Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Recent 0-day Windows Exploit (WMF graphics rendering engine)

  • 30-12-2005 2:43pm
    #1
    Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭


    Surprized not to see this posted already. (Maybe it was?)
    If your concerned for you security on the web please follow these steps until Microsoft releases a patch for it. This will unregister, or "disable" for want of a better word, the file that is causing this exploit.

    1. Click on the Start button on the taskbar.
    2. Click on Run...
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    Click here

    Machines infected

    I have read this effects machines right back to Win95.
    This is browser agnostic so the likes of Firefox or Opera won't help. Maybe Safari on a MAC would :)
    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

    Even visiting a web page, without actually clicking anything, you'll get infected. The amount of pages so far runs into the 1000's.
    Email will also be effected as soon a virii are written to take advantage of this flaw.


Comments

  • Closed Accounts Posts: 12,807 ✭✭✭✭Orion


    That will disable the Windows Picture and Fax Viewer so if you want to view pics install another package like ACDSee.


  • Closed Accounts Posts: 7,145 ✭✭✭DonkeyStyle \o/


    Nice one buddeh.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    http://secunia.com/advisories/18255/
    Solution:
    Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.

    Set security level to "High" in Microsoft Internet Explorer to prevent automatic exploitation.

    The risks can be mitigated by unregistering "Shimgvw.dll". However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested.


  • Registered Users, Registered Users 2 Posts: 19,396 ✭✭✭✭Karoma


    Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer.

    If it hasn't already been done, DISABLE THAT DAMN PREVIEW PANE IN OUTLOOK(EXPRESS) - it might help.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Since it is part of the OS
    F-Secure reports detecting 57 different malicious WMF files in the wild so far.
    Even while using Firefox/Mozilla browsers, users should decline to open a WMF file when prompted.


  • Advertisement
  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    Anyone having a problem connecting to Windows Update?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    A temp fix can found here for Windows 2000 upwards.
    You might want to re-register the shimgvw.dll before installing this fix.
    Once MS supplies a patch, uninstall this and after reboot install MS patch.

    [CM]
    EDIT * DO NOT USE UNTRUSTED PATCHS FROM UNTRUSTED SOURCE ! *
    I'M NOT DELETING THIS POST BECAUSE I'VE BEEN ABLE TO CONFIRM THE PATCH FROM TRUSTED SITES THAT I TYPED INTO THE ADDRESS BAR - SEE BELOW FOR MD5 CHECKSUMS ETC.
    [/CM]


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    The above patch is also referred to by F-Secure and SANS

    http://isc.sans.org/
    MD5: 14d8c937d97572deb9cb07297a87e62a - wmffix_hexblog13.exe
    http://handlers.sans.org/tliston/wmffix_hexblog13.exe - link to patch
    www.slavasoft.com/fsum/ - link to MD5 utility





    MORE INFO ON THE PROBLEM
    http://www.kb.cert.org/vuls/id/181038
    A file with any extension that is associated with Windows Picture and Fax Viewer can be used to exploit this vulnerability. By default, Windows Picture and Fax Viewer is associated with the following file extensions:
    BMP DIB GIF EMF JFIF JPE JPEG JPG PNG TIF TIFF WMF

    By blocking access to Windows Metafiles using HTTP proxies, mail gateways, and other network filter technologies, system administrators may also limit potential attack vectors.

    Please be aware we have confirmed that filtering based just on the WMF file extensions or MIME type application/x-msMetafile will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as a Windows Metafile by virtue of its file header. Please check with your network vendor for updated signatures. WMF files can begin with various byte sequences such as:

    01 00 09 00 ...
    02 00 09 00 ...
    D7 CD C6 9A ...

    Disable downloads in Internet Explorer
    Disabling downloads in the Internet Explorer Internet Zone (or any zone used by an attacker) appears to help prevent exploitation of this vulnerability. This can be achieved by changing the Internet Zone security setting to "High." ... While this change does not remove the vulnerability, it does help to prevent a common attack vector.

    It has been reported that hardware-enforced DEP may help mitigate this vulnerability. Software-enforced DEP is not effective in mitigating this vulnerability.

    Recomended block list - not sure for this.
    InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
    Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    The_Edge wrote:
    [CM]
    EDIT * DO NOT USE UNTRUSTED PATCHS FROM UNTRUSTED SOURCE ! *
    I'M NOT DELETING THIS POST BECAUSE I'VE BEEN ABLE TO CONFIRM THE PATCH FROM TRUSTED SITES THAT I TYPED INTO THE ADDRESS BAR - SEE BELOW FOR MD5 CHECKSUMS ETC.
    [/CM]

    That link provided was from Ilfak Guilfanov's webpage, the author of the patch.
    You can't get more trusted then that :)
    No worries. Also, just to add McAfee added this into the virus update on the 31/12/05, the only vendor to do so at the moment to my knowledge.
    I wonder when MS will pull the finger out?


  • Registered Users, Registered Users 2 Posts: 3,579 ✭✭✭BopNiblets


    So I did the unregistering thing, and the only thing I noticed is that Thumbnails view doesn't work in my folders anymore...

    Will this patch just unreg the thing or is it a proper fix? Is it for normal XP users too, I'm not a network admin or anything, I just wanna safeguard my home machine here.
    I miss my thumbnails! :p


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Sure, just type "regsvr32 shimgvw.dll" in the run box and it will re-register the dll. Then run the unofficial patch and reboot.
    It will restore the funtionallity to you system but you could still get infected if, say, you open a malformed wmf image in MSPaint.


  • Registered Users, Registered Users 2 Posts: 919 ✭✭✭timeout


    Does this effect machines regardless of what updates they have installed?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Yeap. No offical patch from MS yet.

    "The WMF vulnerability" probably affects more computers than any other security vulnerability, ever.

    http://www.f-secure.com/weblog/archives/archive-012006.html#00000762


  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    The Edge, is unregistering the shimgvw.dll file a suitable fix until there is an official patch available?


  • Registered Users, Registered Users 2 Posts: 919 ✭✭✭timeout


    Now the thumbnail view is gone but the images can still be viewed in paint not the MS images and fax viewer, which I am happy enough with. Fingers crossed this and the not opening any images from email or websites keeps it at bay till MS decide to release a patch.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Pacifico wrote:
    The Edge, is unregistering the shimgvw.dll file a suitable fix until there is an official patch available?
    No it's not a full fix, just a quick and nasty hack.

    http://isc.sans.org - MSI is there too if you want to push it
    Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

    Will unregistering the DLL (without using the unofficial patch) protect me?

    It might help. But it is not foolproof. We want to be very clear on this: we have some very stong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

    If you use shavlik here is a way to push it http://forum.shavlik.com/viewtopic.php?t=2731

    Dept of homeland security - http://www.kb.cert.org/vuls/id/181038#solution


    Microsoft announced that there will be a patch on January 10th, the next regular "black Tuesday".


  • Registered Users, Registered Users 2 Posts: 3,579 ✭✭✭BopNiblets


    I just thought of something, if you go into Explorers Tools->Folder Options->File Types and change what program WMF files open with (say Notepad or something) would the nasty code still be able to excecute?

    Edit: Dammit! I just read Cap'n Midnights post and links. :p

    Also, I thought deleting the WMF filetype from there would prevent it opening altogether (it would ask you what program and to search the internet thing) but you can't delete it. :(


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Microsoft Security Bulletin MS06-001


    Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)

    Published: January 5, 2006
    Version: 1.0

    Summary

    Who should read this document: Customers who use Microsoft Windows
    Impact of Vulnerability: Remote Code Execution
    Maximum Severity Rating: Critical
    Recommendation: Customers should apply the update immediately.
    Security Update Replacement: None
    Tested Software and Security Update Download Locations:
    Affected Software:
    •Microsoft Windows 2000 Service Pack 4 – Download the update
    •Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update
    •Microsoft Windows XP Professional x64 Edition – Download the update
    •Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update
    •Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update
    •Microsoft Windows Server 2003 x64 Edition – Download the update
    •Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems.


    Ensure you uninstall the un-offical patch and/or re-register
    shimgvw.dll before applying the MS patch.


  • Closed Accounts Posts: 5,115 ✭✭✭Pacifico


    Ah crap. I updated before i re-registered the shimgvw.dll file. I never installed the un-offical patch, is this going to be a problem?


  • Registered Users, Registered Users 2 Posts: 10,288 ✭✭✭✭Standard Toaster


    Pacifico wrote:
    Ah crap. I updated before i re-registered the shimgvw.dll file. I never installed the un-offical patch, is this going to be a problem?

    No, you should be ok.
    It's the file gdi32.dll being updated on XP SP2 machines and not shimgvw.dll

    There's no harm re-registering it again. :)
    "regsvr32 shimgvw.dll"


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 19,396 ✭✭✭✭Karoma


    Update. More, minor issues:

    Numerous additional problems with Windows' handling of .wmf format files have been identified, according to reports.

    Submissions to the bugtraq mailing list recently highlighted flaws in the handling of such files by Windows' Graphics Rendering Engine that could result in the application being used to view the files crashing. This would usually be Internet Explorer.

    Such risks certainly put the new discoveries way down the list compared to the .wmf flaw for which Microsoft rushed out a patch,as it could be exploited to run code remotely.

    Indeed Microsoft's security team questions whether these latest discoveries warrant the moniker 'flaw' in the first place. Microsoft's Lennart Wistrand points out in the Security Team blog that 'these crashes are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit. These issues do not allow an attacker to run code or crash the operating system. They may cause the WMF application to crash, in which case the user may restart the application and resume activity. We had previously identified these issues as part of our ongoing code maintenance and are evaluating them for inclusion in the next service pack for the affected products.'

    Wistrand adds that the MS06-001 patch issued by Microsoft for the high-risk .wmf flaw does not fix these two new issues.

    Source:http://www.pcpro.co.uk


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    http://www.microsoft.com/technet/security/Bulletin/MS06-002.mspx
    Microsoft Security Bulletin MS06-002
    Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

    So if you aren't patched to date then you have to turn off Images AND Text :rolleyes:


Advertisement