Timberway.com - UPDATED - Windows WMF Files Security Warning


Windows WMF Files- URGENT SECURITY WARNING - January 2006

Zero-Day Security Exploit Hits Windows for New Year 2006

***** UPDATE: 1/8/2006 *****

Because of the serious threat from this security exploit, Microsoft released their official security patch early.  Windows Update will automatically install the patch if you have automatic updates on.  If you do not have automatic updates turned on, we recommend you run Windows Update manually as soon as possible to install this security patch.

This security patch from Microsoft takes the place of the temporary unofficial patch and workaround we recommended originally.  If you already installed the unofficial patch and workaround, you can remove them as follows:

1.  From Control Panel, open "Add/Remove Programs," find the patch in the list and uninstall.

2.  Reboot your system prior to re-registering the DLL, in case malicious WMF images are in memory waiting to be displayed.

3.  To re-register the DLL, go to your Start menu, select "Run" and type "cmd" (without the quotes) to open a command prompt window.  In the command prompt window, type:

regsvr32 %windir%\system32\shimgvw.dll

Where "%windir%" is the path to the Windows directory.  (You may have to type the actual path; we did.)  That is the same command previously used to unregister the DLL, but without the -u part.  This will reactivate the Microsoft FAX and Picture viewer, which was disabled by unregistering this DLL previously.

Thanks to Ilfak Guilfanov for providing the temporary unofficial patch and to SANS for backing it as a temporary security solution and providing the procedure to remove the unofficial patch and re-register the DLL!

P.S.  SANS is reporting that differences in the way Windows 98 and Windows ME handle WMF files mean that they are not vulnerable to current WMF file exploits.  The possibility remains, however, that they could be vulnerable to subsequent exploits, as they do have essentially the same security hole.

This is not a joke or a hoax.  It is one of the most serious Windows security warnings to date.  A zero-day (0-day) exploit is one where there is basically no warning and no patch before the exploit is in the wild.  In other words, it's out there and almost everyone is susceptible.

A major security flaw exists in Windows WMF files.  It appears that the files may not even appear to be WMF files.  The files can hide (actually, they can call...) almost any executable code including viruses, worms, trojan horses, and root kits.  Malicious WMF files can be received in emails, from Web pages, from instant messages, from file sharing, etc.  Just viewing an image executes the code.  You don't have to click on anything.  Even indexing a file with a tool such as Google Desktop Search executes the code.
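
Because a malicious file may not carry a .wmf extension, a scanner has to identify WMF content from its header bytes rather than its name.  The following is an added example (not from this page, SANS or Microsoft): it recognizes a WMF by header and flags any Escape record that selects SETABORTPROC, the call named in CVE-2005-4560.  The header layout and record codes are taken from the published WMF format, and the sample bytes are constructed and carry no payload.

```python
import struct

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x26                    # low byte of record function 0x0626 (record type)
SETABORTPROC = 0x0009                 # escape function named in CVE-2005-4560


def wmf_header_offset(data):
    """Return the offset of the 18-byte META_HEADER if data looks like a WMF, else None."""
    off = 22 if data[:4] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data):
    """Classify bytes as 'not-wmf', 'wmf' or 'wmf-setabortproc', ignoring any file name."""
    off = wmf_header_offset(data)
    if off is None:
        return "not-wmf"
    pos = off + 18                        # records start right after the header
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                # malformed size: stop instead of looping
            break
        if func & 0xFF == META_ESCAPE and pos + 8 <= len(data):
            (escape,) = struct.unpack_from("<H", data, pos + 6)
            if escape == SETABORTPROC:
                return "wmf-setabortproc"
        if func == 0:                     # META_EOF ends the record list
            break
        pos += size_words * 2             # record size is counted in 16-bit words
    return "wmf"


# Constructed samples: header + one record + META_EOF, no escape data.
HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
EOF = struct.pack("<IH", 3, 0)
BENIGN = HDR + struct.pack("<IHH", 4, 0x0103, 8) + EOF            # META_SETMAPMODE
FLAGGED = HDR + struct.pack("<IHHH", 5, 0x0626, SETABORTPROC, 0) + EOF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, scan_wmf(blob))
```

Run it over file contents regardless of extension (for example, mail attachments named .jpg or .gif); a "wmf" result on a file with a non-WMF name is itself worth reviewing.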

References:

SANS Internet Storm Center:
http://isc.sans.org/

Security advisory from Microsoft:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Security advisories from CERT:
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560

The first version of this exploit appeared on or about December 27, 2005, and there are now several versions in the wild.  But the most serious development is that a group apparently created an easy tool for turning any WMF file into a carrier for any malicious code - the sort of tool anyone can use.  And they released it over the New Year's holiday weekend.  The latest one, in fact, has already been included in spam emails sent on New Year's Day, 2006.

This security warning applies to at least Windows 2000, Windows XP (SP1 and SP2), and Windows 2003, and the exploit has been proven to successfully attack fully patched systems.  It is also believed to affect Windows 3.x, Windows 95, Windows 98, and Windows ME, although that is not yet proven.  But it uses a "feature," not a bug, of the WMF file format.  WMF files were apparently designed to be able to call executable code.  And since this feature has been out there a long time, it is believed that older Windows versions are likely to be vulnerable.

Internet Explorer will trigger the exploit without warning when an image is viewed. Newer versions of Firefox will prompt you before opening the image.

There is no official patch from Microsoft.  Microsoft is not expected to have a patch available for Windows 2000 and Windows XP until at least January 9, 2006.

There is, however, a workaround that has been created by one of the leading experts on low-level Windows programming and some of the top security analysts in the world.

We strongly recommend that you visit the SANS Internet Storm Center and read more.  If you are not familiar with SANS, they are one of the leading security education and certification organizations.  The Internet Storm Center brings together security analysts from all over the world to monitor and track security exploits and malicious code.

Do yourself a favor - go to the SANS Internet Storm Center now and read the WMF FAQ.  Follow their instructions to install the unofficial patch made available by Ilfak Guilfanov.  SANS has reviewed the patch and tested it and believes it is the best solution until Microsoft releases an official patch.  Also follow their instructions to manually unregister a related DLL.

This is not foolproof, but it is the best protection available currently.

Get the instructions from the SANS Internet Storm Center: http://isc.sans.org/


Copyright 2005 by Timberway.com - Your Internet Marketing Solution - All Rights Reserved
This page was last edited January 08, 2006 at 16:50:51.
