Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote

PA Bear

Stephen said:
What about Windows 2000 Professional SP4?
Running that at work and that has

07/12/1999 12:00 52,496 shimgvw.dll

Is the workaround useless for Windows 2000?

According to here
http://www.updatexp.com/wmf-exploit.html
ME & 2000 are vulnerable

<QP>
This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
</QP>
Source: http://www.microsoft.com/technet/security/advisory/912840.mspx
 
Gary Smith

What about Windows 2000 Professional SP4?
Running that at work and that has
07/12/1999 12:00 52,496 shimgvw.dll
Is the workaround useless for Windows 2000?

So it would appear, since the article specifically states, "Un-register
the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service
Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server
2003 Service Pack 1." No mention of Windows 2000 or ME.
 
Tom [Pepper] Willett

In some older versions of Windows (Windows 2000 and Windows ME) there was a
little-known program called "Imaging" that was really a third-party program
from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
and .PCX. This program could be installed from the Control Panel, Add
Windows Components under Accessories, and was very handy for viewing scanned
FAX documents.

In Windows XP, this program has been replaced by "Windows Picture and Fax
Viewer."


| In microsoft.public.windows.inetexplorer.ie6.browser Stephen Howe <stephenPOINThoweATtns-globalPOINTcom> wrote:
| > > The FAQ section of
| > > http://www.microsoft.com/technet/security/advisory/912840.mspx has been
| > > updated.
| > >
| > > Fully expand Suggest Actions > Workarounds subsection to see steps you can
| > > take to "help block known attack vectors".
|
| > What about Windows 2000 Professional SP4?
| > Running that at work and that has
|
| > 07/12/1999 12:00 52,496 shimgvw.dll
|
| > Is the workaround useless for Windows 2000?
|
| So it would appear, since the article specifically states, "Un-register
| the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service
| Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server
| 2003 Service Pack 1." No mention of Windows 2000 or ME.
|
|
| > According to here
| > http://www.updatexp.com/wmf-exploit.html
| > ME & 2000 are vulnerable
|
| --
| Gary L. Smith
| Columbus, Ohio
 
David H. Lipman

From: "Tom [Pepper] Willett" <[email protected]>

| In some older versions of Windows (Windows 2000 and Windows ME) there was a
| little-known program called "Imaging" that was really a third-party program
| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
| and .PCX. This program could be installed from the Control Panel, Add
| Windows Components under Accessories, and was very handy for viewing scanned
| FAX documents.
|
| In Windows XP, this program has been replaced by "Windows Picture and Fax
| Viewer."


shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :)
 
Tom [Pepper] Willett

Yes, it was.

Tom
| From: "Tom [Pepper] Willett" <[email protected]>
|
|| In some older versions of Windows (Windows 2000 and Windows ME) there was a
|| little-known program called "Imaging" that was really a third-party program
|| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
|| and .PCX. This program could be installed from the Control Panel, Add
|| Windows Components under Accessories, and was very handy for viewing scanned
|| FAX documents.
||
|| In Windows XP, this program has been replaced by "Windows Picture and Fax
|| Viewer."
|
|
| shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :)
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|
 
Gary Smith

So are you saying that it's a different module with the same name, or the
same module with different functions, or what? Your posts are related to
the topic but don't appear to address it in any obvious way.


In microsoft.public.windows.inetexplorer.ie6.browser Tom [Pepper] Willett said:
Yes, it was.
Tom
| From: "Tom [Pepper] Willett" <[email protected]>
|
|| In some older versions of Windows (Windows 2000 and Windows ME) there was a
|| little-known program called "Imaging" that was really a third-party program
|| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
|| and .PCX. This program could be installed from the Control Panel, Add
|| Windows Components under Accessories, and was very handy for viewing scanned
|| FAX documents.
||
|| In Windows XP, this program has been replaced by "Windows Picture and Fax
|| Viewer."
|
|
| shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :)
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|
 
David H. Lipman

From: "Gary Smith" <[email protected]>

| So are you saying that it's a different module with the same name, or the
| same module with different functions, or what? Your posts are related to
| the topic but don't appear to address it in any obvious way.
|

If your PC has shimgvw.dll registered with the MS GDI graphic renderer then your PC is
vulnerable.

That's it.

Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.
 
Guest

That might work in some cases, but if an infected WMF file was renamed as
JPG, the file would go into the graphics renderer and there it would try to
open as JPG, fail, then figure out it was a WMF file by the header info in
the file, and run the WMF rendering code. Blammo.

Bill
 
Gary Smith

In microsoft.public.windows.inetexplorer.ie6.browser David H. Lipman said:
From: "Gary Smith" <[email protected]>
| So are you saying that it's a different module with the same name, or the
| same module with different functions, or what? Your posts are related to
| the topic but don't appear to address it in any obvious way.
|
If your PC has shimgvw.dll registered with the MS GDI graphic renderer then your PC is
vulnerable.
That's it.
Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.

Okay, I un-registered it. I don't have any real way of knowing whether
that makes me more secure, but I suspect that I'm not using it anyway.
 
Guest

regsvr32 /u shimgvw.dll


Was just looking at the option of putting this into the logon script,
however I notice that it also breaks quite a bit of the Explorer
functionality in relation to other types of images, and it's the kind of
functionality that is heavily relied-on by the less computer-literate users.
This point might need to be carefully evaluated before rolling-out, to avoid
disruption.
 
Ken Blake, MVP

Bill said:
That might work in some cases, but if an infected WMF file was
renamed as JPG, the file would go into the graphics renderer and
there it would try to open as JPG, fail, then figure out it was a WMF
file by the header info in the file, and run the WMF rendering code.
Blammo.


Yes, that's pointed out on the page I cited below. As the page says "it's a
pretty weak workaround."
 
PA Bear

[Followup-to set for microsoft.public.security]

The Advisory as updated on 30 Dec-05 now states that Software DEP does *not*
block the exploit.

http://www.microsoft.com/technet/security/advisory/912840.mspx

<QP>
I have DEP enabled on my system, does this help mitigate the
vulnerability?

Software based DEP does not mitigate the vulnerability. However,
Hardware based DEP may work when enabled: please consult with your
hardware manufacturer for more information on how to enable this and
whether it can provide mitigation.
</QP>
 
cquirke (MVP Windows shell/user)

On Fri, 30 Dec 2005 22:08:02 -0800, "Bill Gallagher"
That might work in some cases, but if an infected WMF file was renamed as
JPG, the file would go into the graphics renderer and there it would try to
open as JPG, fail, then figure out it was a WMF file by the header info in
the file, and run the WMF rendering code. Blammo.

A generic reason to KILL file interpretation based on hidden internal
information. The risks go beyond this particular WMF mess.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
 
Guest

For those who may not have seen this yet, there is a third party fix posted.
Apparently, it works by patching the Escape() function in gdi32.dll -
disabling the SETABORT sequence. Of course, it is "use-at-your-own-risk" but
the site where it can be downloaded indicates that it does have a useful
silent install and can also be removed from Add/Remove Programs.

Computerworld, SANS & F-Secure have written about it - not in that order
<g>. SANS states that they have vetted the code and provides links to it.

http://www.hexblog.com/2005/12/wmf_vuln.html
http://isc.sans.org/
http://www.f-secure.com/weblog/

====
Mike
 
~greg

Does anyone know of a script (in perl, or whatever)
to check image files already on a hard drive
to see if any of them are actually renamed .wmf files?


~greg
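
An added example, not part of any poster's message: a scanner for the case Bill describes and ~greg asks about, files carrying an image extension other than .wmf whose leading bytes are a WMF header. The extension list and the function names are assumptions of this sketch; the check is a heuristic on the standard 18-byte WMF header and the optional 22-byte placeable prefix, and the sample files are constructed header-only stubs.

```python
import os
import struct
import sys

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # placeable-WMF key 0x9AC6CDD7, little-endian
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".tif", ".tiff", ".ico"}

def is_standard_wmf_header(buf):
    """True if buf starts with a plausible 18-byte standard WMF header."""
    if len(buf) < 18:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def looks_like_wmf(buf):
    """Accept a bare standard header, or one behind the 22-byte placeable prefix."""
    if buf[:4] == PLACEABLE_MAGIC:
        return is_standard_wmf_header(buf[22:40])
    return is_standard_wmf_header(buf[:18])

def find_renamed_wmf(root):
    """Paths under root with a non-.wmf image extension but WMF header bytes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(40)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if looks_like_wmf(head):
                hits.append(path)
    return sorted(hits)

def build_sample_tree(root):
    """Write constructed sample files: header bytes only, no drawing records."""
    std = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
    placeable = PLACEABLE_MAGIC + bytes(18) + std
    samples = {"holiday.jpg": std, "logo.gif": placeable, "chart.wmf": std,
               "real.jpg": b"\xff\xd8\xff\xe0" + bytes(36), "notes.txt": std}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    for hit in find_renamed_wmf(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit means the extension and the content disagree and the file deserves a closer look; it does not by itself show that the file contains the exploit.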
 
Jon

It looks like the patch alters the loaded gdi32.dll in memory, rather than
making any permanent changes to the gdi32.dll file on disk.

It installs a small dll "wmfhotfix.dll" in C:\WINDOWS\system32, which does
the work of maintaining the patched version of gdi32.dll in memory, and is
loaded via the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

More details here
http://www.grc.com/groups/securitynow:423


Jon
 
Jon

Looks like an official patch is on its way

http://www.microsoft.com/technet/security/advisory/912840.mspx

From the updated site......
Microsoft has completed development of the security update for the
vulnerability. The security update is now being localized and tested to
ensure quality and application compatibility. Microsoft’s goal is to release
the update on Tuesday, January 10, 2006, as part of its monthly release of
security bulletins. This release is predicated on successful completion of
quality testing.

The update will be released worldwide simultaneously in 23 languages for all
affected versions of Windows once it passes a series of rigorous testing
procedures. It will be available on Microsoft’s Download Center, as well as
through Microsoft Update and Windows Update. Customers who use Windows’
Automatic Updates feature will be delivered the fix automatically.

Jon
 
