Windows WMF vulnerability affects Fx users? What can we do?

WDGC
Posts: 299
Joined: March 11th, 2004, 9:05 pm

Post by WDGC »

Maybe things aren't so bad for users of older - before Win.XP - systems.

Larry Seltzer from eWeek has been doing additional testing against older versions of Windows and the WMF flaw.

...in a practical sense, only Windows XP and Windows Server 2003
(in all their service pack levels) are vulnerable to the WMF flaw.
...all versions of Windows back to 3.0 have the vulnerability in GDI32.
Except for Windows XP and Windows Server 2003, no Windows versions,
in their default configuration, have a default association for WMF files,
and none of their Paint programs or any other standard programs installed
with them can read WMF files...


http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

Saying that earlier versions of Windows aren't vulnerable simply because .wmf files aren't associated by default is nuts. Write can parse .wmf files as can MS Office, Corel Office, Ventura, MS Works 3.0 and later and a ton of third party graphics programs. Any of these programs will associate .wmf files during install. So, older versions of Windows aren't vulnerable as long as you don't do anything useful with them. :roll:
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

monkeyman wrote: Saying that earlier versions of Windows aren't vulnerable simply because .wmf files aren't associated by default is nuts. Write can parse .wmf files as can MS Office, Corel Office, Ventura, MS Works 3.0 and later and a ton of third party graphics programs. Any of these programs will associate .wmf files during install.

Not to mention Google Desktop.
Last edited by VanillaMozilla on January 3rd, 2006, 3:13 pm, edited 1 time in total.
Guest
Guest

Post by Guest »

Ok, besides upgrading to v1.5 of FF... - I am currently using FF 1.0.5, I copied a JPG file to WMF and clicked on it (browsed local folder in FF) in FF and it opens "Media Player" (win 98se, only OS I can use on this machine due to my sound card - don't laugh). I renamed wmplayer.exe and even mplayer.exe and it STILL runs media player. How do I tell FF to not do this AND how do I remove this Media Player - I don't know what program it really is. Any ideas? I looked through "Add/Remove" programs and I don't see it listed.

Also, any "simple" tutorials out there on how to switch to Linux? Even the Idiots Guide is a bit much for me right now :)

Thanks
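
Added example, not part of any post in this thread: the test described in the post above (a JPG copied to a .wmf name) changes only the extension, so it shows which program the association launches, while the file's bytes are still JPEG data. The Python below classifies a file by its leading bytes and flags a disagreement with its extension; the file names and sample bytes are constructed, and the header fields follow the published WMF and JPEG formats.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" WMF header
EXT_KIND = {".wmf": "wmf", ".jpg": "jpeg", ".jpeg": "jpeg"}

def sniff(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":                      # JPEG start-of-image marker
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard WMF header: Type (1 = memory, 2 = disk),
        # HeaderSize in 16-bit words (always 9), Version (0x0100 or 0x0300).
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

def check(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes are."""
    claimed = EXT_KIND.get(PurePath(name).suffix.lower(), "unknown")
    actual = sniff(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed != actual}

# Constructed sample bytes (not taken from any real file).
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
# 18-byte standard header followed by a single end-of-file record (3 words, function 0).
WMF_HEAD = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)

def demo() -> list:
    return [
        check("holiday.wmf", JPEG_HEAD),  # the renamed-JPG test from the post
        check("chart.wmf", WMF_HEAD),     # a genuine metafile
    ]

if __name__ == "__main__":
    for row in demo():
        print(row)
```
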
monkeyman
Posts: 1183
Joined: April 2nd, 2003, 11:07 pm

Post by monkeyman »

Actually, calling mplayer.exe (Windows Media Player 6.4) is a good thing. WMP can't parse .wmf files. No point in changing it, really. A malicious .wmf would be dead in the water and seeing mplayer.exe come up would warn you.

Edit: Don't dump mplayer.exe, it's needed for the VFW (Video for Windows) subsystem
Alice
Posts: 2628
Joined: April 23rd, 2003, 11:47 am

Post by Alice »

Browsing to a local .wmf file opens Windows Media Player for me too in Firefox 1.5, as I wrote earlier in this thread, but that may not happen in the real world, as I found out when I tried the test link trolly provided:

Testimage: http://www.heise.de/security/dienste/br ... wmfexp.php

Clicking the Testimage link will invite you to open the browsercheck.wmf file in your default viewer and clicking OK will attempt to open the .wmf file. When I tested it in Firefox 1.5 my antivirus caught it, plus I've disabled the default viewer (Windows Picture and Fax Viewer) by unregistering shimgvw.dll but an unprotected Firefox 1.5 user would be out of luck if the test page was for real.
Alice Wyman
WDGC
Posts: 299
Joined: March 11th, 2004, 9:05 pm

Post by WDGC »

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

Customers are encouraged to keep their anti-virus software up-to-date. The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. Customers can also visit Windows Live Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that takes advantage of this vulnerability. We will continue to investigate these public reports.

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. While we have not encountered any situation in which simply opening an email can result in attack, clicking on a link in an email could result in navigation to a malicious site. For more information about Safe Browsing, visit the Trustworthy Computing Web site.



http://www.microsoft.com/technet/security/advisory/912840.mspx


Yay!
Guest

Post by Yay! »

And if the Microsoft tests are not ready by January 10, 2006 I suppose we will have to wait for the second Tuesday in February?

By which time there will be who-knows-how-many infected spambot zombie machines cranking out spam with malicious links and images and who-knows-how-many infected websites...ugh! Geometric progressions are like wildfires....fast and furious!

I have noticed something interesting with Firefox, though...if you have Flashgot and a download manager set up to handle all downloads, the download manager will pop up asking whether you want to download a file, even when directed to an "automatic" download location. This might add another layer of "protection"...at least it lets you know something is happening. For that reason I left my download manager in place even when I moved on to a high speed connection.

I have unregistered the shimgvw.dll, applied the unofficial patch for now (bless the person who posted that link) and will keep flying by the seat of my pants for now.

Thanks to all here; I have learned many new things about this exploit. Good luck to all.
paulfox
Posts: 1510
Joined: May 8th, 2004, 1:38 pm

Post by paulfox »

Alice wrote: Browsing to a local .wmf file opens Windows Media Player for me too in Firefox 1.5, as I wrote earlier in this thread, but that may not happen in the real world, as I found out when I tried the test link trolly provided:

Testimage: http://www.heise.de/security/dienste/br ... wmfexp.php


Alice - went to that link and my AVAST! went off, so it caught it as well. Thanks for that. Anyone clicking on that link might get a heck of a fright, however (including me, when the siren rang!) - better to know, though. Thank you.

Tools > FolderOptions > File Types . . . I have ".wmf" > IrfanView. Would it help at all to simply delete that file association? Would that cause a prompting of "what do you want to open this with?"
PentiumIII/W2K, Toshiba AMD laptop/Vista. FX 3 on both.
Guest
Guest

Post by Guest »

paulfox wrote: Tools > FolderOptions > File Types . . . I have ".wmf" > IrfanView. Would it help at all to simply delete that file association? Would that cause a prompting of "what do you want to open this with?"

No, keep that association in File Types, but untick the wmf file association within IrfanView itself.
paulfox
Posts: 1510
Joined: May 8th, 2004, 1:38 pm

Post by paulfox »

Great. I'll do that now. Amazing what we can all accomplish & learn when the adults post. I've also applied that Russian Fix and run test from same author. Thank you all!
PentiumIII/W2K, Toshiba AMD laptop/Vista. FX 3 on both.
wong888
Posts: 1512
Joined: September 22nd, 2004, 5:10 pm

Post by wong888 »

paulfox, when you untick the wmf file association within IrfanView, .wmf will be reverted back to Windows Picture and Fax Viewer; both of them are vulnerable, so it is pointless.

It will be better if you create a zero-byte txt file, then name it wmf.exe and associate .wmf with it. This will block the exploit in IE from autorun.
cant afford a sig.
Guest
Guest

Post by Guest »

Goddess.
paulfox
Posts: 1510
Joined: May 8th, 2004, 1:38 pm

Post by paulfox »

Damn. Wasn't logged in. That was me. . . . . repeat . . .

Goddess.
(Actually, Windows Picture and Fax viewer is "outta here," so I checked file associations again and .wmf is gone after unticking it in IrfanView).

I have still taken your recommended action, which is BRILLIANT, by the way. DONE. How clever is that??!!
Thank you wong888.
PentiumIII/W2K, Toshiba AMD laptop/Vista. FX 3 on both.
Guest
Guest

Post by Guest »

Anonymous wrote:
paulfox wrote:Tools > FolderOptions > File Types . . . I have ".wmf" > IrfanView. Would it help at all to simply delete that file association? Would that cause a prompting of "what do you want to open this with?"

No, keep that association in File Types, but untick the wmf file association within IrfanView itself.


wong888 wrote: paulfox, when you untick the wmf file association within IrfanView, .wmf will be reverted back to Windows Picture and Fax Viewer; both of them are vulnerable, so it is pointless.

It will be better if you create a zero-byte txt file, then name it wmf.exe and associate .wmf with it. This will block the exploit in IE from autorun.

Which sounds great in theory until you do it in practise, reboot and realize that .wmf is STILL associated in File Types with IrfanView. Sure enough, double click a .wmf, where does it try to open? That's right, IrfanView, except IrfanView now cannot open it.

Unregistering the shimgvw.dll is also a good idea.