MS has updated their security advisory to indicate the patch is expected to
be released on the next patch Tuesday, Jan 10th.
http://www.microsoft.com/technet/sec...ry/912840.mspx
Tom
"Jim" <reply@groups.please> wrote in message
news:vLtuf.37301$Lb1.28425@bignews3.bellsouth.net...
| In case you have been living under a rock for the last week or so, you may
| not have heard about the WMF Windows exploit.
|
| For those rock dwellers, here's the scoop.....short and sweet. Reprinted
| here without permission from SANS at
| http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
|
| ---------------------------------------------
|
| WMF FAQ (NEW)
| Published: 2006-01-03,
| Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3
| (click to highlight changes))
|
| [a few users offered translations of this FAQ into various languages.
| Obviously, we cannot check the translation for accuracy, nor can we
| update them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan,
| Español, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
| Slovenian, Chinese, Norwegian and Nederlands (in progress) ]
|
|
| a.. Why is this issue so important?
| The WMF vulnerability uses images (WMF images) to execute arbitrary code.
| It will execute just by viewing the image. In most cases, you don't have
| to click anything. Even images stored on your system may cause the exploit
| to be triggered if it is indexed by some indexing software. Viewing a
| directory in Explorer with 'Icon size' images will cause the exploit to be
| triggered as well.
|
| a.. Is it better to use Firefox or Internet Explorer?
| Internet Explorer will view the image and trigger the exploit without
| warning. New versions of Firefox will prompt you before opening the image.
| However, in most environments this offers little protection given that
| these are images and are thus considered 'safe'.
|
| a.. What versions of Windows are affected?
| All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are
| affected to some extent. Mac OS-X, Unix or BSD are not affected.
|
| Note: If you're still running on Win98/ME, this is a watershed moment: we
| believe (untested) that your system is vulnerable and there will be no
| patch from MS. Your mitigation options are very limited. You really need
| to upgrade.
|
| a.. What can I do to protect myself?
| 1.. Microsoft has not yet released a patch. An unofficial patch was made
| available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
| tested it. The reviewed and tested version is available here (now at v1.4,
| MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC
| key) here. THANKS to Ilfak Guilfanov for providing the patch!!
| 2.. You can unregister the related DLL.
| 3.. Virus checkers provide some protection.
| To unregister the DLL:
|
| a.. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
| (without the quotation marks... our editor keeps swallowing the
| backslashes... it's %windir%(backslash)system32(backslash)shimgvw.dll), and
| then click OK.
| b.. A dialog box appears to confirm that the un-registration process has
| succeeded. Click OK to close the dialog box.
| Our current "best practice" recommendation is to both unregister the DLL
| and to use the unofficial patch.
|
| a.. How does the unofficial patch work?
| The wmfhotfix.dll is injected into any process loading user32.dll. The
| DLL then patches (in memory) gdi32.dll's Escape() function so that it
| ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should
| allow Windows programs to display WMF files normally while still blocking
| the exploit. The version of the patch located here has been carefully
| checked against the source code provided as well as tested against all
| known versions of the exploit. It should work on WinXP (SP1 and SP2) and
| Win2K.
|
| a.. Will unregistering the DLL (without using the unofficial patch)
| protect me?
| It might help. But it is not foolproof. We want to be very clear on this:
| we have some very strong indications that simply unregistering the
| shimgvw.dll isn't always successful. The .dll can be re-registered by
| malicious processes or other installations, and there may be issues where
| re-registering the .dll on a running system that has had an exploit run
| against it allows the exploit to succeed. In addition it might be
| possible for there to be other avenues of attack against the Escape()
| function in gdi32.dll. Until there is a patch available from MS, we
| recommend using the unofficial patch in addition to un-registering
| shimgvw.dll.
|
| a.. Should I just delete the DLL?
| It might not be a bad idea, but Windows File Protection will probably
| replace it. You'll need to turn off Windows File Protection first. Also,
| once an official patch is available you'll need to replace the DLL.
| (renaming, rather than deleting is probably better so it will still be
| handy).
|
| a.. Should I just block all .WMF images?
| This may help, but it is not sufficient. WMF files are recognized by a
| special header and the extension is not needed. The files could arrive
| using any extension, or embedded in Word or other documents.
|
| a.. What is DEP (Data Execution Protection) and how does it help me?
| With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
| range of exploits, by preventing the execution of 'data segments'.
| However, to work well, it requires hardware support. Some CPUs, like AMD's
| 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.
|
| a.. How good are anti-virus products at preventing the exploit?
| At this point, we are aware of versions of the exploit that will not be
| detected by antivirus engines. We hope they will catch up soon. But it
| will be a hard battle to catch all versions of the exploit. Up to date AV
| systems are necessary but likely not sufficient.
|
| a.. How could a malicious WMF file enter my system?
| There are too many methods to mention them all. E-mail attachments, web
| sites, instant messaging are probably the most likely sources. Don't
| forget P2P file sharing and other sources.
|
| a.. Is it sufficient to tell my users not to visit untrusted web sites?
| No. It helps, but it's likely not sufficient. We had at least one widely
| trusted web site (knoppix-std.org) which was compromised. As part of the
| compromise, a frame was added to the site redirecting users to a corrupt
| WMF file. "Trusted" sites have been used like this in the past.
|
| a.. What is the actual problem with WMF images here?
| WMF images are a bit different than most other images. Instead of just
| containing simple 'this pixel has that color' information, WMF images can
| call external procedures. One of these procedure calls can be used to
| execute the code.
|
| a.. Should I use something like "dropmyrights" to lower the impact of an
| exploit?
| By all means yes. Also, do not run as an administrator-level user for
| everyday work. However, this will only limit the impact of the exploit, and
| not prevent it. Also: Web browsing is only one way to trigger the exploit.
| If the image is left behind on your system, and later viewed by an
| administrator, you may get 'hit'.
|
| a.. Are my servers vulnerable?
| Maybe... do you allow the uploading of images? email? Are these images
| indexed? Do you sometimes use a web browser on the server? In short: If
| someone can get an image to your server, and if the vulnerable DLL may look
| at it, your server may very well be vulnerable.
|
| a.. What can I do at my perimeter / firewall to protect my network?
| Not much. A proxy server that strips all images from web sites? Probably
| won't go over well with your users. At least block .WMF images (see above
| about extensions...). If your proxy has some kind of virus checker, it may
| catch it. Same for mail servers. The less you allow your users to initiate
| outbound connections, the better. Close monitoring of user workstations
| may provide a hint if a work station is infected.
|
| a.. Can I use an IDS to detect the exploit?
| Most IDS vendors are working on signatures. Contact your vendor for
| details. Bleedingsnort.org is providing some continuously improving
| signatures for snort users.
|
| a.. If I get hit by the exploit, what can I do?
| Not much :-(. It very much depends on the exact exploit you are hit with.
| Most of them will download additional components. It can be very hard, or
| even impossible, to find all the pieces. Microsoft offers free support for
| issues like that at 866-727-2389 (866 PC SAFETY).
|
| a.. Does Microsoft have information available?
| http://www.microsoft.com/technet/sec...ry/912840.mspx
| But there is no patch at the time of this writing.
|
|
| a.. What does CERT have to say?
| http://www.kb.cert.org/vuls/id/181038
| http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
|
|
| -----------------------------------------
|
| So run the patch, reboot and keep your fingers crossed!
|
| Jim
|
|
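Two points in the FAQ above are directly actionable for a defender: a WMF file is recognised by its header rather than its extension (so blocking ".wmf" is not enough), and the record that matters is an Escape() call with the SETABORTPROC (0x09) subfunction, which is exactly what the unofficial hotfix refuses. The Python script below is an added example; it is not code from either post, from SANS or from the hotfix. It parses the standard WMF header and record stream (layout and record codes from the Windows Metafile format: 0x0626 for META_ESCAPE, 0x041B for META_RECTANGLE, 0x0000 for META_EOF) and flags any META_ESCAPE record whose subfunction is SETABORTPROC, whatever the file is named. The two sample files are constructed inline: a harmless rectangle drawing and a minimal escape record with four zero bytes of escape data and nothing else, used only to exercise the scanner.

```python
import struct

# Constants from the Windows Metafile (WMF) format; the FAQ names SETABORTPROC (0x09)
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_RECTANGLE = 0x041B
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7       # optional 22-byte "placeable" prefix before the real header
STD_HEADER_LEN = 18              # METAHEADER: 9 words


def strip_placeable(data: bytes) -> bytes:
    """Drop the optional placeable header so parsing starts at the METAHEADER."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """Recognise a WMF by its header fields, not by its file extension."""
    data = strip_placeable(data)
    if len(data) < STD_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # mtType: 1 = memory metafile, 2 = disk metafile; mtHeaderSize is always 9 words
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def scan_wmf(data: bytes) -> list:
    """Walk the record stream; report Escape/SETABORTPROC records and bad sizes.

    Each finding is (kind, offset, detail) with kind "setabortproc" or "malformed".
    """
    findings = []
    if not is_wmf(data):
        return findings
    data = strip_placeable(data)
    offset = STD_HEADER_LEN
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)  # rdSize, rdFunction
        rec_len = size_words * 2                                   # rdSize counts 16-bit words
        if size_words < 3:
            findings.append(("malformed", offset, "record size below the 3-word minimum"))
            break
        if offset + rec_len > len(data):
            findings.append(("malformed", offset, "record runs past end of data"))
            break
        if func == META_ESCAPE and rec_len >= 10:
            # META_ESCAPE parameters: EscapeFunction (WORD), ByteCount (WORD), data
            esc_func, byte_count = struct.unpack_from("<HH", data, offset + 6)
            if esc_func == SETABORTPROC:
                findings.append(("setabortproc", offset,
                                 f"META_ESCAPE with SETABORTPROC, {byte_count} escape bytes"))
        if func == META_EOF:
            break
        offset += rec_len
    return findings


# --- constructed sample files (built here for the example, not real-world samples) ---

def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0, "WMF parameters are 16-bit words"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Assemble a memory metafile: 18-byte METAHEADER followed by the records."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (STD_HEADER_LEN + len(body)) // 2,
                         0, max_words, 0)
    return header + body


# A harmless drawing: one rectangle (bottom, right, top, left) then EOF
BENIGN_WMF = build_wmf([_record(META_RECTANGLE, struct.pack("<HHHH", 10, 10, 0, 0)),
                        _record(META_EOF, b"")])

# The record shape the hotfix blocks: META_ESCAPE with subfunction SETABORTPROC.
# Escape data is four zero bytes; this is a scanner test input, not an exploit.
SUSPECT_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                         _record(META_EOF, b"")])


if __name__ == "__main__":
    # File names are deliberately misleading: the scanner never looks at them.
    for name, blob in (("holiday.jpg", BENIGN_WMF), ("holiday.gif", SUSPECT_WMF)):
        print(name, "is WMF:", is_wmf(blob), "findings:", scan_wmf(blob))
```

Run it as a plain script, or feed `scan_wmf()` the bytes of attachments pulled off a mail gateway or proxy. A hit on "setabortproc" is a strong signal for the 2005/2006 exploit family; a "malformed" finding on a file that still passes `is_wmf()` is worth a look too, since truncated or oversized records are a common sign of a hand-built file rather than an application-saved one.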