,1907518,00.asp

LindaHewitt
January 7th, 2006, 10:23 PM
Usil,

Thanks for posting this.

Cheers,

Linda

usil
January 7th, 2006, 10:44 PM
I know you are a big fan of Panda, Linda. Unfortunately, they didn't make the grade. Panda and TrendMicro are the only two that surprise me, especially as Panda usually have daily updates (more than one sometimes).
Whoever is using AVG, please stop using it. They fail so many tests I've lost count. Avast is much superior in all testing done, and it's also free.

poppy4
January 7th, 2006, 11:11 PM
Thanks for the link usil.
I agree about avast.
works well, and free.

HAN
February 2nd, 2006, 12:05 PM
Looks like someone was trying to use the WMF for spying...
http://news.zdnet.com/2100-1009_22-6029691.html