New Windows Vulnerability

Discussion in 'other security issues & news' started by TNT, Dec 27, 2005.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  2. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Update SUMMARY (I'll try to summarize stuff posted here and elsewhere)

    0. This is a huge risk. Several exploits (or proof-of-concept files) exist already: browse to a page, read an HTML-based e-mail message, click on a link in IM software, download a file and run it, view a video, etc.

    1. Payload for this exploit can be inside almost any file type (you cannot just filter by WMF extension)

    2. Payload is getting altered/mutated/randomized (i.e. may not be catchable by AV-software / Proxomitron / other anti-trojan software)

    3. Unregistering the WMF handling DLL is the solution that currently offers least risk ( http://www.f-secure.com/weblog/archives/archive-122005.html#00000754 )

    4. WMFfix patch ( http://isc.sans.org/diary.php?storyid=999 ) does not patch ALL functions within the DLL (additional holes, if existing, remain unpatched). Regardless, it is HIGHLY recommended by almost all security authorities (I'd say mandatory if you ask my personal opinion).

    5. ?? I'm not 100% sure, but it's possible that even with the unreg / WMFfix patches applied, MSPaint remains vulnerable. It certainly does if you haven't patched the DLL with WMFfix. So as a precautionary measure: do NOT open any files in Microsoft's Paint application.

    6. For additional personal measures (standard safe hex) you can try NOT to: view HTML e-mails as HTML (view them as plain text instead), use IE for anything, open/save files from the Internet, or click on links that you have not verified for their safety. Also, disable automatic opening/starting of downloaded files within your browser, if you haven't already.
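    Points 1 and 2 of the summary are why an extension filter is not enough: the metafile can sit behind any filename, and the packing is randomized. The check below is an added example (written for this thread, not code from the forum or from any tool named here) of looking at content instead of extension: it recognises WMF data by its header whether or not a placeable header is present, walks the metafile records, and reports any Escape record, flagging escape sub-function 9 (SETABORTPROC, the function the exploit relies on) as suspicious. Header and record layouts follow the documented WMF format; the sample byte strings are constructed for the example, and all function names are my own.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key that starts an Aldus "placeable" WMF header (22 bytes)
META_ESCAPE = 0x0626         # WMF record function: Escape
META_EOF = 0x0000            # WMF record function: end of file
SETABORTPROC = 9             # Escape sub-function the WMF exploit relies on

def find_wmf_start(data):
    """Return the offset of the standard 18-byte WMF header, or None if the
    bytes do not look like a WMF. A placeable header, if present, is skipped."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_size, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 words
    if ftype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
        return off
    return None

def scan_wmf(data):
    """Content-based check that ignores the filename entirely.
    Returns a dict: is_wmf, list of Escape sub-function codes seen, suspicious, malformed."""
    result = {"is_wmf": False, "escapes": [], "suspicious": False, "malformed": False}
    start = find_wmf_start(data)
    if start is None:
        return result
    result["is_wmf"] = True
    pos = start + 18
    # Each record: DWORD Size (in 16-bit words, includes this 6-byte prefix), WORD Function, params
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                     # smaller than the prefix itself: corrupt record
            result["malformed"] = True
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            esc = struct.unpack_from("<H", data, pos + 6)[0]   # first param = escape sub-function
            result["escapes"].append(esc)
            if esc == SETABORTPROC:
                result["suspicious"] = True
        pos += size_words * 2
    return result

# --- constructed samples for the example (not real exploit files) ---------

def _rec(func, *params):
    """Build one WMF record from a function code and WORD parameters."""
    body = struct.pack("<%dH" % len(params), *params)
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body

def _std_header():
    # Type=1, HeaderSize=9, Version=0x0300; Size/MaxRecord left 0 (not checked by scan_wmf)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)

def _placeable_header():
    # Key, HWmf, BoundingBox (4 WORDs), Inch, Reserved, Checksum (checksum not validated here)
    return struct.pack("<IH4HHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)

BENIGN_WMF = _std_header() + _rec(0x020C, 100, 100) + _rec(META_EOF)   # SETWINDOWEXT, then EOF
ESCAPE_WMF = _placeable_header() + _std_header() + _rec(META_ESCAPE, SETABORTPROC, 0) + _rec(META_EOF)
DISGUISED = ("holiday.jpg", ESCAPE_WMF)   # the extension says JPEG; the bytes say WMF
NOT_WMF = b"GIF89a" + bytes(40)           # a non-WMF blob that must not be flagged

if __name__ == "__main__":
    for name, blob in [("benign.wmf", BENIGN_WMF), DISGUISED, ("real.gif", NOT_WMF)]:
        print(name, scan_wmf(blob))
```

    The scanner deliberately never looks at the filename; that is the point of the summary's first item. It is a structural heuristic, not a signature, so it is indifferent to the padding and randomized records that item 2 describes, but it only covers the Escape/SETABORTPROC path and says nothing about other parsing bugs in the same DLL.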
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Alternative solution: Dump Microsoft Windows and buy a Macintosh, or get some other OS! :cool:
    All this exploit stuff affects Windows only.
     
  4. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    [offtopic]
    I agree. For most of my friends I recommend a Mac, if the work they do is doable on a Mac. I've already converted half a dozen PC/Win users to MacOSX users, just by telling them about the multitude of Windows security problems and how up-to-date they need to stay, in order to secure themselves and their files.
    [/offtopic]
     
  5. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
  6. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Be VERY careful of the unofficial patch if you have XP Pro SP1. That patch, specifically for W2000, XP and XP SP1, broke Windows when I installed it on my host machine. I could not boot into Windows normally. I finally had to boot into Safe Mode and use System Restore. Ironically, on my VMware guest virtual machine that also runs XP Pro SP1, I was able to install the patch with no problems. That machine doesn't really need it as I can just revert to a snapshot if it got infected.

    I think my host machine is protected even though it doesn't have the patch and I have not unregistered the dll. Both my machines pass all of Kye-U's tests. I set wmf and emf file types in Explorer, on the host machine, to use Script Sentry to open. So what happens is that Script Sentry pops up and gives an error saying it can't handle that type of file. That is all I need to know I have a nasty. I sure won't execute that file some other way!

    Of course, I am avoiding IE like the plague and have set it to not allow file downloads. I'm using my virtual machine for any sites except a very few.

    I'm getting a new computer this week. What bad timing. Although it will have a CPU that should have hardware DEP and that is protective.
     
  7. Kye-U

    Kye-U Security Expert

    Joined:
    Jun 11, 2004
    Posts:
    481
    v1.12 of Source Code is now out.

    Even more randomized and has room for 1564 bytes of payload.

    Inserts random objects, headers, records, and paths.

    Packing section looks relatively the same. Same constants (Escape function and parameter, and part of the WMF Header).
     
  8. Globule

    Globule Guest

  9. Globule

    Globule Guest

  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The WMF issue continues to spin

    "We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw."

    isc.sans.org diary



    ________________
    ~~Be ALERT!!! ~~
     
  11. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    This isn't limited to IE, it has affected various browser platforms, email, IM...
     
  12. marcuss

    marcuss Guest

  13. m$su?ks

    m$su?ks Guest

    My question is why is M$ waiting till the 2nd tuesday of this month to release the patch? WTF are they doing? If they really are going to wait this long as everybody is saying to release the patch, I'll be seriously considering going to a different OS entirely. Fuc* M$!!!! I'm so sick and tired of their BS!
     
  14. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    I'll tell you what I think about why Microsoft hasn't addressed this.

    Because it's a much larger (way beyond SetAbortProc) and Microsoft is scrambling to patch all of the exploits involving WMF. Shame - they knew. IMO.

    On edit: Why wouldn't they fix it if they knew? Because any complete fix will interfere with proper operation of some heavily-used Microsoft software. They waited until publication of exploits and now they're scrambling. This really is shameful.
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If I install Ilfak Guilfanov's Temporary WMF Patch 1.3, should I additionally unregister shimgvw.dll, or is that unnecessary to do both?

    Thank you in advance.
     
  16. securityx

    securityx Registered Member

    Joined:
    Dec 1, 2005
    Posts:
    149
    BOTH! But, be advised that Windows Picture and Fax viewer will no longer work.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: *NEW* New Windows Vulnerability

    In another thread, where I focussed on the downloader code that the current .wmf exploit employs, TNT pointed out that "an exploit could be constructed to overwrite system files instead of downloading a file." He also noted that I advocated having some type of virtual environment from which you could restore in case of such.

    Well, a test.wmf file has been constructed showing how such shell code can be embedded:

    http://isc.sans.org/diary.php?storyid=1006



    ________________
    ~~Be ALERT!!! ~~
     
  18. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    I've tried the Maxthon browser and added *.wmf to the Content Filter blacklist to stop it displaying the WMF exploit. [I hope].

    I used Kye-U's test location http://kyeu.info/WMF/readtext.txt to test various browsers.

    In FF, you should just see the plain text.

    In IE I got the "If you can see this you are vulnerable" tag, BUT KAV alerted me to an .wmf exploit.

    TAS
     

    Attached Files:

    • 086.GIF
  19. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Using Maxthon's Content Filter, adding .wmf is like adding an ad block, and as such, under the options for what to display instead of the wmf, I added some text and get this instead of the wmf "ad" I blocked.

    edit: I still got the "If you see this...etc...." but after clicking OK I get the text displayed in the pic... BUT KAV DOES NOT alert, so it's really blocking as far as I can see.

    TAS
     

    Attached Files:

    • 087.GIF
  20. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    The same test, in IE alone, as stated earlier, KAV alerted me.

    Now, I don't know if Maxthon with the wmf added in the Content Filter is completely safe or not, maybe someone can say for sure. Kye-U?

    TAS

    pic of KAV alert after IE test.
     

    Attached Files:

    • 085.GIF
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: *NEW* New Windows Vulnerability

    If you don't block the .wmf file, here is what results from the Kevin Gennuso site mentioned in the link I posted.


    ________________
    ~~Be ALERT!!! ~~
     

    Last edited: Jan 2, 2006
  22. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Blocking .wmf files just gives you a false sense of security. The exploit has already been expanded to other file types.
     
  23. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Back to the drawing board then... :mad: guess it's down to applying the Patch which I am reluctant to do, or to implicitly trust KAV to detect.
    TAS
     
  24. O0OU&^Ft%

    O0OU&^Ft% Guest

    Can the patch at GRC be applied to windows xp media center?
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The real test is to see how your system reacts when a file attempts to download using iframe.

    Since the sans.org article says we can download the test file for our own testing, I've created such a test with this code:

    <iframe src="test.wmf" style="display:none"></iframe>

    If the test file runs, you will see what I put in the screenshot in my post above.


    wmftest
     
    Last edited: Jan 3, 2006