Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] WMF exploit - new info



http://isc.sans.org/diary.php?date=2005-12-28

Handler's Diary December 28th 2005

Microsoft Advisory (NEW)
Published: 2005-12-28,
Last Updated: 2005-12-29 04:10:49 UTC by Chris Carboni (Version: 1)

Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here

Bleeding Snort Sigs Available (NEW)
Published: 2005-12-28,
Last Updated: 2005-12-29 04:09:42 UTC by Chris Carboni (Version: 1)

Snort sigs to detect the WMF exploit are available at Bleeding-Edge Snort

Thanks Matt, Frank and everyone else who has submitted signatures!

* Update on Windows WMF 0-day (NEW)
Published: 2005-12-28,
Last Updated: 2005-12-28 23:22:47 UTC by Daniel Wesemann (Version: 1)

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has
been some debate among the handlers about this step, but considering
that a lot of people are on holidays and might otherwise miss the WMF
0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie on what it looks like if a
system gets exploited by this WMF 0-day, see
http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv . Don't
go to any of the URLs visible in the movie unless you know what you are
doing (or feel like spending the next hours reinstalling your PC).

The original exploit site (unionseek.com) is no longer up. But the
exploit is being served from various sites all over by now, see the
F-Secure Blog on http://www.f-secure.com/weblog/ for an update on the
versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by
FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Protection) of XPSP2, the default settings
of DEP will not prevent this exploit from working. Comments we have
received in the meantime suggest that if you enable DEP to cover all
programs (as documented on Microsoft Technet ), the WMF exploit attempt
will result in a warning and not run on its own. Don't feel too safe
though, we have also received comments stating that a fully enabled DEP
did not do anything good in their case.

While the original exploit only referred to the Microsoft Picture and Fax
Viewer, current information is that any application which automatically
displays or renders WMF files is vulnerable to the problem. This
includes Google Desktop, if the indexing function finds one of the
exploit WMFs on the local hard drive - see the F-Secure Weblog mentioned
above for details.

Update 23:00 UTC: The vulnerability seems to be within SHIMGVW.DLL.
Unregistering this DLL (type REGSVR32 /U SHIMGVW.DLL at the command
prompt or in the "Start->Run" Window, then reboot) will resolve most of
the vulnerability, but will also break your Windows "Picture and Fax
Viewer", as well as any ability of programs like "Paint" and "Explorer"
to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already,
but if you are relying on perimeter filters to block files with WMF
extension from reaching your browser, you might have a surprise waiting
for you. Windows XP will detect and process a WMF file based on its
content ("magic bytes") and not rely on the extension alone, which means
that a WMF sailing in disguise with a different extension might still be
able to get you.
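The extension-versus-content point in the last update, as an added example that is not part of the ISC diary or the list post: a Python check that identifies WMF files by their header (the placeable key 0x9AC6CDD7 and the META_HEADER fields), so a file inventory or gateway can flag WMF content carrying another extension. All sample bytes are constructed here, not taken from any real file.

```python
import struct
from pathlib import Path

# Little-endian encoding of the Placeable (Aldus) WMF key 0x9AC6CDD7.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
META_HEADER_LEN = 18        # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers

def is_wmf_content(data: bytes) -> bool:
    """Decide whether `data` is a WMF by its header, ignoring the file name."""
    if data.startswith(PLACEABLE_KEY):
        data = data[PLACEABLE_HEADER_LEN:]   # a standard META_HEADER follows the placeable one
    if len(data) < META_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # META_HEADER: Type is 1 (memory) or 2 (disk), HeaderSize is always 9 words,
    # Version is 0x0100 or 0x0300.
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """'wmf-disguised' when the content is WMF but the extension says otherwise."""
    is_wmf = is_wmf_content(data)
    if is_wmf and Path(name).suffix.lower() != ".wmf":
        return "wmf-disguised"
    return "wmf" if is_wmf else "other"

# Constructed samples: a header-only disk metafile, the same wrapped in a
# placeable header, and the first bytes of a JPEG (none is a real file).
STD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, META_HEADER_LEN // 2, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_KEY + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0) + STD_WMF
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 14

SAMPLES = {
    "chart.wmf": STD_WMF,
    "holiday.jpg": PLACEABLE_WMF,   # WMF content hiding behind a .jpg extension
    "photo.jpg": JPEG_HEAD,
    "empty.wmf": b"",
}

def scan(samples: dict) -> dict:
    """Map each file name to its verdict, so a caller can act on 'wmf-disguised'."""
    return {name: classify(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```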

Copyright © Lexa Software, 1996-2009.