WMF FAQ: What you need to know

Here's how the flaw works, what systems are affected and what you can do about it

IT staffers this week have been working to fend off attacks related to the recently disclosed Windows Metafile (WMF) vulnerability. Although third-party patches are available, Microsoft Corp. doesn't plan to release its official fix for the flaw until next Tuesday (Editor's note: After this article was posted, Microsoft moved up the release date. See Update: Microsoft releasing WMF patch today.) Computerworld Security channel editor Angela Gunn has put together an extensive FAQ on the vulnerability, how it works, what systems are affected and what you can do about it.

The Problem

What's the fuss about? A major security hole involving WMF files. Exploits targeting the hole can use WMF files to run malicious code on a target machine -- infecting it with spyware, stealing data or recruiting it into a zombie network. The problem has existed for years, but its discovery was publicly announced in late December 2005.

Which versions of Windows are vulnerable? Microsoft stated that the vulnerability applies to all versions of Windows from 98 onward, though, practically speaking, only XP and Server 2003 installations are likely to have problems. Secunia confirmed the following systems to be at risk: Microsoft XP Pro, Microsoft XP Home, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition and Microsoft Windows Server 2003 Standard Edition.

Are Mac, Linux or Unix systems vulnerable? Very funny. Next: The Situation

The Situation

Is any real-world malware targeting this hole? Like rust, exploit writers never sleep, or even slow down enough to be counted. As of yesterday, 73 known exploits had been noted on the CastleCops.com discussion board, and antivirus firm Sophos reported over 200 attack methods thus far.

How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. That program is believed to have been used in the first wave of exploits.

What's the launch sequence? When a user clicks on a WMF file, the application calls the shimgvw.dll library, which in turn can call the Escape() function in the gdi32.dll library. Escape() has a subfunction called SETABORTPROC, which lets users cancel a print job during spooling from within various applications. The exploit targets SETABORTPROC. It causes a buffer overflow and thus allows the targeted computer to run malicious code in the WMF file, whatever it may be.

What do those DLLs and functions do?

  • Shimgvw is used by Windows Picture and Fax Viewer, which is Windows' default program, for a variety of file formats. Other applications, including Mozilla, rely on this DLL as well.
  • As described by Microsoft, the GDI (Windows Graphic Display Interface) "enables applications to use graphics and formatted text on both the video display and the printer. Microsoft Windows-based applications do not access the graphics hardware directly; instead, GDI interacts with device drivers on behalf of applications. GDI can be used in all Windows-based applications."
  • The Escape() function translates certain calls from the GDI library to the driver for a particular device -- for instance, a scanner or a printer.
  • SETABORTPROC provides compatibility between newer versions of Windows and the older 16-bit versions, making this a so-called backward-compatible or "regression" bug.

What's the payload? It can be any kind of executable file, but payloads so far appear to be mainly of the adware and spyware type. Some versions attempt to "recruit" machines into zombie armies, presumably to be deployed for nefarious purposes at a later date. Symantec reports that one exploit, dubbed PWSteal.Bankash.G, carried a password-stealing Trojan horse that also attempted to open a proxy server on a random TCP port.

Did I hear something about this back in November? No, that was a different problem, affecting both WMF and EMF (Extended Metafile) formats. For those keeping track, the earlier vulnerabilities were profiled in Microsoft Security Bulletin MS05-053; the newer problem is covered in Microsoft Security Advisory 912840. The patch issued for the earlier vulnerability doesn't correct the newer problem. Next: The Solution (so far)

The Solution (so far)
What do the patches do?
According to Ilfak Guilfanov, the patch writer, the unofficial Hexblog patch blocks access to the Escape() function in gdi32.dll, making the vulnerable SETABORTPROC subfunction unreachable. After running the patch, a user should also deregister the shimgvw.dll library. Hexblog's fix works on Win2000, XP, XP64 and Win2003 systems.
Microsoft is, of course, working on a patch. A prerelease version was briefly posted on a developers' discussion board, probably in error (see "Pre-release Microsoft patch for WMF flaw leaked"). Microsoft says the release version will not be available until Jan. 10. The company recommends that users deregister the shimgvw.dll library until the official patch is installed.
Is a non-Microsoft patch safe? Microsoft and some analysts such as Gartner Inc. are suggesting that sysadmins not install the Hexblog patch, noting that most major antivirus packages have issued up-to-date signatures that handle the problem. Other reputable sources, such as SANS Institute's Internet Storm Center, recommend Hexblog installation. The U.S. Computer Emergency Readiness Team (US-CERT) is noncommittal but does link to the Hexblog patch.
What if I just block the WMF extension? Nope. Other graphics files, with extensions such as .bmp, .gif and .jpg, might also be problematic, since the rendering engine examines file headers (not extensions) when determining file type.
What about just deregistering the shimgvw.dll library? Microsoft says that'll do for now, but outside security experts note that shimgvw.dll is only an intermediate step, merely making the call to the function in gdi32.dll. An exploit could be written to call gdi32.dll directly and thus compromise the machine. Besides, Windows Picture and Fax Viewer, which uses the shimgvw.dll library, is merely the default program for WMF and graphics files in XP and Server 2003. Desktop search software such as Google Search could also trigger the vulnerability if such a program happened across an infected file, as detailed in F-Secure Corp.'s testing blog. Additionally, IBM has issued a bulletin advising Lotus Notes users that the company is investigating whether Notes' file viewer will execute problematic code; Symantec Corp. seems confident that Notes is definitely at risk.
If I install the unofficial patch, what do I do with the official patch? Guilfanov claims there will be no conflict between the two but advises users to uninstall his fix after they've installed Microsoft's. It will be listed in the Add/Remove programs window. Users should also remember to reregister shimgvw.dll at that time.
The Human Factor
Who's this Guilfanov guy?
Ilfak Guilfanov wrote IDA Pro, a popular disassembler program used to investigate malware of this sort at the binary level. Currently, he's employed by Belgium's Datarescue, which released a preview of the next version of IDA Pro on December 28 -- the day after the WMF problem was revealed (see "Malicious hackers exploit zero-day Windows flaw").
How am I going to explain this to my nontechnical bosses? Or the users? Good heavens, the users! Even if you've managed to teach your users smart surfing behaviors (be careful what you click in e-mail, stay away from dodgy sites, etc.), they're still vulnerable, at least in theory -- and with malware writers racing against that Jan. 10 patch release, you should encourage users to be particularly wary for the next week or so. All users should exercise caution when clicking on attachments even from known e-mail addresses or IM pals. Switching from HTML e-mail to text-only e-mail is also a good idea. Those using the Internet Explorer browser should temporarily disable downloads by changing their browser's Internet Zone security to "high." Firefox and Opera users are prompted before WMF files are opened; these users should be encouraged not to open the files. And for those opting to use the unofficial patch but still needing to explain that choice to others in the organization, SANS has put together a brief explanation in PDF and PowerPoint formats.
For more on the WMF vulnerability, see:

Copyright © 2006 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon