Home News Reviews Forums Shop


Windows WMF Security Flaw

General discussion. Come introduce yourself. Talk about whataver you want!

Windows WMF Security Flaw

Postby cfitz on Sat Dec 31, 2005 2:07 pm

Another big, gaping hole in Microsoft's rather rusty armor:

http://www.microsoft.com/technet/securi ... 12840.mspx

This one is particularly bad for several reasons:

1. It affects just about every Microsoft OS back through Windows 98
2. It is what is called a "Zero Day" flaw, meaning that the bad guys had already deployed exploits to take advantage of this flaw before the good guys even knew it existed.
3. You can be infected by simply viewing an image on a web site or in an email.

There is no fix yet, but there are several things you can do to help protect yourself:

1. Make sure your antivirus software is up-to-date and is configured to scan web content (http) and email (pop) in real time. Scanning files alone won't protect you.
2. Run the following in a command prompt to disable one of the main known vectors of attack (this will provide some protection at the expense of some loss of function - e.g. no more image previews in Explorer):

Code: Select all
regsvr32 -u %windir%\system32\shimgvw.dll


3. Don't read email from unkown senders or follow links to unkown web sites.
4. Configure your email client to display email in plain text only.
5. Switch to Apple, Linux, etc. (sigh)

For what it is worth, using non-Microsoft browsers (Firefox, Opera) and mail readers (Thunderbird, Eudora) will not protect you. The problem lies in a lower level Window's component that third-party browsers and mail readers also utilize.

Also, for any of you who have been partially following this issue and who have implemented the registry fix, that "fix" has since been proven to be ineffective. As of now the only work-around known to provide at least some protection is the regsvr32 command in step 2 above (and as listed in Microsoft's security bulletin).

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby dodecahedron on Sat Dec 31, 2005 2:23 pm

hi cfitz, nice to see you here again.

thanks for the heads up.

sigh, another reason to hate stupid M$ and Bill Gates and his cursed products. :evil:
One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them
In the land of Mordor, where the Shadows lie
-- JRRT
M.C. Escher - Reptilien
User avatar
dodecahedron
DVD Polygon
 
Posts: 6865
Joined: Sat Mar 09, 2002 12:04 am
Location: Israel

Postby cfitz on Sat Dec 31, 2005 2:25 pm

You're welcome.

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby MediumRare on Mon Jan 02, 2006 8:53 am

Wish you'd post more often and with better news, cfitz- Happy New Year! :D

Although Microsoft has not yet released a patch, there seems to be a private "temporary fixup" to avoid this problem (information from heise- seems to be legitimate: you have to be careful with this sort of thing!)

The patch by Ilfak Guilfanov has bee vetted by ISC and should work for Windows 2000 and newer.

G
User avatar
MediumRare
CD-RW Translator
 
Posts: 1768
Joined: Sun Jan 19, 2003 3:08 pm
Location: ffm

Postby VEFF on Mon Jan 02, 2006 1:05 pm

Thanks a lot for the warning cfitz!

Hopefully they'll release a patch soon.

The other patch seems tempting in the meantime, as a temporary fix.
Thanks MediumRare.
Burners only:
Pioneer DVR-115D
Pioneer DVR-111D
Plextor PX-716A TLA0304
Plextor PX-716A same TLA

LiteOn 52246S 52X CD-RW
LiteOn 52246S (another)
LiteOn 52327S 52X CD-RW
TDK 40X USB 2.0 CD-RW
TEAC CD-W540E 40X CD-RW
User avatar
VEFF
CD-RW Player
 
Posts: 2025
Joined: Tue Jan 15, 2002 9:36 pm

Postby cfitz on Tue Jan 03, 2006 12:32 am

MediumRare wrote:Wish you'd post more often and with better news, cfitz- Happy New Year! :D

Happy New Year to you too, MediumRare! Sorry to be bearing bad news, though... :cry:

MediumRare wrote:Although Microsoft has not yet released a patch, there seems to be a private "temporary fixup" to avoid this problem (information from heise- seems to be legitimate: you have to be careful with this sort of thing!)

Yes, you do have to be careful. But I trust that source. As you say, it has been vetted by various reputable organizations such as ISC/SANS/GRC. I installed the patch earlier today on an XP machine and later today on a 2000 machine. Both seem to be fine.

Mr. Guilfanov has also released a tool to check your Windows 2000 or higher machines for the vulnerability. Since all Windows machines from 98 on up do have the vulnerability, there isn't any sense in just running the tool to see if your particular machine is vulnerable. Instead, run it after you have installed Mr. Guilfanov's patch (and subsequently rebooted your machine) to ensure that the patch was installed successfully.

This is just a temporary patch, and may not protect against all possible attack vectors. However, I am of the opinion that it is better than nothing. And it is easily installed and later, once Microsoft releases an official patch, uninstalled (it has an uninstall entry in Control Panel->Add/Remove Programs).

Those of you who trust in Steve Gibson of GRC may wish to follow along for developments at his site:

http://www.grc.com/sn/notes-020.htm

Stay safe out there!

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby cfitz on Tue Jan 03, 2006 12:53 pm

Microsoft have updated their official security bulletin to indicate that they will release an official patch on January 10 as part of their normal patch release schedule. They said they don't want to release it earlier because they want to ensure that it is well tested.

Researchers have continued to explore the flaw, and the latest findings indicate that although this flaw affects all versions of Windows, it is most likely to affect XP and 2003. The reason is that only XP and 2003 have default handlers for the .WMF file type. Microsoft "upgraded" their Fax and Picture viewer in XP to add support for this obsolete file format and in the process provided a built-in exploit path for the vulnerability.

Older versions of Windows do not have the new viewer, so they appear to require installation of some third-party software that does add default handling for .WMF files (e.g. Lotus Notes) in order to be as vulnerable as XP and 2003.

Since this is a developing story, the above information is subject to change.

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby cfitz on Tue Jan 03, 2006 11:21 pm

Mr. Guilfanov's personal web-site has been shut down to due to excessive bandwidth usage by the huge number of people trying to access it. If you still wish to download the patch, you should be able to get it directly from SANS:

http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Or, you can get the patch and the checker from GRC.com:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://www.grc.com/miscfiles/wmf_checker_hexblog.exe

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby cfitz on Thu Jan 05, 2006 6:30 pm

Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today. If you don't have automatic updates configured, then go to Windows Update and get the patch manually:

http://update.microsoft.com

You can also uninstall Mr. Guilfanov's patch (Control Panel -> Add/Remove Programs) if you installed it earlier, and you can re-register shimgvw.dll if you un-registerd it earlier:

Code: Select all
regsvr32 %windir%\system32\shimgvw.dll


cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby Ian on Thu Jan 05, 2006 8:26 pm

cfitz wrote:Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today.


Let's hope to hell that they tested it.
"Blu-ray is just a bag of hurt." - Steve Jobs
User avatar
Ian
Grand Poobah
 
Posts: 14882
Joined: Sun Apr 08, 2001 2:34 pm
Location: Madison, WI

Postby cfitz on Thu Jan 05, 2006 10:46 pm

Ian wrote:
cfitz wrote:Microsoft decided not to wait until the normal monthly patch release data after all. They released the official patch today.


Let's hope to hell that they tested it.

From what I read it has been well tested by both Microsoft and independent security experts who got hold of an early release version. For what it is worth, I ran Ilfak Guilfanov's vulnerability tester after applying Microsoft's official patch, and it indicated that my machine is protected.

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am

Postby algrinch on Wed Jan 18, 2006 3:56 pm

Here is the lastest podcast from Security Now.

Scroll down to:
The Windows MetaFile Backdoor?
http://www.grc.com/securitynow.htm


Steve Gibson is making the accusation that this is a backdoor, built into Windows on purpose by Microsoft. He makes some interesting points.
"All Bibles are man made" - Thomas Edison
User avatar
algrinch
CD-RW Player
 
Posts: 133
Joined: Fri Sep 05, 2003 2:15 pm
Location: London, ON Canada

Postby LoneWolf on Thu Jan 19, 2006 1:15 pm

Gibson's a rather flaky source, though (If you mean Steve Gibson of Gibson Research fame). Tends to have that tinfoil hat on reeeally tight. When you look into how WMF is handled in context with the security flaw, and you consider that this flaw is in every version of Windows since Win95, I think he's just being overly paranoid (and I have a tendency towards paranoia myself). I think Microsoft just designed this at a time when security wasn't the big deal it was today. Heck, NOBODY had broadband internet when Windows 95 was popular, and tons of people didn't even have dialup internet access or e-mail, and the flaw just carried over from version to version up to a point where security, now a major issue, has caused people to go over code a lot more carefully, and analysis revealed a flaw.
Intel Q9450 @3.2GHz, Gigabyte GA EP45-UD3P, 4 x 2GB G.Skill @4-4-4-12
Antec P160SW case (modded), Xigmatek 750w PSU
3x 500GB (RAID-5), , OptiArc 7200S, ASUS E818A3T
Creative X-Fi XtremeGamer, Hauppauge HVR-1800, Radeon 4890
Dell 2407WFP
User avatar
LoneWolf
CD-RW Player
 
Posts: 937
Joined: Thu Feb 06, 2003 4:41 pm
Location: Meecheegan

Postby algrinch on Thu Jan 19, 2006 4:41 pm

Its quicker to read than it is to listen too. This is the HTML transcript.
http://www.grc.com/sn/SN-022.htm

It is hard to summarize, but the function used to exploit the file shouldn't have been there in the first place. Add to that, there is a very specific way to trigger the exploit. Or to put it another way, the windows function you are calling on shouldn't have been there in the first place, its like the function was added in with this special tigger. Because of this, he believes it wouldn't fall into the category of an error, but, something that was intentionally added. He gives his opinion as his first impression based on what he has learned so far. He goes on to say he may prove himself wrong after further investigation.

I find the technical aspect of this, beyond my understanding, yet still interesting to read. I am generally interested to hear the conspiracy theorys.



Here is a quote of Steve Gibson from the podcast
But, for example, if Microsoft was worried that for some reason in the future they might have cause to get visitors to their website to execute code, even if ActiveX is turned off, even if security is up full, even if firewalls are on, basically if Microsoft wanted a short circuit, a means to get code run in a Windows machine by visiting their website, they have had that ability, and this code gave it to them.


What I find interesting, is how this exploit would benefit Microsoft. With this expoit in place a visit to a Microsoft webpage would allow them to gather information about you, or manipulate your computer without your knowledge.



LoneWolf wrote: Gibson's a rather flaky source, though (If you mean Steve Gibson of Gibson Research fame). Tends to have that tinfoil hat on reeeally tight.


I don't have the knowledge to dispute the above statement. Although, I have been seen sporting a tinfoil hat myself, from time to time.
"All Bibles are man made" - Thomas Edison
User avatar
algrinch
CD-RW Player
 
Posts: 133
Joined: Fri Sep 05, 2003 2:15 pm
Location: London, ON Canada

Postby algrinch on Sat Jan 21, 2006 9:27 pm

I guess I can put away my Tinfoil hat.....

You can listen to Steve Gibson backpeddle here...

http://www.grc.com/securitynow.htm

or read it here:
http://www.grc.com/sn/SN-023.htm

Good call LoneWolf...

Al
"All Bibles are man made" - Thomas Edison
User avatar
algrinch
CD-RW Player
 
Posts: 133
Joined: Fri Sep 05, 2003 2:15 pm
Location: London, ON Canada

Postby cfitz on Sun Jan 22, 2006 2:14 pm

Steve Gibson has always had a tendency towards, shall we say, over excitability. You can tell by the breathless tone in which he writes his website. Thus, it is best to turn down the volume a notch when reading his work. Despite this characteristic, though, he still puts out good information and useful tools.

cfitz
cfitz
CD-RW Curmudgeon
 
Posts: 4572
Joined: Sat Jul 27, 2002 10:44 am


Return to The Beer Garden

Who is online

Users browsing this forum: No registered users and 0 guests

All Content is Copyright (c) 2001-2017 CDRLabs Inc.