Just getting back into the swing of things and reading all I can about the WMF vulnerability and exploits. I’ve summarized everything (I think) we know so far, if I’m missing anything please drop me a note (paul /at/ securityweekly.com):
Update – 01/06/2006 – Added the official patch section, corrected the IDS statements, added the “other unofficial” patch info (use with extreme caution).
The Vulnerability
- Systems running most versions of Windows are vulnerable (Windows 95/98/ME/XP, XP-64, 2000, 2003)
- Researchers have been testing older versions of Windows, more information here
- Any application that displays, renders, or indexes a WMF file can be an attack vector
- Repeat, applications such as Google desktop that index files are a valid attack vector
- WMF files are images, so any way that a graphics file can get on your system is a potential threat (email, web, P2P, IM, etc.)
- Windows DEP (Data Execution Prevention) does nothing to stop the exploit from running on most systems, even when set to cover all programs
- If you run Windows 95/98/ME you are vulnerable, no fixes, no patches, no workarounds
- You can call Microsoft and try to get help at 1-866-PC-SAFETY
The Exploit
- Metasploit has included exploits in the framework
- People criticized them for this. Some people just don’t get it: releasing the exploit is important for us to understand how it works
- FrSIRT has published two exploits. You can find them here and here
- A worm that uses MSN Messenger has been reported in the wild
The Remediation
- Unregistering SHIMGVW.DLL does little to prevent exploitation, and can easily be re-registered by attackers
- Unregistering the SHIMGVW.DLL also breaks thumbnails in explorer and other similar functionality
- IDS/IPS signatures that rely on payload do little to detect the WMF vulnerability
- Accurate Snort Sigs from Bleeding Snort that detect the WMFHEADER and Escape() function can be found here
- The Snort sigs will not detect attacks that are gzipped and have some known false positives
- Filtering by extension does not protect you because Windows processes WMF files by embedded flags, not just by extension
- Virus checkers offer some protection, but it is naive to assume that they will be able to keep up with all the different malware variants (74 known at last count)
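To make the last few bullets concrete, here is a small header-based scanner (added example, not code from the post or from Bleeding Snort): it identifies a WMF by its embedded placeable/standard headers rather than its extension, walks the records, and flags any Escape() record carrying the SETABORTPROC sub-function. It also inflates gzip-encoded content first, which is the case the Snort signatures above miss. Record and escape identifiers are taken from the MS-WMF specification and the sample files are constructed inline.

```python
import gzip
import struct
from typing import List, Optional

# Identifiers from the MS-WMF specification (assumed here, not quoted from the post).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # Escape() record type
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape sub-function involved in CVE-2005-4560


def wmf_header_offset(data: bytes) -> Optional[int]:
    """Offset of the 18-byte standard header if the bytes are a WMF, else None.
    The file name is never consulted: only the embedded headers decide."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return None
    file_type, header_words, version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def find_setabortproc(data: bytes) -> List[int]:
    """Offsets of META_ESCAPE records carrying SETABORTPROC; [] if none or not a WMF."""
    if data[:2] == b"\x1f\x8b":                 # gzip-encoded transfer: inflate first
        data = gzip.decompress(data)
    off = wmf_header_offset(data)
    if off is None:
        return []
    hits, pos = [], off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if func == META_EOF or size_words < 3:  # end of metafile, or malformed size
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2                   # RecordSize is counted in 16-bit words
    return hits


def make_wmf(records: bytes) -> bytes:
    """Constructed minimal disk WMF (type 2, version 3) wrapping the given records."""
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0) + records


EOF_REC = struct.pack("<IH", 3, META_EOF)
ABORT_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # Escape(SETABORTPROC), no data
MAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 1)                   # benign META_SETMAPMODE
BENIGN = make_wmf(MAPMODE_REC + EOF_REC)
SUSPECT = make_wmf(ABORT_REC + EOF_REC)      # flagged whatever the file is named (.jpg, .gif, ...)
SUSPECT_GZ = gzip.compress(SUSPECT)          # same content hidden behind gzip encoding

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SUSPECT), ("chart.wmf", BENIGN), ("photo.jpg.gz", SUSPECT_GZ)):
        print(name, "-> SETABORTPROC escape at", find_setabortproc(blob))
```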
The Unofficial Patch
- The best place to download the patch is from ISC, located here, it contains a PGP signature, located here (Thank you Tom Liston)
- There is also an MSI installer, available here, with a PGP Key
- The patch was written by Ilfak Guilfanov, the author of IDA Pro Disassembler
- You will need to uninstall this patch when Microsoft releases a patch
- Microsoft is scheduled to release an official patch on Tuesday, January 10, 2006 (My birthday, and I even get a gift from Microsoft :-)
- Here’s Microsoft’s Official Response
- UPDATE: So what does the patch do (like, exactly)? Here is a PowerPoint presentation with some great details
- But, but, bad things haven’t happened to me yet? Read This
- Reports are coming in that the unofficial patch causes printer problems
- CAUTION: One of our readers informed us of another unofficial patch. This one claims to work with Windows 9x/ME. I have not tested this patch, neither has SANS. USE AT YOUR OWN RISK. (Thank you to rossnixon)
The Official Patch
- http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
- To avoid infection and make the patch work you must 1) install the new patch, 2) uninstall the unofficial patch in that order
- I have not yet heard any reports of this patch impacting printing. If you know anything, please drop me a note.
Resources
- http://isc.sans.org/diary.php?rss&storyid=993 – ISC posting that contains all links to WMF ISC postings
- http://www.kb.cert.org/vuls/id/181038 – CERT page
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560 – CVE Entry
- http://www.websensesecuritylabs.com/blog/ – The Websense Security Blog, has really good WMF information, including the “WMF Movie”
- http://www.f-secure.com/weblog/ – F-Secure also maintains a good Blog with WMF information being posted recently
- http://www.grc.com/SecurityNow.htm#20 – Security Now! 11 minute podcast dedicated to the WMF vulnerability