In-Depth

WMF Flaw Provokes Headaches, Workarounds

Security managers race to stem a mass outbreak

• By Mathew Schwartz
• 01/10/2006

Companies are racing to patch a WMF vulnerability in all versions of Microsoft Windows XP and Windows Server 2003.

Information about the vulnerability became public in late December, and Microsoft released an out-of-cycle patch last week (see the security bulletin at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx). Explaining that decision, Mike Nash, the corporate vice president responsible for security at Microsoft, said in a statement that "while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems."

Vulnerability information provider Secunia has rated the threat as “extremely critical.” A successful WMF exploit allows an attacker to run arbitrary code on a user’s PC or install malware. Fake anti-malware applications seem especially popular.

The SANS Institute reports hundreds of Web sites now contain malicious WMF files to trigger the vulnerability on affected PCs. A WMF-exploiting worm is also circulating over instant messaging networks.

The Vulnerability and Its Targets

According to Secunia, “the vulnerability is caused due to an error in the handling of Windows Metafile files (WMF) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow arbitrary user-defined functions to be executed when the rendering of a WMF file fails.” The attack can be exploited if users open a malicious WMF file in Windows Picture and Fax Viewer.

The vulnerability can also be exploited automatically if Internet Explorer users visit a Web site containing a malicious WMF image. The vulnerability also affects Mozilla Firefox, though in newer versions of Firefox, user must first clicks “yes” when the browser asks a user if they want to display the WMF image file. Older versions of Firefox may handle themselves differently. According to F-Secure, “in our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with Windows Picture and Fax Viewer, which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable.”

Programs affected by the flaw go beyond browsers and include Google Desktop. According to F-Secure, which tested the vulnerability on a PC running Google Desktop, “It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component, Shimgvw.dll, to extract this info. This is enough to invoke the exploit and infect the machine.” Furthermore, since Google Desktop indexes in real time, the attack can execute almost immediately once a malicious image shows up on a PC.

Weighing Temporary Workarounds and Patches

When information about the vulnerability was made public, IT managers were initially stuck without a patch, and with only a handful of workarounds.

Though Microsoft released the patch early, it will still take time for IT organizations to test and roll it out. In the meantime, one workaround is to de-register the Windows Picture and Fax Viewer DLL (Shimgvw.dll) that enables WMF viewing, though that will also disable thumbnails in Internet Explorer. Microsoft itself had recommended taking that approach until its patch was available. (In an interesting twist, Microsoft accidentally released a version of its patch early, but asked security managers to disregard it.)

More daring security managers already had another option: a third-party patch released to fix the problem, which the SANS Institute recommended applying until Microsoft’s became available. As the SANS Institute’s Stephen Northcutt noted, “The path of wisdom is to download the unofficial patch, and test it on some non-production systems, and also to make sure you are ready to go when the worm breaks loose.”

Still, some caution against ever applying a non-official patch. As Gartner analyst John Pescatore noted in a SANS Institute newsletter, “Even with a trusted source of an unofficial patch, the odds of causing self-inflicted damage by doing so are very high for enterprise users. The workarounds—like unregistering the DLL and losing thumbnails—are likely to have fewer unintended consequences than an unsupported, unofficial patch.”

Related Articles:

Malware Clean-Up Swamps IT Managers

Case Study: Outsourcing Threat Detection