  #3  
Old 01-05-2006, 02:33 AM
Jonny
 
Re: WMF Exploit!!!! Install this patch now!

Will disabling the file extension's default program to open wmf files (setting
it to none) do the job, along with uninstalling Windows Media Player?

--
Jonny
"Jim" <reply@groups.please> wrote in message
news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.net...
> In case you have been living under a rock for the last week or so, you may
> not have heard about the WMF Windows exploit.
>
> For those rock dwellers, here's the scoop.....short and sweet. Reprinted
> here without permission from SANS at
> http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... .
>
> ---------------------------------------------
>
> WMF FAQ (NEW)
> Published: 2006-01-03,
> Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3
> (click to highlight changes))
>
> [a few users offered translations of this FAQ into various languages.
> Obviously, we can not check the translation for accuracy, nor can we
> update them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan,
> Español, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
> Slovenian, Chinese, Norwegian and Nederlands (in progress) ]
>
>
> a.. Why is this issue so important?
> The WMF vulnerability uses images (WMF images) to execute arbitrary code.
> It will execute just by viewing the image. In most cases, you don't have
> to click anything. Even images stored on your system may cause the exploit
> to be triggered if it is indexed by some indexing software. Viewing a
> directory in Explorer with 'Icon size' images will cause the exploit to be
> triggered as well.
>
> a.. Is it better to use Firefox or Internet Explorer?
> Internet Explorer will view the image and trigger the exploit without
> warning. New versions of Firefox will prompt you before opening the image.
> However, in most environments this offers little protection given that
> these are images and are thus considered 'safe'.
>
> a.. What versions of Windows are affected?
> All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are
> affected to some extent. Mac OS X, Unix or BSD are not affected.
>
> Note: If you're still running on Win98/ME, this is a watershed moment: we
> believe (untested) that your system is vulnerable and there will be no
> patch from MS. Your mitigation options are very limited. You really need
> to upgrade.
>
> a.. What can I do to protect myself?
> 1.. Microsoft has not yet released a patch. An unofficial patch was made
> available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
> tested it. The reviewed and tested version is available here (now at v1.4,
> MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC
> key) here. THANKS to Ilfak Guilfanov for providing the patch!!
> 2.. You can unregister the related DLL.
> 3.. Virus checkers provide some protection.
> To unregister the DLL:
>
> a.. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
> (without the quotation marks... our editor keeps swallowing the
> backslashes... it's %windir%(backslash)system32(backslash)shimgvw.dll), and
> then click OK.
> b.. A dialog box appears to confirm that the un-registration process has
> succeeded. Click OK to close the dialog box.
> Our current "best practice" recommendation is to both unregister the DLL
> and to use the unofficial patch.
>
> a.. How does the unofficial patch work?
> The wmfhotfix.dll is injected into any process loading user32.dll. The
> DLL then patches (in memory) gdi32.dll's Escape() function so that it
> ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should
> allow Windows programs to display WMF files normally while still blocking
> the exploit. The version of the patch located here has been carefully
> checked against the source code provided as well as tested against all
> known versions of the exploit. It should work on WinXP (SP1 and SP2) and
> Win2K.
>
> a.. Will unregistering the DLL (without using the unofficial patch)
> protect me?
> It might help. But it is not foolproof. We want to be very clear on this:
> we have some very strong indications that simply unregistering the
> shimgvw.dll isn't always successful. The .dll can be re-registered by
> malicious processes or other installations, and there may be issues where
> re-registering the .dll on a running system that has had an exploit run
> against it allowing the exploit to succeed. In addition it might be
> possible for there to be other avenues of attack against the Escape()
> function in gdi32.dll. Until there is a patch available from MS, we
> recommend using the unofficial patch in addition to un-registering
> shimgvw.dll.
>
> a.. Should I just delete the DLL?
> It might not be a bad idea, but Windows File Protection will probably
> replace it. You'll need to turn off Windows File Protection first. Also,
> once an official patch is available you'll need to replace the DLL.
> (Renaming, rather than deleting, is probably better so it will still be
> handy.)
>
> a.. Should I just block all .WMF images?
> This may help, but it is not sufficient. WMF files are recognized by a
> special header and the extension is not needed. The files could arrive
> using any extension, or embedded in Word or other documents.
>
> a.. What is DEP (Data Execution Protection) and how does it help me?
> With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
> range of exploits, by preventing the execution of 'data segments'.
> However, to work well, it requires hardware support. Some CPUs, like AMD's
> 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
>
> a.. How good are Anti Virus products to prevent the exploit?
> At this point, we are aware of versions of the exploit that will not be
> detected by antivirus engines. We hope they will catch up soon. But it
> will be a hard battle to catch all versions of the exploit. Up to date AV
> systems are necessary but likely not sufficient.
>
> a.. How could a malicious WMF file enter my system?
> There are too many methods to mention them all. E-mail attachments, web
> sites, instant messaging are probably the most likely sources. Don't
> forget P2P file sharing and other sources.
>
> a.. Is it sufficient to tell my users not to visit untrusted web sites?
> No. It helps, but it's likely not sufficient. We had at least one widely
> trusted web site (knoppix-std.org) which was compromised. As part of the
> compromise, a frame was added to the site redirecting users to a corrupt
> WMF file. "Trusted" sites have been used like this in the past.
>
> a.. What is the actual problem with WMF images here?
> WMF images are a bit different than most other images. Instead of just
> containing simple 'this pixel has that color' information, WMF images can
> call external procedures. One of these procedure calls can be used to
> execute the code.
>
> a.. Should I use something like "dropmyrights" to lower the impact of an
> exploit?
> By all means yes. Also, do not run as an administrator-level user for
> every day work. However, this will only limit the impact of the exploit,
> and not prevent it. Also: Web browsing is only one way to trigger the
> exploit. If the image is left behind on your system, and later viewed by
> an administrator, you may get 'hit'.
>
> a.. Are my servers vulnerable?
> Maybe... do you allow the uploading of images? email? Are these images
> indexed? Do you sometimes use a web browser on the server? In short: If
> someone can get an image to your server, and if the vulnerable DLL may
> look at it, your server may very well be vulnerable.
>
> a.. What can I do at my perimeter / firewall to protect my network?
> Not much. A proxy server that strips all images from web sites? Probably
> won't go over well with your users. At least block .WMF images (see above
> about extensions...). If your proxy has some kind of virus checker, it may
> catch it. Same for mail servers. The less you allow your users to initiate
> outbound connections, the better. Close monitoring of user workstations
> may provide a hint if a work station is infected.
>
> a.. Can I use an IDS to detect the exploit?
> Most IDS vendors are working on signatures. Contact your vendor for
> details. Bleedingsnort.org is providing some continuously improving
> signatures for snort users.
>
> a.. If I get hit by the exploit, what can I do?
> Not much :-(. It very much depends on the exact exploit you are hit with.
> Most of them will download additional components. It can be very hard, or
> even impossible, to find all the pieces. Microsoft offers free support for
> issues like that at 866-727-2389 (866 PC SAFETY).
>
> a.. Does Microsoft have information available?
> http://www.microsoft.com/technet/sec...ry/912840.mspx
> But there is no patch at the time of this writing.
>
>
> a.. What does CERT have to say?
> http://www.kb.cert.org/vuls/id/181038
> http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
>
>
> -----------------------------------------
>
> So run the patch, reboot and keep your fingers crossed!
>
> Jim
>
>

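Two points in the quoted FAQ bear directly on Jonny's question about extensions: WMF files are recognized by their header, not by the .wmf extension, and the exploit path is an Escape() call carrying SETABORTPROC (0x09). The following is an added example, not code from this post, from SANS or from the unofficial patch: a small Python content scanner that identifies WMF data by header alone and flags any META_ESCAPE record selecting SETABORTPROC, the kind of check a mail gateway or upload handler could apply to a file whatever it is named. The constants (placeable key 0x9AC6CDD7, META_ESCAPE 0x0626, SETABORTPROC 0x0009, the 18-byte META_HEADER) follow the public Windows Metafile specification; the sample files are constructed inside the block with placeholder bytes and carry no payload.

```python
import struct

# Constants from the public Windows Metafile format specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103     # used only to build a harmless sample below
SETABORTPROC = 0x0009        # the escape function the FAQ says the exploit abuses
HEADER_LEN = 18              # META_HEADER: Type, HeaderSize, Version, Size, ...


def strip_placeable_header(data):
    """Drop the optional placeable (Aldus) header if present."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def looks_like_wmf(data):
    """Recognise WMF content by its header alone; the filename is never consulted."""
    body = strip_placeable_header(data)
    if len(body) < HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", body, 0)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def iter_records(body):
    """Yield (offset, function, params) per record; stop at META_EOF or on damage."""
    off = HEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(body):
            # Undersized or truncated record: report it (func=None) and stop.
            yield off, None, body[off:]
            return
        yield off, func, body[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if not looks_like_wmf(data):
        return findings
    body = strip_placeable_header(data)
    for off, func, params in iter_records(body):
        if func is None:
            findings.append({"kind": "malformed_record", "offset": off})
        elif func == META_ESCAPE and len(params) >= 4:
            escape_func, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                findings.append({"kind": "setabortproc_escape",
                                 "offset": off, "data_bytes": byte_count})
    return findings


# --- Constructed samples (not real files; placeholder bytes, no payload) ---

def _record(func, params=b""):
    """Build one record: size in 16-bit words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records, placeable=False):
    """Assemble a minimal disk metafile from the given records plus META_EOF."""
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    total_words = (HEADER_LEN + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16,
                         0, max(len(r) for r in records) // 2, 0)
    data = header + body
    if placeable:
        pre = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0                      # XOR of the first ten 16-bit words
        for i in range(0, 20, 2):
            checksum ^= struct.unpack_from("<H", pre, i)[0]
        data = pre + struct.pack("<H", checksum) + data
    return data


# Harmless: one SetMapMode record, then EOF.
BENIGN_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])
# Same content behind a placeable header, as many real .wmf files have.
PLACEABLE_SAMPLE = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))], placeable=True)
# Suspicious: an Escape record selecting SETABORTPROC with 4 placeholder bytes.
SUSPICIOUS_SAMPLE = _wmf([_record(META_ESCAPE,
                                  struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
# Not a WMF at all (a JPEG-style prefix), whatever extension it might carry.
NOT_WMF = b"\xff\xd8\xff\xe0" + b"\x00" * 40


if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_SAMPLE), ("placeable", PLACEABLE_SAMPLE),
                       ("suspicious", SUSPICIOUS_SAMPLE), ("not_wmf", NOT_WMF)]:
        print(name, looks_like_wmf(blob), scan_wmf(blob))
```

Because `scan_wmf` works on bytes, it can be pointed at an attachment, an upload or a file picked up from a share regardless of its name, which is exactly the gap the FAQ's "block all .WMF images" answer describes. Truncated or undersized records are reported as a finding rather than silently skipped, since a damaged metafile is itself a reason to quarantine rather than render.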