Topic: Microsoft Windows WMF Handling - Arbitrary Code Execution


Offline Eric the Red

  • ISO/IEC 27001:2005
  • Administrator
  • Hero Member
  • *****
  • Posts: 1617
  • Would somebody please pass me a beer!
Microsoft Windows WMF Handling - Arbitrary Code Execution
« on: December 28, 2005, 12:45:35 PM »
"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Offline Eric the Red

  • ISO/IEC 27001:2005
  • Administrator
  • Hero Member
  • *****
  • Posts: 1617
  • Would somebody please pass me a beer!
    • View Profile
Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #1 on: December 28, 2005, 11:22:16 PM »
This vulnerability is being tracked by the Internet Storm Center, see isc.sans.org/diary.php?storyid=975 for the latest news

Users of Google Desktop are also vulnerable to this exploit, see http://www.f-secure.com/weblog/archives/archive-122005.html#00000753

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 15968
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #2 on: December 29, 2005, 12:47:40 AM »


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #3 on: December 29, 2005, 04:04:15 PM »
After you have installed IESPYAD (version December 27th) be sure to also apply the interim update that can be found at dslreports.com/forum/remark,15121689

This should be added to the December 27th update - do not remove that before applying this addition.

Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #4 on: December 30, 2005, 11:25:49 AM »
Harry Waldron's Blog has a nice set of instructions:

Quote
Current recommendations for Malicious WMF Exploits in-the-wild

1. Keep your Anti-Virus and Anti-Spyware software as up-to-date as possible.  For example, McAfee users should install DAT 4661 or higher immediately
2. Stay away from all questionable websites.  Do not open WMF files or links in any environment (e.g., IM, email, web surfing, explorer, etc.).
3. Filter and block WMF files in email or content filtering systems in the corporate environment.
4. Don't rely just on the WMF extension.  Windows metadata processing can process a disguised and renamed extension.  For example, the extension for a corrupted WMF file might be renamed to GIF and when Windows opens it, it may recognize that it was a WMF file originally and an infection could result.
5. As an extra safety precaution, you can turn off the vulnerable DLL.   The Full Disclosure workaround has a downloadable *.REG file that allows toggling shimgvw.dll on and off.  Another option might be to turn off the shimgvw.dll service completely.  Turning services completely off will result in a minor loss of functionality for thumbnail previews in Explorer and the Windows Fax & Picture viewer can be affected.  Still it's easy to restore this service later after better protective solutions emerge, as noted in the Full Disclosure link.



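Item 4 of the quoted recommendations is why a mail or content filter cannot trust the file extension. The following is an added example, not code from this thread or from any product it mentions: it recognises a Windows metafile from its header fields (the placeable key, then Type, HeaderSize and Version of META_HEADER) so a metafile renamed to .jpg or .gif is still flagged. The sample byte strings are constructed here and are not malware.

```python
import struct

# Aldus Placeable Metafile key (little-endian on disk) and the two header
# lengths from the WMF format: an optional 22-byte placeable header may
# precede the 18-byte META_HEADER that every metafile starts with.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18


def is_wmf(data: bytes) -> bool:
    """Decide from content alone whether the bytes are a Windows metafile.

    META_HEADER begins with Type (1 = in-memory, 2 = on-disk), HeaderSize
    (always 9, in 16-bit words) and Version (0x0100 or 0x0300); those three
    fields are checked instead of the filename.
    """
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        data = data[PLACEABLE_HEADER_LEN:]  # skip the placeable wrapper
    if len(data) < META_HEADER_LEN:
        return False
    mf_type, header_size, version = struct.unpack("<HHH", data[:6])
    return mf_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify(filename: str, data: bytes) -> str:
    """Label an attachment: 'disguised-wmf' when the bytes are a metafile but
    the extension says otherwise, 'wmf' when honestly named, else 'other'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not is_wmf(data):
        return "other"
    return "wmf" if ext == "wmf" else "disguised-wmf"


# Constructed samples: a placeable WMF with an empty record list, a plain
# on-disk WMF header, and the start of a GIF (none of these is real malware).
SAMPLE_PLACEABLE_WMF = (
    struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    + struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
)
SAMPLE_PLAIN_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0100, 9, 0, 0, 0)
SAMPLE_GIF = b"GIF89a" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("picture.jpg", SAMPLE_PLACEABLE_WMF),
                       ("drawing.wmf", SAMPLE_PLAIN_WMF),
                       ("photo.gif", SAMPLE_GIF)]:
        print(name, "->", classify(name, blob))
```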

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #5 on: December 30, 2005, 03:44:58 PM »
From F-Secure blog:

Quote
The amount of trojans using the zero-day WMF exploit is increasing rapidly.

There is an important note on that page about the danger of using mspaint until the WMF issue is resolved.

Offline Die Hard

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 971
  • The Northern Berserk
Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #6 on: December 30, 2005, 07:09:31 PM »


I create and edit my posts in GS-NOTES

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #7 on: December 30, 2005, 10:17:40 PM »
One of the best articles that I have seen which analyses this exploit comes from Websense

This one also includes a .wmv showing the exploit in action, best run at full screen size.

Offline roddy32

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 1083
Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #8 on: January 01, 2006, 12:25:27 PM »
Here is the latest info on this from the Internet Storm Center.

This one is the updates thread that changes as new information is released or more exploits are released.
http://isc.sans.org/diary.php?n&storyid=992

This one is an overview of the situation.
http://isc.sans.org/diary.php?n&storyid=993

This one is the WMF FAQ
http://isc.sans.org/diary.php?n&storyid=994

This is the latest from this morning
"2nd generation WMF 0day Exploit Spammed"
http://isc.sans.org/diary.php?n&storyid=995

Microsoft MVP Consumer Security 2006 - 2012

Log'N'Rock Computer Security


Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #9 on: January 01, 2006, 05:05:24 PM »
The Internet Storm Center (SANS Institute) is proving to be the most reliable source of information in respect of the WMF exploit, and it is strongly recommended that you check that site regularly for updated information. This exploit should be taken seriously.

Latest information from the ISC at time of posting:

Trustworthy Computing
http://isc.sans.org/diary.php?storyid=996

Recommended Block List
http://isc.sans.org/diary.php?storyid=997

2nd generation WMF exploit: status of the anti-virus products after one day
http://isc.sans.org/diary.php?storyid=998

Updated version of Ilfak Guilfanov's patch
http://isc.sans.org/diary.php?storyid=999



Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #10 on: January 01, 2006, 06:35:00 PM »
The strongest recommendations from around the net are to install Ilfak's Temporary WMF Patch until Microsoft issues a patch.  Ilfak's temp can then be removed via Add/Remove Programs.

http://www.grc.com/sn/notes-020.htm



Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #11 on: January 01, 2006, 06:41:46 PM »
Recommended block lists from SANS:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)



Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #12 on: January 01, 2006, 07:14:06 PM »
UNIRAS (UK Government Briefing) 1/06, released 19:31 UTC January 1st:

Quote
A new exploit has been released for the Windows WMF vulnerability.  The exploit
is embedded in image files with a .jpg extension and which are designed to make
detection with IDS more difficult.  At the time of release this exploit was not
detectable by anti-virus software although signatures are now being released.

There are further reports that this exploit has been used to construct
malicious emails that have been spammed out.  F-Secure have given the following
details for this email:

  Subject:    Happy New Year
  Body:       "picture of 2006"
  Attachment: HappyNewYear.jpg (MD5: DBB27F839C8491E57EBCC9445BABB755)
 
When the HappyNewYear.jpg is accessed (i.e. the file is opened, a folder containing
the file is viewed, or the file is indexed by, for example, Google Desktop), it
executes and downloads a Bifrose variant from www[dot]ritztours.com.

Full briefing at http://www.uniras.gov.uk/niscc/docs/br-20060101-00001.html?lang=en

Offline Eric the Red

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #13 on: January 01, 2006, 10:27:35 PM »
System Administrators may wish to know that SANS are now hosting a MSI version of the unofficial hotfix. It may be downloaded from a link on this page.

Offline Corrine

Re: Microsoft Windows WMF Handling - Arbitrary Code Execution
« Reply #14 on: January 02, 2006, 10:37:36 AM »
The latest information --

If your computer is Windows 2000, Windows XP (SP1 and SP2), or Windows 2003 (NOT Win98 or ME) it is extremely vulnerable. After applying the temporary fix by Ilfak, you can check your system to ensure it is protected with the vulnerability checker.  Further discussion on this topic is available in the SunbeltBlog http://sunbeltblog.blogspot.com/2006/01/wmf-vulnerability-checker.html

FIX DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmffix_hexblog13.exe

Fix Described Here:  http://www.hexblog.com/2005/12/wmf_vuln.html

VULNERABILITY CHECKER DIRECT DOWNLOAD LINK:  http://www.hexblog.com/security/files/wmf_checker_hexblog.exe

Checker Described here:  http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more




