Windows WMF vulnerability affects Fx users? What can we do?

Guest
Guest

Post by Guest »

FYI, I went to a site that packaged a trojan in a .WMF and my antivirus (antivir guard) immediately caught it. As long as you have antivirus & firewall, you should be OK.
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

No, Guest, you are not necessarily OK. Your AV caught one particular exploit on one occasion, but this problem has produced many, many exploits, and AV programs do not necessarily catch many of them at all.
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

Alice wrote:In other words, If you can open a .wmf file, you're vulnerable.


No doubt about that. I remember back in the day when meta files were all the rage and you could do some pretty crazy things with them. I'm sure this is just the tip of the iceberg and it's a pretty big one already. The only real "fix" I see is to disable parsing meta files at the kernel level, that's not going to be easy and it's really going to mess with MS Office and even Corel Office. Big ol' can of worms this is. Even Word Pad parses .wmf files for chris' sakes.
Guest
Guest

Post by Guest »

I'd like to clarify something. By default (even in win fx 1.5), the windows media plug-in allows certain formats to be displayed embedded. Now I say again this is by default. If a wmf file need not have the appropriate extension to do damage then it can simply have an extension like wmv. When firefox sees this, isn't it going to send it straight to the plug-in? And if so, isn't wmp going to look at the file header and then treat it as a wmf?
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.
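
The header-versus-extension point raised in the posts above, as an added example that is not part of the original thread: a content check a mail or web filter could use to flag metafile data served under another extension. The layout follows the documented WMF header format; the function names and the sample data are constructed for illustration, and because the standard header carries no magic number the check is a heuristic.

```python
import struct
from pathlib import PurePath
from typing import Optional

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" prefix

def _is_meta_header(buf: bytes) -> bool:
    """Plausibility check for the 18-byte standard WMF header (it has no magic)."""
    if len(buf) < 18:
        return False
    ftype, hdr_words, version, _size, _objs, _maxrec, members = \
        struct.unpack_from("<HHHIHIH", buf)
    return (ftype in (1, 2) and hdr_words == 9
            and version in (0x0100, 0x0300) and members == 0)

def sniff_wmf(data: bytes) -> Optional[str]:
    """Return 'placeable', 'standard' or None, judged from content only."""
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        words = struct.unpack_from("<11H", data)
        checksum = 0
        for w in words[:10]:          # checksum = XOR of the first ten words
            checksum ^= w
        ok = checksum == words[10] and _is_meta_header(data[22:])
        return "placeable" if ok else None
    return "standard" if _is_meta_header(data) else None

def classify(filename: str, data: bytes) -> str:
    """'mismatch' = metafile content served under a non-.wmf name."""
    kind = sniff_wmf(data)
    if kind is None:
        return "other"
    return "wmf" if PurePath(filename).suffix.lower() == ".wmf" else "mismatch"

# --- constructed sample data (benign, empty metafiles) ---
STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
_prefix = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
_sum = 0
for _w in struct.unpack("<10H", _prefix):
    _sum ^= _w
PLACEABLE = _prefix + struct.pack("<H", _sum) + STANDARD
NOT_WMF = b"\x30\x26\xb2\x75" + b"\x00" * 32   # unrelated bytes

if __name__ == "__main__":
    for name, blob in [("logo.wmf", STANDARD), ("clip.wmv", PLACEABLE),
                       ("movie.wmv", NOT_WMF)]:
        print(name, "->", classify(name, blob))
```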
Guest
Guest

Post by Guest »

monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.


I didn't apply the patch for reasons being, I'm concerned about how it might affect the official m$ patch (that hopefully comes out soon).

I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478

I don't think we should be telling people firefox is safe unless we are sure of it.
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

Anonymous wrote:
monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.


I didn't apply the patch for reasons being, I'm concerned about how it might affect the official m$ patch (that hopefully comes out soon).

I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478

I don't think we should be telling people firefox is safe unless we are sure of it.


But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.
Guest
Guest

Post by Guest »

monkeyman wrote:
Anonymous wrote:
monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.


I didn't apply the patch for reasons being, I'm concerned about how it might affect the official m$ patch (that hopefully comes out soon).

I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478

I don't think we should be telling people firefox is safe unless we are sure of it.


But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.


If you look at it that way, then Internet Explorer is not to be blamed as well. Visit the link I posted, someone asked if Firefox was safe. The response was yes. When clearly that is not true. The chances of triggering a hidden wmf file in Firefox are equal to that of IE. If someone came here and asked if IE was safe, everyone would be saying no.
Guest
Guest

Post by Guest »

cont.

or for that matter if opera was safe. Most people here would say "unsure". So why is it out of the 3 most common browsers, only firefox gets a safe rating when clearly all 3 are prone to the wmf exploit simply because of the wmp plugin.
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

Anonymous wrote:
monkeyman wrote:
Anonymous wrote:
monkeyman wrote:That's a scary thought. Yeah, you are right. Windows Media Player can show image files and Windows identifies .wmf files by their header and not by the extension. So, what you suggest is entirely plausible. However, if you have applied the patch and unregistered the .dll you should be immune to such trickery. Should be.


I didn't apply the patch for reasons being, I'm concerned about how it might affect the official m$ patch (that hopefully comes out soon).

I was browsing the forums and was directed to this post by http://forums.mozillazine.org/viewtopic.php?t=362478

I don't think we should be telling people firefox is safe unless we are sure of it.


But, it's Windows Media Player and not Firefox. Every browser has to call up external programs at some point or other. WMF files are parsed by a huge number of programs so, unless you want to remove all of your plugins, there is going to be a certain risk no matter what browser you use, if you are unpatched.


If you look at it that way, then Internet Explorer is not to be blamed as well. Visit the link I posted, someone asked if Firefox was safe. The response was yes. When clearly that is not true. The chances of triggering a hidden wmf file in Firefox are equal to that of IE. If someone came here and asked if IE was safe, everyone would be saying no.


Firefox itself doesn't parse .wmf files so, in that respect, Firefox is safer. However, "safer" is not "safe". So, yes, saying Firefox is safe is not entirely true. If you removed the plugins that call external programs then Firefox would be safe. It's a really nasty system wide vulnerability so I can't stress enough how important getting patched and dealing with the official patch later is. It's bad. Really, really bad. It may be the worst Windows vulnerability ever.
WDGC
Posts: 299
Joined: March 11th, 2004, 9:05 pm

Post by WDGC »

monkeyman wrote:I didn't apply the patch for reasons being, I'm concerned about how it might affect the official m$ patch (that hopefully comes out soon).


The patch can be uninstalled.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.


http://www.hexblog.com/2005/12/wmf_vuln.html

.
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

I got some more info about the Windows Media Player question from F-Secure and it seems that WMP isn't a problem after all:

"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first."

http://www.f-secure.com/weblog/archives ... l#00000752
Guest
Guest

Post by Guest »

monkeyman wrote:I got some more info about the Windows Media Player question from F-Secure and it seems that WMP isn't a problem after all:

"In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first."

http://www.f-secure.com/weblog/archives ... l#00000752


Same guest (from above)

cheers monkeyman. I can surf safely now :)
jw25
Guest

Post by jw25 »

http://www.grc.com/sn/notes-020.htm

There is a pre-packaged patch on this page. It can be easily un-installed when ms finally gets around to fixing it.
WDGC
Posts: 299
Joined: March 11th, 2004, 9:05 pm

Post by WDGC »

jw25 wrote:http://www.grc.com/sn/notes-020.htm
There is a pre-packaged patch on this page. It can be easily un-installed when ms finally gets around to fixing it.


That is Ilfak Guilfanov's Windows WMF Metafile Vulnerability HotFix referred to in earlier posts of this thread.

.