WMF FAQ: What you need to know

IT staffers in the past week have been working to fend off attacks related to the recently disclosed Windows Metafile (WMF) vulnerability. With third-party patches already available, Microsoft released the official patch last Thursday, ahead of its original plan of issuing it on Tuesday of this week, which is when it will release its monthly set of security patches and updates.

Computerworld Security channel editor Angela Gunn has put together an extensive FAQ on the vulnerability, how it works, what systems are affected and what you can do about it.

The Problem

What's the fuss about? A major security hole involving WMF files. Exploits targeting the hole can use WMF files to run malicious code on a target machine -- infecting it with spyware, stealing data or recruiting it into a zombie network. The problem has existed for years, but its discovery was publicly announced in late December 2005.

Which versions of Windows are vulnerable? Microsoft stated that the vulnerability applies to all versions of Windows from 98 onward, though, practically speaking, only XP and Server 2003 installations are likely to have problems. Secunia confirmed the following systems to be at risk: Microsoft XP Pro, Microsoft XP Home, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition and Microsoft Windows Server 2003 Standard Edition.

Are Mac, Linux or Unix systems vulnerable? Very funny.

The Situation

Is any real-world malware targeting this hole? Like rust, exploit writers never sleep, or even slow down enough to be counted. Close to 100 known exploits have been noted on the CastleCops.com discussion board, and antivirus firm Sophos reported over 200 attack methods thus far.

How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. That program is believed to have been used in the first wave of exploits.

What's the launch sequence? When a user clicks on a WMF file, the application calls the shimgvw.dll library, which in turn can call the Escape() function in the gdi32.dll library. Escape() has a subfunction called SETABORTPROC, which lets users cancel a print job during spooling from within various applications. The exploit targets SETABORTPROC. It causes a buffer overflow and thus allows the targeted computer to run malicious code in the WMF file, whatever it may be.

What do those DLLs and functions do?

  • Shimgvw is used by Windows Picture and Fax Viewer, which is Windows' default program, for a variety of file formats. Other applications, including Mozilla, rely on this DLL as well.

  • As described by Microsoft, the GDI (Windows Graphic Display Interface) "enables applications to use graphics and formatted text on both the video display and the printer. Microsoft Windows-based applications do not access the graphics hardware directly; instead, GDI interacts with device drivers on behalf of applications. GDI can be used in all Windows-based applications."

  • The Escape() function translates certain calls from the GDI library to the driver for a particular device -- for instance, a scanner or a printer.

  • SETABORTPROC provides compatibility between newer versions of Windows and the older 16-bit versions, making this a so-called backward-compatible or "regression" bug.

What's the payload? It can be any kind of executable file, but payloads so far appear to be mainly of the adware and spyware type. Some versions attempt to "recruit" machines into zombie armies, presumably to be deployed for nefarious purposes at a later date. Symantec reports that one exploit, dubbed PWSteal.Bankash.G, carried a password-stealing Trojan horse that also attempted to open a proxy server on a random TCP port.

Did I hear something about this back in November? No, that was a different problem, affecting both WMF and EMF (Extended Metafile) formats. For those keeping track, the earlier vulnerabilities were profiled in Microsoft Security Bulletin MS05-053; the newer problem is covered in Microsoft Security Advisory 912840. The patch issued for the earlier vulnerability doesn't correct the newer problem.

The Solution (so far)

What do the patches do? According to Ilfak Guilfanov, the patch writer, the unofficial Hexblog patch blocks access to the Escape() function in gdi32.dll, making the vulnerable SETABORTPROC subfunction unreachable. After running the patch, a user should also deregister the shimgvw.dll library. Hexblog's fix works on Win2000, XP, XP64 and Win2003 systems.

Microsoft is, of course, working on a patch. A prerelease version was briefly posted on a developers' discussion board, probably in error. Microsoft says the release version will not be available until Jan. 10. The company recommends that users deregister the shimgvw.dll library until the official patch is installed.

Is a non-Microsoft patch safe? Microsoft and some analysts such as Gartner Inc. are suggesting that sysadmins not install the Hexblog patch, noting that most major antivirus packages have issued up-to-date signatures that handle the problem. Other reputable sources, such as SANS Institute's Internet Storm Center, recommend Hexblog installation. The U.S. Computer Emergency Readiness Team (US-CERT) is noncommittal but does link to the Hexblog patch.

What if I just block the WMF extension? Nope. Other graphics files, with extensions such as .bmp, .gif and .jpg, might also be problematic, since the rendering engine examines file headers (not extensions) when determining file type.

What about just deregistering the shimgvw.dll library? Microsoft says that'll do for now, but outside security experts note that shimgvw.dll is only an intermediate step, merely making the call to the function in gdi32.dll. An exploit could be written to call gdi32.dll directly and thus compromise the machine. Besides, Windows Picture and Fax Viewer, which uses the shimgvw.dll library, is merely the default program for WMF and graphics files in XP and Server 2003. Desktop search software such as Google Search could also trigger the vulnerability if such a program happened across an infected file, as detailed in F-Secure's testing blog. Additionally, IBM has issued a bulletin advising Lotus Notes users that the company is investigating whether Notes' file viewer will execute problematic code; Symantec seems confident that Notes is definitely at risk.

If I install the unofficial patch, what do I do with the official patch? Guilfanov claims there will be no conflict between the two but advises users to uninstall his fix after they've installed Microsoft's. It will be listed in the Add/Remove programs window. Users should also remember to reregister shimgvw.dll at that time.

The Human Factor

Who's this Guilfanov guy? Ilfak Guilfanov wrote IDA Pro, a popular disassembler program used to investigate malware of this sort at the binary level. Currently, he's employed by Belgium's Datarescue, which released a preview of the next version of IDA Pro on December 28 -- the day after the WMF problem was revealed.

How am I going to explain this to my nontechnical bosses? Or the users? Good heavens, the users! Even if you've managed to teach your users smart surfing behaviors (be careful what you click in e-mail, stay away from dodgy sites, etc.), they're still vulnerable, at least in theory -- and with malware writers racing against that Jan. 10 patch release, you should encourage users to be particularly wary for the next week or so. All users should exercise caution when clicking on attachments even from known e-mail addresses or IM pals. Switching from HTML e-mail to text-only e-mail is also a good idea. Those using the Internet Explorer browser should temporarily disable downloads by changing their browser's Internet Zone security to "high." Firefox and Opera users are prompted before WMF files are opened; these users should be encouraged not to open the files. And for those opting to use the unofficial patch but still needing to explain that choice to others in the organization, SANS has put together a brief explanation in PDF and PowerPoint formats.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about CERT AustraliaF-SecureGartnerGoogleHISIBM AustraliaIDAMicrosoftMozillaSANS InstituteSophosSymantecVideo Display

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Angela Gunn

Latest Videos

More videos

Blog Posts