Windows Metafile vulnerability

This article documents a current event. Information may change rapidly as the event progresses, and initial news reports may be unreliable. The latest updates to this article may not reflect the most current information. Feel free to improve this article or discuss changes on the talk page, but please note that updates without valid and reliable references will be removed. (Learn how and when to remove this message)

The Windows Metafile vulnerability is a vulnerability in Microsoft Windows which was first disclosed on Bugtraq on 27 December 2005 ^[1], and subsequently used in a variety of exploits. The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the permission of their users. Windows versions from Windows 98 to Windows Server 2003 R2 are known to be vulnerable to the exploit, while versions as old as Windows 3.0 are probably also vulnerable. Exploits of this vulnerability are thus among the very few examples of genuine drive-by download.

Computers are mostly being affected via the spread of infected e-mails which carry the hacked WMF file as an attachment, but infection can also result from:

• Viewing a malicious website in Internet Explorer (in which case the file may be automatically downloaded and opened)
• Viewing such a website in any other web browser and agreeing to open and download at the prompt
• Previewing an infected file in Windows Explorer
• Previewing infected emails in older versions of Microsoft Outlook
• Indexing a hard disk containing an infected file with Google Desktop.

Other vectors may also be used to propagate infection.

McAfee, an anti-virus software provider, claims that the first generation of such exploits had infected more than 6% of their customer base by 31 December 2005. According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails."

As of 2 January 2006, Microsoft has not released an official patch to address the problem. As a workaround ^[2], on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file (shimgvw.dll) which invokes previewing of image files and is exploited by most of these attacks. However, while unregistering this file may reduce the vulnerability of systems, attacks could also exploit similar vulnerabilities in gdi32.dll.

Although a third party patch ^[3] by Ilfak Guilfanov removes the flawed functionality in gdi32 (see External links), the scope of the WMF vulnerability is still growing and a defence in depth approach is required to mitigate the risk of infection. The steps that users should consider taking include:

• Making Data Execution Protection ^[4] effective for all applications.
• Set the default WMF application to be something innocuous such as notepad.
• Turn off downloads in Internet Explorer by setting the default security settings to HIGH.
• Be vigilant in keeping all anti-virus products up-to-date. Consider frequent manual updates.
• Block all WMF files at your network perimeter by file header filtering.
• Utilize users accounts that are configured with as few user rights as necessary.
• Use an alternative browser such as Mozilla Firefox or Opera. This reduces, but does not eliminate, risk of infection.
• Disable Google Desktop indexing until the problem is corrected.
• Do not click on any links in emails or instant messages this week.
• Do not open any attached files this week.
• Do not visit any new web sites this week.

1. ^ http://www.securityfocus.com/archive/1/420288/30/30/, first mention of vulnerability on security mailing list Bugtraq.
2. ^ Microsoft Security Advisory (912840) - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution, Microsoft Official Advisory on the vulnerability.
3. ^ http://www.hexblog.com/2005/12/wmf_vuln.html, unofficial patch by Ilfak Guilfanov.
4. ^ How to Configure Memory Protection in Windows XP SP2, software-enforced Data Execution Prevention (DEP) feature in Microsoft Windows XP SP 2.

Wikinews has related news:

• Microsoft Windows metafiles are a vector for computer viruses

• Steve Gibson of Gibson Research Corp. endorses Guilfanov patch
• WMF FAQ - SANS Institute Internet Storm Center
• History of the WMF Vulnerability and why we are on alert - F-Secure
• Windows Security Flaw Is 'Severe' - Washington Post
• Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution - Secunia advisory
• CERT advisory - US-CERT
• Summary of status as of 1 January
• New exploit released for the WMF vulnerability - SANS Institute Internet Storm Center
• Be careful with WMF files - F-Secure
• Vulnerability Checker - Ilfak Guilfanov
• Example exploit - Metasploit
• MSDN pages for Escape and SetAbortProc
• WMF Defense-in-Depth Strategy - Jim Manico