Windows WMF vulnerability affects Fx users? What can we do?

Him Hung Lo
Guest

Post by Him Hung Lo »

Anonymous wrote: Quit blaming Windows and get a clue!!!

It's not the gun, son!

It's the cowboy!

got it?


In this case the gun was designed with the barrel pointing towards the wielder.
Him Hung Lo
Guest

Post by Him Hung Lo »

As this flaw also affects Win OSes all the way back to Win98, it makes one wonder just how bad this really is.

Have the miscreants been exploiting this for 8 years now?

Anonymous Billy G. may know.
dead horse
Guest

Post by dead horse »

The problem happens only when .wmf files are opened by the Microsoft Fax and Image viewer, which has had overflow problems in the past. If you change your file associations so that some other utility opens your .wmf files, there shouldn't be any trouble. The alternate image viewer doesn't have the same flaw as the Fax and Image viewer, so when a malformed .wmf is opened there, nothing happens.

If you don't already have one, download a non-Microsoft image viewer and substitute it for the native one. Also remember that in Firefox, you can prevent the automatic download of the .wmf file in the first place!
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Post by trolly »

The problem is the file format itself. Besides the graphic data a WMF file can contain GDI commands. And basically all GDI commands are possible, so they have to find out which ones are dangerous or which combinations are dangerous.
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.
bollix47
Folder@Home
Posts: 1195
Joined: November 1st, 2004, 2:43 pm
Location: Toronto, Canada

Post by bollix47 »

Yay!
Guest

Post by Yay! »

Well, at least my antivirus is one of the "good" ones. I forgot that Avast scans webpages, so feel a little less vulnerable now. It seems able to tag the badware, according to the article.

I don't know what is up with the "cowboy" poster. I know it's people and not Windows creating the trouble, d'oh! That is why I have my dull plastic butter knife handy in my holster at all times. If I ever catch up to one of those mangy coyotes, off with the fingers! They would have to learn to type their rotten codes with their toes, lol.

Just seems a lousy way to start a New Year...Flash (I don't use it, but some of you may) has a vulnerability...update to version 8. MSN Messenger (I don't use any IM anymore because of the threats) has a major threat circulating. Now this.

Happy New Year to all of you, and especially to the Firefox developers. You have given me what I still consider one of the best weapons in my arsenal...Firefox 1.5. It is a kick butt browser. Thank you all!
jscher2000
Posts: 11742
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post by jscher2000 »

dead horse wrote: The problem happens only when .wmf files are opened by the Microsoft Fax and Image viewer, which has had overflow problems in the past.

No, many say the flaw is in GDI32.dll, shared by many Windows applications for graphics rendering. If true, you just cannot render these files safely on Windows without an independent rendering engine.
Alice
Posts: 2628
Joined: April 23rd, 2003, 11:47 am

Post by Alice »

Here's what I posted in another thread:

I used the workaround given at http://www.microsoft.com/technet/securi ... 12840.mspx on my WinXP sp1 system since I'm the careful type and it was such a simple process (I can live without thumbnails). In case anyone is interested:

I first reassociated JPEG/JPG/JPE files to another image program (Irfanview) as I had them all set to open with Windows Picture and Fax Viewer. Then I used Start -> Run, and pasted in the following to the Open box:
regsvr32 -u %windir%\system32\shimgvw.dll
After clicking OK, a dialog box appeared to confirm that the un-registration process has succeeded.

I then checked by attempting to open a .jpg file by r-click, "open with" and selecting Windows Picture and Fax Viewer from the list. Nothing happened at all so the process worked.

I saved a note to myself that to re-register the dll I would need to use Start -> Run and type
regsvr32 %windir%\system32\shimgvw.dll

From http://www.f-secure.com/weblog/archives ... l#00000753
Friday, December 30, 2005
WMF, day 3 Posted by Stefan @ 12:29 GMT

The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSVR32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer even though WMF images are viewed as normal.

What the workaround does not stop against is if you open an exploited file in mspaint. And like always, renaming the file will not make a difference to mspaint. So our suggestion is to not open any pictures with mspaint whatsoever. Perhaps leaving image editors out completely for the rest of the year might be a good idea.
Wednesday, December 28, 2005
<snip>
Note that you can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected. Firefox users can get infected if they decide to run or download the image file.

In our tests (under XP SP2) older versions of Firefox (1.0.4) defaulted to open WMF files with "Windows Picture and Fax Viewer", which is vulnerable. Newer versions (1.5) defaulted to open them with Windows Media Player, which is not vulnerable...but then again, Windows Media Player is not able to show WMF files at all so this might be a bug in Firefox. Opera 8.51 defaults to open WMF files with "Windows Picture and Fax Viewer" too. However, all versions of Firefox and Opera prompt the user first.
Alice Wyman
Guest
Guest

Post by Guest »

I read somewhere (sorry, I don't have the hyperlink) that only *older* versions of Firefox are affected.
Alice
Posts: 2628
Joined: April 23rd, 2003, 11:47 am

Post by Alice »

Guest,
See the second quote above ^
It mentions older Firefox versions were vulnerable in so far as it will prompt you to open the .WMF file in the default application (tested in Firefox 1.0.4).

WMF files on my WinXP system are associated with "Windows Picture and Fax Viewer" which, as I said, I've disabled using the shimgvw.dll Un-registration workaround. I have both Firefox 1.0.7 and 1.5 installed in separate folders. I found many .WMF files on my hard drive (C:\Program Files\Microsoft Office\media\ subfolders) so I tried opening one from the File > Open File menu in both Firefox 1.5 AND Firefox 1.0.7. Both Firefox versions automatically launched Windows Media Player with a dialog box on top with the message,
"The selected file has an extension that is not recognized by Windows Media Player, but the player may still be able to play it. Because the extension is unknown by the player, you should be sure that the file comes from a trustworthy source. Do you want the Player to try and play the file?"
....If I say YES, I get an error message,
"Windows Media Player cannot play the file. The Player might not support the file type or might not support the codec that was used to compress the file."

Since plugins will open a file without prompting (I have no Download Action set up for .WMF files) I would say that, for some reason, the WMP plugin is being called for the .WMF file.... maybe it's a quirk in Firefox as the quoted article mentioned, I don't know.

{EDIT... test link posted HERE by trolly shows that Firefox 1.5 will also prompt you to open a .WMF file in your default application, i.e., Windows Picture and Fax Viewer, so all Firefox versions can expose you to the exploit.}

You can still encounter affected .WMF files as links which can be downloaded to your hard drive, or, you can encounter .WMF files as e-mail attachments.

I tested sending myself an attached .wmf file in Thunderbird 1.0.7 and when I double-clicked the attachment I got an "opening xxxxxxxx.WMF" dialog asking what Thunderbird should do with the .wmf file and "Open with... wmf file (default)" was already selected.

Harry Waldron (GM here) has a blog with other suggestions, while waiting for Microsoft to issue a fix:
http://myitforum.com/blog/hwaldron/
Current recommendations for Malicious WMF Exploits in-the-wild

jscher2000 wrote: No, many say the flaw is in GDI32.dll, shared by many Windows applications for graphics rendering.

Yes, I saw that too, on the US-CERT page
http://www.kb.cert.org/vuls/id/181038
The public exploits currently use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).
Last edited by Alice on January 2nd, 2006, 6:19 pm, edited 1 time in total.
Alice Wyman
kygin
Posts: 79
Joined: November 16th, 2004, 5:59 pm

Post by kygin »

Does it help to uncheck the "Load images" option?
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Post by trolly »

No, I think because WMF is not a usual image file format. WMF means Windows Meta File and was originally intended to share images between applications using the clipboard (something like that). So it is not very popular outside Windows and rarely seen in the wild.
That means WMF files are not handled as images but as objects which need a plugin or download to work.
Guest
Guest

Post by Guest »

See the WMF FAQ page here http://isc.sans.org/diary.php?storyid=994

FWIW, I've enabled hardware DEP and also applied the unofficial patch referenced in the page above. I'm running Windows XP Pro SP2. "Hopefully, I'm now safe", sez I, with fingers crossed.

I use Firefox 1.5 with NoScript, AdBlock Plus and Filterset G. Updater for browsing, and Pegasus Mail v4.31 as my email client to reduce another vector of exposure. Paranoia rules...
WDGC
Posts: 299
Joined: March 11th, 2004, 9:05 pm

Post by WDGC »

F-Secure
Sunday, January 1, 2006
Bad behaviour Posted by Mikko @ 00:49 GMT

We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.

It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.

Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better.



http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

.
Guest
Guest

Post by Guest »

Anonymous wrote: Quit blaming Windows and get a clue!!!

It's not the gun, son!

It's the cowboy!

got it?



No, actually it is Microsoft...

- it's not in the image format parser, it's in the freakin' WMF API!!! Believe it or not, WMF files are allowed to have callback functions (user or kernel mode unknown by me) in them - in other words a (picture) data file can contain executable code to "help" Windows display it!! <drools, whaps forehead> It gets better: change the file extension to "jpg" or "gif" or another image type, hell, probably any file type that has a custom icon/is previewable, and Windows will look at the file and go "oh - that's really a WMF file - I know what to do..." (I'm dyin' here). Even Windows Explorer (with thumbnails enabled) will execute the code if you look at a directory that contains one of these files.
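The two points made in the post above, that Windows recognises a metafile by its contents rather than its extension and that a metafile record can register a callback, can be checked from the defender's side. The Python sketch below is an added example, not code from this thread or from Microsoft: it identifies WMF data by its header whatever the file is called, and counts META_ESCAPE records whose escape function is SETABORTPROC, the callback-registering record in the published WMF format (the thread does not name that record; the sample inputs and file names are constructed).

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte "placeable" pre-header
META_ESCAPE = 0x0626        # record function: printer-escape call
SETABORTPROC = 0x0009       # escape function that registers a callback
META_EOF = 0x0000           # terminating record

def inspect_wmf(data: bytes) -> dict:
    """Classify bytes by content; the file name is never consulted."""
    result = {"is_wmf": False, "abort_proc_records": 0, "malformed": False}
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return result
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return result
    result["is_wmf"] = True
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            result["malformed"] = True  # record length overruns the file
            break
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4:
            (escape,) = struct.unpack_from("<H", data, off + 6)
            if escape == SETABORTPROC:
                result["abort_proc_records"] += 1
        off += size_words * 2
    return result

def build_sample(*records: bytes) -> bytes:
    """Constructed input: standard header + given records + META_EOF."""
    body = b"".join(records) + struct.pack("<IH", 3, META_EOF)
    words = 9 + len(body) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, words, 0, 5, 0) + body

# Constructed records; the escape record carries no data at all.
SETMAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 8)
ABORTPROC_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)

if __name__ == "__main__":
    samples = {"clipart.wmf": build_sample(SETMAPMODE_REC),
               "holiday.jpg": build_sample(ABORTPROC_REC),  # renamed metafile
               "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32)}
    for name, blob in samples.items():
        print(name, inspect_wmf(blob))
```

A non-zero `abort_proc_records` count is a reason to quarantine the file, not proof of an exploit, because the check does not interpret the escape data.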