Critical Flaw Detected in Windows Metafile

Old 12-30-05, 10:28 AM
  #1  
Admin-Thanos
Thread Starter
 
VinVega's Avatar
 
Join Date: Nov 2000
Location: Caught between the moon and NYC
Posts: 31,143
Critical Flaw Detected in Windows Metafile

Yahoo linky
Jay Wrolstad, newsfactor.com
Thu Dec 29, 4:10 PM ET

A vulnerability has been discovered in Microsoft Windows that allows hackers to remotely access PCs and install malware through an imaging-handling technology in the operating system.

Microsoft acknowledged the release of exploit code that could allow an attacker to execute arbitrary code when someone visits a Web site that contains a specially crafted Windows Metafile (WMF) image. Security authority Secunia labeled the vulnerability "extremely critical."


Malicious Graphics Files

WMF images are graphical files that can contain both vector and bitmap-based picture information. Microsoft Windows contains routines for displaying such files, but a lack of input validation in one of these routines may allow a buffer overflow to occur, which in turn may allow remote code execution.

The vulnerability can also be triggered from the Internet Explorer browser if the malicious file has been saved to a folder and renamed to other image file extensions such as ".jpg," ".gif," ".tif," and ".png." It has been detected on a patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 systems also are affected.

Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library.

The flaw has also raised concerns that Google Desktop may be another potential attack vector, and that various antivirus software products cannot detect all known exploits for this vulnerability.

A Familiar Problem

By default, Explorer on those operating systems runs in a restricted mode known as Enhanced Security Configuration, which Microsoft said mitigates this vulnerability as far as e-mail is concerned, although clicking on a link in a message would still put users at risk.

Yankee Group senior analyst Andrew Jaquith characterized the vulnerability as a serious security issue that has cropped up before in browsers, including Firefox and Safari. "It's particularly nasty because the browser automatically loads images when users visit a Web site. There is no built-in protection," he said.

Jaquith predicted that additional exploits of the vulnerability are expected since there is no patch available and the security hole is difficult to plug.

People who use Windows are advised to be wary when opening e-mail and links in e-mail from sources they don't trust. They should not save, open or preview image files from unfamiliar sources. And, as always, people are encouraged to update the patches for their operating systems.

Microsoft vowed to investigate the vulnerability and to provide a security update when it becomes available. Customers who believe they may have been affected may contact the company's Product Support Services.

I'm pretty sure I got hit by this the other day (I was at a site I probably shouldn't have been at, and I'll leave it at that). I wound up wiping my PC as a result of this. The Windows Picture and Fax Viewer popped up briefly and my machine seemed to freeze. Within minutes my virus software and antispyware were going off like a Christmas tree. It installed some SpySheriff crap on my machine and I followed all the steps to remove it, but my browser was still acting strangely and a day later another trojan decided to install itself and there were weird HTTP requests coming from my machine, so I just said screw it to be safe and wiped it. It doesn't sound like a patch for this is coming any time soon, so just be aware.

Last edited by VinVega; 12-30-05 at 02:54 PM.
VinVega is offline  
Old 12-31-05, 10:16 PM
  #2  
DVD Talk Legend
 
Join Date: Jan 2000
Posts: 16,173
A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
4KRG is offline  
Old 12-31-05, 11:31 PM
  #3  
DVD Talk Legend
 
Join Date: Apr 2002
Posts: 20,687
Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles.
Not sure what this means. This flaw still can affect users of non-IE browsers?

But the malware still could infect other computers in the network by drawing in worms to bounce around.
Ranger is offline  
Old 01-01-06, 05:42 PM
  #4  
DVD Talk Legend
 
Join Date: Apr 2002
Posts: 20,687
Ok, read up a bit more on it. Brief summary of what I got from the link below.

http://www.aota.net/forums/showthread.php?p=143053

It can happen automatically with IE but for other browsers like FF, you get a confirmation dialog or a request to download the image. The dll fix works but ms paint can get around it so avoid using the program. Other suggestion was getting rid of browser toolbars, google toolbar will index all wmf files and automatically run the code in them.
Ranger is offline  
Old 01-02-06, 10:10 AM
  #5  
Admin-Thanos
Thread Starter
 
VinVega's Avatar
 
Join Date: Nov 2000
Location: Caught between the moon and NYC
Posts: 31,143
WMF flaw can't wait for Microsoft fix, researchers say

Computerworld article
JANUARY 02, 2006 (IDG NEWS SERVICE) - Users of the Windows OS should install an unofficial security patch now without waiting for Microsoft Corp. to make its move, security researchers at The SANS Institute's Internet Storm Center (ISC) advised yesterday.

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an e-mail message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense Inc. and F-Secure Corp. said (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

Even though the file is labelled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.

Microsoft said in an advisory last week that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen wrote in the company's blog.

In addition, source code for a new exploit was widely available on the Internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers said.

Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC Web site.

"We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston wrote in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston wrote.

In the diary, ISC provided a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

While ISC recognizes that corporate users will find it unacceptable to install an unofficial patch, "Acceptable or not, folks, you have to trust someone in this situation," Liston wrote.

Microsoft representatives could not immediately be reached for comment on this morning.

Guilfanov published his patch on his Web site on Saturday. His introduction to it can be found at http://www.hexblog.com/2005/12/wmf_vuln.html.

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's blog on Saturday night, and then yesterday echoed the ISC's advice to install the patch.

Not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.

According to Ken Dunham, director of the rapid response team at iDefense Inc., Windows machines running Windows Data Execution Prevention (DEP) software are at least safe from the WMF attacks seen so far. However, Microsoft said that software DEP offered no protection from the threat, although hardware DEP may help.
VinVega is offline  
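The "HappyNewYear.jpg" attachment above works because Windows dispatches on the file's content, not its extension, so a defender's scan should look at the bytes too. The following is an added example, not code from the article, any of the posters, or any vendor: it flags files whose image extension hides a WMF header (the placeable-WMF key 0x9AC6CDD7 or a standard METAHEADER). The sample inputs are constructed, and the names looks_like_wmf, classify and scan_directory are chosen here.

```python
import os
import struct

# Magic bytes a file carrying each of these image extensions should start with
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",),
    ".tif": (b"II*\x00", b"MM\x00*"), ".tiff": (b"II*\x00", b"MM\x00*"),
}
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, little-endian

# Constructed samples (not real exploit files): a minimal standard WMF
# (METAHEADER: disk type 2, 9-word header, version 3.0, then an EOF record),
# a placeable-WMF key with zeroed remainder, and the opening bytes of a JPEG.
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_PLACEABLE = PLACEABLE_WMF_KEY + b"\x00" * 18
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes open with a placeable or standard WMF header."""
    if data[:4] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < 6:
        return False
    mt_type, header_size, version = struct.unpack("<HHH", data[:6])
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def classify(filename: str, data: bytes) -> str:
    """'wmf-disguised': WMF bytes behind an image extension; 'ok': extension and
    magic agree; 'wmf': metafile under a non-image extension; 'unknown': else."""
    ext = os.path.splitext(filename)[1].lower()
    if looks_like_wmf(data):
        return "wmf-disguised" if ext in IMAGE_MAGIC else "wmf"
    if any(data.startswith(m) for m in IMAGE_MAGIC.get(ext, ())):
        return "ok"
    return "unknown"

def scan_directory(root: str):
    """Yield paths under root whose image extension hides a WMF header.
    Only the first 22 bytes are read, so nothing is ever rendered."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(22)
            except OSError:
                continue
            if classify(name, head) == "wmf-disguised":
                yield path
```

Running scan_directory over a mail attachment folder or a desktop-search index directory lists the renamed metafiles without opening them in a viewer.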
Old 01-03-06, 02:08 PM
  #6  
DVD Talk Platinum Edition
 
Join Date: Jan 2002
Posts: 3,236
“The potential [security threat] is huge,” said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. “It’s probably bigger than for any other vulnerability we’ve seen. Any version of Windows is vulnerable right now.”


This is huge. We will be dealing with this one for months. Even worse, MS does not plan to issue a patch for ME or 98. I expect that public pressure will force them to re-think that stance.

I'm surprised there are only 4 posts in this 2-day-old thread. I hope that more publicity will alert people about the problem.
Pistol Pete is offline  
Old 01-03-06, 06:45 PM
  #7  
DVD Talk Hero
 
CRM114's Avatar
 
Join Date: Jun 2001
Posts: 42,726
All I can say is once again, I'm glad I have Macs and my place of work is 95% Macs.

CRM114 is offline  
Old 01-03-06, 06:56 PM
  #8  
DVD Talk Hall of Fame
 
Lateralus's Avatar
 
Join Date: Jun 2001
Location: Valley of Megiddo
Posts: 9,569
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."


- Microsoft Security Advisory (912840)

Frickin idiots!
Lateralus is offline  
Old 01-03-06, 06:59 PM
  #9  
DVD Talk Hall of Fame
 
Lateralus's Avatar
 
Join Date: Jun 2001
Location: Valley of Megiddo
Posts: 9,569
http://isc.sans.org/

This page changes every day, but today and the last couple of days it is all about this exploit. Pistol Pete is right, this is huge; it won't be patched till Jan 10th.

"And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame. You are!"
Lateralus is offline  
Old 01-03-06, 08:54 PM
  #10  
DVD Talk Gold Edition
 
Join Date: Feb 2002
Posts: 2,969
Actually, I have read if you constantly update AVG Anti-Virus 7.1 you will be able to avoid the problem, as AVG will stop the attack in its tracks.
RayChuang is offline  
Old 01-03-06, 08:59 PM
  #11  
Suspended
 
Join Date: Jan 2002
Posts: 52,192
I have AVG and have it automatically install updates. Much better than Norton which is just a hog of a program.
DVD Polizei is offline  
Old 01-05-06, 01:41 PM
  #12  
DVD Talk Legend
 
Join Date: Apr 2002
Location: Michigan
Posts: 10,989
Better late than never I suppose...

http://www.cnn.com/2006/TECH/interne...eut/index.html

Here is an *unofficial* Hotfix.
http://handlers.sans.org/tliston/WMFHotfix-1.4.msi

They say to remove the HotFix via Add/Remove programs before applying the official Microsoft patch when that arrives next week.
Snowmaker is offline  
Old 01-05-06, 03:30 PM
  #13  
HN
DVD Talk Hall of Fame
 
Join Date: Oct 1999
Location: Los Angeles, CA
Posts: 8,359
Official patch available: (remember to uninstall the unofficial fix before installing MS')
http://www.microsoft.com/technet/sec.../ms06-jan.mspx
HN is offline  
Old 01-05-06, 04:46 PM
  #14  
DVD Talk Gold Edition
 
Join Date: May 2002
Location: waiting for forum.dvdtalk.com ...
Posts: 2,755
Download page for Windows XP SP1/SP2.

Requires a restart.
kms_md is offline  
Old 01-05-06, 05:03 PM
  #15  
DVD Talk Legend
 
Join Date: Apr 2003
Location: Land of the Lobstrosities
Posts: 10,300
I haven't applied any patches or workarounds but I tried out this test image and Avast caught it.

You can use our test image at http://sipr . net/test . wmf as a test to make sure you are not vulnerable. The test image will start the calculator if you are vulnerable.
wmansir is offline  
Old 01-05-06, 05:47 PM
  #16  
DVD Talk Legend
 
Join Date: Apr 2002
Location: Michigan
Posts: 10,989
It just came up in my Auto Updates. Now I don't have to use the unofficial one.
Snowmaker is offline  
Old 01-05-06, 07:23 PM
  #17  
DVD Talk Legend
 
Join Date: Apr 2002
Posts: 20,687
Originally Posted by wmansir
I haven't applied any patches or workarounds but I tried out this test image and Avast caught it.
Just tested this. IE and FF just prompted for it to save as a download. I think with IE w/o the patch, the flaw would have happened automatically so I guess this patch is a start.
Ranger is offline  
Old 01-05-06, 08:04 PM
  #18  
DVD Talk Hero
 
Join Date: Aug 2000
Location: Bartertown due to it having a better economy than where I really live, Buffalo NY
Posts: 29,694
McAfee caught that test too.
FF prompted to save or open, I canceled, then the McAfee warning came up.
mikehunt is offline  
Old 01-05-06, 08:14 PM
  #19  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,690
Originally Posted by Ranger
Just tested this. IE and FF just prompted for it to save as a download. I think with IE w/o the patch, the flaw would have happened automatically so I guess this patch is a start.
I tried it without any patch and IE prompted me. I have my system tied down pretty tightly.
X is offline  
Old 01-05-06, 09:06 PM
  #20  
DVD Talk Legend
 
Join Date: Apr 2002
Posts: 20,687
What setting in IE would have forced the prompt without the patch?
Ranger is offline  
Old 01-05-06, 09:29 PM
  #21  
X
Administrator
 
X's Avatar
 
Join Date: Oct 1987
Location: AA-
Posts: 10,690
I don't specifically know. I just don't allow much of anything to happen automatically in IE. Certainly, no ActiveX execution. I barely have pdfs showing without confirmation.
X is offline  
Old 01-06-06, 12:39 PM
  #22  
Admin-Thanos
Thread Starter
 
VinVega's Avatar
 
Join Date: Nov 2000
Location: Caught between the moon and NYC
Posts: 31,143
Originally Posted by X
I don't specifically know. I just don't allow much of anything to happen automatically in IE. Certainly, no ActiveX execution. I barely have pdfs showing without confirmation.
Tools/Internet Options/Security tab - internet security level to high?

That would make for a lot more clicking as you browse the internet.
VinVega is offline  
Old 01-06-06, 02:45 PM
  #23  
DVD Talk Legend
 
Join Date: Apr 2002
Posts: 20,687
Yeah, the general suggestion was to just put your IE security settings on high. I'm trying to narrow down which options specifically block the code in the meta image from running automatically. I suppose it's the ActiveX and plug-ins and all downloads options, but I think there might be a few more, and since it's IE, I'm sure there'd be a virus that could easily get around the IE security setting by exploiting an IE flaw.

This, and the exploit being able to run from any app (besides IE), is why it's usually a good idea to use something like a third-party program to block scripts, ActiveX, etc. There's the no flash program which I think X uses and other anti-virus/security suites.
Ranger is offline  