In case you have been living under a rock for the last week or so,
you may not have heard about the WMF Windows exploit.
For those rock dwellers, here's the scoop.....short and sweet. Reprinted
here without permission from SANS at
http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
. ---------------------------------------------
WMF FAQ (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
3(click to highlight changes))
[a few users offered translations of this FAQ into various languages.
Obviously, we can not check the translation for accuracy, nor can we
update them. So use at your own risk: Deutsch and Deutsch (pdf),
Catalan , Español , Italiana and Italiana, Polski, Suomenkielinen,
Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in
progress) ] a.. Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary
code. It will execute just by viewing the image. In most cases, you
don't have click anything. Even images stored on your system may
cause the exploit to be triggered if it is indexed by some indexing
software. Viewing a directory in Explorer with 'Icon size' images
will cause the exploit to be triggered as well.
a.. Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without
warning. New versions of Firefox will prompt you before opening the
image. However, in most environments this offers little protection
given that these are images and are thus considered 'safe'.
a.. What versions of Windows are affected?
All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are
affected to some extent. Mac OS-X, Unix or BSD is not affected.
Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and
there will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade.
a.. What can I do to protect myself?
1.. Microsoft has not yet released a patch. An unofficial patch
was made available by Ilfak Guilfanov. Our own Tom Liston reviewed
the patch and we tested it. The reviewed and tested version is
available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6),
PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov
for providing the patch!! 2.. You can unregister the related DLL.
3.. Virus checkers provide some protection.
To unregister the DLL:
a.. Click Start, click Run, type "regsvr32 -u
%windir%system32shimgvw.dll" (without the quotation marks... our
editor keeps swallowing the backslashes... its
%windir%(backslash)system32(backslash)shimgvw.dll), and then click
OK. b.. A dialog box appears to confirm that the un-registration
process has succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the
DLL and to use the unofficial patch.
a.. How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The
DLL then patches (in memory) gdi32.dll's Escape() function so
that it ignores any call using the SETABORTPROC (ie. 0x09)
parameter. This should allow Windows programs to display WMF files
normally while still blocking the exploit. The version of the patch
located here has been carefully checked against the source code
provided as well as tested against all known versions of the
exploit. It should work on WinXP (SP1 and SP2) and Win2K. a.. Will
unregistering the DLL (without using the unofficial patch)
protect me?
It might help. But it is not foolproof. We want to be very clear on
this: we have some very stong indications that simply unregistering
the shimgvw.dll isn't always successful. The .dll can be
re-registered by malicious processes or other installations, and
there may be issues where re-registering the .dll on a running
system that has had an exploit run against it allowing the exploit
to succeed. In addition it might be possible for there to be other
avenues of attack against the Escape() function in gdi32.dll. Until
there is a patch available from MS, we recommend using the
unofficial patch in addition to un-registering shimgvw.dll.
a.. Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably
replace it. You'll need to turn off Windows File Protection first.
Also, once an official patch is available you'll need to replace the
DLL. (renaming, rather than deleting is probably better so it will
still be handy).
a.. Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by
a special header and the extension is not needed. The files could
arrive using any extension, or embeded in Word or other documents.
a.. What is DEP (Data Execution Protection) and how does it help
me? With Windows XP SP2, Microsoft introduced DEP. It protects against a
wide range of exploits, by preventing the execution of 'data
segements'. However, to work well, it requires hardware support.
Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection
and will prevent the exploit. a.. How good are Anti Virus products to
prevent the exploit?
At this point, we are aware of versions of the exploit that will not
be detected by antivirus engines. We hope they will catch up soon.
But it will be a hard battle to catch all versions of the exploit.
Up to date AV systems are necessary but likely not sufficient.
a.. How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments,
web sites, instant messaging are probably the most likely sources.
Don't forget P2P file sharing and other sources.
a.. Is it sufficient to tell my users not to visit untrusted web
sites? No. It helps, but its likely not sufficient. We had at least
one widely trusted web site (knoppix-std.org) which was
compromissed. As part of the compromise, a frame was added to the
site redirecting users to a corrupt WMF file. "Tursted" sites have
been used like this in the past. a.. What is the actual problem with WMF
images here?
WMF images are a bit different then most other images. Instead of
just containing simple 'this pixel has that color' information, WMF
images can call external procedures. One of these procedure calls
can be used to execute the code.
a.. Should I use something like "dropmyrights" to lower the impact
of an exploit.
By all means yes. Also, do not run as an administrator level users
for every day work. However, this will only limit the impact of the
exploit, and not prevent it. Also: Web browsing is only one way to
trigger the exploit. If the image is left behind on your system, and
later viewed by an administrator, you may get 'hit'.
a.. Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these
images indexed? Do you sometimes use a web browser on the server? In
short: If someone can get a image to your server, and if the
vulnerable DLL may look at it, your server may very well be
vulnerable. a.. What can I do at my perimeter / firewall to protect my
network?
Not much. A proxy server that strips all images from web sites?
Probably wont go over well with your users. At least block .WMF
images (see above about extensions...). If your proxy has some kind
of virus checker, it may catch it. Same for mail servers. The less
you allow your users to initiate outbound connections, the better.
Close monitoring of user workstations may provide a hint if a work
station is infected. a.. Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for
details. Bleedingsnort.org is providing some continuosly improving
signatures for snort users.
a.. If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit
with. Most of them will download additional components. It can be
very hard, or even impossible, to find all the pieces. Microsoft
offers free support for issues like that at 866-727-2389 (866 PC
SAFETY). a.. Does Microsoft have information available?
http://www.microsoft.com/technet/security/advisory/912840.mspx
But there is no patch at the time of this writing.
a.. What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560
-----------------------------------------
So run the patch, reboot and keep your fingers crossed!
Jim