WMF Vulnerability?? What's it about..

Discussion in 'Software' started by nokia, Jan 4, 2006.

  1. nokia

    nokia Private E-2

    As the title says, what is this about??

    Nokia
     
  2. Marjorie

    Marjorie Private E-2

    The attached provides an overview.

    Windows metafile hole requires unofficial patch

    By Brian Livingston

    A weakness in the way Windows renders images is being exploited on the Internet and affects any browser you may be using, not just Internet Explorer.

    Microsoft has no patch for the problem at this writing. An official patch may appear at any time, or it may take days or weeks. I recommend that you immediately run a small, unofficial patch that was developed by white-hat security researchers to make your PCs immune to the problem.

    Not just .wmf files are suspect

    I don't ordinarily publish a news update for every new Windows security threat that appears. Instead, I urge my readers to install one piece of hardware and two pieces of software that I call the Security Baseline (see my Dec. 15, 2005, description). You then configure Windows and your security programs so they automatically download all critical updates.

    That way, you're protected against most exploits — and you can safely enjoy personal computing instead of constantly tweaking your PC to defend against real or imagined threats.

    The new "WMF Metafile" vulnerability is different:

    • It can infect your PC if you merely view an image formatted as a Windows metafile on a Web page, in an e-mail attachment, or on your hard disk.

    • Every browser is vulnerable — IE, Firefox, Opera, and others — because the image is not being rendered by the browser. It's rendered by Windows' own Picture and Fax Viewer (Shimgvw.dll, also known as the Shell Image View Control). New versions of Firefox do display an alert when a suspicious image is encountered on a Web page. But since viewing an image is usually harmless, most users will click OK, exposing themselves to infection.

    • If your PC catches an infected metafile — perhaps through instant messaging or file-sharing software — the payload can run even if you don't consciously open or view the image. Google Desktop Search, for example, causes the payload to be executed when the metadata of the image is accessed. If the image is an icon, merely displaying a file directory in certain views of Windows Explorer can silently execute a Trojan.

    New-year white hats to the rescue

    When exploit code was discovered on Dec. 31, security researchers worked furiously over the New Year's Eve holiday to find a defense against the WMF Metafile threat. Fortunately, a small patch has become available until Microsoft releases its own fix. In my opinion, you're far better off to install the unofficial patch than to wait to see what Microsoft will come up with.

    What NOT to do: I've seen advice on the Internet suggesting that network administrators should "block .wmf files at the border." That's pointless, because an infected file can bear any image-file extension. It could even be embedded in a Word document or any other kinds of file. The Windows viewer will dutifully execute the instructions in the metafile anyway.

    What to do: First, read the FAQ on the problem at the Internet Storm Center, story I.D. 994. (For exhaustive details, see the ISC's link overview.)

    Then, download the latest version of the patch developed by researcher Ilfak Guilfanov. This download is linked to from the FAQ. The experts at the ISC, a division of the SANS Institute, say they've examined and tested the patch and found it to be safe and effective. That's as good a testimonial as we can expect for any software.

    You can also deregister Shimgvw.dll. This prevents the Windows Picture and Fax Viewer from starting, avoiding the problem. The DLL, however, can be re-registered by a Trojan, so this affords only limited security.

    Microsoft provides details on how to deregister Shimgvw.dll in a security advisory released on Dec. 28. This document also describes DEP (Data Execution Prevention), which prevents certain software exploits when using Windows XP SP2 and hardware exploits when using 64-bit XP on certain 64-bit hardware. For more information, see security advisory 912840.

    Installing the Guilfanov patch, deregistering the DLL, and enabling DEP are all steps that can be easily reversed, if necessary. The unofficial patch and the deregistration should be undone before installing Microsoft's own patch, whenever it may become available. We'll have more details in the next regular Windows Secrets Newsletter on Jan. 12.
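The article's point that an infected metafile "can bear any image-file extension" or be embedded in another document means any filter has to look at content rather than file names. The following is an added example written for this thread (not code from the article, the ISC, or Ilfak Guilfanov's hotfix): it recognises a WMF by the placeable-header magic and the META_HEADER fields, walks the record list, counts escape records, and can locate a WMF blob inside an unrelated byte stream. The header layout and record codes are the published WMF format; the sample files are constructed inline, and the escape-record count is a triage heuristic, not a verdict on the file.

```python
"""Identify Windows Metafile (WMF) content by structure, not extension.

Added example for this thread; the sample bytes are constructed here."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic; on disk D7 CD C6 9A
META_EOF = 0x0000            # last record of every metafile
META_ESCAPE = 0x0626         # passes driver-specific data to the output device


@dataclass
class WmfReport:
    is_wmf: bool
    placeable: bool = False
    version: int = 0
    records: List[int] = field(default_factory=list)   # record function codes, in order
    escape_records: int = 0
    problems: List[str] = field(default_factory=list)


def _parse_header(buf: bytes, off: int) -> Optional[Tuple[int, int]]:
    """Parse an 18-byte META_HEADER at off -> (version, file size in 16-bit words)."""
    if len(buf) < off + 18:
        return None
    mtype, hsize, ver, size_lo, size_hi = struct.unpack_from("<5H", buf, off)
    if mtype not in (1, 2) or hsize != 9 or ver not in (0x0100, 0x0300):
        return None
    return ver, (size_hi << 16) | size_lo


def sniff_wmf(buf: bytes, off: int = 0) -> WmfReport:
    """Decide whether buf[off:] is a WMF and walk its record list."""
    rep = WmfReport(is_wmf=False)
    if len(buf) >= off + 22 and struct.unpack_from("<I", buf, off)[0] == PLACEABLE_KEY:
        rep.placeable = True
        words = struct.unpack_from("<11H", buf, off)
        xor = 0
        for w in words[:10]:            # checksum is the XOR of the first ten words
            xor ^= w
        if xor != words[10]:
            rep.problems.append("placeable header checksum mismatch")
        off += 22
    hdr = _parse_header(buf, off)
    if hdr is None:
        if rep.placeable:
            rep.problems.append("placeable key without a valid META_HEADER")
        return rep
    rep.is_wmf = True
    rep.version, declared_words = hdr
    body_start = off
    off += 18
    while True:
        if len(buf) < off + 6:
            rep.problems.append("truncated before META_EOF")
            break
        size_words, func = struct.unpack_from("<IH", buf, off)   # size counts 16-bit words
        if size_words < 3:
            rep.problems.append(f"record at {off} has impossible size {size_words}")
            break
        if off + size_words * 2 > len(buf):
            rep.problems.append(f"record at {off} runs past end of data")
            break
        rep.records.append(func)
        if func == META_ESCAPE:
            rep.escape_records += 1
        off += size_words * 2
        if func == META_EOF:
            break
    if (off - body_start) // 2 != declared_words:
        rep.problems.append("declared size differs from records walked")
    return rep


def find_embedded_wmf(buf: bytes) -> List[int]:
    """Offsets of placeable WMF blobs inside an arbitrary byte stream (e.g. a document)."""
    key = struct.pack("<I", PLACEABLE_KEY)
    hits, pos = [], buf.find(key)
    while pos != -1:
        if sniff_wmf(buf, pos).is_wmf:
            hits.append(pos)
        pos = buf.find(key, pos + 1)
    return hits


def build_sample_wmf(records, placeable: bool = True) -> bytes:
    """Constructed sample (not a real-world file): META_HEADER followed by records."""
    body = b""
    for func, params in records:
        assert len(params) % 2 == 0
        body += struct.pack("<IH", (6 + len(params)) // 2, func) + params
    total_words = 9 + len(body) // 2
    max_rec = max((6 + len(p)) // 2 for _, p in records)
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_rec, 0)
    if placeable:
        words = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        xor = 0
        for (w,) in struct.iter_unpack("<H", words):
            xor ^= w
        header = words + struct.pack("<H", xor) + header
    return header + body


SAMPLE_RECORDS = [
    (0x0103, struct.pack("<H", 0x0008)),   # META_SETMAPMODE, MM_ANISOTROPIC
    (META_ESCAPE, b"\x00\x00\x00\x00"),     # escape record with a constructed zero payload
    (META_EOF, b""),
]
SAMPLE_WMF = build_sample_wmf(SAMPLE_RECORDS)
CONTAINER_PREFIX = b"constructed container prefix "
# Same bytes hidden inside another file, with no .wmf extension anywhere:
SAMPLE_CONTAINER = CONTAINER_PREFIX + SAMPLE_WMF + b"\x00" * 8

if __name__ == "__main__":
    r = sniff_wmf(SAMPLE_WMF)
    print(f"wmf={r.is_wmf} placeable={r.placeable} records={[hex(f) for f in r.records]} "
          f"escapes={r.escape_records} problems={r.problems}")
    print("embedded WMF at offsets:", find_embedded_wmf(SAMPLE_CONTAINER))
```

Run over a quarantine directory, the report tells you which files are metafiles regardless of their names, which ones are structurally malformed, and which ones carry escape records worth a closer look; it does not decide whether a file is hostile, and a rendering engine that silently repairs bad headers may still accept something this parser rejects.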
     
  3. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Microsoft's security advisory on WMF vulnerability
    http://www.microsoft.com/technet/security/advisory/912840.mspx

    Instructions to manually unregister the DLL, as listed in Marjorie's post above, are given in the MS advisory above.

    Also, Ilfak Guilfanov's (extremely talented security programmer who authors IDA Pro) unofficial patch is available from the Majorgeeks front page here: Ilfak's WMF Metafile Vulnerability Hotfix 1.4. This very talented programmer has also written a testing app for this, Ilfak's WMF Vulnerability test; this test sees if your system is vulnerable to this exploit.

    He also advises that if you use the unofficial patch and Microsoft issues a patch, then you should first uninstall his from Add/Remove. Microsoft's patch update for this should be coming next Tuesday, the 10th Jan, with the normal monthly updates.
     
  4. nokia

    nokia Private E-2

    Thanks guys.. It seems to be a biggy, huh?
     
  5. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    What else would you expect from Micro$$oft? :D
     
  6. greenknight32

    greenknight32 Sergeant

    Despite what the article Marjorie attached says, Firefox is less vulnerable, or at least newer versions are less vulnerable. According to what I've read, Firefox versions since 1.0.4 try to open WMF files with Windows Media Player, which is incapable of viewing them (seemingly a fortunate bug in Firefox). I confirmed this myself for 1.5, on a test page. If I downloaded a test file, though, just clicking on it in Explorer triggered a shutdown sequence.

    After this test I installed Guilfanov's fix, since the test page made it clear that the exploit could work even if it was disguised with a different file extension. Just avoiding downloads of .wmf files is not sufficient to protect you, even with Firefox.
     
  7. Marjorie

    Marjorie Private E-2

  8. ironmb

    ironmb Private E-2

    I had the WMF Exploit, downloaded Ilfak's WMF Metafile Vulnerability Hotfix 1.4
    and it seems to have worked fine. I also downloaded the test patch and used it first. But should I uninstall these first before downloading the new patch from Microsoft? I'm a little unclear on this.
     
  9. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    The patch you should.

    The test utility doesn't install, so that's up to you.

    It's worth keeping to check on how effective the Micro$$oft update will be.
     
  10. ironmb

    ironmb Private E-2

    Thanks Insomniac!
     
  11. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    You're welcome. ;)
     
  12. A'sfan

    A'sfan Private E-2

    When I clicked on Halo's vulnerability test link and tried to download, a window came up that said update\update.exe is not a valid Win32 application. What does that mean?
     
  13. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    Try right-clicking and save target.

    Disable any download managers if you have them?
     
