Hatrack River Forum   
Topic: Major Windows Exploit - MS PATCH RELEASED
human_2.0 posted:
I don't know if anyone knows about this. There is a major Windows exploit that is unpatchable right now. I have been getting emails from our security department. I thought I would just post them here.


At this time there is no solution for determining the signature of this exploit due to the structures of WMF files. There is no anti-virus nor IDS signature working at this time.

An unofficial patch, read "use at your own risk", is available at:
http://www.hexblog.com/2005/12/wmf_vuln.html

Yesterday, McAfee announced 6% of its customer base has been infected with the WMF exploit.

Please note a new IM Worm is hitting the Netherlands and is spreading via this WMF exploit in a file called "xmas-2006 FUNNY.jpg".
Information about this available at:
http://www.viruslist.com/en/weblog?discuss=176892530&return=1


Q: Why is this issue so important?
A: The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

Q: Is it better to use Firefox vs. Internet Explorer?
A: Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

Q: What versions of Windows are affected?
A: All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS-X, Unix, or BSD are NOT affected.

Q: What can I do to protect myself?
A: 1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov, available at: handlers.sans.org/tliston/wmffix_hexblog11.exe (MD5: 99b27206824d9f128af6aa1cc2ad05bc). 2. You can unregister the related DLL. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. 3. Virus checkers provide some protection. It is recommended you do both items 1 and 2.

Q: How does the unofficial patch work?
A: The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

Q: Will unregistering the DLL (without using the unofficial patch) protect me?
A: It might help. But it is not foolproof. There are very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allows the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, it is recommended to use the unofficial patch in addition to un-registering shimgvw.dll.

Q: Should I just delete the DLL?
A: It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (renaming, rather than deleting is probably better so it will still be handy).

Q: Should I just block all .WMF images?
A: This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embedded in Word or other documents.

Q: What is DEP (Data Execution Protection) and how does it help me?
A: With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.

Q: How good are Anti Virus products to prevent the exploit?
A: At this point, versions of the exploit will not be detected by antivirus engines. It is anticipated they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient.

Q: How could a malicious WMF file enter my system?
A: There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.

Q: Is it sufficient to tell my users not to visit untrusted web sites?
A: No. It helps, but it's likely not sufficient. At least one widely trusted web site (knoppix-std.org) was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.

Q: What is the actual problem with WMF images here?
A: WMF images are a bit different than most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.

Q: Should I use something like "dropmyrights" to lower the impact of an exploit?
A: By all means yes. Also, do not run as an administrator level user for every day work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.

Q: Are my servers vulnerable?
A: Maybe. Do you allow the uploading of images? email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get an image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.

Q: What can I do at my perimeter / firewall to protect my network?
A: Not much. A proxy server that strips all images from web sites probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a work station is infected.

Q: Can I use an IDS to detect the exploit?
A: Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing some continuously improving signatures for snort users.

Q: If I get hit by the exploit, what can I do?
A: Not much. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 and 866-727-2338.

Q: Does Microsoft have information available?
A: See: www.microsoft.com/technet/security/advisory/912840.mspx But be aware, there is no patch at this time.

[ January 05, 2006, 04:32 PM: Message edited by: human_2.0 ]
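The two points the forwarded FAQ makes about the file format (a WMF is recognized by its header whatever the extension says, and the procedure call that hands control to attacker data is the SETABORTPROC escape) can be turned into a triage check. What follows is an added example, not part of this thread or of the FAQ: a small Python walker over WMF records that reports whether a blob is WMF at all, whether any META_ESCAPE record requests SETABORTPROC, and whether a record length is too small to be honoured. The header and record layouts are the public WMF format; the verdict strings, the sample file names and the constructed sample blobs are this example's own, and the flagged record carries zero bytes as a stand-in for attacker data, not an exploit.

```python
"""
Added example (not from the thread or the forwarded FAQ): a walker over
Windows Metafile (WMF) records that recognises WMF data by its header,
not its extension, and flags META_ESCAPE records whose escape function
is SETABORTPROC (0x09). All sample inputs are constructed inline.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
META_HEADER_LEN = 18         # standard METAHEADER (HeaderSize == 9 words)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def _body_offset(data: bytes) -> int:
    """Skip the placeable header if present; return where METAHEADER starts."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return PLACEABLE_LEN
    return 0


def is_wmf(data: bytes) -> bool:
    """Header-based check: a WMF is a WMF whatever the file is called."""
    off = _body_offset(data)
    if len(data) < off + META_HEADER_LEN:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record up to META_EOF.

    RecordSize is a 32-bit count of 16-bit words and includes the 6-byte
    record header, so anything below 3 words cannot be honoured; a parser
    that guesses where the next record starts can be steered by the file.
    """
    off = _body_offset(data) + META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at {off}: size {size_words} words is too small")
        params = data[off + 6: off + size_words * 2]
        yield off, func, params
        if func == META_EOF:
            return
        off += size_words * 2


def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records that request SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def scan(name: str, data: bytes) -> str:
    """Triage verdict for a file; the name is reported but never trusted."""
    if not is_wmf(data):
        return "not-wmf"
    try:
        return "suspicious" if find_setabortproc(data) else "wmf-clean"
    except ValueError:
        return "malformed"


# --- constructed samples (no real image content) ---------------------------
def record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0, "WMF record parameters are whole words"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    records = records + [record(META_EOF, b"")]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (META_HEADER_LEN + len(body)) // 2,   # total size in words
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8))])
_STANDIN = b"\x00" * 8   # placeholder for whatever an attacker would put here
SUSPECT = build_wmf([record(META_ESCAPE,
                            struct.pack("<HH", SETABORTPROC, len(_STANDIN)) + _STANDIN)])
PLACEABLE_SUSPECT = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0) + SUSPECT
TRUNCATED = BENIGN[:META_HEADER_LEN] + struct.pack("<IH", 1, META_ESCAPE) + b"\x00" * 6
NOT_WMF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN), ("xmas-2006 FUNNY.jpg", SUSPECT),
                       ("placeable.wmf", PLACEABLE_SUSPECT), ("short.wmf", TRUNCATED),
                       ("real.png", NOT_WMF)]:
        print(f"{name:22s} {scan(name, blob)}")
```

Run it as a script to get one verdict per constructed sample; the `.jpg`-named blob is still classified by its bytes. A hit is a triage signal rather than proof of malice, since SETABORTPROC has legitimate uses in printing, and an undersized record length is reported instead of skipped over because a walker that guesses its way past one is exactly the kind of parser a crafted file is built to steer.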


pH posted:
Wait. What does it do? Like, how would you know if you had it?

And also, is this at all related to the IMs I've gotten lately along the lines of, "lol check this pic, i wuz sooo drunk last nite" from friends who don't type that way and have no idea why their computer is sending messages to everyone?

-pH


TomDavidson posted:
Very probably. Right now, this is mostly an Instant Messaging problem, but it can spread if non-IM people are idiots.

erosomniac posted:
Hmmm...interesting. Thanks for posting, human.

The point about indexing being an access is an important one. If you have not done so already, everyone running a Windows NT 4.0, 2000 or XP machine should do the following:

Start Menu--> Run. In the blank, type "services.msc". This will open the Services menu, allowing you to edit exactly which services your computer is currently running (sometime later, I'll write a post explaining how massive the bloatware in windows, especially XP, is, and how to disable most of the junk you don't need).

The list of services is alphabetical. Find "Indexing Service" and right click it. Click Properties. This should bring up a new window with four tabs: you should be in the General tab. Next to the words "Startup type" there is a drop down menu: select "Disabled." Under that, there should be "Service status" - if this is running, hit the STOP button. Click OK and close the Services window.

This will keep Windows' indexing service from accidentally triggering the above mentioned virus. Note: this will not stop other programs that index your computer, e.g. Google Desktop, from doing so!


rubble posted:
The Microsoft link you reference above says that you have to go to a malicious website where the WMF resides in order to be infected or actively select a link in an email. That isn't quite as bad as you led us to believe in your post.

Maybe I'm misreading?


TomDavidson posted:
Anything that causes an image to render in the browser triggers this virus. The image has to be saved somewhere, so anything that brings you to it -- clicking on a link in an email, a webpage, or an IM chat session, viewing a page that has had its images replaced with infected WMFs, etc. -- will infect you, but indeed there's little risk if you stick to sites that you are SURE (for a given value of "sure") cannot be infected and make a point of not following any links you get from ANYONE over the next few days.

If you have the Preview Pane active in Outlook or Outlook Express, previewing an email that contains an infected WMF can infect you. So turn off the Preview Pane for the time being.

Note that even one compromised major site -- like, say, Movies.com or Yahoo -- could transform this from an annoying Instant Messaging virus to an enormous problem.


Fahim posted:
Microsoft will of course, try to play it down [Smile] I believe the other instances human_2.0 mentioned in his post are when the indexing service accesses the image or if it is displayed in Explorer as an icon. Since WMF external processes are executed each time an image is accessed/displayed, that sounds logical. Since we have no idea which sites are affected and which are not (the webmasters themselves might not be aware of the issue) this might not be as benign as MS makes you believe on their site [Razz]

TomDavidson posted:
Luckily, I don't foresee major issues with the Indexing Service or icon problems, since both of those require getting the WMF on an accessible partition. Which hopefully no one would have reason to do, since accessing the WMF in the first place is what we're trying to avoid.

(The big danger I can see with Indexing -- and correct me if I'm missing something here, Fahim -- is if someone with non-administrative rights winds up getting this virus, which then potentially replicates itself to a networked drive to be indexed by a server under an account with elevated permissions. That could be semi-nasty.)


Lisa posted:
quote:
Originally posted by erosomniac:
Start Menu--> Run. In the blank, type "services.msc". This will open the Services menu, allowing you to edit exactly which services your computer is currently running (sometime later, I'll write a post explaining how massive the bloatware in windows, especially XP, is, and how to disable most of the junk you don't need).

That'd be great, eros. I just made the move from 98SE to XP this weekend.

quote:
Originally posted by erosomniac:
The list of services is alphabetical. Find "Indexing Service" and right click it. Click Properties. This should bring up a new window with four tabs: you should be in the General tab. Next to the words "Startup type" there is a drop down menu: select "Disabled." Under that, there should be "Service status" - if this is running, hit the STOP button. Click OK and close the Services window.

This will keep Windows' indexing service from accidentally triggering the above mentioned virus. Note: this will not stop other programs that index your computer, e.g. Google Desktop, from doing so!

Will it prevent me from being able to search files on my computer? Or do I just have to get a third party search tool?

TomDavidson posted:
Neither will it protect you from this virus, Lisa. I'd actually keep the Indexing Service on, if it already is. [Smile]

While there's SOME useless junk in a default install of XP Home, a lot of it does in fact have a use. *grin*


erosomniac posted:
Indexing service really has no purpose for 99% of home users - especially ones with mild computer education. You can still search for files on your computer without a problem.

Primarily the services I'm interested in disabling are related to things like remote registry editing, remote desktop capabilities, etc. - all things that the average home user does not need short of an authorized technician requiring access for support purposes, and any technician should know how to re-enable stuff.

The other services I think everyone should disable are the vast majority of programs that autolaunch on startup. All they do is eat up valuable system resources - why not just launch programs when you need them? (There are obviously exceptions - programs that you use more or less constantly, like post-it note programs and/or messenger programs).

I think I'll also explain how to replace Explorer with Litestep, since the recent installer updates have made it ridiculously easy for anyone to do it.


TomDavidson posted:
quote:
I think I'll also explain how to replace Explorer with Litestep, since the recent installer updates have made it ridiculously easy for anyone to do it.
Nerd. [Wink]

erosomniac posted:
quote:
Nerd.
But...but...

...yeah, alright.


Storm Saxon posted:
Thank you for this thread, human.

jennabean posted:
YEA nerd, teach me how to stop those start up things. Still waiting...

quidscribis posted:
Gee, and Fahim was involved in Litestep...

Fahim posted:
Gee ... "involved" makes it sound so subversive [Razz] But yes, I did do LS development in the early days [Smile]

Fahim posted:
Oh, if anybody wants to read more about this WMF vulnerability and so on, Steve Gibson over at GRC has a page up about it. He tends to get his undergarments in a twist from time to time about perceived (and actual) Windows vulnerabilities ... but it always makes good reading [Smile] And he also has a link to a tiny little utility which checks your system to see if your system is susceptible to this particular vulnerability or not. Here's the direct link.

Storm Saxon posted:
Er...if I'm getting an error message that says account for domain hexblog.com has been suspended, this would be a bad thing?

quidscribis posted:
Um, hexblog.com works fine for me. [Dont Know]

erosomniac posted:
quote:
But yes, I did do LS development in the early days
...marry me?

quidscribis posted:
No.

Absolutely not.

Not ever.

No how, no way.

Back off, erosonmiac. Them's fightin' words. [Mad] [Mad]


Storm Saxon posted:
hexblog.com comes up in neither Windows nor Linux. In Windows, I get the account suspended message. In Linux, it just churns and eventually times out in several different browsers. Tracerouting gets about half way there and then dies at some IP.

Blah.


Fahim posted:
Storm Saxon, the HexBlog site was suspended, not because they did anything bad but probably because everybody and their grandmother hit his site to get the WMF fix and he ran over his bandwidth [Razz] The GRC link that I posted above, among other places, has the patch for download. But quid just showed me that the site was working (it wasn't in the morning when I checked [Razz] ) so you should be able to get the patch there as well [Smile]

Storm Saxon posted:
Thanks, Fahim. [Smile]

foundling posted:
Does this vulnerability allow exploiting of any other types of image files? Does anyone know? I have a friend who is having issues with AVI files going missing and lots of brand new popups that her firewall refuses to block. Plus, she's getting quite a bit more exploratory ping traffic recently.

Goody Scrivener posted:
Got my patch and the home machine seems to be protected now... crossing fingers.

quote:
(sometime later, I'll write a post explaining how massive the bloatware in windows, especially XP, is, and how to disable most of the junk you don't need).
Would love love love to see some instructions on this, eros!!

human_2.0 posted:
This was just sent to my campus:

The SANS Institute, a trusted source of computer security training and certification, says that hundreds of web sites are using a WMF (Windows Metafile) vulnerability to install malicious software on people's Windows-based computers. WMF files are used to present graphic images, including those found on web sites or within e-mail messages. The "bad guys" may hide malicious code within those graphics. For example, an email message is circulating with the subject line "happy new year." Attached to the message is the file, "HappyNewYear.jpg." If a user opens the file, intending to see a picture, the file installs malicious code on the user's PC without the user knowing it.

This is just one example. SANS says that this vulnerability is particularly "insidious" because it can infect computers when users merely visit web sites or view images in the preview pane of Microsoft Outlook or other e-mail programs. Users don't have to click on anything or open any files to be exposed. Microsoft is investigating the issue and says it will issue a patch, but no patch is available as of this writing. A patch is expected on January 10th, but until then, you could be at risk.

What can worms do?

Computer worms can take over your computer and use it to attack other computers, monitor and log your keystrokes in an attempt to capture sensitive information such as passwords or account numbers, and other nefarious activities.

What should I do about this?

To reduce the risk of compromise until a patch is available and installed on your PC, Microsoft Windows users are advised to:

1. Keep your antivirus software up to date
2. Do not click on *any* links in emails or instant messages
3. Do not open *any* attached files this week and
4. Do not visit *any* new web sites this week, at least until a patch is provided.

If you have administrative rights on your computer, rights which allow you to install and remove software on your PC, you may be at greater risk than someone whose computer is administered by a department computer administrator. It is recommended that you speak to your department's computer administrator about configuring your machine's rights.

Your home computer is likely configured with administrative rights. University security experts recommend that you set up a separate non-administrative user account on your PC for "every day" use.


human_2.0 posted:
Today the School of Computing on my campus sent out an email to their staff and faculty warning about this and called this "the worst security hole in the history of Windows".

Scott R posted:
Actually, the person behind the keyboard is the biggest security hole in the history of computers.

Nitpick.

[Smile]


human_2.0 posted:
LOL. PEBKAC

Security patch is out:

http://www.microsoft.com/technet/security/bulletin/advance.mspx


Fahim posted:
Hexblog security patch uninstalled, rebooted, MS security patch installed, rebooted. Ran the Hexblog WMF vulnerability checker and it says my system is protected against the vulnerability. So hopefully, MS got it right this time [Razz]

aspectre posted:
Where is the security patch?

Silkie posted:
quote:
Originally posted by aspectre:
Where is the security patch?

http://windowsupdate.microsoft.com/

If you don't use Windows Firewall you may have trouble getting into the Update Program. If it is your non-Windows firewall preventing you from accessing the site you can turn on Windows Firewall, and turn off your other firewall, for the duration of the download. Remember to turn off Windows Firewall afterward, since two firewalls are a no-no.

If you choose "Express Install" all of the windows Critical Updates that you need will be downloaded, or choose "Custom" and just pick the ones you want.


Goody Scrivener posted:
Is this the update that my autoinstaller popped up with when I booted tonight? And if so, will uninstalling the Hexblog patch mess up the Windows patch at all?

Silkie posted:
And remember to keep your Anti-Virus Program updated on a regular basis! [Wink]

Silkie posted:
quote:
Originally posted by Goody Scrivener:
Is this the update that my autoinstaller popped up with when I booted tonight? And if so, will uninstalling the Hexblog patch mess up the Windows patch at all?

I would assume yes, but you can check at the Update site, by clicking the link which lists all of the installed updates.

Human or another techie will have to answer the Hexblog question - I have no idea.


aspectre posted:
Thanks, Silkie, for your quick responses, both earlier and now.

Waited for Microsoft myself, Goody Scrivener. But it is generally recommended that the hexblog/etc/Guilfanov patch's uninstall option be used before installing the Microsoft patch.


Lisa posted:
This morning, my XP had an alert, which turned out to be the Windows Update thing with this patch. So I installed it. More fool I.

When I let it reboot, it came up fine. And 5 seconds later, it spontaneously rebooted. Again. Same thing happened when it came up the next time. I'm hoping that when I get home tonight, it'll be working. I don't want to have to go into safe mode and fiddle. I don't know enough about operating systems to screw around in there.

What the hell did they do other than close that security hole?


human_2.0 posted:
Final word on this from my campus security office:

If you installed the unofficial patch, or did other recommended workarounds, here are the recommended steps for updating your system:

1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. Uninstall the unofficial patch, by using one of these methods:
a. Add/Remove Programs on single systems. Look for "Windows WMF Metafile Vulnerability HotFix"
b. or at a command prompt:
"C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT
c. or, if you used msi to install the patch on multiple machines you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6. Optionally, reboot one more time just for good measure (not required, but doesn't hurt)

If you experience any problems with the official patch, check <http://support.microsoft.com> and call the toll-free number listed for free assistance. Microsoft will not support the unofficial patch. As an alternative to the sequence shown above, you may want to uninstall the unofficial patch first. But make sure you keep shimgvw.dll unregistered until the official patch is applied. Either sequence works in our testing. Removing the unofficial patch later provides an extra layer of protection.

To test if you are vulnerable, visit: <http://sipr.net/test.wmf>
The test image in question will start your calculator if you are vulnerable.

UPDATED News on the official WMF patch and DLL registration
A. If you installed the LEAKED Microsoft patch, make sure that you un-install it before installing the officially released patch. Windows Update will detect the presence of the leaked patch. Bad things may happen.
B. If you installed the un-official Ilfak patch, you can un-install it before or after the official Microsoft patch. The order doesn't matter, should work either way. Windows Update will apparently not detect the un-official patch.
C. If you un-registered the DLL (shimgvw.dll) you will need to re-register it in order to regain the functionality. The official Microsoft patch will NOT re-register the DLL for you. You will have to do it via the following command:
regsvr32 %windir%\system32\shimgvw.dll


Fahim posted:
starLisa, sorry to hear that the official patch messed things up for you. We have two machines here which were patched with the official patch and are working fine. Did you have any other patches/workarounds in place when you installed the official one?

Copyright © 2008 Hatrack River Enterprises Inc. All rights reserved.
Reproduction in whole or in part without permission is prohibited.