URGENT: New Windows WMF File Vulnerability Exploit

JDMurray

On December 28, 2005, a new Windows zero-day exploit was released concerning a design feature in Windows which allows an external program to be executed in the event that a WMF file can't be successfully loaded. It is possible to install a Malware program on to a Windows machine and have Windows itself execute the program by having the user load a bad WMF file using email, a Web browser, IM, or viewing the file using the Thumbnail view in Windows Explorer. The WMF file can have any file extension and the exploit will still run. This exploit affect ALL VERSIONS OF WINDOWS starting with Window 95.

This is a very effective and easily exploitable vulnerability. Over fifty Malware programs have so far been identified as using it. More are certainly being created, and this problem will be in the news for weeks to come. This vulnerability makes the Sony BMG rootkit look like script kiddie stuff.

Although Microsoft has not yet issued a effective solution for this vulnerability, an independent programmer, Ilfak Guilfanov, has released a tool that permanently fixes the vulnerability for Windows NT, 2000, XP, Server 2003, and 64-bit XP. (There is no known fix for Windows 9x and ME.)

The security researcher Steve Gibson worked with Ilfak to to create this tool and fully endorses its effectiveness. You can download the fix from Gibson's Security Now web site at http://grc.com/sn/notes-020.htm, or directly from Ilfak's web site at http://www.hexblog.com/2005/12/wmf_vuln.html. The full source code to the tool is also on Ilfak's Web site.

If you do not think that your Web browsing, file downloading, and image file viewing habits put you at an immediate risk, then you may prefer to wait until an official patch is released by Microsoft. When such a patch will be available is not currently known.

rossonieri#1

you are right, JD

this is everybody problem - right now.
we want to protect our network as safe as possible - but new exploits on Windows machine comes everyday, i guess.
first we use anti virus, then firewall, then proxies to protect general internet access, limiting users/type access, but now *.PPS encapsulating pictures, *.DOC contains executable script etc...

anybody has better idea to stop this??

TheShadow

Thanks for the link JD I did not know that someone had a fix yet. Every year now MS seems to get caught during the holidays.

Every day is the dawn of a new error.

JDMurray

SANS just blessed Ilfak Guilfanov's unofficial patch for the Windows WMF flaw. That makes it as good as it can get.

http://isc.sans.org/diary.php?storyid=1010

Plantwiz

Nice to see MS is expected to have a patch around the 10th of Jan

JDMurray

Yes, Microsoft reports that they will release their official WMF vulnerability patch on January 10th. I guess "quality" takes long time.

http://www.cnn.com/2006/TECH/internet/01/04/microsoft.patch.reut/index.html

Plantwiz

Yes, that's it! Quality.

JDMurray

Plantwiz wrote:

Yes, that's it! Quality.

Oh no, I just realized that it isn't about quality! Microsoft always releases it's monthly patches on the 2nd Tuesday of each month. Well, the 10th is the 2nd Tuesday of Jan 2006. They won't disrupt their update release schedule even to patch a vulnerability this serious! Oh well, I just hope their patch doesn't break something else. The GDI subsystem being updated is critical for almost all graphical applications.

Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.

Plantwiz

jdmurray wrote:

Plantwiz wrote:

Yes, that's it! Quality.

Oh no, I just realized that it isn't about quality! Microsoft always releases it's monthly patches on the 2nd Tuesday of each month. Well, the 10th is the 2nd Tuesday of Jan 2006. ......

You are correct. I had forgotten what day/date it was too. Good observation Master Sleuth.

Let's just hope that Windows Update will install the patch even if a Windows XP machine doesn't have SP1 installed, or Windows 9x is being used.

I would hope it will, since all version are at risk. Or does that fall into the 'they are obscelete?' Security issues were supposed to be maintained or so I thought.

Plantwiz

Received this today:

http://www.microsoft.com/technet/security/advisory/912840.mspx

darkuser

microsoft caved ..... they are releasing the patch @ 5pm est today !!!!



see
http://isc.sans.org
they're been ranting for two weeks .......

JDMurray

darkuser wrote:

microsoft caved ..... they are releasing the patch @ 5pm est today !!!!

Yup, it just came out a few minutes ago:

Security Update for Windows XP (KB912919)
Typical download size: 196 KB , less than 1 minute
A remote code execution security issue has been identified in the
Graphics Rendering Engine that could allow an attacker to remotely
compromise your Windows-based system and gain control over it.
Yada, yada, yada, ...

http://go.microsoft.com/fwlink/?LinkId=58471

mobri09

Thanks for keeping us all updated about the flaw JDMurray!
I just downloaded the patch.

TheShadow

Microsoft is wasting no time with it. 4 of the 8 systems in my lab had it installed when I got home. So I will have to see if they destroy thereselves before I update the rest. Just started reading the dshield list for the day and saw a funny quote.

"It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports."

JDMurray

Let's hear it for Windows users pounding on Microsoft!

CNN.com - Windows users pushed Microsoft to release patch - Jan 6, 2006
http://www.cnn.com/2006/TECH/internet/01/06/wmfflaw/index.html

Also, the Security Now! podcast with Steve Gibson and Leo Laporte talk in depth and this vulnerability, and interview the creator of the first patch for it.
http://thisweekintech.com/sn21