
[Question] - Windows WMF 0-day exploit in the wild.



There seems to be considerable concern about the recently discovered "Windows WMF 0-day exploit" as apparently "fully patched Windows XP SP2 machines are vulnerable, with no known patch."


At an Ars Technica forum I came across these 2 suggested solutions until an MS patch is available:

1. Might be a good idea to go into Windows Explorer and disable all handling of WMF files.

2. Another solution until a patch comes out:

regsvr32 /u \windows\system32\shimgvw.dll

This will remove Windows Explorer's capability to display images (thumbnails of gif, jpg, and such, including WMF). Windows Picture and Fax Viewer won't work either, and some other stuff will break, like previewing desktop images in Display Properties... after a patch comes out, do this:

regsvr32 \windows\system32\shimgvw.dll

And things will be back to normal.

Ars Technica

Would either of these suggestions be effective and are they really necessary?


Title Edited - Please follow new posting rules from now on.




Thursday, December 29, 2005

WMF, day 2


And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.

So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.





Apparently not.


Microsoft Security Advisory (912840)

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

Published: December 28, 2005

Suggested Actions


Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).




Firstly, most virus software will already protect you. This flaw was discovered on Nov 8th and I see that Symantec added this on Nov 11th. Chances are every virus app has this protection by now, it has been like 6 weeks.

Second, you should always use %windir% not \Windows\ because not everybody's Windows installation is located there. The proper way to protect yourself is:

regsvr32 -u %windir%\system32\shimgvw.dll

PLEASE NOTE: doing so will break your Microsoft Picture Viewer, but you can always undo it by typing:

regsvr32 %windir%\system32\shimgvw.dll

As stated above you should filter these sites, you can do so locally by editing your %windir%\System32\Drivers\Etc\Hosts file and adding this to the end of your list:

!! DO NOT VISIT THESE SITES !! toolbarbiz.biz toolbarsite.biz toolbartraff.biz toolbarurl.biz buytoolbar.biz buytraff.biz iframebiz.biz iframecash.biz iframesite.biz iframetraff.biz iframeurl.biz

Edited by travisowens

Firstly, most virus software will already protect you. This flaw was discovered on Nov 8th and I see that Symantec added this on Nov 11th. Chances are every virus app has this protection by now, it has been like 6 weeks.

The flaw might have been discovered then, but I understand it's only since 27-28th Dec. that there has been "Windows WMF 0-day exploit in the wild".

I think this article makes interesting and possibly helpful reading:

Days after the revelation of a flaw in Windows' handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available.

At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

The latter technique leaves users vulnerable to threats that the vendor has not yet identified and protected against. Mikko Hypponen of F-Secure, when asked about the matter, said, "Heuristic detection rocks."

After some concern was expressed about the efficacy of the workaround proposed by third parties and endorsed by Microsoft, it appears that it is basically effective at preventing exploitation in the most common circumstances, but not in all.

Anti-Virus Protection for WMF Flaw Still Inconsistent




Well, not really. As you can see on the thread I wrote, the WMF exploit was added to all the exploit lists of security sites on December 27th.

However, the previous .WMF exploit was probably found on the dates you described, but not this one.

Take care! :)


F-Secure weblog Saturday, December 31, 2005:

First worm using the new WMF vulnerability has been found. This is what we were afraid of. Thankfully it doesn't seem to be too bad.

We only have second-hand reports of this case so far. It's an MSN Messenger worm sending links to an image file (link ending with "xmas-2006 FUNNY.jpg"). The link actually contains a web page with a malicious WMF file. F-Secure Anti-Virus does detect the WMF file in question with our generic detection.

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.



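The F-Secure post above names the SETABORTPROC escape, reached through GDI's Escape() function, as the root of the problem, and that is something a mail gateway or file scanner can look for before an image is ever rendered. The Python scanner below is an added example, not code from this thread, F-Secure or Ilfak Guilfanov; it assumes the standard WMF record layout (META_ESCAPE 0x0626, SETABORTPROC 9, META_EOF 0) and builds its two sample files inline as constructed test data.

```python
import struct

# WMF record constants from the Windows Metafile format (MS-WMF).
META_EOF = 0x0000           # last record of every metafile
META_ESCAPE = 0x0626        # record type that reaches GDI's Escape() function
SETABORTPROC = 0x0009       # the escape sub-function the exploit abuses
MFCOMMENT = 0x000F          # a harmless escape that legitimate files often carry
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header

def wmf_records(data: bytes):
    """Yield (function, params) per record; stop at META_EOF or at malformed data."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return                                     # too short for a META_HEADER
    off += struct.unpack_from("<H", data, off + 2)[0] * 2  # HeaderSize is in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize, RecordFunction
        if size_words < 3 or off + size_words * 2 > len(data):
            return                                 # malformed record: stop rather than guess
        yield func, data[off + 6: off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2

def count_setabortproc(data: bytes) -> int:
    """Number of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = 0
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn = struct.unpack_from("<H", params, 0)[0]  # EscapeFunction field
            if escape_fn == SETABORTPROC:
                hits += 1
    return hits

def build_sample_wmf(records) -> bytes:
    """Assemble a minimal in-memory WMF from (function, params) pairs (test data only)."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    max_rec = max(3 + len(p) // 2 for _, p in records)
    # META_HEADER: Type=1 (memory), HeaderSize=9 words, Version, Size (words), objects, MaxRecord, members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body

# Constructed samples: a benign file carrying only a comment escape, and one with SETABORTPROC.
BENIGN_WMF = build_sample_wmf([(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 2) + b"\x00\x00"),
                               (META_EOF, b"")])
SUSPECT_WMF = build_sample_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
                                (META_EOF, b"")])
```

A non-zero count is a reason to quarantine the file; note that the scanner stops at the first malformed record, so a truncated or deliberately broken header should be treated as suspicious in its own right rather than as clean.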


Sunday, January 1, 2006

Bad behaviour Posted by Mikko @ 00:49 GMT

We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.




MS security advisory updated 3/1:


Some of the updated text:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

