URGENT: New Windows WMF File Vulnerability Exploit

JDMurray Admin Posts: 13,101
On December 28, 2005, a new Windows zero-day exploit was released concerning a design feature in Windows which allows an external program to be executed in the event that a WMF file can't be successfully loaded. It is possible to install a Malware program onto a Windows machine and have Windows itself execute the program by having the user load a bad WMF file using email, a Web browser, IM, or viewing the file using the Thumbnail view in Windows Explorer. The WMF file can have any file extension and the exploit will still run. This exploit affects ALL VERSIONS OF WINDOWS starting with Windows 95.

This is a very effective and easily exploitable vulnerability. Over fifty Malware programs have so far been identified as using it. More are certainly being created, and this problem will be in the news for weeks to come. This vulnerability makes the Sony BMG rootkit look like script kiddie stuff.

Although Microsoft has not yet issued an effective solution for this vulnerability, an independent programmer, Ilfak Guilfanov, has released a tool that permanently fixes the vulnerability for Windows NT, 2000, XP, Server 2003, and 64-bit XP. (There is no known fix for Windows 9x and ME.)

The security researcher Steve Gibson worked with Ilfak to create this tool and fully endorses its effectiveness. You can download the fix from Gibson's Security Now web site at http://grc.com/sn/notes-020.htm, or directly from Ilfak's web site at http://www.hexblog.com/2005/12/wmf_vuln.html. The full source code to the tool is also on Ilfak's Web site.

If you do not think that your Web browsing, file downloading, and image file viewing habits put you at an immediate risk, then you may prefer to wait until an official patch is released by Microsoft. When such a patch will be available is not currently known.

Comments

  • rossonieri#1 Member Posts: 799
    you are right, JD :D

    this is everybody's problem - right now.
    we want to protect our network as safe as possible - but new exploits on Windows machines come every day, I guess.
    first we use anti virus, then firewall, then proxies to protect general internet access, limiting users/type access, but now *.PPS encapsulating pictures, *.DOC contains executable script etc...

    anybody has a better idea to stop this??
    the More I know, that is more and More I don't know.
  • TheShadow Member Posts: 1,057
    Thanks for the link, JD. I did not know that someone had a fix yet. Every year now MS seems to get caught during the holidays.

    Every day is the dawn of a new error.
    Who knows what evil lurks in the heart of technology?... The Shadow DO
  • JDMurray Admin Posts: 13,101
    SANS just blessed Ilfak Guilfanov's unofficial patch for the Windows WMF flaw. That makes it as good as it can get.

    http://isc.sans.org/diary.php?storyid=1010
  • Plantwiz Mod Posts: 5,057
    Nice to see MS is expected to have a patch around the 10th of Jan
    Plantwiz
    _____
    "Grammar and spelling aren't everything, but this is a forum, not a chat room. You have plenty of time to spell out the word "you", and look just a little bit smarter." by Phaideaux

    ***I'll add you can Capitalize the word 'I' to show a little respect for yourself too.

    'i' before 'e' except after 'c'.... weird?
  • JDMurray Admin Posts: 13,101
    Yes, Microsoft reports that they will release their official WMF vulnerability patch on January 10th. I guess "quality" takes a long time.

    http://www.cnn.com/2006/TECH/internet/01/04/microsoft.patch.reut/index.html
  • Plantwiz Mod Posts: 5,057
    Yes, that's it! Quality.

    :)
  • JDMurray Admin Posts: 13,101
    Plantwiz wrote:
    Yes, that's it! Quality.

    :)
    Oh no, I just realized that it isn't about quality! Microsoft always releases its monthly patches on the 2nd Tuesday of each month. Well, the 10th is the 2nd Tuesday of Jan 2006. They won't disrupt their update release schedule even to patch a vulnerability this serious! Oh well, I just hope their patch doesn't break something else. The GDI subsystem being updated is critical for almost all graphical applications.

    Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.
  • Plantwiz Mod Posts: 5,057
    jdmurray wrote:
    Plantwiz wrote:
    Yes, that's it! Quality.

    :)
    Oh no, I just realized that it isn't about quality! Microsoft always releases its monthly patches on the 2nd Tuesday of each month. Well, the 10th is the 2nd Tuesday of Jan 2006. ......

    You are correct. I had forgotten what day/date it was too. Good observation Master Sleuth.
    Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.

    I would hope it will, since all versions are at risk. Or does that fall into the 'they are obsolete?' Security issues were supposed to be maintained or so I thought.
  • darkuser Member Posts: 620
    microsoft caved ..... they are releasing the patch @ 5pm est today !!!!

    see
    http://isc.sans.org
    they've been ranting for two weeks .......
    rm -rf /
  • JDMurray Admin Posts: 13,101
    darkuser wrote:
    microsoft caved ..... they are releasing the patch @ 5pm est today !!!!
    Yup, it just came out a few minutes ago:

    Security Update for Windows XP (KB912919)
    Typical download size: 196 KB , less than 1 minute
    A remote code execution security issue has been identified in the
    Graphics Rendering Engine that could allow an attacker to remotely
    compromise your Windows-based system and gain control over it.
    Yada, yada, yada, ...

    http://go.microsoft.com/fwlink/?LinkId=58471
  • mobri09 Users Awaiting Email Confirmation Posts: 723
    Thanks for keeping us all updated about the flaw JDMurray!
    I just downloaded the patch.
  • TheShadow Member Posts: 1,057
    Microsoft is wasting no time with it. 4 of the 8 systems in my lab had it installed when I got home. So I will have to see if they destroy themselves before I update the rest. Just started reading the dshield list for the day and saw a funny quote.

    "It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports."

  • JDMurray Admin Posts: 13,101
    Let's hear it for Windows users pounding on Microsoft!

    CNN.com - Windows users pushed Microsoft to release patch - Jan 6, 2006
    http://www.cnn.com/2006/TECH/internet/01/06/wmfflaw/index.html

    Also, the Security Now! podcast with Steve Gibson and Leo Laporte talks in depth about this vulnerability, and interviews the creator of the first patch for it.
    http://thisweekintech.com/sn21