WMF flaw can't wait for Microsoft fix, researchers say
computerworld.co.nz | Wednesday, 4 January, 2006 | Peter Sayer, Paris
Posted on 01/03/2006 9:41:05 AM PST by Ernest_at_the_Beach
Users of the Windows OS should install an unofficial security patch now, without waiting for Microsoft to make its move, advise security researchers at The SANS Institute's Internet Storm Center (ISC).
Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP and Server 2003 handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an email message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure say. The .jpg name is no defence: the Windows graphics engine identifies the format from the file's content rather than its extension, so it renders the attachment as a WMF, and the specially crafted metafile causes the code embedded in it to run.
Microsoft advised on 28 December that to exploit a WMF vulnerability by email, "customers would have to be persuaded to click on a link within a malicious email or open an attachment that exploited the vulnerability."
However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as the Google Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko Hypponen writes in the company's blog.
In addition, source code for a new exploit was widely available on the internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor, researchers say.
These factors exacerbate the problem, according to Ken Dunham, director of the rapid response team at iDefense.
"Risk has gone up significantly in the past 24 hours for any network still not protected against the WMF exploit," Dunham warns.
Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC web site.
"We have very carefully scrutinised this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston writes in the diary.
"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston writes.
In the diary, ISC provides a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.
While ISC recognises that corporate users will find it unacceptable to install an unofficial patch, "Acceptable or not, folks, you have to trust someone in this situation," Liston writes.
Due to public holidays in Europe, Microsoft representatives could not immediately be reached for comment.
F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's blog on Saturday night, and then on Sunday echoed the ISC's advice to install the patch.
Not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.
According to iDefense's Dunham, Windows machines with Data Execution Prevention (DEP) enabled are at least safe from the WMF attacks seen so far. Microsoft, however, says that software-enforced DEP offers no protection from the threat, although hardware-enforced DEP (which needs a CPU with no-execute support and a Windows version that uses it) may help.
TOPICS: Business/Economy; Computers/Internet
KEYWORDS: malware; wmf
To: ShadowAce
To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
3 posted on 01/03/2006 10:19:45 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: ShadowAce
You know this is all because IBM uses linux in China....
4 posted on 01/03/2006 10:34:05 AM PST by Salo (He hath touched me with his noodly appendage. Ramen.)
To: Salo
You know this is all because IBM uses linux in China....
I heard some crapper say it's because George Bush doesn't like Windows.
5 posted on 01/03/2006 10:41:12 AM PST by GaltMeister (“All that is necessary for the triumph of evil is that good men do nothing.”)
To: Ernest_at_the_Beach
I notice that any machine using an AMD64 CPU is not vulnerable to this or to any similar exploit. This is probably true of Intel 64 bit enabled chips also.
6 posted on 01/03/2006 10:52:15 AM PST by js1138 (Great is the power of steady misrepresentation.)
To: Ernest_at_the_Beach
Not all computers are vulnerable to the WMF threat: those running non-Windows operating systems are not affected.
Sometimes it pays to be different.
Actually, it pays almost all the time in this case.
7 posted on 01/03/2006 10:54:25 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
To: GaltMeister
Bush has been known to stay up past his 9:30 bed time coding 'sploits against MS on his powerbook. He's pure evil, man.
8 posted on 01/03/2006 11:14:35 AM PST by Salo (He hath touched me with his noodly appendage. Ramen.)
To: Salo; All
From http://isc.sans.org/diary.php ...
- Does Microsoft have information available?
To: All
From source I just referenced above there is this:
**********************************
- What versions of Windows are affected?
Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS X, Unix and BSD are not affected.
********************************************
Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
To: js1138
I'm not sure that is true. The software must implement the feature; if you are not running the 64-bit version of Windows, it doesn't know anything about the hardware feature.
Seems to me...
To: Ernest_at_the_Beach
XP uses the feature. I don't think W2k or 98 use the feature.
12 posted on 01/03/2006 11:36:43 AM PST by js1138 (Great is the power of steady misrepresentation.)
To: Ernest_at_the_Beach
Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
I smell lawsuit!
To: GaltMeister
I heard some crapper say it's because George Bush doesn't like Windows.
I learn to respect Bush a little bit more each day.
14 posted on 01/03/2006 12:13:04 PM PST by youngtechster (I had college once, but I drank some fluids, got a lot of rest, and eventually I was cured.)
To: Ernest_at_the_Beach
No, Microsoft never sits on a patch, or so the cheerleaders here tell us.
To: antiRepublicrat
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution
Published: December 28, 2005 | Updated: January 3, 2006

On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform. Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.

Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track. Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing. The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time. Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement.

Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is not widespread. In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures. Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems. Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

Microsoft considers the intentional use of exploit code, in any form, to cause damage to computer users to be a criminal offense. Accordingly, we continue to work closely with our anti-virus partners and we are assisting law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers who believe they may have been affected by this issue can also contact Product Support Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.
• In an E-mail based attack involving the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. At this point, no attachment has been identified in which a user can be attacked simply by reading mail.
• An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text. See the FAQ section of this vulnerability for more information about Internet Explorer Enhanced Security Configuration.

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed and exploited vulnerability. For more information see the “Suggested Actions” section of the security advisory.
Advisory Status: Issue Confirmed, Security Update Planned
Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Note: Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition also refer to Microsoft Windows Server 2003 R2.

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Yes, Microsoft has confirmed this vulnerability and will include the fix for this issue in an upcoming security bulletin.

What causes the vulnerability?
A vulnerability exists in the way specially crafted Windows Metafile (WMF) images are handled that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system. For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. This issue is not known to be wormable. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. Note: In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.

I have DEP enabled on my system, does this help mitigate the vulnerability?
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled. Please consult with your hardware manufacturer for more information on how to enable this feature and whether it can provide mitigation.

Does this vulnerability affect image formats other than Windows Metafile (WMF)?
The only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation.

Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.

If I block .wmf files by extension, can this protect me against attempts to exploit this vulnerability?
No. Because the Graphics Rendering Engine determines file type by means other than just looking at the file extensions, it is possible for WMF files with changed extensions to still be rendered in a way that could exploit the vulnerability.

Does the workaround in this advisory protect me from attempts to exploit this vulnerability through WMF files with changed extensions?
Yes. Microsoft has tested and can confirm the workaround in this advisory helps protect against WMF files with changed extensions.

It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.

Will my anti-virus software protect me from exploitation of this vulnerability?
As of the latest update to this advisory the following members of the Virus Information Alliance have indicated that their anti-virus software provides protection from exploitation of Windows Metafile (WMF) files using the vulnerability discussed in this advisory.
In addition Microsoft is providing heuristic protection against exploitation of this vulnerability through Windows Metafile (WMF) files in our new Windows OneCare Live Beta.
As currently known attacks can change, the level of protection offered by anti-virus vendors at any time may vary. Customers are advised to contact their preferred anti-virus vendor with any questions they may have or to confirm additional information regarding their vendor’s method of protection against exploitation of this vulnerability.

When this security advisory was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security advisory was released, Microsoft had received information that this vulnerability was being actively exploited.

What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?
Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously. Microsoft cannot provide similar assurance for independent third party security updates.

Why is it taking Microsoft so long to issue a security update?
Creating security updates that effectively fix vulnerabilities is an extensive process. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update. When a potential vulnerability is reported, designated product specific security experts investigate the scope and impact of a threat on the affected product. Once the MSRC knows the extent and the severity of the vulnerability, they work to develop an update for every supported version affected. Once the update is built, it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.

Suggested Actions:
• Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1. Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section. Note: The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine. To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
• Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
• Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at the Security Help and Support for Home Users Web site.
• All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
• Protect Your PC: We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
• Keep Windows Updated: All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Resources:

Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
• December 28, 2005: Advisory published
• December 29, 2005: Advisory updated. FAQ section updated.
• December 30, 2005: Advisory updated. FAQ section updated.
• January 3, 2006: Information has been added to the beginning of the advisory as well as the FAQ section to provide updated information about the state of the investigation. Information has also been added to the FAQ section regarding reports of a third party security update for this issue.

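The article above ("HappyNewYear.jpg" is rendered as a WMF because the engine identifies the format from content, not from the file name) and the advisory FAQ just quoted (blocking .wmf by extension does not help) describe the same property, and a practitioner wants the same check for both: identify WMF data by content and look for the one record the circulating exploits depend on. The block below is an added example written for this page, not code from Computerworld, SANS, F-Secure or Microsoft. It parses the 16-bit WMF header and record list and flags any META_ESCAPE record whose escape subfunction is SETABORTPROC, which is the record the late-2005 exploits used to get GDI to call the bytes that followed it. The record and escape numbers are the documented WMF constants; the three sample files are constructed inside the block (the "disguised" fixture carries zero bytes where an exploit would carry code), and the attachment names in the demo are invented.

```python
import struct

# Documented 16-bit Windows Metafile constants.
META_ESCAPE = 0x0626        # record carrying a printer Escape() call
SETABORTPROC = 0x0009       # Escape subfunction abused by the late-2005 WMF exploits
META_EOF = 0x0000           # terminating record
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" (Aldus) header
HEADER_LEN = 18             # size in bytes of the standard METAHEADER


def _header_offset(data: bytes) -> int:
    """Return the offset of the METAHEADER, skipping a placeable header if present."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22
    return 0


def looks_like_wmf(data: bytes) -> bool:
    """Content-based identification. The file extension is deliberately not consulted,
    because the rendering engine does not consult it either."""
    off = _header_offset(data)
    if len(data) < off + HEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, off)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def scan_wmf(data: bytes) -> dict:
    """Walk the record list and report every META_ESCAPE/SETABORTPROC record.

    Returns {"is_wmf": bool, "setabortproc_at": [byte offsets], "malformed": bool}.
    Each record starts with a DWORD size in 16-bit words (minimum 3: size + function)
    and a WORD function number. A size below 3 cannot be valid, so the walk stops and
    the file is reported as malformed instead of being silently passed.
    """
    result = {"is_wmf": False, "setabortproc_at": [], "malformed": False}
    if not looks_like_wmf(data):
        return result
    result["is_wmf"] = True
    off = _header_offset(data) + HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            result["malformed"] = True
            break
        params = data[off + 6 : off + size_words * 2]
        # META_ESCAPE parameters: WORD escape subfunction, WORD byte count, then data.
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                result["setabortproc_at"].append(off)
        if func == META_EOF:
            break
        off += size_words * 2
    return result


def build_wmf(records) -> bytes:
    """Assemble a minimal disk metafile from (function, params) pairs. Used only to
    construct the sample inputs below; appends the mandatory EOF record."""
    body = b""
    max_words = 3
    for func, params in list(records) + [(META_EOF, b"")]:
        words = 3 + len(params) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    # mtType=1, mtHeaderSize=9 words, mtVersion=0x0300, mtSize in words, 0 objects,
    # mtMaxRecord, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed sample inputs (not captured files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32        # a real JPEG prefix
BENIGN_WMF = build_wmf([(0x0201, struct.pack("<HH", 0x00FF, 0x0000))])  # META_SETBKCOLOR only
# WMF with a SETABORTPROC escape followed by eight zero bytes. Exploit files put code
# there; this fixture has none and exists only to exercise the detector.
DISGUISED_JPG = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)])


def verdict(name: str, data: bytes) -> str:
    """Classify an attachment. `name` is echoed in the report but never used to decide."""
    r = scan_wmf(data)
    if not r["is_wmf"]:
        return f"{name}: not a WMF"
    if r["setabortproc_at"]:
        return f"{name}: WMF with SETABORTPROC escape at {r['setabortproc_at']} -- block"
    if r["malformed"]:
        return f"{name}: WMF with malformed record list -- quarantine"
    return f"{name}: WMF, no SETABORTPROC record"


if __name__ == "__main__":
    for fname, blob in [("photo.jpg", SAMPLE_JPEG), ("chart.wmf", BENIGN_WMF),
                        ("HappyNewYear.jpg", DISGUISED_JPG)]:
        print(verdict(fname, blob))
```

Two caveats. A SETABORTPROC escape has no sensible meaning in a file on disk (it names an in-memory callback for print jobs), so its presence is a strong signal on its own, but this scanner only sees WMF data that is the whole file; it will not find a metafile embedded in a container such as a Word document, which the advisory FAQ separately discusses. It also stops at the first record whose size field is impossible and reports the file as malformed rather than guessing where the next record starts, since the rendering engine's own handling of bad sizes is exactly what is in question.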
To: Dont Mention the War
I smell lawsuit!
The Microsoft site says they'll provide critical security updates for Windows 98SE in the U.S. through June 30, 2006. Of course, they could just redefine it as non-critical to get around the problem.
To: antiRepublicrat; Dont Mention the War
To: Ernest_at_the_Beach; All
I have some links handy (rummaging around old files hastily)...
John's Note:
I tried this-- seems OK on Win 2K:
Here's an update to the unofficial fix posted above. The folks at sans.org have taken the patch apart and modified it to work on WIN2K systems. It's running on my system with no apparent ill effects. I'll be patching the other computers in the house shortly. The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
Subnote: V-lan works fine on my home machines; others I know swear it "hosed my codecs", so be advised I provide that and other links on a "use with caution" basis.
19 posted on 01/03/2006 4:23:03 PM PST by backhoe (-30-)
To: antiRepublicrat
oddly enough, they've been absent on these WMF threads.