Malware, Vulnerability Management

WMF Vulnerability & Exploits: Just The Facts

Just getting back into the swing of things and reading all I can about the WMF vulnerability and exploits. I’ve summarized everything (I think) we know so far, if I’m missing anything please drop me a note (paul /at/
Update – 01/06/2006 – Added the official patch section, corrected the IDS statements, added the “other unofficial” patch info (use with extreme caution).
The Vulnerability

  • Systems running most versions of Windows are vulnerable (Windows 95/98/ME/XP, XP-64, 2000, 2003)
  • Researchers have been testing older versions of Windows, more information here
  • Any application that displays, renders, or indexes a WMF file can be an attack vector
  • Repeat, applications such as Google desktop that index files are a valid attack vector
  • WMF files are images, so any way that a graphics file can get on your system is a potential threat (email, web, P2P, IM, etc..)
  • Windows DEP (Data Execution Prevention) does nothing to stop the exploit from running on most systems, even when set to cover all programs
  • If you run Windows 95/98/ME you are vulnerable, no fixes, no patches, no workarounds
  • You can call Microsoft and try to get help at 1-866-PC-SAFETY

The Exploit

  • Metasploit has included exploits in the framework
  • People criticized them for this. Some people just don’t get it, releasing the exploit is important for us to understand how it works
  • FrSirt has published two exploits. You can find them here and here
  • A worm that uses MSN Messenger has been reported in the wild

The Remediation

  • Unregistering SHIMGVW.DLL does little to prevent exploitation, and can easily be re-registered by attackers
  • Unregistering the SHIMGVW.DLL also breaks thumbnails in explorer and other similar functionality
  • IDS/IPS signatures that rely on payload do little to detect the WMF vulnerability
  • Accurate Snort Sigs from Bleeding Snort that detect the WMFHEADER and Escape() function can be found here
  • The Snort sigs will not detect attacks that are gzipped and have some known false positives
  • Filtering by extension does not protect you because a Windows processes WMF files by embedded flags, not just by extension
  • Virus checkers offer some protection, but it is naive to assume that they will be able to keep up with all the different malware variants (74 known at last count)

The Unofficial Patch

  • The best place to download the patch is from ISC, located here, it contains a PGP signature, located here (Thank you Tom Liston)
  • There is also an MSI installer, available here, with a PGP Key
  • The patch was written by Ilfak Guilfanov, the author of IDA Pro Disassembler
  • You will need to uninstall this patch when Microsoft releases a patch
  • Microsoft is scheduled to release an official patch on Tuesday, January 10, 2006 (My birthday, and I even get a gift from Microsoft :-)
  • Here’s Microsoft’s Official Response
  • UPDATE: So what does the patch do (Like exactly)? Here is a Powerpoint presentation with some great details
  • But, but, bad things haven’t happened to me yet? Read This
  • Reports are coming in that the unofficial patch causes printer problems
  • CAUTION: One of our readers informed us of another unofficial patch. This one claims to work with Windows 9x/ME. I have not tested this patch, neither has SANS. USE AT YOUR OWN RISK. (Thank you to rossnixon)

The Official Patch



Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.