New Windows Metafile (WMF) 0-day exploit in the wild

  1. #1
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

    New Windows Metafile (WMF) 0-day exploit in the wild

    http://blogs.zdnet.com/Spyware/index.php?p=734
    December 28, 2005
    New zero day exploit seen in the wild
    Posted by Suzi Turner @ 9:45 pm

    ... a new exploit that affects fully patched Windows XP SP2 machines. Landing on an infected web page can set off the exploit with no user interaction. Firefox and Opera do not prevent this exploit but should prompt the user first. SecurityFocus calls it: Microsoft Windows Graphics Rendering Engine WMF Format Unspecified Code Execution Vulnerability
    Microsoft Windows WMF graphics rendering engine is affected by a remote code execution vulnerability. The problem presents itself when a user views a malicious WMF formatted file, triggering the vulnerability when the engine attempts to parse the file. The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine. Microsoft Windows XP is considered to be vulnerable at the moment. It is likely that other Windows operating systems are affected as well.
    Sunbelt researchers have collected more than 50 variants of the Windows Metafiles (WMF) and documented a number of domains running this exploit. Email, blog talkbacks, guestbook links, all could be used to spread this infection. ... F-Secure also says Google Desktop's indexing of metadata of image files can cause the infected file to execute, and gives this warning:
    Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.
    ...

    Workarounds have been posted at SunbeltBLOG. (http://sunbeltblog.blogspot.com/2005...f-exploit.html)

    ...
    More: http://news.google.com/news?hl=en&ne...nG=Search+News
    Last edited by SpywareDr; December 29th, 2005 at 07:32 AM.

  2. #2
    Join Date
    Apr 2000
    Location
    Friern Barnet, London, England
    Posts
    46,565
    Yes, this one is very worrisome - all it takes is a visit to a malicious website

    More here:

    http://news.bbc.co.uk/1/hi/technology/4566504.stm

    http://www.microsoft.com/technet/sec...ry/912840.mspx
    Nick.

  3. #3
    Join Date
    Jul 2001
    Location
    Chicago
    Posts
    1,107
    An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    -microsoft.com

    If this is true, how could it be exploited locally?
    ___________________________________________

    I'm a cinematographer and director of photography in Milwaukee.
    I use Windows, OSX, and 40 TB of storage to tell stories with my
    Sony FS7 | Panasonic GH4 | 5D mark III
    Find me on Google + | Facebook | Twitter

  4. #4
    HAN, Virtual PC Specialist
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    It's pretty bad. From what I have been told by some researching this, it cannot be repaired. If you're hit with it, a format and reinstall is the only way to fix it...
    http://www.dslreports.com/forum/remark,15115819

  5. #5
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806

  6. #6
    HAN, Virtual PC Specialist
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    One of our members is dealing with this already. At this point, if you get hit, there does not appear to be any way to clean things out!

    See the thread for info and f-secure's blog about it...
    http://discussions.virtualdr.com/sho...d.php?t=199356

  7. #7
    Join Date
    Sep 2001
    Location
    Davenport, Iowa, USA
    Posts
    851
    If you have your hard drive partitioned into two or three partitions and you would happen to get hit, would you need to format all three partitions or just the C drive? Just in case, it would be nice to know.
    imadreamer2

  8. #8
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    Note there are downsides to disabling the shimgvw.dll file
    http://www.thex.com/security/
    (see about 50% of the way down the page)
    Not that anyone should lower their defenses, but MS seems to think the problem can be avoided by practicing safe surfing and email opening as noted in the link posted by SuperSparks
    http://www.microsoft.com/technet/sec...ry/912840.mspx
    And both IESpyAds
    https://netfiles.uiuc.edu/ehowes/www/resource.htm
    and MVPS HOSTS file
    http://www.mvps.org/winhelp2002/hosts.htm
    have added sites to their lists which will assist in avoiding sites known to cause the problem.
    And another source of sites to be blocked
    http://www.psepc-sppcc.gc.ca/prg/em/...v05-038-en.asp
    Interestingly, and disturbingly, each of the mentioned sites rarely lists the same sites to block.
    Last edited by Welshjim; December 31st, 2005 at 02:28 PM.
    Jim
    WIN7 Ultimate SP1 64bit, IE 11, NTFS,
    cable, MS Security Essentials, Windows 7 firewall

  9. #9
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    a-squared's updates have (today) added a WMF detection engine.

  10. #10
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Lots of bad advice for critical WMF vulnerability! | George Ou | ZDNet.com
    http://blogs.zdnet.com/Ou/?p=143

  11. #11
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Based on what I have been reading, there are two good defenses against this WMF malware: deploying either hardware DEP or software DEP. The problem occurs because Microsoft allows a graphic to contain executable code and to call home.

    Many of the antivirus applications will now detect and block malicious .wmf files and other files that are actually WMF files with a different extension. Microsoft AntiSpyware will let you know that you have been infected and will try to clean the infection.

    Unregistering the Picture and Fax viewer will help - as long as there are no other vulnerable image file viewers on your PC.

    More Detailed information about the WMF issue:

    1. This is not a coding mistake, but a vulnerability *by design* due to the ability to include callback functions in the WMF file format. If there's one fundamental thing Microsoft should have learned by now, it is that data files -- *graphics* files especially -- should not have the ability to execute code.

    2. Why did it take a bunch of security bloggers to bring up the limitations of software DEP, and over three days for this to be reflected in the security advisory? It really looks like it took outside pressure for this particular line item in the advisory to be modified.

    An F-Secure blog entry whose URL is:

    http://www.f-secure.com/weblog/

    notes that Ilfak Guilfanov, a reputed world master of reverse engineering Microsoft object code, has come up with a quick fix. From what the blog entry suggests, the fix kind of "no-op's" the miscreant instruction sequence. Maybe Microsoft could "rebadge" it?

    The language of the anti-virus industry will now have to be revised. In addition to 0 day exploits, we will have to speak in terms of -N day exploits where N = the number of days from the release of the exploit to the release of the fix by the software supplier.

    For these kinds of -N day exploit situations Microsoft should have an internal reward system of, say $100,000 (I am not kidding) for the first Microsoft engineer, admin assistant, janitor, whatever to come up with a viable fix. It has been suggested that the loss of reputational equity of the Microsoft brand to Microsoft AND its distribution channel partners for each hour of delay is probably at least that much, if not more.

    Hopefully, today we will see a patch of some kind from Microsoft, so we can start off 2006 with a clean slate (in the U.S. at least, if not Asia), of no in the wild exploits like this nasty miscreant.

    I have fellow folks who have just software DEP and it did protect...[vmware] I think what has gone on is that we have way too many third party apps that do end runs around programs [Irfanview for example on a box would go around the DEP].
    Cheers,

    Linda

    Last edited by LindaHewitt; December 31st, 2005 at 04:26 PM.

  12. #12
    Join Date
    Feb 2001
    Location
    Adelaide, South Australia
    Posts
    6,447
    There's a new exploit generator out which makes this hard to pick up by virus scanners and IDS appliances:

    http://isc.sans.org/diary.php?storyid=992
    The exploit generates files:
    • with a random size;
    • no .wmf extension, (.jpg), but could be any other image extension actually;
    • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
    • a number of possible calls to run the exploit are listed in the source;
    • a random trailer
    Safe computing is a habit, not a toolkit.
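    The generator described in the post above hides WMF content behind other image extensions and pads it with junk records, which is exactly why extension-based filtering misses it. The following is an added example, not code from the thread, from SANS ISC or from any product mentioned here: a content-based check that identifies WMF data by its header regardless of extension, walks the record stream, and flags Escape records that register the SETABORTPROC callback (the "callback function" mechanism the earlier post refers to). Field layouts follow the WMF specification; the sample files are constructed inline and the finding labels are this example's own.

```python
import struct
from typing import Iterator, List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional 22-byte "placeable" wrapper
META_ESCAPE = 0x0626         # record function number of an Escape record
SETABORTPROC = 0x0009        # Escape sub-function that registers a callback
META_EOF = 0x0000            # record function number that terminates the stream


def _strip_placeable(data: bytes) -> bytes:
    """Drop the placeable wrapper, if present, so the standard header is at offset 0."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """Identify WMF by its standard header, not by the file name."""
    data = _strip_placeable(data)
    if len(data) < 18:  # standard header is 9 WORDs
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def wmf_records(data: bytes) -> Iterator[Tuple[Optional[int], bytes]]:
    """Yield (function, params) per record; (None, b'') marks a malformed record size."""
    data = _strip_placeable(data)
    offset = 18
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:  # a record cannot be smaller than its own 6-byte header
            yield None, b""
            return
        size_bytes = size_words * 2
        yield func, data[offset + 6 : offset + size_bytes]
        if func == META_EOF:
            return
        offset += size_bytes


def scan(filename: str, data: bytes) -> List[str]:
    """Return finding labels for one file; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not is_wmf(data):
        return findings
    if not filename.lower().endswith(".wmf"):
        findings.append("wmf-content-with-non-wmf-extension")
    for func, params in wmf_records(data):
        if func is None:
            findings.append("malformed-record-size")
            break
        if (func == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
            findings.append("escape-setabortproc-callback")
    return findings


# --- constructed sample inputs (not real captures) -------------------------
def _header(file_size_words: int, max_record_words: int) -> bytes:
    # FileType=2 (disk), HeaderSize=9, Version=0x0300, FileSize, NumObjects=0, MaxRecord, NumParams=0
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, file_size_words, 0, max_record_words, 0)

EOF_RECORD = struct.pack("<IH", 3, META_EOF)
# Escape record: size=5 words, META_ESCAPE, EscapeFunction=SETABORTPROC, ByteCount=0
ESCAPE_RECORD = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)

BENIGN_WMF = _header(12, 3) + EOF_RECORD
RENAMED_WMF = _header(17, 5) + ESCAPE_RECORD + EOF_RECORD          # served as "holiday.jpg"
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + BENIGN_WMF
REAL_JPEG_PREFIX = b"\xff\xd8\xff\xe0" + b"\x00" * 32                 # not WMF at all

if __name__ == "__main__":
    for name, blob in [("photo.wmf", BENIGN_WMF), ("holiday.jpg", RENAMED_WMF),
                       ("chart.jpg", PLACEABLE_WMF), ("real.jpg", REAL_JPEG_PREFIX)]:
        print(name, scan(name, blob))
```

    The scanner deliberately reports a record whose size field is smaller than its own header as a finding rather than silently stopping, since a parser that bails out quietly on malformed sizes is easy to walk past.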

  13. #13
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    Getting mad about malware

    WMF exploit in use.
    ...as the author says..."maddening"....

    http://blogs.zdnet.com/Spyware/

  14. #14
    HAN, Virtual PC Specialist
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    imadreamer2: I don't think I've read an answer for your particular question. If the partitions are just different drive letters running under the same operating system (like D, E etc., all on the same physical "C" HD), I would be concerned. If my understanding is correct, once the C drive is exploited, anything on the disk would have to suffer the same fate as C. (That still doesn't necessarily mean data couldn't be salvaged...)

    If you have 2 bootable operating systems on one drive, that might be different/better. But I have also read this thing can place rootkit corruptions in Windows system files. So I guess no one really knows how bad this could get...

  15. #15
    Join Date
    Jun 2001
    Location
    Albuquerque, NM USA
    Posts
    14,686
    I enabled DEP for all programs yesterday (per posts from SpywareDr and Linda Hewitt). So far no adverse results.
    Of course, I have no idea how much WMF protection I am getting.
    I have not used any of the other defenses except IESpyAds and HOSTS.
    I also do not use Windows Picture and Fax Viewer to execute any image files.
    Jim
    WIN7 Ultimate SP1 64bit, IE 11, NTFS,
    cable, MS Security Essentials, Windows 7 firewall
