Wednesday, January 04, 2006

Windows WMF exploit

This is a nasty bug. Details were out at secunia.com on Dec 28 itself. It is due to the age-old WMF (Windows Metafile) format. Back in the days of Windows 3.11, people thought it was a good idea to let a WMF file carry executable code: the format's SetAbortProc escape record registers a callback routine (meant for cancelling a long print job), so that if rendering the metafile is interrupted, the registered code runs to take remedial action. That ability to point the renderer at code carried inside the WMF file still exists, as part of the WMF format, in an age when viruses come free with Windows ;). The worst part of the exploit is that when you download an image from a site, its extension does not matter (just as UNIX never cared about extensions): the viewer decides what the file is from its header and the magic value in it. So even if the file linked to is named .jpg, it just needs a WMF header and the virus/adware payload. In other words, you simply have to go to xyz.com and view the page. An <img> tag in the page loads exploit.jpg, which is really a WMF file with the adware/virus payload in it. Once the page is rendered in IE, IE calls Windows Picture and Fax Viewer's DLL (shimgvw.dll) to render the WMF file.

When the DLL plays the file and rendering is aborted after that record, it calls back into the registered routine, which is the executable payload inside the WMF file, and voila, your system is infected. What does this mean? Your internet browsing itself is not secure: you simply have to visit a site to get infected. While this is the case for IE users, Firefox and Opera users don't have a breather either. The only thing in their favour is that, since WMF is handled by an external component, Firefox will ask you whether you want to open it with Windows Picture and Fax Viewer; if you say yes, you get infected. A perfect way to get infected, and you can curse yourself for clicking YES.
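To make the header-versus-extension point concrete, here is an added example, not code from the original post: a small Python scanner that ignores the file name, identifies a WMF from its bytes (the placeable header's magic value, or sane header fields for a bare WMF, which has no magic), walks the record list and flags any META_ESCAPE record whose escape function is SETABORTPROC, the record these exploit files use to smuggle in a callback. The sample files, their misleading names and the placeholder payload bytes are constructed for the example; the format constants are the real WMF values.

```python
import struct

# WMF constants (real values from the Windows Metafile format).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape that registers an abort-procedure callback


def sniff_wmf(data):
    """Decide from the bytes alone whether this is a WMF; the file name is ignored.

    Returns (is_wmf, offset_of_standard_header). A placeable file carries a real
    magic value; a bare WMF has none, so the 18-byte header's Type, HeaderSize
    and Version fields are checked for sane values instead.
    """
    base = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        base = 22
    if len(data) >= base + 18:
        typ, hdr_words, version = struct.unpack_from("<HHH", data, base)
        if typ in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return True, base
    return False, 0


def scan_wmf(data):
    """Walk the record list and report SETABORTPROC escapes and malformed sizes."""
    is_wmf, base = sniff_wmf(data)
    result = {"is_wmf": is_wmf, "findings": []}
    if not is_wmf:
        return result
    hdr_words = struct.unpack_from("<H", data, base + 2)[0]
    pos = base + hdr_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        # RecordSize counts itself and RecordFunction, so fewer than 3 words
        # cannot be valid and would stall the walk.
        if size_words < 3:
            result["findings"].append((pos, "malformed record size %d words" % size_words))
            break
        if pos + size_words * 2 > len(data):
            result["findings"].append((pos, "record runs past end of file"))
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 5:
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                result["findings"].append(
                    (pos, "SETABORTPROC escape carrying %d bytes of callback code" % byte_count))
        pos += size_words * 2
    return result


def _record(func, params=b""):
    """Encode one metafile record: RecordSize (in words) | RecordFunction | params."""
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records, placeable=False):
    """Assemble a minimal, well-formed WMF around the given records (test data only)."""
    eof = _record(META_EOF)
    body = b"".join(records) + eof
    max_words = max(len(r) // 2 for r in records + [eof])
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    out = header + body
    if placeable:
        # Aldus placeable header: key, handle, bbox (4 x int16), inch, reserved, checksum
        out = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


# Constructed samples, not real exploit files: the "payload" is eight placeholder
# bytes, not code; only the record structure matters for detection.
PLACEHOLDER_PAYLOAD = b"\x00" * 8
_ABORTPROC = _record(META_ESCAPE,
                     struct.pack("<HH", SETABORTPROC, len(PLACEHOLDER_PAYLOAD)) + PLACEHOLDER_PAYLOAD)
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,                    # JPEG-looking, not WMF
    "benign.wmf": _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1))]),
    "exploit.jpg": _wmf([_record(META_SETMAPMODE, struct.pack("<H", 1)), _ABORTPROC]),
    "placeable.wmf": _wmf([_ABORTPROC], placeable=True),
}


def scan_samples():
    """Scan every sample by content; the names are deliberately misleading."""
    return {name: scan_wmf(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in scan_samples().items():
        verdict = ("not WMF" if not res["is_wmf"]
                   else "WMF, clean" if not res["findings"] else "WMF, SUSPICIOUS")
        print("%-14s %s" % (name, verdict))
        for off, msg in res["findings"]:
            print("    offset %d: %s" % (off, msg))
```

Note that exploit.jpg is flagged purely from its contents; the .jpg name buys the attacker nothing against a scanner that sniffs headers the way the viewer does, and a record whose declared size cannot advance the parser is reported rather than trusted.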

What is the quick but dirty remedy? Unregister shimgvw.dll. You will then not be able to load WMF files (or rather view them or their thumbnails). It is like cutting off your fingers because you have dirt under your nails, so that there are no more nails to get dirty. :) Keep in mind that this only removes the default viewer, which needs administrator rights to do; the vulnerable rendering code lives in GDI, so other programs that render WMF files themselves can still be hit.
The command is:
regsvr32 -u %windir%\system32\shimgvw.dll

If you want to re-enable WMF viewing for legitimate purposes other than infecting your system ;), issue the following command:
regsvr32 %windir%\system32\shimgvw.dll

Microsoft, as it has to support a helluva lot of versions of IE, obviously needs time, and it is taking its own time while the exploit is in the wild. :-( I also read that an individual has made a patch for it and it seems to work! That's certainly not good news for Microsoft. I installed that patch from here:
http://www.hexblog.com/index.html
although I have not tested it against a vulnerable site, and I don't want to!

I have summarized in my own words what this exploit means for us. I read about it at the following URLs:
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385
http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html


Linux and Mac users are not vulnerable. Please post your comments too in this blog...

1 comment:

Anonymous said...

Thanks for the info
-venks
