
"Extremely Critical " Secunia Advisory

Extremely Critical Windows WMF Handling Arbitrary Code Execution

     
11:15 am on Dec 28, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 18, 2001
posts:889
votes: 0

12:09 pm on Dec 28, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


Very odd description.....

As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.

Kaled.

10:21 pm on Dec 28, 2005 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 25, 2003
posts:889
votes: 57


My reading says that it is a 'Windows' OS flaw and that IE with security set lower than 'high' will auto open/run a wmf file. As other browsers are (unlikely?) set to autorun an encountered wmf they are not mentioned.

So: set IE security to 'highest' and be inconvenienced all over the web, or run an alternate browser and never open a wmf unless you are absolutely, totally certain that it is not infected.

And wait for a Windows fix.
Shall we start a pool on when a quick and dirty fix is available?
When a comprehensive fix is available?

9:23 am on Dec 29, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 14, 2003
posts:438
votes: 0


As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.

[kaspersky.com...]

Mentions Firefox but nothing about Opera is mentioned yet.

6:16 pm on Dec 29, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 13, 2002
posts:387
votes: 0


Microsoft have a workaround: [microsoft.com...]

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

The flaw is in Shimgvw.dll which is a system component. Therefore, lots of products are vulnerable (including Google Desktop). It is reported to be extremely easy to infect your PC. You don't even need to open the WMF file - just having it on your system may well trigger Shimgvw.dll loading up if it does any file operation on the WMF file at all.

In a corporate environment, it could potentially spread very quickly through network shares.

It's not just a browser thing. Hopefully, most of us have safe enough browsing habits to ensure that we don't get hit.. but it CAN be spread through email too. Since WMF files can be embedded in many types of email message, you don't need to click on an attachment.. simply viewing the mail will infect the PC, and that includes viewing it in a preview screen. In other words, there's the potential for this to spread in a virus with little or no user intervention.

Because the exploit code is now available for this, you can expect to see other variants. At the moment it seems to be web based, but I can't imagine it'll be long until someone does something else with it.

I should imagine that it's theoretically possible to infect a Windows-based web server by using this exploit too.

Here's a couple of useful resources:
[isc.sans.org...] is a great place to look for any emerging threats. (Including vulnerabilities in web applications)
You can download a little toolbar icon called ISCalert (see [isc.sans.org...]) which will check the current ISC alert status for you and flash if something really important happens.

Also [f-secure.com...] is a good place to check regularly. At the moment it lists the "infected" websites with the trojan, so if you want you can block access to the sites at your firewall.

7:11 pm on Dec 29, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 1, 2002
posts:1834
votes: 0


Mentions Firefox but nothing about Opera is mentioned yet.

Can't find it now, but earlier today I saw an article that specifically mentioned Opera as being vulnerable to this one.

WBF

7:30 pm on Dec 29, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 20, 2002
posts:118
votes: 0


I've done the regsvr32 -u %windir%\system32\shimgvw.dll thing but can't see that actually mentioned in the Microsoft site link [microsoft.com...]. Seems that if the instructions were there before, they've gone now... hope this doesn't mean it doesn't solve the problem.

Apparently if you use Opera or Firefox you'll get a prompt before the browser opens the file (according to the bottom 28th december entry at the [f-secure.com...] already mentioned).

8:36 pm on Dec 29, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 13, 2002
posts:387
votes: 0


You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

I had to hunt around for it the first time too!

10:38 pm on Dec 29, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 13, 2004
posts:801
votes: 2


Oh man, with the workaround in you can't even see thumbnails, ouch!

12:03 am on Dec 30, 2005 (gmt 0)

New User

10+ Year Member

joined:Nov 21, 2005
posts:6
votes: 0


There's a tool named Microsoft® Windows AntiSpyware (Beta). Does it work against this threat?

12:34 am on Dec 30, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Apr 18, 2004
posts:223
votes: 0


You can watch it spread here:

[pandasoftware.com...]

4:21 pm on Dec 30, 2005 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 13, 2002
posts:387
votes: 0


Most vendors' anti-virus products can detect the current range of exploits - but that doesn't mean that there won't be new versions out that AV software won't be able to detect. Most likely, AV and anti-spyware apps will detect some of the stuff downloaded AFTER your machine becomes infected.

Personally, I believe that anti-spyware and anti-virus apps should be your LAST line of defence. If you've got a proper patching regime, a good firewall and email filtering and steer clear of vulnerable products such as Internet Explorer, then normally you would be OK. The problem with this flaw is that there are so many ways to exploit it, so the usual precautions are not enough.

Until MS come out with a patch, it's gonna be a struggle to keep this one out.
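The post above is right that signatures chase payloads. The bug behind this advisory (Microsoft's MS06-001) is triggered by one structural feature of the file: a WMF META_ESCAPE record carrying the SETABORTPROC escape, which the GDI metafile player honoured as a callback, so a scanner can key on that record rather than on any particular payload. The Python below is an added example for this thread, not code from the thread, from Microsoft or from any vendor mentioned in it. It assumes the documented WMF layout (an optional 22-byte placeable header, an 18-byte standard header, then records that start with a 32-bit size in 16-bit words and a 16-bit function code); the sample files and their filler bytes are constructed for the demonstration and are not real-world captures.

```python
"""Structural scanner for the WMF SETABORTPROC escape (the MS06-001 trigger).

Added example, not code from the thread or from any vendor mentioned in it.
Assumptions: a WMF file is an optional 22-byte placeable header followed by
an 18-byte standard header and a sequence of records, each beginning with a
32-bit size in 16-bit words and a 16-bit function code.  The payload bytes in
the constructed sample are inert filler, not a real exploit.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key
META_EOF = 0x0000
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # escape function the vulnerable GDI code honoured


def iter_records(data):
    """Yield (offset, function, params); function is None for a malformed tail."""
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                    # skip placeable header
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    mtype, header_words = struct.unpack_from('<HH', data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError('not a WMF standard header')
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break                                   # size field lies; report below
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    # Fell off the end without META_EOF: truncated file or a forged size field.
    yield off, None, data[off:]


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    for off, func, params in iter_records(data):
        if func is None:
            findings.append(f'malformed or truncated record at offset {off}')
        elif func == META_ESCAPE:
            if len(params) < 4:
                findings.append(f'short META_ESCAPE at offset {off}')
                continue
            escape, nbytes = struct.unpack_from('<HH', params, 0)
            if escape == SETABORTPROC:
                findings.append(
                    f'SETABORTPROC escape at offset {off} ({nbytes} data bytes)')
    return findings


# --- constructed samples (not real-world files) ---------------------------

def record(func, params=b''):
    """Encode one record: 32-bit size in words, 16-bit function, padded params."""
    if len(params) % 2:
        params += b'\x00'
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def wmf(records):
    """Wrap records in a standard header and append META_EOF."""
    records = list(records) + [record(META_EOF)]
    body = b''.join(records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    return header + body


def placeable(std):
    """Prefix a standard WMF with a 22-byte placeable header (checksum = XOR of 10 words)."""
    head = struct.pack('<IHhhhhHI', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for word in struct.unpack('<10H', head):
        checksum ^= word
    return head + struct.pack('<H', checksum) + std


BENIGN = wmf([record(META_RECTANGLE, struct.pack('<4h', 100, 100, 0, 0))])
FILLER = b'A' * 8                    # placeholder bytes, not shellcode
MALICIOUS = wmf([record(META_ESCAPE,
                        struct.pack('<HH', SETABORTPROC, len(FILLER)) + FILLER)])

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN), ('malicious', MALICIOUS),
                         ('placeable', placeable(MALICIOUS)),
                         ('truncated', MALICIOUS[:-4])):
        print(name, scan_wmf(sample) or 'clean')
```

Run it as a script to see the four constructed samples scanned. A non-empty list from scan_wmf() is a reason to quarantine the file; the truncated case shows why a cut-off or forged size field is reported as a finding rather than silently skipped, since a playback routine that trusts the size field is exactly the kind of code that gets exploited.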

4:41 pm on Dec 30, 2005 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
posts:3710
votes: 0


I just had a quick look at registry stuff (mime types, etc.) and it looks to me that .BMP, .ICO, .GIF, and .JPG files might also be affected (under XP - haven't checked other versions).

If I am correct, you would not even have to visit a website to get infected - if the favicon of a website were downloaded and rendered (e.g. by opening a bookmarks menu) then that would be sufficient - it's scary stuff! This might mean that IE is actually more secure than Firefox (since IE doesn't bother downloading icons very often) - now that really would be ironic if true.

Kaled.

6:25 pm on Dec 30, 2005 (gmt 0)

Full Member

10+ Year Member

joined:Nov 18, 2003
posts:202
votes: 0


Firefox shouldn't be inherently vulnerable to this exploit. It uses its own cross-platform image rendering library, which does not support WMF files. Obviously, you can use Fx to download a corrupted file, which might infect your machine if you haven't taken appropriate precautions, but Firefox won't trigger the payload.

Of course, if you're running as an unprivileged user, this exploit would have a much harder time getting a foothold on your machine. Sadly that's not too common -- hands up all those who're logged in as an Administrator as you read this...

11:29 pm on Dec 30, 2005 (gmt 0)

Junior Member

10+ Year Member

joined:July 20, 2002
posts:118
votes: 0


You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

Thanks Dynamoo - I'd clicked on just the plus by "suggested actions" previously but had missed the further plus by "workarounds". They don't make things easy to find, do they?

6:01 pm on Jan 1, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Feb 27, 2004
posts:88
votes: 0


I would suggest re-alerting yourself to the situation here.
Hot fixes and registry disabling...

[isc.sans.org...]

Happy and safe computing

edited for the below info...

Three easy steps to protect yourself.
1. Set up a restore point (XP users):
Click "Start" -> "Programs" -> "Accessories" -> "System Tools" -> "System Restore"
and follow the instructions.
2. Click "Start" -> "Run", then in the box cut and paste the following, which will disable part one
of the ability of the virus to be executed/spread:

regsvr32 -u %windir%\system32\shimgvw.dll

This disables the file shimgvw.dll, but if you read the SANS (Internet Storm Center) link above extensively, many programs and Windows will re-enable the file, and the bad guys will for sure.

3. Download and run the patch from here:
http://handlers.sans.org/tliston/wmffix_hexblog11.exe
Windows WMF Metafile Vulnerability HotFix1.1

[edited by: bill at 2:48 am (utc) on Jan. 2, 2006]
[edit reason] de-linked HotFix URL [/edit]

3:02 am on Jan 4, 2006 (gmt 0)

New User

10+ Year Member

joined:Jan 4, 2006
posts:10
votes: 0


Secunia has given it the name EXTREMELY CRITICAL, and so this means that all browsers are affected, as are all Windows versions.
On Firefox, it will ask you before choosing to show a .wmf file. Microsoft AntiSpyware Beta will help to prevent this but will by no means stop it; it must be fully up to date. I must remind you that all antivirus companies have tracked articles but none have done anything. There is an unofficial one out from a guy (supposed to be great, but the one below is great too), but I don't know where to go for it.
Microsoft are just as worried about it as we are.
If you are running a system with the word Windows in it, be careful.
Favicons or icons in a web site are ONLY .ico files and have not been confirmed to affect/infect your computer.
I feel it is my duty to inform you that if you have WINDOWS you are Affected, but if you are stupid you are Infected.
I am new here but wise to the net: set your IE to high security and take heed of whatever Firefox says to you.
Microsoft are issuing a patch next week providing that tests go well, and if they don't, that's our problem. I am sure that this patch will be installed on Vista (Longhorn).
Some articles are just write-ups and reports whilst others explain, but for you and me the last is the most important.

Links

[news.com.com...]

[wired.com...]

[techdirt.com...]

[it.slashdot.org...]

[biz.yahoo.com...]

[gcn.com...]

[russianewswire.com...]

[allyourtech.com...]

THIS IS A MUST READ

P.S. Some are small, yet useless articles, the last is the most important as it is an unofficial workaround.
I never used code 'cause it never works for me, so copy & paste into your browser; from what I experienced, none are infected :)

2:54 pm on Jan 4, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts:1318
votes: 0


Linux and Mac users are laughing.

12:48 am on Jan 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


MS has released their patches [microsoft.com] for this problem (select the proper version for your operating system).

Jim

1:08 am on Jan 6, 2006 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


Not all versions of doze are vulnerable. My XP had the file "shimgvw.dll" (dealt with). My 98II (which is the only doze box allowed to talk to the outside) doesn't have the affected .dll anyway, and the other 98IIs didn't either.

(Interesting that although MS think they shipped the 98 series with this defect/hole, they refuse to support their products in this series. They weren't sold with "may contain unsafe and crappily done code" on the box.)

Again, Regmon and worm watchers will save you lots of grief, as will running "out of date doze" to access the net.

The two now running Ubuntu let me laugh with the others.

9:26 am on Jan 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts:1318
votes: 0


OK, I've installed the official patch from Microsoft this morning. Do I now have to uninstall the unofficial patch I downloaded from Steve Gibson's site (wmffix_hexblog14.exe), or is it OK to leave it as it is?

12:30 pm on Jan 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 16, 2002
posts:2133
votes: 1


>>Oh man, with the workaround in you can't even see thumbnails, ouch!

I'd like them back too.

I know this will reinstall the XP viewer dll: regsvr32 -i %windir%\system32\shimgvw.dll

...but does this compromise the system?

1:55 pm on Jan 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


The proper sequence would seem to be to remove the unofficial patch, then re-register shimgvw.dll, then install the official patch. In other words, reverse the installation order of the unofficial patch, and then add the official one.

You won't get your thumbnails back until shimgvw.dll is re-registered, and the unofficial patch had some confirmed negative effects on spooling to some printers on some systems.

Jim

3:17 pm on Jan 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 5, 2002
posts:1318
votes: 0


I'm sure the website I saw said it was safe to keep the unofficial patch installed while I ran the official update.

I never lost use of thumbnails or the windows viewer. I assume that only happens with the manual registry edit, not the .exe file.

Well I'm glad MS have released the patch early anyway. It seems crazy having an official release day (Tuesdays) for updates when Mozilla etc release a patch as soon as they can. (Often within 24 hours.) Although I understand the need for much wider testing by MS.