Windows WMF Security Flaw

[cfitz]

Another big, gaping hole in Microsoft's rather rusty armor:

http://www.microsoft.com/technet/securi ... 12840.mspx

This one is particularly bad for several reasons:

1. It affects just about every Microsoft OS back through Windows 98
2. It is what is called a "Zero Day" flaw, meaning that the bad guys had already deployed exploits to take advantage of this flaw before the good guys even knew it existed.
3. You can be infected by simply viewing an image on a web site or in an email.

There is no fix yet, but there are several things you can do to help protect yourself:

1. Make sure your antivirus software is up-to-date and is configured to scan web content (http) and email (pop) in real time. Scanning files alone won't protect you.
2. Run the following in a command prompt to disable one of the main known vectors of attack (this will provide some protection at the expense of some loss of function - e.g. no more image previews in Explorer):

Code: Select all

regsvr32 -u %windir%\system32\shimgvw.dll

3. Don't read email from unkown senders or follow links to unkown web sites.
4. Configure your email client to display email in plain text only.
5. Switch to Apple, Linux, etc. (sigh)

For what it is worth, using non-Microsoft browsers (Firefox, Opera) and mail readers (Thunderbird, Eudora) will not protect you. The problem lies in a lower level Window's component that third-party browsers and mail readers also utilize.

Also, for any of you who have been partially following this issue and who have implemented the registry fix, that "fix" has since been proven to be ineffective. As of now the only work-around known to provide at least some protection is the regsvr32 command in step 2 above (and as listed in Microsoft's security bulletin).

cfitz

[dodecahedron]

hi cfitz, nice to see you here again.

thanks for the heads up.

sigh, another reason to hate stupid M$ and Bill Gates and his cursed products.

[cfitz]

You're welcome.

cfitz

[MediumRare]

Wish you'd post more often and with better news, cfitz- Happy New Year!

Although Microsoft has not yet released a patch, there seems to be a private "temporary fixup" to avoid this problem (information from heise- seems to be legitimate: you have to be careful with this sort of thing!)

The patch by Ilfak Guilfanov has bee vetted by ISC and should work for Windows 2000 and newer.

G

[VEFF]

Thanks a lot for the warning cfitz!

Hopefully they'll release a patch soon.

The other patch seems tempting in the meantime, as a temporary fix.
Thanks MediumRare.

[cfitz]

Wish you'd post more often and with better news, cfitz- Happy New Year!

Happy New Year to you too, MediumRare! Sorry to be bearing bad news, though...

Although Microsoft has not yet released a patch, there seems to be a private "temporary fixup" to avoid this problem (information from heise- seems to be legitimate: you have to be careful with this sort of thing!)

Yes, you do have to be careful. But I trust that source. As you say, it has been vetted by various reputable organizations such as ISC/SANS/GRC. I installed the patch earlier today on an XP machine and later today on a 2000 machine. Both seem to be fine.

Mr. Guilfanov has also released a tool to check your Windows 2000 or higher machines for the vulnerability. Since all Windows machines from 98 on up do have the vulnerability, there isn't any sense in just running the tool to see if your particular machine is vulnerable. Instead, run it after you have installed Mr. Guilfanov's patch (and subsequently rebooted your machine) to ensure that the patch was installed successfully.

This is just a temporary patch, and may not protect against all possible attack vectors. However, I am of the opinion that it is better than nothing. And it is easily installed and later, once Microsoft releases an official patch, uninstalled (it has an uninstall entry in Control Panel->Add/Remove Programs).

Those of you who trust in Steve Gibson of GRC may wish to follow along for developments at his site:

http://www.grc.com/sn/notes-020.htm

Stay safe out there!

cfitz

[cfitz]

Microsoft have updated their official security bulletin to indicate that they will release an official patch on January 10 as part of their normal patch release schedule. They said they don't want to release it earlier because they want to ensure that it is well tested.

Researchers have continued to explore the flaw, and the latest findings indicate that although this flaw affects all versions of Windows, it is most likely to affect XP and 2003. The reason is that only XP and 2003 have default handlers for the .WMF file type. Microsoft "upgraded" their Fax and Picture viewer in XP to add support for this obsolete file format and in the process provided a built-in exploit path for the vulnerability.

Older versions of Windows do not have the new viewer, so they appear to require installation of some third-party software that does add default handling for .WMF files (e.g. Lotus Notes) in order to be as vulnerable as XP and 2003.

Since this is a developing story, the above information is subject to change.

cfitz

[cfitz]

Mr. Guilfanov's personal web-site has been shut down to due to excessive bandwidth usage by the huge number of people trying to access it. If you still wish to download the patch, you should be able to get it directly from SANS:

http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Or, you can get the patch and the checker from GRC.com:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://www.grc.com/miscfiles/wmf_checker_hexblog.exe

cfitz

[cfitz]

Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today. If you don't have automatic updates configured, then go to Windows Update and get the patch manually:

http://update.microsoft.com

You can also uninstall Mr. Guilfanov's patch (Control Panel -> Add/Remove Programs) if you installed it earlier, and you can re-register shimgvw.dll if you un-registerd it earlier:

Code: Select all

regsvr32 %windir%\system32\shimgvw.dll

cfitz

[Ian]

Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today.

Let's hope to hell that they tested it.

[cfitz]

Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today.

Let's hope to hell that they tested it.

From what I read it has been well tested by both Microsoft and independent security experts who got hold of an early release version. For what it is worth, I ran Ilfak Guilfanov's vulnerability tester after applying Microsoft's official patch, and it indicated that my machine is protected.

cfitz

[algrinch]

Here is the lastest podcast from Security Now.

Scroll down to:
The Windows MetaFile Backdoor?
http://www.grc.com/securitynow.htm


Steve Gibson is making the accusation that this is a backdoor, built into Windows on purpose by Microsoft. He makes some interesting points.

[LoneWolf]

Gibson's a rather flaky source, though (If you mean Steve Gibson of Gibson Research fame). Tends to have that tinfoil hat on reeeally tight. When you look into how WMF is handled in context with the security flaw, and you consider that this flaw is in every version of Windows since Win95, I think he's just being overly paranoid (and I have a tendency towards paranoia myself). I think Microsoft just designed this at a time when security wasn't the big deal it was today. Heck, NOBODY had broadband internet when Windows 95 was popular, and tons of people didn't even have dialup internet access or e-mail, and the flaw just carried over from version to version up to a point where security, now a major issue, has caused people to go over code a lot more carefully, and analysis revealed a flaw.

[algrinch]

Its quicker to read than it is to listen too. This is the HTML transcript.
http://www.grc.com/sn/SN-022.htm

It is hard to summarize, but the function used to exploit the file shouldn't have been there in the first place. Add to that, there is a very specific way to trigger the exploit. Or to put it another way, the windows function you are calling on shouldn't have been there in the first place, its like the function was added in with this special tigger. Because of this, he believes it wouldn't fall into the category of an error, but, something that was intentionally added. He gives his opinion as his first impression based on what he has learned so far. He goes on to say he may prove himself wrong after further investigation.

I find the technical aspect of this, beyond my understanding, yet still interesting to read. I am generally interested to hear the conspiracy theorys.



Here is a quote of Steve Gibson from the podcast

But, for example, if Microsoft was worried that for some reason in the future they might have cause to get visitors to their website to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website, they have had that ability, and this code gave it to them.

What I find interesting, is how this exploit would benefit Microsoft. With this expoit in place a visit to a Microsoft webpage would allow them to gather information about you, or manipulate your computer without your knowledge.

Gibson's a rather flaky source, though (If you mean Steve Gibson of Gibson Research fame). Tends to have that tinfoil hat on reeeally tight.

I don't have the knowledge to dispute the above statement. Although, I have been seen sporting a tinfoil hat myself, from time to time.

[algrinch]

I guess I can put away my Tinfoil hat.....

You can listen to Steve Gibson backpeddle here...

http://www.grc.com/securitynow.htm

or read it here:
http://www.grc.com/sn/SN-023.htm

Good call LoneWolf...

Al

[cfitz]

Steve Gibson has always had a tendency towards, shall we say, over excitability. You can tell by the breathless tone in which he writes his website. Thus, it is best to turn down the volume a notch when reading his work. Despite this characteristic, though, he still puts out good information and useful tools.

cfitz