Re: WMF Exploit!!! Install this patch now!
Thanks for the update.....meanwhile, run the patch on the SANS site or
you're open to anything.
Direct link to patch......
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
Jim
"Tom [Pepper] Willett" <tompepper@mvps.invalid> wrote in message
news:%23qOHw%23GEGHA.3148@TK2MSFTNGP10.phx.gbl...
> MS has updated their security advisory to indicate the patch is expected
> to be released on the next patch Tuesday, Jan 10th.
> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> Tom
> "Jim" <reply@groups.please> wrote in message
> news:vLtuf.37301$Lb1.28425@bignews3.bellsouth.net...
> | In case you have been living under a rock for the last week or so, you
> | may not have heard about the WMF Windows exploit.
> |
> | For those rock dwellers, here's the scoop.....short and sweet. Reprinted
> | here without permission from SANS at
> | http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
> |
> | ---------------------------------------------
> |
> | WMF FAQ (NEW)
> | Published: 2006-01-03,
> | Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3
> | (click to highlight changes))
> |
> | [a few users offered translations of this FAQ into various languages.
> | Obviously, we can not check the translation for accuracy, nor can we
> | update them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan,
> | Español, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
> | Slovenian, Chinese, Norwegian and Nederlands (in progress) ]
> |
> |
> | a.. Why is this issue so important?
> | The WMF vulnerability uses images (WMF images) to execute arbitrary code.
> | It will execute just by viewing the image. In most cases, you don't have
> | to click anything. Even images stored on your system may cause the
> | exploit to be triggered if it is indexed by some indexing software.
> | Viewing a directory in Explorer with 'Icon size' images will cause the
> | exploit to be triggered as well.
> |
> | a.. Is it better to use Firefox or Internet Explorer?
> | Internet Explorer will view the image and trigger the exploit without
> | warning. New versions of Firefox will prompt you before opening the
> | image. However, in most environments this offers little protection given
> | that these are images and are thus considered 'safe'.
> |
> | a.. What versions of Windows are affected?
> | All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are
> | affected to some extent. Mac OS-X, Unix or BSD is not affected.
> |
> | Note: If you're still running on Win98/ME, this is a watershed moment:
> | we believe (untested) that your system is vulnerable and there will be no
> | patch from MS. Your mitigation options are very limited. You really need
> | to upgrade.
> |
> | a.. What can I do to protect myself?
> | 1.. Microsoft has not yet released a patch. An unofficial patch was made
> | available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and
> | we tested it. The reviewed and tested version is available here (now at
> | v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with
> | ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
> | 2.. You can unregister the related DLL.
> | 3.. Virus checkers provide some protection.
> | To unregister the DLL:
> |
> | a.. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
> | (without the quotation marks... our editor keeps swallowing the
> | backslashes... it's %windir%(backslash)system32(backslash)shimgvw.dll),
> | and then click OK.
> | b.. A dialog box appears to confirm that the un-registration process
> | has succeeded. Click OK to close the dialog box.
> | Our current "best practice" recommendation is to both unregister the DLL
> | and to use the unofficial patch.
> |
> | a.. How does the unofficial patch work?
> | The wmfhotfix.dll is injected into any process loading user32.dll. The
> | DLL then patches (in memory) gdi32.dll's Escape() function so that it
> | ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should
> | allow Windows programs to display WMF files normally while still blocking
> | the exploit. The version of the patch located here has been carefully
> | checked against the source code provided as well as tested against all
> | known versions of the exploit. It should work on WinXP (SP1 and SP2) and
> | Win2K.
> |
> | a.. Will unregistering the DLL (without using the unofficial patch)
> | protect me?
> | It might help. But it is not foolproof. We want to be very clear on this:
> | we have some very strong indications that simply unregistering the
> | shimgvw.dll isn't always successful. The .dll can be re-registered by
> | malicious processes or other installations, and there may be issues where
> | re-registering the .dll on a running system that has had an exploit run
> | against it allowing the exploit to succeed. In addition it might be
> | possible for there to be other avenues of attack against the Escape()
> | function in gdi32.dll. Until there is a patch available from MS, we
> | recommend using the unofficial patch in addition to un-registering
> | shimgvw.dll.
> |
> | a.. Should I just delete the DLL?
> | It might not be a bad idea, but Windows File Protection will probably
> | replace it. You'll need to turn off Windows File Protection first. Also,
> | once an official patch is available you'll need to replace the DLL.
> | (renaming, rather than deleting is probably better so it will still be
> | handy).
> |
> | a.. Should I just block all .WMF images?
> | This may help, but it is not sufficient. WMF files are recognized by a
> | special header and the extension is not needed. The files could arrive
> | using any extension, or embedded in Word or other documents.
> |
> | a.. What is DEP (Data Execution Protection) and how does it help me?
> | With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
> | range of exploits, by preventing the execution of 'data segments'.
> | However, to work well, it requires hardware support. Some CPUs, like
> | AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the
> | exploit.
> |
> | a.. How good are Anti Virus products to prevent the exploit?
> | At this point, we are aware of versions of the exploit that will not be
> | detected by antivirus engines. We hope they will catch up soon. But it
> | will be a hard battle to catch all versions of the exploit. Up to date AV
> | systems are necessary but likely not sufficient.
> |
> | a.. How could a malicious WMF file enter my system?
> | There are too many methods to mention them all. E-mail attachments, web
> | sites, instant messaging are probably the most likely sources. Don't
> | forget P2P file sharing and other sources.
> |
> | a.. Is it sufficient to tell my users not to visit untrusted web sites?
> | No. It helps, but it's likely not sufficient. We had at least one widely
> | trusted web site (knoppix-std.org) which was compromised. As part of the
> | compromise, a frame was added to the site redirecting users to a corrupt
> | WMF file. "Trusted" sites have been used like this in the past.
> |
> | a.. What is the actual problem with WMF images here?
> | WMF images are a bit different than most other images. Instead of just
> | containing simple 'this pixel has that color' information, WMF images
> | can call external procedures. One of these procedure calls can be used to
> | execute the code.
> |
> | a.. Should I use something like "dropmyrights" to lower the impact of
> | an exploit?
> | By all means yes. Also, do not run as an administrator level user for
> | every day work. However, this will only limit the impact of the exploit,
> | and not prevent it. Also: Web browsing is only one way to trigger the
> | exploit. If the image is left behind on your system, and later viewed by
> | an administrator, you may get 'hit'.
> |
> | a.. Are my servers vulnerable?
> | Maybe... do you allow the uploading of images? email? Are these images
> | indexed? Do you sometimes use a web browser on the server? In short: If
> | someone can get an image to your server, and if the vulnerable DLL may
> | look at it, your server may very well be vulnerable.
> |
> | a.. What can I do at my perimeter / firewall to protect my network?
> | Not much. A proxy server that strips all images from web sites? Probably
> | won't go over well with your users. At least block .WMF images (see
> | above about extensions...). If your proxy has some kind of virus checker,
> | it may catch it. Same for mail servers. The less you allow your users to
> | initiate outbound connections, the better. Close monitoring of user
> | workstations may provide a hint if a work station is infected.
> |
> | a.. Can I use an IDS to detect the exploit?
> | Most IDS vendors are working on signatures. Contact your vendor for
> | details. Bleedingsnort.org is providing some continuously improving
> | signatures for snort users.
> |
> | a.. If I get hit by the exploit, what can I do?
> | Not much :-(. It very much depends on the exact exploit you are hit with.
> | Most of them will download additional components. It can be very hard,
> | or even impossible, to find all the pieces. Microsoft offers free support
> | for issues like that at 866-727-2389 (866 PC SAFETY).
> |
> | a.. Does Microsoft have information available?
> | http://www.microsoft.com/technet/sec...ry/912840.mspx
> | But there is no patch at the time of this writing.
> |
> |
> | a.. What does CERT have to say?
> | http://www.kb.cert.org/vuls/id/181038
> | http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
> |
> |
> | -----------------------------------------
> |
> | So run the patch, reboot and keep your fingers crossed!
> |
> | Jim
> |
> |
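The FAQ makes two points a defender can turn into a content check: WMF files are recognised by their header, not their extension (so blocking *.wmf at the perimeter is not enough), and the exploit rides on the Escape() record with the SETABORTPROC (0x09) parameter that the unofficial patch filters out. The script below is an added example written for this thread, not code from SANS, Microsoft or the patch author; it identifies WMF content by its METAHEADER regardless of the file name and flags META_ESCAPE records carrying SETABORTPROC, the same idea as the IDS signatures the FAQ mentions. Record and header layouts follow the public WMF specification; the sample files it scans are constructed inline (a benign metafile and one containing a bare SETABORTPROC escape record with no payload) and the function names are my own.

```python
"""Header-based WMF identification and SETABORTPROC escape detection.

Added example for this thread; constants follow the WMF file format
(METAHEADER, placeable header, META_ESCAPE). Sample inputs are constructed.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key (little-endian DWORD)
META_ESCAPE = 0x0626           # record function that calls GDI Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009          # the escape function the FAQ's patch blocks
METAHEADER_LEN = 18            # 9 WORDs


def _strip_placeable(data: bytes) -> bytes:
    """Drop the optional 22-byte placeable header so the METAHEADER is at offset 0."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:]
    return data


def looks_like_wmf(data: bytes) -> bool:
    """Recognise a WMF by its METAHEADER fields, whatever the extension says."""
    body = _strip_placeable(data)
    if len(body) < METAHEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def find_setabortproc_escapes(data: bytes) -> list:
    """Byte offsets (after any placeable header) of META_ESCAPE records
    whose escape function is SETABORTPROC. Walks records by their size field."""
    body = _strip_placeable(data)
    hits = []
    off = METAHEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        if size_words < 3 or func == META_EOF:      # malformed size or end of file
            break
        if func == META_ESCAPE and off + 8 <= len(body):
            escape_fn = struct.unpack_from("<H", body, off + 6)[0]
            if escape_fn == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def classify(data: bytes) -> str:
    """'not-wmf', 'wmf', or 'wmf-setabortproc' for a blob of file content."""
    if not looks_like_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc_escapes(data) else "wmf"


# --- constructed samples (test fixtures, not real files) ---------------------
def _metaheader(total_words: int, max_record_words: int) -> bytes:
    # type=2 (disk), headersize=9, version=0x300, size, objects, maxrecord, members
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_record_words, 0)


def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_benign_wmf() -> bytes:
    eof = _record(META_EOF)
    return _metaheader(9 + len(eof) // 2, len(eof) // 2) + eof


def build_escape_wmf(placeable: bool = False) -> bytes:
    """Header plus one META_ESCAPE/SETABORTPROC record with 4 zero bytes of data."""
    esc = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    eof = _record(META_EOF)
    body = _metaheader(9 + (len(esc) + len(eof)) // 2, len(esc) // 2) + esc + eof
    if placeable:
        body = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + body
    return body


if __name__ == "__main__":
    # Note the file names: extension tells you nothing about the content.
    samples = {
        "holiday.jpg": build_escape_wmf(),
        "logo.gif": b"GIF89a" + b"\x00" * 40,
        "chart.wmf": build_benign_wmf(),
        "icon.bmp": build_escape_wmf(placeable=True),
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {classify(blob)}")
```

Run over an upload directory or a mail gateway's attachment store, the extension mismatch alone is a useful signal; a hit on the SETABORTPROC check is what the FAQ's patch is blocking and is worth quarantining. Legitimate metafiles can contain other Escape() records, which is why the check keys on the escape function and not on META_ESCAPE alone.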