(OT) Zero-Day WMF Exploit

  • Thread starter The Six Million Dollar Man

»Q«

Aaron

F-Secure has a blog entry on it as well. It is being exploited in the
wild. IE will run the malware if you visit the bad sites; Firefox and
Opera will prompt the user before downloading.

<http://www.f-secure.com/weblog/archives/archive-122005.html#00000752>

More links if you are interested


**MS advisory (plus workaround)

http://www.microsoft.com/technet/security/advisory/912840.mspx

Note: Neither the method described above (unregistering Shimgvw.dll) nor
changing the Windows file association for WMF is a complete defense.

"Many people have now used the REGSRV32 workaround to stop the immediate
threat. Some users have come back to us after we quoted Microsoft on the
workaround wondering if the workaround really works. The workaround will
stop the exploit for Internet Explorer and Explorer - even though WMF
images still show as normal.

What the workaround does not stop against is if you open an exploited
file in MSPAINT (aka Paintbrush). And like always, renaming the file to
any other image extension will not make a difference to MSPAINT. So our
suggestion is to not open any pictures right now with MSPAINT whatsoever.
Perhaps leaving image editors out completely for the rest of the year
might be a good idea. "

Ditto for other image viewers like irfanview.

**Filtering by looking only at extensions like .wmf files may also not be
enough

"Not that we didn't have enough "good" news already, but if you are
relying on perimeter filters to block files with WMF extension from
reaching your browser, you might have a surprise waiting for you. Windows
XP will detect and process a WMF file based on its content ("magic
bytes") and not rely on the extension alone, which means that a WMF
sailing in disguise with a different extension might still be able to get
you."

http://isc.sans.org/diary.php?storyid=975


**Applications include Lotus Notes, Google desktop can also trigger the
exploit without you directly clicking on the file.

http://www.f-secure.com/weblog/#00000755

http://isc.sans.org/diary.php?storyid=981


**Exfol/WebExt using WMF exploit on rotational popups

http://sunbeltblog.blogspot.com/2005/12/exfol-using-wmf-exploit-on-rotational.html


**Protect yourself using Kerio/Sunbelt firewall using NIPS/Snortrules
(works for free version)

http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html
 
MLC

On Friday, 30 December 2005, Aaron wrote:
**Protect yourself using Kerio/Sunbelt firewall using NIPS/Snortrules
(works for free version)

In addition, about antivirus software:

AV-Test, which tests anti-malware products, has been tracking the situation
closely and has, so far, analyzed 73 variants of malicious WMF files.

Products from the following companies have identified all 73:

Alwil Software (Avast)
Softwin (BitDefender)
ClamAV
F-Secure Inc.
Fortinet Inc.
McAfee Inc.
ESET (Nod32)
Panda Software
Sophos Plc
Symantec Corp.
Trend Micro Inc.
VirusBuster

These products detected fewer variants:
62 — eTrust-VET
62 — QuickHeal
61 — AntiVir
61 — Dr Web
61 — Kaspersky
60 — AVG
19 — Command
19 — F-Prot
11 — Ewido
7 — eSafe
7 — eTrust-INO
6 — Ikarus
6 — VBA32
0 — Norman

http://www.eweek.com/article2/0,1759,1907102,00.asp?kc=EWRSS03129TX1K0000614
 
»Q«

Sorry I had to snip more than I wanted to, but I don't have my reader
set up to handle UTF-8, and it was mangling the quoting.

That writer says:

The difference for the more effective products is likely to
be heuristic detection, tracking the threat by identifying
the basic techniques of the exploit, rather than looking for
specific patterns for specific exploits.

That's not the case, according to AV-Test's Andreas Marx:

"It looks like that some of the 100% companies have simply added
detections for all of the files I've sent out, without actually
have a generic detection in place, but instead of this, 73
different signatures to detect all 73 different files. That's not
good."[1]

Worse, a new way of exploiting the vulnerability was made public on
31 Dec. SANS had this to say about it:

From a number of scans we did through virustotal, we can safely
conclude there is currently no anti-virus signature working for
it. Similarly it is very unlikely any of the IDS signatures for
the previous versions of the WMF exploits work for this next
generation.

Judging from the source code, it will likely be difficult to
develop very effective signatures due to the structure of the WMF
files.[2]

And there's a third, newer, exploit for the vulnerability,
circulating via e-mail.[3]

Now finally, some hopefully good news. There's a third-party,
open-source patch available for Windows XP and 2000 (though Art
reported trouble installing it on 2000). It's been endorsed by
F-Secure[4], SANS[5], and Steve Gibson[6]. You can get the patch at
<http://www.hexblog.com/2005/12/wmf_vuln.html>.


[1] http://blogs.washingtonpost.com/securityfix/

[2] http://isc.sans.org/diary.php?storyid=992

[3] http://www.f-secure.com/weblog/archives/archive-012006.html#00000759

[4] http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

[5] http://isc.sans.org/diary.php?storyid=994

[6] http://www.grc.com/sn/notes-020.htm
(turn monitor brightness down before visiting GRC ;)
 
bambam

Now finally, some hopefully good news. There's a third-party,
open-source patch available for Windows XP and 2000 (though Art
reported trouble installing it on 2000). It's been endorsed by
F-Secure[4], SANS[5], and Steve Gibson[6]. You can get the patch at
<http://www.hexblog.com/2005/12/wmf_vuln.html>.

Thanks Q, I have downloaded and installed on 2 systems, XPProSP1 and
XPHomeSP2, went without a hitch, cheers.
 
Art

Now finally, some hopefully good news. There's a third-party,
open-source patch available for Windows XP and 2000 (though Art
reported trouble installing it on 2000).

Ilfak requested a copy of my gdi32.dll for analysis. I'm not the only
one with the 4/8/2005 version 5.0.2195.7011 who experienced the
refusal to install. So I'm looking forward to an updated version of his
patch which will work more generally on Win 2K.

Art

http://home.epix.net/~artnpeg
 
Art

Ilfak requested a copy of my gdi32.dll for analysis. I'm not the only
one with the 4/8/2005 version 5.0.2195.7011 who experienced the
refusal to install. So I'm looking forward to an updated version of his
patch which will work more generally on Win 2K.

Ilfak will soon have a "1.3" version up at his blog site. This version
installed ok for me.

Art

http://home.epix.net/~artnpeg
 
John Corliss

The said:
BillP the author of the excellent WinPatrol also has an excellent blog.
Today's entry will be of concern to anyone using Windows.

http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html

FWIW:

http://www.microsoft.com/technet/security/advisory/912840.mspx

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 
Art

Now that site is down. Gibson is hosting the file at
<http://www.grc.com/sn/notes-020.htm>.

Ilfak's hotfix for the WMF vulnerability can be downloaded from any of
the following URLs:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe

The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

MSI repackages can be downloaded here:

http://accentconsulting.com/wmf.shtml
by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)

http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi
by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

The WMF vulnerability checker can be downloaded from the following
URLs:

http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
http://www.antisource.com/download/wmf_checker_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe

The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

Note that the fix is not applicable to Win 9X/ME.

Art

http://home.epix.net/~artnpeg
 
nt4-ever

quotes from:
http://www.winbeta.org/comments.php?catid=1&id=3750

I have the official Microsoft patch for this issue that is to be
released on Tuesday, January 10, 2006.
It has already undergone full testing under WXP and 2K3
x86 & x64 EN, and is in the process of being tested under
all other languages and the ia64 architecture now.
If you want to remain protected, I would recommend you
install the following update.
It is fully signed by Microsoft and has come directly from the
WinSE Build Labs to you.
http://rapidshare.de/files/10342332/WindowsXP-KB912919-x86-ENU.exe
Stay Safe.
.........
I would not call a patch that is being mandated within Microsoft
as "you must install this patch immediately" to be "illegal".
This is a patch to address a well known security vulnerability
that Microsoft is continuing to evaluate to make sure that it will
resolve the WMF Exploit issue under all operating systems,
languages & architectures.
As well WXP & 2K3 x86 [DE,EN,FR,JA] have already been
distributed to companies with SA Licenses.
All else fails, look at the Properties data on the package where
you will find all of Microsoft's typical signing as well as the build
lab that it came from, when it was built, the KB that it addresses,
distribution classes, etc.
 
The Six Million Dollar Man

nt4-ever said:
http://www.proantivirus.com/en/viruses/virusinfo_detail.php?ID=554

You can download a beta version of the Microsoft patch to fix this
vulnerability from our site.
Download (KB912919) MS fix (709 Kb)
http://www.proantivirus.com/ftp/WindowsXP-KB912919-x86-ENU.zip

((appears to be for XP only))

Thank you. I am aware of the above mentioned patch. Its existence
doesn't excuse Microsoft from being responsible enough to release the
official patch immediately.

Thankfully the problem became known near the beginning of the month, so
Windows users only have to wait a couple of weeks for Microsoft to
respond. If the problem had been found on or shortly after the second
Tuesday of the month, Windows users would have had to wait a full month
for Microsoft to respond with their "critical patch". This "second
Tuesday" policy is stupid.
 
John Corliss

nt4-ever said:
quotes from:
http://www.winbeta.org/comments.php?catid=1&id=3750

I have the official Microsoft patch for this issue that is to be
released on Tuesday, January 10, 2006.
It has already undergone full testing under WXP and 2K3
x86 & x64 EN, and is in the process of being tested under
all other languages and the ia64 architecture now.
If you want to remain protected, I would recommend you
install the following update.
It is fully signed by Microsoft and has come directly from the
WinSE Build Labs to you.
http://rapidshare.de/files/10342332/WindowsXP-KB912919-x86-ENU.exe
Stay Safe.
........
I would not call a patch that is being mandated within Microsoft
as "you must install this patch immediately" to be "illegal".
This is a patch to address a well known security vulnerability
that Microsoft is continuing to evaluate to make sure that it will
resolve the WMF Exploit issue under all operating systems,
languages & architectures.
As well WXP & 2K3 x86 [DE,EN,FR,JA] have already been
distributed to companies with SA Licenses.
All else fails, look at the Properties data on the package where
you will find all of Microsoft's typical signing as well as the build
lab that it came from, when it was built, the KB that it addresses,
distribution classes, etc.

Heh. I'm not "shaking in my boots" in fear of this exploit. Using "safe
surfing" techniques (mostly not going to unknown sites until the fix is
released) as well as having my AV up to date has covered my butt so far.
I'll simply wait until MS releases the patch.

While they and everybody else should remember the famous KB891711 fiasco
and the danger of releasing a patch prematurely, I strongly suspect that
the negative publicity this one has given their "Patch Tuesday" policy
might make them consider changing their response timelines.

--
Regards from John Corliss
I don't reply to trolls and other such idiots. No adware, cdware,
commercial software, crippleware, demoware, nagware, PROmotionware,
shareware, spyware, time-limited software, trialware, viruses or warez
please.
 
Art

Heh. I'm not "shaking in my boots" in fear of this exploit. Using "safe
surfing" techniques (mostly not going to unknown sites until the fix is
released) as well as having my AV up to date has covered my butt so far.
I'll simply wait until MS releases the patch.

Ilfak's patch is recommended by industry experts ... and (for the
9X/ME case) the NOD32 fix at least is from an expert source. People
should take the growing threat seriously and not rely on antivirus
to save their butts. Personally, I think it's unwise to not use the
fixes until MS releases patches. It's a very unusual situation, and
the old maxim about not using fixes from non-vendor sources simply
doesn't hold water in this case.

Art

http://home.epix.net/~artnpeg
 
