WMF Metafile Vulnerability


bristols

Gibson says:

All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable
and:
No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming

but also:

Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x/SE/ME users.
Although the latter might be more up-to-date info, this is not clear on the above page (to me at least). Whether 9x systems are vulnerable or not (there seem to be contradictory statements about this; is 9x vulnerable at least in principle?), it still remains to be seen whether they will be patched in the next MS update. I thought critical security flaws were to continue to be patched until June 2006. Not so, according to The Register:
PCs running old operating systems like Windows 98 will be left out in the New Year cold entirely, as they now exceed Microsoft's support cycle.

I wonder why unregistering the shell image viewer .dll "was never correct on these platforms"?

Elsewhere, I guess this won't be the first time in the coming months that this sort of advice will appear: :}

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
Edit: according to Mikko Hypponen, chief research officer at F-Secure (reported by ZDNet)
Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit
Edited by bristols


Can someone define exactly what is a WMF metafile? Is it a "[dot]wmf"? or is it a series of mime types, like, .jpg, .gif, .png, etc., or, .mpg, .mp3, .mov, etc.?

(from the Gibson site) Note that this WILL temporarily disable the "Thumbnail" view in Windows Explorer and Window's Image and FAX viewer. This is by design, since these viewers are no longer safe to use until a non-vulnerable file has been produced by Microsoft and installed.

I don't use MS explorer, and I don't use preview icons. Also, the offending file "shimgvw.dll" on w2k and xp systems, does not appear to be on my 98se system. (however, gdi32.dll is -- but M$ reports that rather than disable that, buy an xp, and etc.)

(clueless: after this kind of "virus-happening," does Windows really expect me to upgrade from 98 to another Windows system, with more holes, more meta-philosophy, and less "owner" ownership of the kernel? >> a rant, not a part of the above question.)

Edited by Molecule

I was also wondering whether or not WMF vulnerability affects 9x systems... maybe I'll assemble a "sacrificial" machine for testing purposes.

However, I don't think it would be too difficult to make an "unofficial" patch for it, depending on the exact details of how the vulnerability is exploited.

edit: Interesting test to see if you're affected: http://www.msfn.org/board/index.php?showtopic=64332

I wasn't affected at all :yes:

Edited by LLXX

It seems there is an unofficial patch in circulation already :

http://isc.sans.org/diary.php?storyid=999

http://isc.sans.org/diary.php?storyid=1010

Can someone define exactly what is a WMF metafile? Is it a "[dot]wmf"? or is it a series of mime types, like, .jpg, .gif, .png, etc., or, .mpg, .mp3, .mov, etc.?

Windows Metafiles or .wmf are vector graphic images. It's not a mime type on my PC but it could be on another one I believe.

PS : It's not registered as mime type but IE still displays WMF files on my system. You can get plenty here for example : http://www.kamsart.com/

PS2 : It is registered on my system as a mime type (image/x-wmf); it is just that the content type flag does not exist for some reason on the .wmf CLASSES key, and it is handled by MSHTML.DLL apparently through the {607fd4e8-0a03-11d1-ab1d-00c04fc9b304} CLSID key (CoICOFilter Class) referred to by CLASSES\MIME\Database\Content Type\image/x-wmf.

Edited by eidenk

!see edit below!

BREAKING NEWS!

Microsoft's OFFICIAL SECURITY UPDATE leaked onto the Internet early (and it works great!)

It would seem that we can be pretty certain that Microsoft will have this WMF vulnerability mess cleaned up shortly. Microsoft's cryptographically signed and authentic (though perhaps not final), security update addressing this vulnerability has prematurely leaked onto the Internet.

As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update.

Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher.

Note: The updated GDI32.DLL file contained in this patch, was built in the evening of December 28th, LAST WEDNESDAY. It is clear that Microsoft jumped on this problem — and had it resolved — almost immediately. But the nature of the installed base of Windows systems, and Microsoft's understandable need to be absolutely certain they don't break anything else with this new replacement GDI32.DLL, requires that they take the time to thoroughly test anything they change. (quotation from Gibson site, at top of first post)

Does anyone have the so-called ms patch "which is circulating on the internet?"

Also, as ms may be intentionally abandoning their side of our 98 eula agreements, I was contemplating hacking my gdi32.dll, but the website that gave information on how to do so has been pulled ... it was a fairly detailed description of what the attack is based on and what Ilfak Guilfanov's unofficial patch does to block it (trap a call to ???-need name here-??? to stop an abandoned printer process). Knowing the name of that call, it should not be that hard to hex edit the gdi32.dll in a 98 system, by just changing the name of the called service, from "abcde" to "xbcde" or whatever it is.

---edit---

With no patch applied, I ran the little 4K vulnerability tester ("wmf_checker_hexblog.exe"), and it came up ... negative vulnerability on my system!!! (as to that test anyway).

NB. when I installed my w98, I did not install the "Paint" program, and apparently this virus uses program calls which are linked with that utterly useless program.

(So, now I'm starting to wonder whether or not this whole thing is just another Osama bin Laden propaganda schmozzle (Blah Blah Blah, a bearded mickey mouse is hiding all day crawling in his cave, and "vast watershed moments," and now FBI going 911-code-Red over "Homeland Computer Security" and unfixable 98 vulnerabilities, and etc.) is just a smoke screen to shut down all 98 systems ... as they afford their owners too much "ownership" over the dos kernels of their own computers.)

Edited by Molecule

(So, now I'm starting to wonder whether or not this whole thing is just another Osama bin Laden propaganda schmozzle (Blah Blah Blah, a bearded mickey mouse is hiding all day crawling in his cave, and "vast watershed moments," and now FBI going 911-code-Red over "Homeland Computer Security" and unfixable 98 vulnerabilities, and etc.) is just a smoke screen to shut down all 98 systems ... as they afford their owners too much "ownership" over the dos kernels of their own computers.)

That's just...dumb.


With no patch applied, I ran the little 4K vulnerability tester ("wmf_checker_hexblog.exe"), and it came up ... negative vulnerability on my system!!! (as to that test anyway).

NB. when I installed my w98, I did not install the "Paint" program, and apparently this virus uses program calls which are linked with that utterly useless program.

I tried it too, and it also reports No Vulnerability. This is with a stock gdi32.dll, v4.10.1998, 155648 bytes. I do have the "Paint" program installed.

Edited by LLXX

With no patch applied, I ran the little 4K vulnerability tester ("wmf_checker_hexblog.exe"), and it came up ... negative vulnerability on my system!!! (as to that test anyway).

NB. when I installed my w98, I did not install the "Paint" program, and apparently this virus uses program calls which are linked with that utterly useless program.

I tried it too, and it also reports No Vulnerability. This is with a stock gdi32.dll, v4.10.1998, 155648 bytes. I do have the "Paint" program installed.

When I try to open the German CT magazine's test WMF with Paint, it says invalid bitmap or unsupported format.


http://grc.com/sn/notes-020.htm

Microsoft has "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical. This means that it will probably NOT be updated and patched for the WMF handling vulnerability that those older versions of Windows apparently have.

So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

nice


(So, now I'm starting to wonder whether or not this whole thing is just another Osama bin Laden propaganda schmozzle (Blah Blah Blah, a bearded mickey mouse is hiding all day crawling in his cave, and "vast watershed moments," and now FBI going 911-code-Red over "Homeland Computer Security" and unfixable 98 vulnerabilities, and etc.) is just a smoke screen to shut down all 98 systems ... as they afford their owners too much "ownership" over the dos kernels of their own computers.)

I'm not sure what you mean by "ownership", but it's true that the DOS kernel is a distinguishing feature of Win9x as compared to NT/2K/XP.

That"


Unofficial WMF GDI patches have been created for Windows 98 SE + Windows ME:

WinME GDI32.DLL + GDI.EXE 4.90.3002 fix:

http://www.mdgx.com/web.htm#MEU

Win98 SE GDI32.DLL + GDI.EXE 4.10.2226 fix:

http://www.mdgx.com/web.htm#9SU

More info about these patches:

http://www.msfn.org/board/?showtopic=46581&st=193

Official MS info:

http://www.microsoft.com/technet/security/...n/ms06-001.mspx

Hope this helps.


I wouldn't use those... since

No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.
...and more importantly...
Ironically, these files cause a severe, but temporary GDI resource leak (a few % each time the screen is redrawn!) when used with MS Office applications under Win9x (_not_ related to META_ESCAPE records).
I'm not shutting down a system that has had over 3 months of uptime so far just to replace a few files for protection against a supposedly "critical" vulnerability, but also cause resource leaks in the process.
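The thread asks what a WMF file actually is and the post above refers to META_ESCAPE records. The following is an added example, not code from the thread or from any of the patches discussed: a small parser for the WMF record stream that lists every META_ESCAPE record in a file, which is the kind of triage check a defender can run on an unknown .wmf before letting a vulnerable viewer touch it. The record layout follows the published WMF format; the sample files and the escape sub-function value 0x0ABC are constructed for the demo.

```python
import struct

# WMF layout: optional 22-byte placeable header (magic 0x9AC6CDD7), then an
# 18-byte standard header (mtType, mtHeaderSize=9 words, mtVersion, mtSize,
# mtNoObjects, mtMaxRecord, mtNoParameters), then records made of RecordSize
# (DWORD, in 16-bit words, covering the whole record), RecordFunction (WORD)
# and parameters. META_EOF ends the stream.
PLACEABLE_MAGIC = 0x9AC6CDD7
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626

def parse_wmf_records(data):
    """Yield (offset, function, params) per record; raise ValueError on malformed input."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF standard header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):   # size must at least cover its own 6 bytes
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("stream ended without META_EOF")

def find_escape_records(data):
    """Return [(offset, escape_function, byte_count)] for every META_ESCAPE record.
    Escape parameters begin with the escape sub-function WORD and a byte count WORD."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE:
            esc_func, count = struct.unpack_from("<HH", params) if len(params) >= 4 else (None, None)
            hits.append((off, esc_func, count))
    return hits

def build_record(func, params=b""):
    """Pack one record, padding parameters to a whole number of words."""
    if len(params) % 2:
        params += b"\0"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records):
    """Wrap records in a memory-metafile (mtType=1) standard header."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body

# Constructed samples (not real files): one clean metafile, one with an escape record.
CLEAN_WMF = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8)), build_record(META_EOF)])
ESCAPE_WMF = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8)),
                        build_record(META_ESCAPE, struct.pack("<HH", 0x0ABC, 4) + b"\x01\x02\x03\x04"),
                        build_record(META_EOF)])
```

Running `find_escape_records` over a real .wmf gives the offset and sub-function of each escape, and the parser rejects files whose record sizes run past the end of the data instead of reading out of bounds.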

I wouldn't use those... since
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.
...and more importantly...
Ironically, these files cause a severe, but temporary GDI resource leak (a few % each time the screen is redrawn!) when used with MS Office applications under Win9x (_not_ related to META_ESCAPE records).
I'm not shutting down a system that has had over 3 months of uptime so far just to replace a few files for protection against a supposedly "critical" vulnerability, but also cause resource leaks in the process.

Here is the answer from the author of the GDI + WMF patch:

My comment clearly referred to leaks caused under any GDI.EXE version, for example, 4.10.2222 - 4.10.2226 & 4.90.3000 - 4.90.3002, by WMF files from some RF test equipment running Windows XP Embedded.

Why would I create a patch of GDI.EXE & GDI32.DLL that causes new resource leaks and then use such patched files on my own dual-boot PCs? It is beyond me.

From now on please post any comments/feedback regarding Windows 98 SE/ME patches in this forum:

http://www.msfn.org/board/index.php?showtopic=46581

This way I can read all posts and answer accordingly. ;)

Thanks for your time.

Hope this helps.

Edited by MDGx