Critical Impact: Windows Metafile Flaw a 'Zero-Day Exploit' How to Fix it NOW

New test for vulnerability and fix here Fix Developed by: lfak Guilfanov Everyone should check that their system is protected against this exploit. As a courtesy to our members we are hosting 2 files of which will identify if you are vulnerable and patch the system to protect yourself. Ilfak Guilfanov, well known in "reverse engineering" circles for his wildly popular IDA Disassembler, needed a temporary patch for his own system due to the seriousness of the WMF vulnerability . . . so he wrote one! This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability. Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft and posted here earlier, Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described below. You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once WIndows has been officially updated and repaired. To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot. Microsoft have released a weak work around which does not fully protect you. Quote: Microsoft responded with an acknowledgement of the problem which included a very weak workaround (the shimgvw.dll unregistration) that provides very little protection. There's is not a cure, and it is not known how long the Windows user community will now be waiting for a true patch from Microsoft. 01/04 UPDATE FROM MICROSOFT Microsoft has completed development of a security update to fix the vulnerability. The security update is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month. The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available through Microsoft Update and Windows Update, as well as Microsoft’s Download Center and through Windows Server Update Services for enterprise customers. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically. Based on strong customer feedback, all Microsoft’s security updates must pass a series of testing processes, including testing by third-parties, to assure customers that they can be deployed effectively in all languages and for all versions of the platform with minimum down time. Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and the attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures. Customer Guidance Users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code. Additionally, consumer customers should follow guidance on safe browsing. Enterprise customers should review Microsoft’s Security Advisory #912840 for up-to-date guidance on how to prevent attacks through exploitation of the WMF vulnerability. The intentional use of exploit code, in any form, to cause damage to computer users, is a criminal offense. Accordingly, Microsoft continues to assist law enforcement with its investigation of the attacks in this case. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country. Customers who believe they may have been maliciously attacked by exploitation of the WMF issue can contact Microsoft’s Product Support Services for free assistance by calling the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security. Microsoft also continues to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps at www.microsoft.com/protect. IN THE MEAN TIME, I'LL BE TESTING Ilfak Guilfanov's FIX AND POSTING RESULTS LATER TODAY. 01/03 UPDATE: A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday. The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites. The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure. "Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack." The Windows Meta File flaw uses images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image. Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory. Source:Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of sites distributing the exploit code. Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch: Crackz [dot] ws unionseek [dot] com www.tfcco [dot] com Iframeurl [dot] biz beehappyy [dot] biz And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union: Registrant Name: Mikhail Sergeevich Gorbachev Registrant Address1: Krasnaya ploshad, 1 Registrant City: Moscow Registrant Postal Code: 176098 Registrant Country: Russian Federation Registrant Country Code: RU "Krasnaya ploshad" is the Red Square in Moscow... Do note that it's really easy to get burned by this exploit if you're analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer. You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute? The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime. So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows. HERE IS THE SIMPlE FIX, DO IT NOW ! Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) 1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. 2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks). This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.