
Recent 0-day Windows Exploit (WMF graphics rendering engine)

  • 30-12-2005 3:43pm
    #1
    Registered Users Posts: 10,251 ✭✭✭✭


    Surprised not to see this posted already. (Maybe it was?)
    If you're concerned for your security on the web please follow these steps until Microsoft releases a patch for it. This will unregister, or "disable" for want of a better word, the file that is causing this exploit.

    1. Click on the Start button on the taskbar.
    2. Click on Run...
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.


    Machines infected

    I have read this affects machines right back to Win95.
    This is browser agnostic so the likes of Firefox or Opera won't help. Maybe Safari on a Mac would :)
    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

    Even visiting a web page, without actually clicking anything, you'll get infected. The amount of pages so far runs into the thousands.
    Email will also be affected as soon as viruses are written to take advantage of this flaw.


Comments

  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    That will disable the Windows Picture and Fax Viewer so if you want to view pics install another package like ACDSee.


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Nice one buddeh.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    http://secunia.com/advisories/18255/
    Solution:
    Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.

    Set security level to "High" in Microsoft Internet Explorer to prevent automatic exploitation.

    The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested.


  • Registered Users Posts: 19,396 ✭✭✭✭Karoma


    Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.

    If it hasn't already been done, DISABLE THAT DAMN PREVIEW PANE IN OUTLOOK(EXPRESS) - it might help.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    Since it is part of the OS
    F-Secure reports detecting 57 different malicious WMF files in the wild so far.
    Even while using Firefox/Mozilla browsers, users should decline to open a WMF file when prompted.


  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    Anyone having a problem connecting to Windows Update?


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    A temp fix can be found here for Windows 2000 upwards.
    You might want to re-register the shimgvw.dll before installing this fix.
    Once MS supplies a patch, uninstall this and after reboot install the MS patch.

    [CM]
    EDIT * DO NOT USE UNTRUSTED PATCHES FROM UNTRUSTED SOURCES! *
    I'M NOT DELETING THIS POST BECAUSE I'VE BEEN ABLE TO CONFIRM THE PATCH FROM TRUSTED SITES THAT I TYPED INTO THE ADDRESS BAR - SEE BELOW FOR MD5 CHECKSUMS ETC.
    [/CM]


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    The above patch is also referred to by F-Secure and SANS

    http://isc.sans.org/
    MD5: 14d8c937d97572deb9cb07297a87e62a - wmffix_hexblog13.exe
    http://handlers.sans.org/tliston/wmffix_hexblog13.exe - link to patch
    www.slavasoft.com/fsum/ - link to MD5 utility





    MORE INFO ON THE PROBLEM
    http://www.kb.cert.org/vuls/id/181038
    A file with any extension that is associated with Windows Picture and Fax Viewer can be used to exploit this vulnerability. By default, Windows Picture and Fax Viewer is associated with the following file extensions:
    BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF

    By blocking access to Windows Metafiles using HTTP proxies, mail gateways, and other network filter technologies, system administrators may also limit potential attack vectors.

    Please be aware we have confirmed that filtering based just on the WMF file extensions or MIME type application/x-msMetafile will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as a Windows Metafile by virtue of its file header. Please check with your network vendor for updated signatures. WMF files can begin with various byte sequences such as:

    01 00 09 00 ...
    02 00 09 00 ...
    D7 CD C6 9A ...

    Disable downloads in Internet Explorer
    Disabling downloads in the Internet Explorer Internet Zone (or any zone used by an attacker) appears to help prevent exploitation of this vulnerability. This can be achieved by changing the Internet Zone security setting to "High." ... While this change does not remove the vulnerability, it does help to prevent a common attack vector.

    It has been reported that hardware-enforced DEP may help mitigate this vulnerability. Software-enforced DEP is not effective in mitigating this vulnerability.

    Recommended block list - not sure for this.
    InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
    Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
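
    The CERT advice quoted above (filter on what Windows recognises as a metafile by its header, not on the .wmf extension or the application/x-msMetafile MIME type) is easy to get wrong in a gateway rule. The following is an added example, not code from the thread or from CERT, F-Secure or SANS: a small header sniffer using exactly the three byte sequences listed above, run side by side with the naive extension/MIME rule over a handful of constructed sample files (no real malware). The header field layouts are the standard and placeable WMF headers as Windows lays them out on disk; the requirement that a placeable file also carry a standard header right after its 22-byte wrapper is my own sanity check, not something the advisory asks for.

```python
"""Header-based Windows Metafile detection next to the extension/MIME rule
that the CERT note says is not enough.  Added example; sample inputs are
constructed for the demo, not captured attack files."""
import struct
from typing import Optional

# Signatures quoted by CERT: standard header (mtType 1 = in-memory, 2 = disk
# file; mtHeaderSize = 9 words) and the "placeable" key 0x9AC6CDD7, all
# little-endian on disk.
STANDARD_WMF_PREFIXES = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22  # key(4) hmf(2) bbox(8) inch(2) reserved(4) checksum(2)

# What a naive gateway rule keys on (only the type named in the advisory).
WMF_EXTENSIONS = (".wmf",)
WMF_MIME_TYPES = ("application/x-msmetafile",)


def wmf_kind(data: bytes) -> Optional[str]:
    """Return 'standard' or 'placeable' if *data* starts like a WMF, else None.

    The decision uses the header bytes only, never the file name.  A placeable
    file must also carry a standard header right after its 22-byte wrapper
    (own sanity check), which weeds out random hits on the 4-byte key.
    """
    if data[:4] in STANDARD_WMF_PREFIXES:
        return "standard"
    if data[:4] == PLACEABLE_WMF_KEY:
        inner = data[PLACEABLE_HEADER_LEN:PLACEABLE_HEADER_LEN + 4]
        if inner in STANDARD_WMF_PREFIXES:
            return "placeable"
    return None


def naive_filter_flags(name: str, mime: str) -> bool:
    """The extension/MIME rule CERT warns does not block all known vectors."""
    return name.lower().endswith(WMF_EXTENSIONS) or mime.lower() in WMF_MIME_TYPES


def scan(files):
    """files: iterable of (name, mime, data).  Returns (name, kind, naive_hit)
    for every file whose header says it is a WMF."""
    hits = []
    for name, mime, data in files:
        kind = wmf_kind(data)
        if kind:
            hits.append((name, kind, naive_filter_flags(name, mime)))
    return hits


def _standard_header(mtype=1, version=0x0300, size_words=100, objects=2, max_record=50):
    # META_HEADER: Type, HeaderSize, Version, Size (lo/hi words), NumberOfObjects,
    # MaxRecord, NumberOfMembers -> 18 bytes.
    return struct.pack("<HHHIHIH", mtype, 9, version, size_words, objects, max_record, 0)


def _placeable_header():
    # META_PLACEABLE: Key, HWmf, BoundingBox(l,t,r,b), Inch, Reserved, Checksum.
    # Checksum left at 0 for the demo; real files XOR the preceding words.
    return PLACEABLE_WMF_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)


# Constructed samples: the same metafile header under three disguises, plus a PNG.
SAMPLES = [
    ("invoice.wmf", "application/x-msMetafile", _standard_header(2)),
    ("photo.jpg",   "image/jpeg",               _standard_header(1)),        # renamed WMF
    ("banner.gif",  "image/gif",                _placeable_header() + _standard_header(1)),
    ("real.png",    "image/png",                b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, kind, naive in scan(SAMPLES):
        print(f"{name:12} {kind:10} caught by extension/MIME rule: {naive}")
```

    Running it shows the point of the advisory: only invoice.wmf is caught by the extension/MIME rule, while photo.jpg and banner.gif carry the same header and would be rendered by the same code path.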


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    The_Edge wrote:
    [CM]
    EDIT * DO NOT USE UNTRUSTED PATCHES FROM UNTRUSTED SOURCES! *
    I'M NOT DELETING THIS POST BECAUSE I'VE BEEN ABLE TO CONFIRM THE PATCH FROM TRUSTED SITES THAT I TYPED INTO THE ADDRESS BAR - SEE BELOW FOR MD5 CHECKSUMS ETC.
    [/CM]

    That link provided was from Ilfak Guilfanov's webpage, the author of the patch.
    You can't get more trusted than that :)
    No worries. Also, just to add, McAfee added this into the virus update on the 31/12/05, the only vendor to do so at the moment to my knowledge.
    I wonder when MS will pull the finger out?


  • Registered Users Posts: 3,579 ✭✭✭BopNiblets


    So I did the unregistering thing, and the only thing I noticed is that Thumbnails view doesn't work in my folders anymore...

    Will this patch just unreg the thing or is it a proper fix? Is it for normal XP users too, I'm not a network admin or anything, I just wanna safeguard my home machine here.
    I miss my thumbnails! :p


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    Sure, just type "regsvr32 shimgvw.dll" in the run box and it will re-register the dll. Then run the unofficial patch and reboot.
    It will restore the functionality to your system but you could still get infected if, say, you open a malformed wmf image in MSPaint.


  • Registered Users Posts: 919 ✭✭✭timeout


    Does this effect machines regardless of what updates they have installed?


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    Yep. No official patch from MS yet.

    "The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

    http://www.f-secure.com/weblog/archives/archive-012006.html#00000762


  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    The Edge, is unregistering the shimgvw.dll file a suitable fix until there is an official patch available?


  • Registered Users Posts: 919 ✭✭✭timeout


    Now the thumbnail view is gone but the images can still be viewed in paint not the MS images and fax viewer, which I am happy enough with. Fingers crossed this and the not opening any images from email or websites keeps it at bay till MS decide to release a patch.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    Pacifico wrote:
    The Edge, is unregistering the shimgvw.dll file a suitable fix until there is an official patch available?
    No it's not a full fix, just a quick and nasty hack.

    http://isc.sans.org - MSI is there too if you want to push it
    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    Will unregistering the DLL (without using the unofficial patch) protect me?

    It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

    If you use shavlik here is a way to push it http://forum.shavlik.com/viewtopic.php?t=2731

    Dept of homeland security - http://www.kb.cert.org/vuls/id/181038#solution


    Microsoft announced that there will be a patch on January 10th, the next regular "black Tuesday".


  • Registered Users Posts: 3,579 ✭✭✭BopNiblets


    I just thought of something, if you go into Explorer's Tools->Folder Options->File Types and change what program WMF files open with (say Notepad or something) would the nasty code still be able to execute?

    Edit: Dammit! I just read Cap'n Midnights post and links. :p

    Also, I thought deleting the WMF filetype from there would prevent it opening altogether (it would ask you what program and to search the internet thing) but you can't delete it. :(


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    Microsoft Security Bulletin MS06-001


    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

    Published: January 5, 2006
    Version: 1.0

    Summary

    Who should read this document: Customers who use Microsoft Windows
    Impact of Vulnerability: Remote Code Execution
    Maximum Severity Rating: Critical
    Recommendation: Customers should apply the update immediately.
    Security Update Replacement: None
    Tested Software and Security Update Download Locations:
    Affected Software:
    •Microsoft Windows 2000 Service Pack 4 – Download the update
    •Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update
    •Microsoft Windows XP Professional x64 Edition – Download the update
    •Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update
    •Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update
    •Microsoft Windows Server 2003 x64 Edition – Download the update
    •Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.


    Ensure you uninstall the unofficial patch and/or re-register
    shimgvw.dll before applying the MS patch.


  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    Ah crap. I updated before I re-registered the shimgvw.dll file. I never installed the unofficial patch, is this going to be a problem?


  • Registered Users Posts: 10,251 ✭✭✭✭Standard Toaster


    Pacifico wrote:
    Ah crap. I updated before I re-registered the shimgvw.dll file. I never installed the unofficial patch, is this going to be a problem?

    No, you should be ok.
    It's the file gdi32.dll being updated on XP SP2 machines and not shimgvw.dll

    There's no harm re-registering it again. :)
    "regsvr32 shimgvw.dll"


  • Registered Users Posts: 19,396 ✭✭✭✭Karoma


    Update. More, minor issues:

    Numerous additional problems with Windows' handling of .wmf format files have been identified, according to reports.

    Submissions to the bugtraq mailing list recently highlighted flaws in the handling of such files by Windows' Graphics Rendering Engine that could result in the application being used to view the files crashing. This would usually be Internet Explorer.

    Such risks certainly put the new discoveries way down the list compared to the .wmf flaw for which Microsoft rushed out a patch, as it could be exploited to run code remotely.

    Indeed Microsoft's security team questions whether these latest discoveries warrant the moniker 'flaw' in the first place. Microsoft's Lennart Wistrand points out in the Security Team blog that 'these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity. We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack for the affected products.'

    Wistrand adds that the MS06-001 patch issued by Microsoft for the high-risk .wmf flaw does not fix these two new issues.

    Source:http://www.pcpro.co.uk


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,802 Mod ✭✭✭✭Capt'n Midnight


    http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
    Microsoft Security Bulletin MS06-002
    Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

    So if you aren't patched to date then you have to turn off Images AND Text :rolleyes:

