"Extremely Critical" Secunia Advisory

Extremely Critical Windows WMF Handling Arbitrary Code Execution

   
11:15 am on Dec 28, 2005 (gmt 0)
12:09 pm on Dec 28, 2005 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Very odd description.....

As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.

Kaled.

10:21 pm on Dec 28, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My reading says that it is a 'Windows' OS flaw and that IE with security set lower than 'high' will auto open/run a wmf file. As other browsers are (unlikely?) set to autorun an encountered wmf they are not mentioned.

So: set IE security to 'highest' and be inconvenienced all over the web, or run an alternate browser and never open a wmf unless you are absolutely totally certain that it is not infected.

And wait for a Windows fix.
Shall we start a pool on when a quick and dirty fix is available?
When a comprehensive fix is available?

9:23 am on Dec 29, 2005 (gmt 0)

10+ Year Member



>>As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.

[kaspersky.com...]

Mentions Firefox but nothing about Opera is mentioned yet.

6:16 pm on Dec 29, 2005 (gmt 0)

10+ Year Member



Microsoft have a workaround: [microsoft.com...]

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

The flaw is in Shimgvw.dll which is a system component. Therefore, lots of products are vulnerable (including Google Desktop). It is reported to be extremely easy to infect your PC. You don't even need to open the WMF file - just having it on your system may well trigger Shimgvw.dll loading up if it does any file operation on the WMF file at all.

In a corporate environment, it could potentially spread very quickly through network shares.

It's not just a browser thing. Hopefully, most of us have safe enough browsing habits to ensure that we don't get hit.. but it CAN be spread through email too. Since WMF files can be embedded in many types of email message, you don't need to click on an attachment.. simply viewing the mail will infect the PC, and that includes viewing it in a preview screen. In other words, there's the potential for this to spread in a virus with little or no user intervention.

Because the exploit code is now available for this, you can expect to see other variants. At the moment it seems to be web based, but I can't imagine it'll be long until someone does something else with it.

I should imagine that it's theoretically possible to infect a Windows-based web server by using this exploit too.

Here are a couple of useful resources:
[isc.sans.org...] is a great place to look for any emerging threats (including vulnerabilities in web applications).
You can download a little toolbar icon called ISCalert (see [isc.sans.org...]) which will check the current ISC alert status for you and flash if something really important happens.

Also [f-secure.com...] is a good place to check regularly. At the moment it lists the "infected" websites with the trojan, so if you want you can block access to the sites at your firewall.
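The post above makes the point that the risky content can arrive by mail or over a share rather than through a browser, and a later post in this thread wonders whether other image extensions are affected as well. Either way, a defender filtering attachments or sweeping a share should recognise a metafile by its header, not by its extension. The PowerShell below is an added example for this thread, not code from any of the posts or from Microsoft, SANS or F-Secure. The header constants are those of the WMF format (placeable-metafile key 0x9AC6CDD7; mtType, mtHeaderSize and mtVersion for a standard header); the function names, the output property names and the sample byte arrays at the bottom are constructed for the demonstration.

```powershell
# Added example for this thread (not from the posts or any vendor named in them).
# WMF header facts used below:
#   Placeable (Aldus) metafile: 22-byte header whose first DWORD is the key 0x9AC6CDD7,
#                                stored little-endian as bytes D7 CD C6 9A.
#   Standard metafile:          mtType (1 = memory, 2 = disk), mtHeaderSize = 9 (in words),
#                                mtVersion 0x0100 or 0x0300; all little-endian UINT16.

function Test-WmfHeader {
    param([byte[]]$Bytes)

    # Need at least the 18-byte standard header to decide anything
    if ($Bytes.Length -lt 18) { return $false }

    # Placeable metafile key
    if ($Bytes[0] -eq 0xD7 -and $Bytes[1] -eq 0xCD -and
        $Bytes[2] -eq 0xC6 -and $Bytes[3] -eq 0x9A) {
        return $true
    }

    # Standard metafile header fields
    $mtType       = [BitConverter]::ToUInt16($Bytes, 0)
    $mtHeaderSize = [BitConverter]::ToUInt16($Bytes, 2)
    $mtVersion    = [BitConverter]::ToUInt16($Bytes, 4)

    return (($mtType -eq 1 -or $mtType -eq 2) -and
            $mtHeaderSize -eq 9 -and
            ($mtVersion -eq 0x0100 -or $mtVersion -eq 0x0300))
}

function Find-WmfByContent {
    # Walk a directory tree (a mail quarantine, a share) and report every file whose
    # content is a WMF, flagging those whose extension says otherwise.
    param([string]$Path)

    Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $buf = New-Object byte[] 22
        $fs  = [System.IO.File]::OpenRead($_.FullName)
        try     { $read = $fs.Read($buf, 0, $buf.Length) }
        finally { $fs.Close() }

        if ($read -ge 18 -and (Test-WmfHeader -Bytes $buf)) {
            [PSCustomObject]@{
                File              = $_.FullName
                Extension         = $_.Extension
                ExtensionMismatch = ($_.Extension -ne '.wmf')
            }
        }
    }
}

# Constructed sample headers (not real files) to show the check on each case:
# a placeable WMF, a standard disk WMF, and a JPEG start-of-image marker.
[byte[]]$placeable = @(0xD7, 0xCD, 0xC6, 0x9A) + @(0) * 18
[byte[]]$standard  = @(0x02, 0x00, 0x09, 0x00, 0x00, 0x03) + @(0) * 12
[byte[]]$jpeg      = @(0xFF, 0xD8, 0xFF, 0xE0) + @(0) * 14
Test-WmfHeader -Bytes $placeable
Test-WmfHeader -Bytes $standard
Test-WmfHeader -Bytes $jpeg

# Sweep a folder (the path is a placeholder):
# Find-WmfByContent -Path 'C:\Quarantine' | Format-Table -AutoSize
```

Only the first 22 bytes of each file are read, so the sweep is cheap even on a large share; the ExtensionMismatch column is the one worth alerting on, since a metafile that arrived under an image extension is exactly the case an extension-based filter misses.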

7:11 pm on Dec 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>Mentions Firefox but nothing about Opera is mentioned yet.

Can't find it now, but earlier today I saw an article that specifically mentioned Opera as being vulnerable to this one.

WBF

7:30 pm on Dec 29, 2005 (gmt 0)

10+ Year Member



I've done the regsvr32 -u %windir%\system32\shimgvw.dll thing but can't see that actually mentioned on the Microsoft site link [microsoft.com...]. It seems that if the instructions were there before, they've gone now... hope this doesn't mean it doesn't solve the problem.

Apparently if you use Opera or Firefox you'll get a prompt before the browser opens the file (according to the bottom 28th December entry at the [f-secure.com...] already mentioned).

8:36 pm on Dec 29, 2005 (gmt 0)

10+ Year Member



You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

I had to hunt around for it the first time too!

10:38 pm on Dec 29, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh man, with the workaround in you can't even see thumbnails, ouch!
12:03 am on Dec 30, 2005 (gmt 0)

5+ Year Member



There's a tool named Microsoft® Windows AntiSpyware (Beta). Does it work against this threat?
12:34 am on Dec 30, 2005 (gmt 0)

10+ Year Member



You can watch it spread here:

[pandasoftware.com...]

4:21 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



Most vendors' anti-virus products can detect the current range of exploits - but that doesn't mean that there won't be new versions out that AV software won't be able to detect. Most likely, AV and anti-spyware apps will detect some of the stuff downloaded AFTER your machine becomes infected.

Personally, I believe that anti-spyware and anti-virus apps should be your LAST line of defence. If you've got a proper patching regime, a good firewall and email filtering and steer clear of vulnerable products such as Internet Explorer, then normally you would be OK. The problem with this flaw is that there are so many ways to exploit it, so the usual precautions are not enough.

Until MS come out with a patch, it's gonna be a struggle to keep this one out.

4:41 pm on Dec 30, 2005 (gmt 0)

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I just had a quick look at registry stuff (mime types, etc.) and it looks to me that .BMP, .ICO, .GIF, and .JPG files might also be affected (under XP - haven't checked other versions).

If I am correct, you would not even have to visit a website to get infected - if the favicon of a website were downloaded and rendered (e.g. by opening a bookmarks menu) then that would be sufficient - it's scary stuff! This might mean that IE is actually more secure than Firefox (since IE doesn't bother downloading icons very often) - now that really would be ironic if true.

Kaled.

6:25 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



Firefox shouldn't be inherently vulnerable to this exploit. It uses its own cross-platform image rendering library, which does not support WMF files. Obviously, you can use Fx to download a corrupted file, which might infect your machine if you haven't taken appropriate precautions, but Firefox won't trigger the payload.

Of course, if you're running as an unprivileged user, this exploit would have a much harder time getting a foothold on your machine. Sadly that's not too common -- hands up all those who're logged in as an Administrator as you read this...

11:29 pm on Dec 30, 2005 (gmt 0)

10+ Year Member



>>You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

Thanks Dynamoo - I'd clicked on just the plus by "suggested actions" previously but had missed the further plus by "workarounds". They don't make things easy to find, do they?
6:01 pm on Jan 1, 2006 (gmt 0)

10+ Year Member



I would suggest re alerting yourself to the situation here.
Hot fixes and registry disabling...

[isc.sans.org...]

Happy and safe computing

edited for the below info...

Three easy steps to protect yourself.
1. Set up a restore point (XP users)...
Click "Start" ---> "Programs" ---> "Accessories" ---> "System Tools" ---> "System Restore"
and follow the instructions.
2. Click "Start" ---> "Run", then in the box cut and paste the following, which will disable part one
of the ability of the virus to be executed/spread:

regsvr32 -u %windir%\system32\shimgvw.dll

This disables the file shimgvw.dll, but if you read the SANS (Internet Storm Center) link above extensively, many programs and Windows will re-enable the file, and the bad guys will for sure.

3. Download and run the patch from here:
http://handlers.sans.org/tliston/wmffix_hexblog11.exe
Windows WMF Metafile Vulnerability HotFix 1.1

[edited by: bill at 2:48 am (utc) on Jan. 2, 2006]
[edit reason] de-linked HotFix URL [/edit]
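Both the Microsoft workaround quoted earlier in the thread and step 2 of the procedure above come down to one question: is shimgvw.dll registered on this machine right now? The SANS note that other software may quietly re-register it means the answer is worth re-checking rather than assumed. The PowerShell below is an added example for this thread, not Microsoft's or SANS's code. It relies on how regsvr32 works in general: a DLL's COM classes are recorded under HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32 with the DLL path as the key's default value, and "regsvr32 -u" removes them. Rather than assuming a particular CLSID for the Picture and Fax Viewer, the function scans every InprocServer32 key for the DLL name, and also reports whether the file is present and which version it is. The function and property names are chosen for this example.

```powershell
# Added example for this thread (not Microsoft's or SANS's code): report whether the
# shimgvw.dll un-registration workaround is currently in effect.
#
# regsvr32 registers each COM class a DLL exports under
#   HKCR\CLSID\{clsid}\InprocServer32   (default value = DLL path, often with %SystemRoot%)
# and "regsvr32 -u" deletes those entries again, so "no InprocServer32 points at
# shimgvw.dll" is the observable meaning of "workaround applied".

function Get-ShimgvwState {
    $dllName = 'shimgvw.dll'
    $dllPath = Join-Path $env:windir "system32\$dllName"

    # Wrap in @() so an empty result has Count 0 rather than being $null.
    $hits = @(
        Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $srv = "$($_.PSPath)\InprocServer32"
                if (Test-Path -LiteralPath $srv) {
                    # The default value of a key surfaces as the '(default)' property.
                    $default = (Get-ItemProperty -LiteralPath $srv -ErrorAction SilentlyContinue).'(default)'
                    # Match on the file name only: the stored path may be unexpanded.
                    if ($default -and ($default -like "*$dllName")) {
                        [PSCustomObject]@{ Clsid = $_.PSChildName; Server = $default }
                    }
                }
            }
    )

    $present = Test-Path -LiteralPath $dllPath

    [PSCustomObject]@{
        DllPresent         = $present
        DllVersion         = $(if ($present) { (Get-Item -LiteralPath $dllPath).VersionInfo.FileVersion } else { $null })
        Registrations      = $hits
        WorkaroundInEffect = ($hits.Count -eq 0)
    }
}

Get-ShimgvwState | Format-List
```

Run it once after applying the workaround to confirm Registrations is empty, and again later: if a CLSID reappears, something has re-registered the DLL, which is the failure mode the SANS link warns about. After the official patch is installed and the DLL deliberately re-registered to get thumbnails back, the same report documents that the state is intentional.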

3:02 am on Jan 4, 2006 (gmt 0)

5+ Year Member



Secunia has offered the name EXTREMELY CRITICAL, and so this means that all browsers are affected, as with all Windows versions.
On Firefox, it will ask you before choosing to show a .wmf file. Microsoft AntiSpyware Beta will help to prevent this but will by no means stop it; it must be fully up-to-date. I must remind you that all antivirus companies have tracked articles but none have done anything. There is an unofficial one (supposed to be great, but the one below is great too) out from a guy, but I don't know where to go for it.
Microsoft are just as worried about it as we are.
If you are running a system with the word Windows in it, be careful.
Favicons or icons in a web site are ONLY .ico files and have not been confirmed to affect/infect your computer.
I feel it is my duty to inform you that if you have WINDOWS you are Affected, but if you are stupid you are Infected.
I am new here but wise to the net: set your IE to high security and take heed of whatever Firefox says to you.
Microsoft are issuing a patch next week providing that tests go well, and if they don't, that's our problem. I am sure that this patch will be installed on Vista (Longhorn).
Some articles are just read-ups and reports whilst others explain, but for you and me the last is the most important.

Links

[news.com.com...]

[wired.com...]

[techdirt.com...]

[it.slashdot.org...]

[biz.yahoo.com...]

[gcn.com...]

[russianewswire.com...]

[allyourtech.com...]

THIS IS A MUST READ

P.S. Some are small, yet useless, articles; the last is the most important, as it is an unofficial workaround.
I never used code 'cause it never works for me, so Copy&Paste into your browser, and from what I experienced, none are infected :)

2:54 pm on Jan 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Linux and Mac users are laughing.
12:48 am on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



MS has released their patches [microsoft.com] for this problem (select the proper version for your operating system).

Jim

1:08 am on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Not all versions of doze are vulnerable ..my XP had the file "shimgvw.dll" ( dealt with ) ..my 98II ( which is the only doze box allowed to talk to the outside ) doesn't have the affected .dll anyway ..the other 98IIs didn't either

( interesting that although MS think they shipped the 98 series with this defect /hole ..they refuse to support their products in this series ..they weren't sold with "may contain unsafe and crappily done code" on the box )

again regmon and worm watchers will save you lots of grief ..as will running "out of date doze" to access the net.

the now two running Ubuntu let me laugh with the others

9:26 am on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, I've installed the official patch from Microsoft this morning. Do I now have to uninstall the unofficial patch I downloaded from Steve Gibson's site (wmffix_hexblog14.exe), or is it OK to leave it as it is?
12:30 pm on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>>Oh man, with the workaround in you can't even see thumbnails, ouch!

I'd like them back too.

I know this will reinstall the XP viewer dll: regsvr32 -i %windir%\system32\shimgvw.dll

...but does this compromise the system?

1:55 pm on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The proper sequence would seem to be to remove the unofficial patch, then re-register shimgvw.dll, then install the official patch. In other words, reverse the installation order of the unofficial patch, and then add the official one.

You won't get your thumbnails back until shimgvw.dll is re-registered, and the unofficial patch had some confirmed negative effects on spooling to some printers on some systems.

Jim

3:17 pm on Jan 6, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm sure the website I saw said it was safe to keep the unofficial patch installed while I ran the official update.

I never lost use of thumbnails or the windows viewer. I assume that only happens with the manual registry edit, not the .exe file.

Well I'm glad MS have released the patch early anyway. It seems crazy having an official release day (Tuesdays) for updates when Mozilla etc release a patch as soon as they can. (Often within 24 hours.) Although I understand the need for much wider testing by MS.
