New IM Worm Exploiting WMF Vulnerability

An anonymous reader writes "Less than four days after the original mailing list posting, there are reports of a new Instant Messaging worm exploiting the unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."
  • temporary fixes (Score:5, Informative)

    by Phil246 ( 803464 ) on Sunday January 01, 2006 @01:57PM (#14374839)
    There is information available on temporary fixes from the following sites
    http://isc.sans.org/diary.php?rss&storyid=996 [sans.org]
    http://www.f-secure.com/weblog/#00000760 [f-secure.com]
    http://www.grc.com/sn/notes-020.htm [grc.com]

    Be aware the runnable patch is completely unofficial; the only action Microsoft suggests is unregistering a vulnerable DLL, which only mitigates the most common method of exploitation while not fixing the underlying problem.
    NFI how long it will take Microsoft to have an official patch out, but from the SANS site, it doesn't look promising that it will appear soon.
  • by ergo98 ( 9391 ) on Sunday January 01, 2006 @01:58PM (#14374844) Homepage Journal
    How do I avoid it? Fixes?

    Follow the suggested action in the Microsoft advisory linked right up there above.
  • by Maroulis ( 467300 ) on Sunday January 01, 2006 @01:59PM (#14374851)
    Microsoft suggests to unregister the problem dll.
    start->run
    regsvr32 -u %windir%\system32\shimgvw.dll

    http://www.microsoft.com/technet/security/advisory/912840.mspx [microsoft.com]
  • Re:MSN? (Score:5, Informative)

    by sucker_muts ( 776572 ) <.moc.liamtoh. .ta. .nvp_rekcus.> on Sunday January 01, 2006 @02:07PM (#14374888) Homepage Journal
    You MUST mean MSN Messenger.

    Netherlands being the place where it first appeared, and being from Belgium myself, I can say that everybody here simply says 'MSN' when they mean 'MSN Messenger'.
    It's more common in Europe anyway to use MSN instead of other popular IM networks used throughout the USA and other countries. IM was never popular with non-geek computer users here, and when broadband internet (with a fixed price/month) arrived, most teenagers (the primary group of users in Europe) all started using MSN Messenger.
  • by Anonymous Coward on Sunday January 01, 2006 @02:10PM (#14374908)
    See discussion list at
    http://www.aota.net/forums/showthread.php?p=143053 [aota.net]
    also check out FSecure's blog:
    http://www.f-secure.com/weblog/ [f-secure.com]
  • by FhnuZoag ( 875558 ) on Sunday January 01, 2006 @02:15PM (#14374936)
    It's unofficial, but it works.

    http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]
  • by Anonymous Coward on Sunday January 01, 2006 @02:17PM (#14374942)
    Block popups on the internet security zone and allow them in the trusted zone, then add your credit union to the list of sites you trust and refresh the page for the settings to take effect. Basically you need to create a white list of trusted sites while blocking all the riff raff. It doesn't matter what version of IE you use; install the IE5.5 power toys, which will add two settings to the tools menu called "add to restricted zone" and "add to trusted zone". It ain't rocket science.
  • by FhnuZoag ( 875558 ) on Sunday January 01, 2006 @02:27PM (#14374985)
    That works for some things, but not everything, because shimgvw is NOT the problem dll. The real problem is in gdi32.dll, which IIRC is too important to be removed.
  • by R3NZ ( 858840 ) * on Sunday January 01, 2006 @02:34PM (#14375016)
    There seems to be a first fix.

    There is now a "Windows WMF Metafile Vulnerability HotFix" available from Ilfak Guilfanov. Have a look here http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]

    The problem - and the fix - has also been discussed at GRC.com's Security Now podcast. Check out this link http://www.grc.com/sn/notes-020.htm [grc.com]
  • Re:Great.. (Score:2, Informative)

    by Anonymous Coward on Sunday January 01, 2006 @02:39PM (#14375041)
    The problem is not with gdi32.dll. The problem is with the way the WMF handler uses the SetEscape() API.

    Pointing the finger at gdi32.dll is like running a malicious script that executes "rm -fr /" and blaming the rm executable when your files disappear.
  • by borderpatrol ( 942564 ) on Sunday January 01, 2006 @03:01PM (#14375130)
    I work for a major electronics retailer in the Service department. Most of our duties are simple PC repair, data backup, and virus/spyware removal.

    I have seen in the past week our work increase 5 fold because of this exploit. What is normally a very slow time of the year for us has become very busy for us and it's making me nervous myself.

    We had a few customers who bought brand new computers and laptops and are bringing them back the same day with this exploit. A quick check reveals that their Norton was up-to-date, yet this stuff still slipped in. Other customers are getting this thing left and right. Unfortunately I have not much to tell them except to keep updating all your security products daily, as it's only going to get worse before it gets better. Hand them a copy of Norton and Sunbelt Counterspy and tell them good luck.

    I do believe there is a bit of social engineering planned into this. Customers with year-end financials, tax season starting up, holiday credit card payments and statements coming through. Very ripe time for plucking financial and personal data. And with this being an extended holiday weekend, this exploit has a bit of time to fester and refine itself before the big trojan/virus with a major payload slips past the AV and Adware detections and onto millions of computers. What happens when someone combines this exploit with a backdoor into a major ad server network? Imagine the damage then.

    I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.
  • Do. This. Now. (Score:5, Informative)

    by Bozdune ( 68800 ) on Sunday January 01, 2006 @03:27PM (#14375216)
    Get a patch here: http://www.hexblog.com/2005/12/wmf_vuln.html [hexblog.com]

    All the necessary information and explanation (plus q/a) is here. This is the only hope at present. Good luck to everyone on Jan 2 when this thing takes over the world.
  • by Heembo ( 916647 ) on Sunday January 01, 2006 @03:27PM (#14375218) Journal
    This is the same basic exploit - but the seriousness and criticality is dramatically higher. A malicious file can have any file extension and any random size and still be a WMF file on the "inside" and still have an "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not covering this completely yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 [sans.org] for a more in-depth answer.
  • VBS in WMF? WTF?! (Score:2, Informative)

    by void*p ( 899835 ) on Sunday January 01, 2006 @03:27PM (#14375219)
    Why in the world would a WMF file need to be able to execute a script? And aren't most of Microsoft's vulnerabilities related to the wanton running of scripts without a user being aware that it's happening?
  • by W2k ( 540424 ) on Sunday January 01, 2006 @03:28PM (#14375228) Journal
    Parent is a troll who obviously didn't even RTFA. This patch is legit, it comes with complete source code, and it's been verified good by at least one third party [grc.com], Steve Gibson of GRC.com. It immunizes against the vulnerability and has no known ill effects. It's as good a counter-measure as there can be before an official fix is released.
  • Re:so... (Score:5, Informative)

    by borderpatrol ( 942564 ) on Sunday January 01, 2006 @03:29PM (#14375232)
    ...Because it's a simple image. Who would think that an image can deliver such a nasty payload? It doesn't need any user interaction. This blows right through fully patched copies of Windows, and IE opens and executes it automatically (video here - http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv [websensesecuritylabs.com])

    Does your website have an image on it? It can be exploited that way. Does your email render HTML, even with scripting turned off? It can be exploited that way. A few trusted sites have been compromised with this exploit. Some seedier ad networks (with hundreds or thousands of affiliates) are using this to generate cash. There is no patch for Windows ME, 98, or 95 and there never will be, as these OSes are unsupported. These systems will ALWAYS have this vulnerability.

    Imagine if someone uploaded this to MySpace (http://www.alexa.com/data/details/traffic_details?q=&url=www.myspace.com/ [alexa.com]), as they allow full HTML formatting, embed, iframes and all kinds of crazy crap. One exploit on a popular blog will cause A LOT of damage.

  • by symbolset ( 646467 ) on Sunday January 01, 2006 @03:35PM (#14375253) Journal
    I'm doing the best I can at my house against this thing, but looking at the 7+ Windows boxes I'm now worrying about updating, installing, patching and unregistering, and the 1 Apple laptop I haven't had to restart in 6 months, and I wonder if this is going to be the big one that really gives Microsoft the black eye it can't recover from.

    If you're an IT pro and you're running Windows at home, you should have your boxes imaged so you can just unhook from the net, image, apply the fix, take a new image and hook back up to the net. Seven boxen shouldn't take you more than a couple hours -- less if you use a standard image.

    If you're setting this up for the first time, don't forget to redirect "My Documents" to a different partition, or better yet a server with a backup regime. Oh, yeah, and choose the "Activate Windows over the phone" option before you make your first image so you don't have to re-activate each time.

    If you're an IT pro and you're not using Windows at home, take the extra hours and spend some holiday time with your friends and family. Life is short.

  • Re:Fearmongering (Score:1, Informative)

    by Anonymous Coward on Sunday January 01, 2006 @03:40PM (#14375277)
    It's already happening dude - there are still a bunch of sites at major shared hosting providers (*cough* iPowerWeb *cough*) which are being exploited and code added via an old cPanel vulnerability. There are dozens if not hundreds of compromised web servers out there right now spreading this thing.

    There is a real possibility that the shit is going to hit the fan big time with this one.
  • by Sinus0idal ( 546109 ) on Sunday January 01, 2006 @03:47PM (#14375303)
    Haha analysed by Steve Gibson, well NOW I feel safe. I think I'll take my advice from a proper security authority [sans.org]
  • by HairyCanary ( 688865 ) on Sunday January 01, 2006 @04:06PM (#14375366)
    With the exception of games (and I don't play PC games anyway), my Mac does everything Windows can do, plus some. I've been a die-hard PC guy, anti-Mac for a long time. Until I decided that I was done with Windows, and looked for alternatives. Linux just isn't quite there yet as a good, usable, stable day-to-day desktop operating system. But MacOS X is. And I've even grown to appreciate some of the ways in which it is superior to both Windows and Linux from a usability standpoint, even ignoring the well known security advantages.
  • by jZnat ( 793348 ) on Sunday January 01, 2006 @04:50PM (#14375515) Homepage Journal
    Funny as that might be, we're already talking about how the current mandatory support for MSN custom smilies is both an annoyance and a security hazard (either 2.0.0beta1 or CVS, I forget which version). If the infected WMFs are even cached anywhere and a program like Picasa sniffs it out and uses the win32 GDI library, you still get fucked. Lovely!
  • by Heembo ( 916647 ) on Sunday January 01, 2006 @05:03PM (#14375549) Journal
    From http://isc.sans.org/diary.php?rss&storyid=994 [sans.org] :

    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13.exe [sans.org] Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.


    To unregister the DLL:


    * Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
    * A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
  • by HairyCanary ( 688865 ) on Sunday January 01, 2006 @05:29PM (#14375638)
    I have a pair of Linux PC's in addition to the Mac Mini I use for daily activity. One of the Linux boxes runs Fedora Core 4 (it usually does duty as my MythTV box, though, not a regular desktop), and the other box runs OpenSUSE 10. I'm not sure either of these distributions really qualifies as junk.

    Having used both, I stand by my comment that they're rough around the edges. Not hard to use, perhaps, but they have a number of odd behaviors that are not intuitive to anybody who isn't familiar with them. And Linux lacks the one big thing MacOS has -- easy support for the most common media types, including Windows Media and Quicktime. Trying to get Linux to support both of these is an exercise in futility. Sure it can be done, but not by Joe Schmoe. It's all in the little details, and these are just two little details among many.

    Disclaimer: I am a professional Unix Systems Administrator with almost a decade of experience (and I've been playing with Linux since before it had Ethernet support ;-)). If I can see the potholes in the user experience, what do you think it's like for someone who doesn't have the background to understand why it is the way it is?

  • by CodeBuster ( 516420 ) on Sunday January 01, 2006 @06:11PM (#14375795)
    You can allow a popup to be shown in IE on a per-instance basis, whether the site is trusted or not, by holding down the CTRL button while clicking the link that launches the popup window. If the site uses javascript to automatically launch popups and you absolutely must use it, then you can also add the site to your list of trusted sites under Tools->Internet Options->Security Tab. It makes sense to add your online banking portal to the list of trusted sites anyway.
  • by HermanAB ( 661181 ) on Sunday January 01, 2006 @06:14PM (#14375811)
    Well, by switching to Linux, you basically trade one head-ache for another, but I can assure you that the Linux head-ache is much smaller and infrequent. Most people who complain about Linux do so because they tried some 5 year old version or tried to use last year's Red Hat or Fedora. If you would install a current Mandriva or Suse however, then you won't look back. Anyhoo, my notebook PC is dual booting XP/Mandriva. I only use XP for deliberately infecting and trying out virus fixes before I go and fix a client's machine...
  • by Mixel ( 723232 ) on Sunday January 01, 2006 @07:11PM (#14376033) Homepage
    Dude, you don't have to click 'open'. On Bugtraq it has been reported that this thing runs itself quite happily in an IFRAME.
  • Re:VBS in WMF? WTF?! (Score:1, Informative)

    by Anonymous Coward on Sunday January 01, 2006 @09:31PM (#14376479)
    WMF IS a script. now with root exploit goodness. :)
  • by Heembo ( 916647 ) on Sunday January 01, 2006 @10:01PM (#14376555) Journal
    This patch is a good start - but I would take a more defense-in-depth approach:

    1. unregister the ms pic and fax viewer dll
    2. make WMF file extension default to an erroneous app like notepad
    3. turn DEP up a notch
    4. turn off downloads in IE if you must use it (set default security settings to HIGH)
    5. load unofficial patch at http://handlers.sans.org/tliston/wmffix_hexblog13.exe [sans.org] - make sure you check against the md5 hash!!
    6. antivirus up to date, please check several times a day
    7. block all WMF files at the perimeter
  • by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Sunday January 01, 2006 @10:28PM (#14376616) Journal
    Haha analysed by Steve Gibson, well NOW I feel safe.

    Security researcher he isn't (really), but I do respect his ability to code. At any rate, for those who don't know why that's potentially laughable, see the GRC sucks [grcsucks.com] website.
  • by ThinkFr33ly ( 902481 ) on Monday January 02, 2006 @12:15AM (#14376888)
    There is absolutely no reason to believe that market share is the cause of low security.

    It's certainly not the cause of "low security", but it definitely makes Windows a target. This argument has been rehashed here and everywhere else a thousand times. The popularity of Windows makes it a target for more hackers. This says nothing about Microsoft's code quality, nor does it say anything about the quality of other OS's code bases. I'm just saying that it makes sense that the most used operating system would also be the most attacked. More attacks yield more results.

    Shitty programmers with little or no Q/A, and a huge festering code base which is continually patched together with duck tape to keep it going

    Why isn't this drivel modded as flamebait? Microsoft's coders aren't really any shittier than anybody else's coders, or at least I've seen no evidence of this. No Q/A? You have to be kidding me. If you have even a shallow knowledge of Microsoft's engineering practices you would know that their Q/A is probably the most intensive that any software company has on the planet, and it's getting more intensive every day.

    Want an example? The ASP.NET team had 505,000 test scenarios [asp.net] for ASP.NET 2.0 that it had to pass 100% before they would lock it down as RTM.

    along with a refusal to force 3rd party vendors to release software which runs properly (IE doesn't require local admin to run) causes security holes

    Indeed, 3rd party software, and even Microsoft's own software (try developing an ASP.NET application with VS.NET 2k3 without admin privs), often fails to run correctly as non-admin. Microsoft has made a lot of changes to improve this, but 3rd party support is still lagging. Why? Because Windows is used by basically everybody, and if a patch or new version of Windows suddenly broke 75% of the applications out there nobody would upgrade.

    This problem is an extremely difficult one to solve, and a lot of it has to do with Microsoft's failure to produce specs and guidelines from the start that let ISVs know what they needed to do to make sure software ran as non-admin. Microsoft's solutions in Vista [helpwithwindows.com] are a huge step in the right direction.

    Windows doesn't have *bad* security, Windows has no security.

    Baloney. The Windows security model is a solid one. Aside from the applications that don't like installing or running as non-admin (mostly ASP.NET development, really), I run Windows as non-admin 100% of the time. The security model in Windows is actually more extensive than the security model in most flavors of Unix, including Linux. (At least out of the box.) Regardless, Windows gets a bad rap for security not because the design of Windows is bad, but because there have been lots of high profile, highly damaging exploits for Windows over the years. With a few glaring exceptions, such as the WMF exploit, Microsoft has always had patches available for weeks if not months before the bastards out there released their worms or viruses.

    Transparency between versions? How does that cause poor security?

    As I explained earlier, Microsoft can't just break everybody's applications, even if they're insecure. That's not the way it works when you have 90% of the computer using world running your software.
  • by Anonymous Coward on Monday January 02, 2006 @12:15AM (#14376889)
    Ha! You're right. Until I order my Mac (after macworld next week) I'm still using XP sometimes on my machine that dual boots with Linux. I checked into setting up a 'user' (non-administrator) account on XP. According to this page [microsoft.com]:
    Note - Some programs might not work properly for users with limited accounts. If so, change the user's account type to computer administrator, either temporarily or permanently.
    That right there is Microsoft's solution. Absolutely breathtaking....
  • by Anonymous Coward on Monday January 02, 2006 @06:26AM (#14377655)
    Okay, I've tried it myself now.

    Using IE, you're fucked. You can write <img src="evil.wmf"> into an html file, and it'll display it clear as day. (And this means, that the exploit can be used.)

    Firefox (without any WMF support) won't show up the picture inline.

    I suggest that you try it yourself. Personally, I think this is an enormous unseen benefit to firefox. Even though you can be infected if you download and let explorer (or google desktop) see the file, this is still a big step from merely viewing it in a website!

  • by m50d ( 797211 ) on Monday January 02, 2006 @06:34AM (#14377675) Homepage Journal
    If I rename a malicious .WMF as a .JPG, and display it as an image on a website, will IE execute the WMF, or will the JPG just not work?

    Without actually knowing, I'm pretty sure it'll work. The exploit can work through an image displayed on a webpage and work through a renamed image, so I don't see any reason it wouldn't work with both.

    JPG, PNG, GIF etc. all have headers that should surely be checked before displaying the picture. Does IE not do this?

    The MIME type the webserver gave (which will presumably be application/x-wmf) should take priority over the extension anyway, and I believe IE's approach is "It claims to be an image of some sort, so call the image rendering library".

    In short, do i have to actively click a "Open this file" dialog on the browser?

    No.
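Two points recur in this thread: Heembo's item 7 (block all WMF files at the perimeter) and the exchange just above about a .WMF renamed to .JPG. An added example follows, written for this page and not taken from the thread or from any product mentioned in it: a content-based classifier that recognises a Windows Metafile by its placeable and standard headers rather than by its name, and counts the Escape records that the thread identifies as the dangerous path. Header layouts follow the public WMF format specification; the sample metafiles are constructed inside the block and carry only a harmless MFCOMMENT escape.

```python
import struct
from dataclasses import dataclass
from functools import reduce

# WMF constants (from the public WMF format specification)
PLACEABLE_KEY = 0x9AC6CDD7   # magic key of the 22-byte Aldus "placeable" header
META_ESCAPE = 0x0626         # record type that hands data to the GDI Escape() API
META_EOF = 0x0000            # terminating record
MFCOMMENT = 15               # harmless escape sub-function, used for the sample only

@dataclass
class Verdict:
    is_wmf: bool
    placeable: bool
    extension_lies: bool   # content is WMF but the file name does not say so
    escape_records: int    # number of META_ESCAPE records seen
    note: str

def _walk_records(data: bytes, off: int):
    """Walk the record list, counting escape records, until META_EOF."""
    escapes = 0
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:               # every record is at least 3 words long
            return escapes, "malformed record size"
        if func == META_EOF:
            return escapes, "ok"
        if func == META_ESCAPE:
            escapes += 1
        off += size_words * 2
    return escapes, "truncated (no META_EOF)"

def classify(filename: str, data: bytes) -> Verdict:
    """Decide by content, not by name, whether a file is a Windows Metafile."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        placeable, off = True, 22
    if len(data) < off + 18:
        return Verdict(False, placeable, False, 0, "too short for a WMF header")
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Standard header: Type 1 (memory) or 2 (disk), HeaderSize always 9 words,
    # Version 0x0100 or 0x0300. A JPEG/PNG/GIF never matches all three.
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return Verdict(False, placeable, False, 0, "no WMF header")
    escapes, note = _walk_records(data, off + 18)
    return Verdict(True, placeable, ext != "wmf", escapes, note)

def perimeter_block_list(files: dict) -> list:
    """Names to drop at the gateway: anything that is WMF by content, whatever its name."""
    return sorted(name for name, data in files.items() if classify(name, data).is_wmf)

def build_sample_wmf(placeable: bool, with_escape: bool) -> bytes:
    """Constructed benign sample: a metafile with an optional MFCOMMENT escape record."""
    records = b""
    if with_escape:
        body = struct.pack("<HH", MFCOMMENT, 4) + b"note"
        records += struct.pack("<IH", (6 + len(body)) // 2, META_ESCAPE) + body
    records += struct.pack("<IH", 3, META_EOF)
    total_words = 9 + len(records) // 2
    max_words = max(3, (len(records) - 6) // 2)
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                      total_words >> 16, 0, max_words, 0)
    out = hdr + records
    if placeable:   # 20 bytes of header fields, then the XOR checksum over them
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", head))
        out = head + struct.pack("<H", checksum) + out
    return out
```

A gateway filter built on this would drop every entry returned by perimeter_block_list regardless of extension or MIME type, which is the property the renamed-.JPG question is really asking about.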
