Windows Metafile vulnerability
The Windows Metafile vulnerability is a security vulnerability in Microsoft Windows NT-based operating systems which has been used in a variety of exploits since late December 2005. The vulnerability was first discussed in the computer security community around December 26 and 27, 2005, with the first reports of affected computers subsequently announced within 24 hours. A high-priority update to eliminate this vulnerability was made available via Windows Update on January 5, 2006. No patches are needed for Windows 95, Windows 98 or Windows Millennium Edition, as they are not NT-based.

The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users. The vulnerability therefore facilitates the propagation of various types of malware, typically through drive-by downloads.

Affected systems

Windows Metafiles are extensively supported by all versions of the Microsoft Windows operating system. All versions from Windows 3.0 to the latest Windows Server 2003 R2 contain this security flaw. However, versions from Windows XP onwards are more severely affected than earlier versions, since they have a handler and reader for the WMF file in their default installation.

According to Steve Gibson's M.I.C.E. analysis, Windows NT 4 may be affected by known exploits if it has an Image Preview Feature enabled. Computers not susceptible to known exploits of the flaw (but potentially susceptible to future versions or as-yet undiscovered exploits) include those running other versions of Windows, without Image Previewing enabled, or those with hardware-based Data Execution Prevention (DEP) effective for all applications.

Machines running non-Windows operating systems (e.g. Mac OS, Linux, etc.) are not directly affected. A scenario in which such computers might become vulnerable would be where a third-party program or library, designed to view WMF files on a non-Windows system, used the native Windows GDI DLL, or a clone which copied the design flaw leading to this bug, e.g. through a Windows emulator or compatibility layer.

Steve Gibson stated that the vulnerability could be exploited in Wine, and has provided a tool called MouseTrap to detect this on all Windows and Windows emulator systems.

The vulnerability

According to assessments by F-Secure, the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling.

According to Secunia, “The vulnerability is caused due to an error in the handling of Windows Metafile files (‘.wmf’) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails.” According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered. However, the obsoleted escape code was retained for compatibility with 16 bit programs written for (or at least backwards compatible with) Windows 3.0. This change happened at approximately the same time as Microsoft was creating the 32 bit reimplementation of GDI for Windows NT, and it is likely that the vulnerability occurred during this effort.

The 'Escape' mechanism in question allows applications (not metafiles) to access output device features not yet abstracted by GDI, such as hardware-accelerated Bézier curves, Encapsulated PostScript support, etc. This is done by passing an opcode, a size and a pointer to some data to the call, which will usually just pass it on to the driver. Because most Escape calls produce actual graphics, the general escape mechanism is allowed in metafiles, with little thought originally given to the possibility of using it for things like SETABORTPROC. Modern non-vulnerable metafile interpreters now check the opcode against a blacklist or whitelist, while keeping the full set of opcodes available to regular code that calls the GDI escape functions directly (because such code is already running in the same way as the code it could make GDI call, there is no security risk in that case).

It is worth noting that 16 bit Windows (except the rarely used Real mode of Windows 3.0) was immune to the vulnerability because the pointer specified in the metafile can only point to data within the metafile, and 16 bit Windows always had a full no-execute-data enforcement mandated by Intel's design of the 80286 protected mode architecture. Windows NT for CPU architectures other than 32 bit x86 (such as MIPS, PowerPC, Alpha, Itanium and x86_64) had similar immunity because those architectures had the no-execute functionality missing from older x86 processors.

The vulnerability is CVE-2005-4560 in the Common Vulnerabilities and Exposures database, US-CERT reference VU#181038 and Microsoft Knowledge Base Article 912840.

Propagation and infection

Computers can be affected via the spread of infected e-mails which carry the hacked WMF file as an attachment. Infection may also result from:
  • Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996, does this.
  • Previewing an infected file in Windows Explorer.
  • Viewing an infected image file using some vulnerable image-viewing programs.
  • Previewing or opening infected emails in older versions of Microsoft Outlook and Outlook Express.
  • Indexing a hard disk containing an infected file with Google Desktop.
  • Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.


Other methods may also be used to propagate infection. Because the problem is within the operating system, using non-Microsoft browsers such as Firefox or Opera does not provide complete protection. Users are typically prompted to download and view a malicious file, infecting the computer. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.

According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.

McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.

Official patch

Microsoft released an official patch to address the problem on 5 January 2006. This patch may be applied in lieu of other corrective measures.

The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. Windows NT 4 and other older operating systems will not receive a patch as they are no longer supported by Microsoft. Steve Gibson stated in his Security Now! podcast #20 that his company Gibson Research Corporation would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated in the more recent Security Now! podcast #23 that Windows 9x and ME are not vulnerable and do not need patching. Windows 9x/ME users can run his MouseTrap utility to see this for themselves.

A free downloadable patch for Windows NT has been provided by Paolo Monti from Future Time, the Italian distributor of Eset's NOD32 anti-virus system. The patch works on older operating systems, but it is supplied without warranty.

There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to ask before installing automatically downloaded updates. This causes an automatic reboot, which can cause loss of data if the user has a program open with unsaved changes.

Other corrective measures

These measures are of historical interest only on systems updated on or after 5 January 2006.

Workaround

As a workaround before a patch was available, on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll, which invokes previewing of image files and is exploited by most of these attacks. This can be done by executing the command regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt. The DLL can be re-registered after patching by running regsvr32.exe shimgvw.dll. This workaround blocks a common attack vector but does not eliminate the vulnerability.

Third-party patch

A third-party patch was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of SANS Institute Internet Storm Center and F-Secure. Because of the large amount of publicity, including being indirectly slashdotted, Guilfanov's website received more visitors than it could cope with, and was suspended on 3 January 2006; the patch was still available for download from a number of mirrors including the Internet Storm Center website.

Guilfanov's website went back online on 4 January in a much-reduced state. No longer providing the patch on-site due to bandwidth issues, the homepage provided a list of mirrors where a user could download the patch and the associated vulnerability-checker, and the MD5 checksum for the file, so that it could be checked that a downloaded file was probably genuine.

After Microsoft released its patch, Guilfanov withdrew his.

Risk reduction techniques

Microsoft says its patch removes the flawed functionality in gdi32 that allowed the WMF vulnerability. For computers running an unpatched version of Windows, a defence in depth approach is recommended, to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:
  • Make use of hardware-enforced Data Execution Prevention effective for all applications.
  • Set the default WMF application to be one not susceptible to infection, such as Notepad.
  • Do not use Internet Explorer, or at least turn off downloads by setting the default security settings to high.
  • Keep all anti-virus software up-to-date. Consider frequent manual updates.
  • Block all WMF files on the network perimeter by file-header filtering.
  • Make use of user accounts that are configured with only the user rights that are required.
  • Disable image loading in Internet Explorer and all other browsers.
  • Disable image loading in Outlook Express.
  • Disable hyperlinks in MSN Messenger.
  • Disable the Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
  • Disable Desktop Search applications such as Google Desktop or Windows Desktop Search until the problem is corrected.

According to a SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer may offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening the maliciously crafted Windows Metafile, and does not protect against the vulnerability being exploited, as these browsers still open the metafile if it is masquerading as another format. It is better to entirely disable image loading in any browser used.
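
The file-header filtering recommended above, and the opcode check that patched metafile interpreters apply to Escape records, can be sketched as a content-based scanner. This is an added example, not code from the article or from any vendor; the numeric constants follow the published WMF format, while the function names, verdict labels and sample files are assumptions constructed for the illustration (the sample escape payload is four zero bytes).

```python
import struct

# Constants from the published WMF format; policy names are this example's own.
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte placeable prefix
META_EOF = 0x0000
META_ESCAPE_LOW = 0x26        # low byte of the META_ESCAPE record function 0x0626
SETABORTPROC = 0x0009         # escape function named in the Secunia quote


def header_offset(data):
    """Offset of the 18-byte metafile header if data looks like a WMF, else None."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data, allowed_escapes=None):
    """Walk the record list; return findings as (offset, kind, value).

    allowed_escapes=None: denylist mode, only SETABORTPROC is reported.
    allowed_escapes=set:  allowlist mode, every other escape is reported too.
    Returns None when data is not a WMF at all.
    """
    start = header_offset(data)
    if start is None:
        return None
    findings, pos = [], start + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2          # record size is counted in 16-bit words
        if size_words < 3 or end > len(data):
            findings.append((pos, "malformed-record", size_words))
            break
        if func == META_EOF:
            break
        # Compare the low byte only: the high byte is a parameter-count hint,
        # so the check should not depend on it being 0x06.
        if (func & 0xFF) == META_ESCAPE_LOW:
            if size_words < 4:
                findings.append((pos, "malformed-record", size_words))
            else:
                esc = struct.unpack_from("<H", data, pos + 6)[0]
                if esc == SETABORTPROC:
                    findings.append((pos, "setabortproc-escape", esc))
                elif allowed_escapes is not None and esc not in allowed_escapes:
                    findings.append((pos, "escape-not-allowed", esc))
        pos = end
    else:
        findings.append((pos, "missing-eof", 0))   # ran off the end without META_EOF
    return findings


def verdict(filename, data, allowed_escapes=None):
    """Decide on content; the name is used only to spot a WMF under another extension."""
    findings = scan_wmf(data, allowed_escapes)
    if findings is None:
        return "not-wmf"
    if findings:
        return "wmf-suspicious"
    if not filename.lower().endswith(".wmf"):
        return "wmf-masquerading"
    return "wmf-clean"


# --- Constructed, inert sample data for the demonstration ---
def make_record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_sample(records, placeable=False):
    body = b"".join(records) + make_record(META_EOF)
    largest = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, largest, 0)
    # Placeable prefix with its checksum left as 0 (the scanner does not verify it).
    prefix = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return (prefix if placeable else b"") + header + body


SET_MAP_MODE = make_record(0x0103, struct.pack("<H", 8))   # ordinary state record
ABORTPROC_ESC = make_record(0x0626, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
OTHER_ESC = make_record(0x0626, struct.pack("<HH", 0x000F, 2) + b"\x00\x00")
BENIGN = build_sample([SET_MAP_MODE], placeable=True)
FLAGGED = build_sample([SET_MAP_MODE, ABORTPROC_ESC])

if __name__ == "__main__":
    for name, blob in [("logo.wmf", BENIGN), ("photo.jpg", BENIGN),
                       ("card.jpg", FLAGGED), ("note.txt", b"hello")]:
        print(name, verdict(name, blob), scan_wmf(blob))
```

Because the decision is made on the header and record stream rather than the file name, a metafile delivered under a .jpg name is still recognised, which is the case the extension prompt described above does not cover.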

Accusations

An independent examination of the vulnerability by Steve Gibson of Gibson Research had suggested that the peculiar nature of the 'bug' was an indication that the vulnerability was actually a backdoor engineered consciously into the system. Some sources have questioned this conclusion. Steve Gibson has since clarified that his use of the term backdoor was never intended to imply anything done by malicious intent. He still maintains that the backdoor was intentional, though not necessarily intended by Microsoft (e.g. an employee may have put it in without Microsoft's knowledge).

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.