Kuhn Consulting


Windows Emergency Advisory 1/01/06

The U.S. Department of Energy, Computer Incident Advisory Capability, http://www.ciac.org/ciac/bulletins/q-085.shtml, says this about the Windows WMF vulnerability:

We are currently unaware of a practical solution to this problem.
Do not access WMF files from untrusted sources
 

Sent: Monday, January 02, 2006 8:20 AM
Subject: FW: [MDK-12] Emergency: extremely dangerous Windows vulnerability

This is not a joke or a crank email.

Got this from an extremely reliable source.  Read below carefully and take the appropriate, recommended action. 
Be on the lookout for a patch from Microsoft that will correct this condition.  Get the patch installed ASAP.

If you do not feel comfortable performing the recommended patch procedures, wait for the Microsoft patch and do not open any email that has a reference to "Happy New Year".

-----------------------------------------------------------------------------------------------------------------
Subject: FWD: [MDK-12] Emergency: extremely dangerous Windows vulnerability

This is extremely important for Windows users and network admins.

EMERGENCY

In the wee hours of the New Year, our University of Maryland security czar
sent out the enclosed message, about an EXTREMELY serious Windows
vulnerability that has just surfaced in the past few days.  Exploit code for
it has been widely published, and there's already a SPAM email message that
will take over your machine simply by being opened.

IMPORTANT: Our security czar ends his message by saying that if you only
read this on Monday or Tuesday, you should check the websites he provides at
the end of his letter for up to date information.  What I am presenting in
my part of this message is what I've been able to gather from his letter and
looking at those websites -- at around noon on New Year's Day.

WHAT THIS IS, AND WHY SO IMMEDIATELY SERIOUS

Basically, it is a problem with the Windows routine that opens "Windows
Metafiles".  These graphic files usually have a ".WMF" extension, but don't
have to -- it's what's in the first few binary bytes ("header") of a graphic
file that triggers the use of that routine.  So it appears any properly
"malformed" graphic file can do the job.  What makes the situation so
dangerous is that the routine will run whenever

    * the file is opened
    * the folder containing the file is opened (apparently because
      Windows Explorer (the program that shows you the contents of
      your folders) will try to show a thumbnail of the graphic)
    * the file is indexed (e.g. by Google Desktop)

The file can be in an email, on a website, or in a folder on your machine.
If the file is in a user's folder on a network file server, the whole server
can be compromised.

In the case of the SPAM email exploit, opening the message (which contains
an alleged Christmas jpeg picture) causes a backdoor program to be
downloaded from an Internet site, which gives whoever started the spam as
much control over your machine as you have.

EMERGENCY WORKAROUND

Microsoft has given no indication of when it will release a patch for this
problem.  In the meantime, in the diary website of the SANS Internet Storm
Center group of volunteer emergency responders (http://isc.sans.org/ --
referred to in the message below) you can see the following comment,
recommending two steps:

   "This is a bad situation that will only get worse.  The very best
   response that our collective wisdom can create is contained in
   this advice - [1] unregister shimgvw.dll and [2] use the unofficial
   patch...You cannot wait for the official MS patch, you cannot
   block this one at the border, and you cannot leave your systems
   unprotected."

STEP 1: The official Homeland Security CERT site gives the following
instructions (at http://www.kb.cert.org/vuls/id/181038#solution)
for unregistering the problematic SHIMGVW.DLL:

   Microsoft has tested the following workaround. While this workaround
   will not correct the underlying vulnerability, it will help block
   known attack vectors. When a workaround reduces functionality, it
   is identified in the following section.

     * Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on
       Windows XP Service Pack 1; Windows XP Service Pack 2; Windows
       Server 2003 and Windows Server 2003 Service Pack 1

       [Dick note: I haven't been able to determine for what other
        versions of Windows this is appropriate, but the DLL file
        is definitely present on my Windows 2000 machine]

   To un-register Shimgvw.dll, follow these steps:

    1. Click Start, click Run, type
         regsvr32 -u %windir%\system32\shimgvw.dll
       and then click OK.
    2. A dialog box appears to confirm that the un-registration
       process has succeeded. Click OK to close the dialog box.

   Impact of Workaround: The Windows Picture and Fax Viewer will no
   longer be started when users click on a link to an image type that
   is associated with the Windows Picture and Fax Viewer.

   To undo this change, re-register Shimgvw.dll by following the
   above steps. Replace the text in Step 1 with

         regsvr32 %windir%\system32\shimgvw.dll

STEP 2: The unofficial patch the SANS ISCers refer to, which they have very
carefully checked out, is at

      http://handlers.sans.org/tliston/wmffix_hexblog13.exe

Dick

-------- Original Message --------
Subject: Windows WMF Vulnerability
Date: Sun, 1 Jan 2006 01:58:46 -0500

My apologies to those who have seen this message on other lists...

We may be in for a rough time when the University reopens this week.  A
vulnerability has been discovered in Microsoft's image rendering engine and
its handling of files in Windows Meta File Format.  The mere presence of a
tainted WMF file on a Windows system may be sufficient to trigger an
infection (opening a folder containing a tainted image or if the system
happens to index such a file).  The file does not need to have a .WMF
extension in order to be a threat.

Windows based file server operators need to be aware that current
information suggests that an infected file stored in a user folder could
trigger a system compromise if a system process encounters the file (file
backup, file system indexing, etc).

Infected files are popping up on websites (including a few legit sites that
had been silently compromised) and there are already instant messenger based
worms and spam bots sending messages directing the unwary to tainted images.

Microsoft has posted a bulletin on their TechNet website. At this moment in
time, they have not released a Windows Update to address this issue.

McAfee was reporting earlier that VirusScan Enterprise 8.0i (the version
issued by OIT Help Desk) would block the buffer overflow attempt, however I
have not seen confirmation of that from non McAfee sources. McAfee DAT file
4664 was released moments ago with additional detection tailored to the
exploit code upon which many of the new viruses/worms are based. ...

*** With many computers on campus turned off for the break, it is imperative
that these systems update their virus signatures as soon as possible on
Tuesday.

It appears that many security professionals skipped the parties tonight and
updated information is still coming in.  Rather than present you with
additional details that may be obsolete by the time you read mail on Monday
or Tuesday, please check the following links which should have the latest
news:

Microsoft Advisory:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Dept of Homeland Security US-CERT:
http://www.us-cert.gov/cas/techalerts/TA05-362A.html

McAfee Exploit-WMF information:
http://vil.nai.com/vil/content/v_137760.htm

SANS Institute, Internet Storm Center (in particular, the handlers diary for
the past few days):
http://isc.sans.org/
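The STEP 1 workaround quoted above is a single Start / Run command, which is awkward to push to a whole lab or to verify afterwards. The script below is an added example (it is not part of the advisory, of Dick's message, or of the US-CERT text he quotes): it applies or reverts the same regsvr32 step from a cmd prompt and then checks the registry to see whether any COM class still points at shimgvw.dll. It assumes Windows XP or Server 2003 with reg.exe and regsvr32.exe in %windir%\system32 and an administrator account; the file name wmf-workaround.cmd and the status/apply/revert arguments are the example's own.

```batch
@echo off
rem wmf-workaround.cmd -- added example, not part of the advisory above or of
rem the US-CERT text it quotes. Applies or reverts the "unregister shimgvw.dll"
rem workaround from a cmd prompt (so it can be pushed through a login script)
rem and then reports whether any COM class is still registered against that DLL.
rem Assumed environment: Windows XP or Server 2003, reg.exe and regsvr32.exe in
rem %windir%\system32, run as a local administrator.
rem Usage: wmf-workaround.cmd [status|apply|revert]   (default: status)
setlocal
set "DLL=%windir%\system32\shimgvw.dll"
set "ACTION=%~1"
if "%ACTION%"=="" set "ACTION=status"

if not exist "%DLL%" (
    echo %DLL% not found; nothing to do on this machine.
    goto :eof
)

if /i "%ACTION%"=="apply"  goto apply
if /i "%ACTION%"=="revert" goto revert
if /i "%ACTION%"=="status" goto status
echo Unknown action "%ACTION%"; use status, apply or revert.
goto :eof

:apply
rem Same call as the advisory's Start / Run step; /s suppresses the "succeeded"
rem dialog so the script does not block when run unattended.
regsvr32 /s /u "%DLL%"
echo regsvr32 /u returned exit code %errorlevel%
goto status

:revert
regsvr32 /s "%DLL%"
echo regsvr32 (re-register) returned exit code %errorlevel%
goto status

:status
rem In-process COM servers are registered under HKCR\CLSID\{...}\InprocServer32
rem with the DLL path as the default value. If any CLSID still points at
rem shimgvw.dll, Explorer thumbnails and the Picture and Fax Viewer will still
rem load it, i.e. the workaround is not in effect. The recursive query walks
rem every CLSID key, so it takes a few seconds.
reg query HKCR\CLSID /s 2>nul | findstr /i /c:"shimgvw.dll" >nul
if errorlevel 1 (
    echo shimgvw.dll is NOT registered as a COM server: workaround is in place.
) else (
    echo shimgvw.dll is still REGISTERED: Explorer and the viewer will load it.
)
endlocal
```

Two cautions when using this. First, as the US-CERT text says, unregistering the viewer only blocks the known attack vectors (folder thumbnails and the Picture and Fax Viewer); the flaw itself is in the image rendering engine, so any other program that renders a WMF is still exposed until the Microsoft patch is installed, which is why the SANS handlers also recommend their STEP 2. Second, remember to run the script with revert once the official patch is on, or image thumbnails and double-click viewing of pictures stay broken.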

Copyright © 2011 Bob Kuhn. All rights reserved.