Author
|
Topic: Urgent Security Alert for All Windows Users
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 29 December 2005 11:09 PM
Newly Discovered & Immediately Exploited Windows Vulnerability

Courtesy http://www.grc.com and Steve Gibson - Security Now

A serious new remotely exploitable Windows vulnerability has been discovered in a highly-used and readily exploitable Windows component. The "SHIMGVW.DLL" is used for rendering Windows Metafiles, but can reportedly also be invoked whenever Windows attempts to display non-metafile images as well. Since malicious exploits for this vulnerability are already in the wild and are being actively used to install malware into users' machines . . . You should IMMEDIATELY disable Windows' use of this DLL until new patches from Microsoft are available.

To immediately disable the vulnerable Windows component:
1. Logon as a user with full administrative rights.
2. Click the Windows "Start" button and select "Run..."
3. Enter the following string into the "Open" field: regsvr32 -u %windir%\system32\shimgvw.dll (You can copy/paste from this page using Ctrl-C/Ctrl-V)
4. Click "OK" to unregister the vulnerable DLL.
If all goes well, you will receive a confirmation prompt, and your system is now safe. No need to reboot, but you might want to just to be sure that any possible currently loaded instance is flushed out.

To eventually reenable the "SHIMGVW.DLL" component:
1. Logon as a user with full administrative rights.
2. Click the Windows "Start" button and select "Run..."
3. Enter the following string into the "Open" field: regsvr32 %windir%\system32\shimgvw.dll (You can copy/paste from this page using Ctrl-C/Ctrl-V) Same as the one above, but no "-u" for "uninstall".
4. Click "OK" to re-register the (hopefully) non-vulnerable DLL.

More from spywareinfo.com

Web sites which engage in drive-by installations are going nuts. In less than 48 hours after this flaw became public knowledge, thousands of web sites are believed to have started using the exploit to install spyware. At least one adware program, which pops up advertisements on certain partner web sites, is exploiting the WMF flaw to install additional software.

This is a very dangerous problem. The Windows graphics rendering engine runs as a system process, which means that software installed through this flaw will have system-level permissions. Any piece of software, running on a vulnerable system, can execute a malicious package merely by attempting to open a specially-crafted image. This includes your email program, your web browser and image viewing software. The most likely means of exploiting this flaw will be to insert malicious images onto web pages and within spam email.

I will keep you updated as more facts, fixes or workarounds emerge.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/ or my computer troubleshooting website: Wizcrafts Computer Services, or my Webmaster Services webpage

[This message was edited by Wiz Feinberg on 30 December 2005 at 11:39 AM.]
[This message was edited by Wiz Feinberg on 06 January 2006 at 03:41 PM.]
|
Jon Light Member From: Brooklyn, NY
|
posted 30 December 2005 10:58 AM
When the Microsoft Security Response Center Operations Manager tells a newspaper that the flaw is "a very serious issue" you know there's trouble. I successfully performed the above procedure. |
Steinar Gregertsen Member From: Arendal, Norway
|
posted 30 December 2005 11:17 AM
Done. Thanks Wiz!
Steinar
------------------
www.gregertsen.com
|
Walter Stettner Member From: Vienna, Austria
|
posted 30 December 2005 12:26 PM
Done also!
Thanks for the alert!
Kind Regards, Walter
www.lloydgreentribute.com
www.austriansteelguitar.at.tf
|
Bill Bosler Member From: Schwenksville, Pennsylvania, USA
|
posted 30 December 2005 03:15 PM
Thanks, Wiz!! |
Larry Robbins Member From: Fort Edward, New York, USA
|
posted 30 December 2005 04:39 PM
Not sure what all that means but, better safe than sorry. Thanks Wiz! |
John Bresler Member From: Medford, Oregon
|
posted 30 December 2005 05:04 PM
Me too!! 
|
Steinar Gregertsen Member From: Arendal, Norway
|
posted 30 December 2005 09:06 PM
Ugh! I can't open my photos anymore, but I guess that's some of the point with disabling the dll........? I can open them in PhotoShop, but that's a bit of a workaround, hopefully Microsoft will offer a fix for this pretty soon....
Steinar
------------------
www.gregertsen.com
|
Jim Phelps Member From: just out of Mexico City
|
posted 31 December 2005 12:26 AM
Yeah, I noticed my Windows Explorer doesn't show thumbnails anymore.... I suppose I can live with that until this thing dies down or there's a patch from Microsoft. Thanks again for the heads up, Wiz. |
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 31 December 2005 08:54 AM
GO TO RED ALERT

The news from various security sources indicates that this vulnerability is seated deep within the various versions of the Windows SubSystem, at least back to Windows 95, and possibly earlier. I remember using Windows WMF graphics files on my first Windows 95 computer, which was upgraded from Windows 3.11. It is browser and email client agnostic and can even infect a DOS box, provided Google Desktop Search is installed and tries to index a downloaded WMF image.

I propose these temporary solutions, in addition to the one I posted at the start of this thread:

Simply opening an email that contains a hostile WMF image can infect your computer. This can happen if you have a live preview of new emails. Turning off the Preview feature will give you one level of protection. Find your email options for layout and de-select Previewing. In Outlook Express this is found under View > Layout - with a checkbox labeled Show Preview Pane. Uncheck that option and click Apply.

You should also disable html functions when reading email, which also disables the displaying of any embedded images. If you use Microsoft Outlook Express open your options (Tools > Options) to the Read tab and check the box labeled "Read all messages in plain text." If you use Outlook there will be a similar option somewhere (I don't use Outlook). If you get your email via your browser find your options and see if there is one to block images and active content and select that option.

Users can also ditch Internet Explorer for Firefox or Opera. The vulnerability isn't within IE itself, but that browser does open WMF files automatically without asking permission from the user. Firefox and Opera at least put up a dialog box asking the user if he or she wants to open the file with Windows Picture and Fax Viewer. Using Firefox or Opera, however, doesn't guarantee that a PC is immune, since a malicious WMF file could still be introduced via e-mail.

People are out there trying to trick everybody they can to visit websites that have malicious WMF files embedded in them. Their goals are to install adware, spyware, keyloggers, backdoors and other bad stuff on your computers.

Another Useful Solution

One more thing you can do if you are running Windows 2000 or newer is to lower your user privileges to "User" or "Limited User." First go to Control Panel and open the Users and Passwords item and create a new account with Admin privileges and give it a password. Next, open your existing account by name and change it to Limited User in Windows XP, or to User in Windows 2000 or Server. Once you apply these changes log off your account and log back in with limited privileges. This will limit the damage that can be done if your computer gets infected via this exploit. If you need admin privileges to install or update a program use your RunAs command, or else log off and log into your new Admin account and perform the upgrade or installation from there, selecting All Users can use the program, if asked.

I have been reading a lot about this problem, and so far these are the best actions you can take to protect yourselves. As I learn of any more proactive things to do to protect your PCs I will post them in this thread.

[This message was edited by Wiz Feinberg on 31 December 2005 at 08:56 AM.]
|
Larry Robbins Member From: Fort Edward, New York, USA
|
posted 31 December 2005 11:17 AM
WOW, Did all of the above, and that's no small undertaking for someone with my limited brain power!
But, better safe than sorry I guess. Thank you Wiz, for looking out for all of us! This is a bit of a pain but, it sure beats the heck out of the alternative! ...Oh yeah...even using Mozilla Firefox now!
[This message was edited by Larry Robbins on 31 December 2005 at 11:18 AM.]
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 31 December 2005 12:33 PM
Another temporary fix for the WMF Vulnerability

I just read information at GRC about a temporary patch that has been created by another security pro, and is available via GRC, on this page: http://www.grc.com/sn/notes-020.htm

Read the details first, then decide if you want to install this private sector patch. If you do apply it be sure to remove it after Microsoft issues its official patch (hopefully real soon!) I just installed the temporary patch with no ill effects.

For those of you who don't already know, GRC.com is owned and operated by Steve Gibson, one of the foremost professionals in the online security business. Maybe you've heard about, or used his ShieldsUp Port Scanner to test your defenses against hostile TCP scans. Steve is a forerunner in alerting the public to exploitable vulnerabilities in Windows operating systems, and I am an avid reader of his website.

Steve has teamed up with Leo Laporte, formerly of TechTV, to produce a series of security alerts with great details about the implications of various vulnerabilities in the technologies we depend upon. They are in downloadable audio and html format, and can be found at: http://www.grc.com/securitynow.htm

[This message was edited by Wiz Feinberg on 31 December 2005 at 12:35 PM.]
[This message was edited by Wiz Feinberg on 31 December 2005 at 12:43 PM.]
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 31 December 2005 01:20 PM
Here is the text of the Secunia bulletin about this vulnerability

Secunia Advisory: Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution. Extremely critical.

Description: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

Secunia Advisory here: http://secunia.com/advisories/18255/
|
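Added example, not part of the original thread or of the advisories quoted in it: a file-triage check built on the Secunia description above, which recognises WMF content by its header rather than its file extension and reports Escape records whose function is SETABORTPROC. The numeric constants come from the published WMF format; the function names and the sample bytes are constructed for this illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the metafile
META_ESCAPE = 0x0626         # record function: Escape
META_EOF = 0x0000            # record function: end of metafile
SETABORTPROC = 0x0009        # escape function named in the advisory
OTHER_IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".tif", ".tiff", ".png")


def first_record_offset(data):
    """Return the offset of the first record if data starts like a WMF, else None."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, header_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory, 2 = disk; the header is always 9 words; version 1.0 or 3.0.
    if ftype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + 18


def scan_wmf(data):
    """Walk the record stream and note every Escape/SETABORTPROC record."""
    result = {"is_wmf": False, "setabortproc": [], "malformed": False}
    pos = first_record_offset(data)
    if pos is None:
        return result
    result["is_wmf"] = True
    saw_eof = False
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        if function == META_EOF:
            saw_eof = True
            break
        # Look at the escape function before trusting the declared size, so a
        # record that overruns the file is still reported.
        if function == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                result["setabortproc"].append(pos)
        if size_words < 3 or pos + size_words * 2 > len(data):
            break
        pos += size_words * 2
    result["malformed"] = not saw_eof   # truncated or inconsistent record stream
    return result


def triage(filename, data):
    """Return human-readable findings for one file; an empty list means nothing to report."""
    scan = scan_wmf(data)
    findings = []
    if not scan["is_wmf"]:
        return findings
    if filename.lower().endswith(OTHER_IMAGE_EXTS):
        findings.append("WMF content under a non-WMF image extension")
    if scan["setabortproc"]:
        offsets = ", ".join(str(o) for o in scan["setabortproc"])
        findings.append("Escape record with SETABORTPROC at offset(s) " + offsets)
    if scan["malformed"]:
        findings.append("record stream is malformed or truncated")
    return findings


def build_sample(with_setabortproc):
    """Constructed test input: a tiny metafile; the Escape record carries no data bytes."""
    records = [struct.pack("<IHH", 4, 0x0103, 8)]          # META_SETMAPMODE
    if with_setabortproc:
        records.append(struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0))
    records.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


if __name__ == "__main__":
    for name, blob in (("drawing.wmf", build_sample(False)),
                       ("card.jpg", build_sample(True))):
        print(name, triage(name, blob) or "nothing to report")
```

Run over a mail quarantine or download folder, a check of this kind looks at every file regardless of extension, since the advisory notes that renamed files are still handled as metafiles.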
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 31 December 2005 01:58 PM
If you have Google Desktop Search on your computer it will trigger the exploit if you download an image that contains WMF meta data headers containing hostile code.

From F-Secure's Blog after their DOS box got infected with something lurking in a WMF file:

"The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime."

"So, be careful out there. And disable indexing of media files (or get rid of Google Desktop) if you're handling infected files under Windows."

It is possible that other desktop search indexers will have the same capability to index meta data, so turn them off for the time being, until the official patches are released and installed and tested.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 31 December 2005 02:03 PM
From VirusList.com I found this about the WMF vulnerability being exploited via the MSN Messenger IM client (Other IM clients will be exploited very soon, if not already):

Analyst's Diary
More on WMF exploitation
Roel, December 31, 2005 | 11:54 GMT

comment: It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted. We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "ht*p://[snip]/xmas-2006 FUNNY.jpg". This may well turn out to become a local epidemic (in NL), however so far it has not become big. (Not even 1000 bots at this moment)

The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus. This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV. At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.

Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll. So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised. It has to be noted that in this case the attack vector of web browsers seems significantly smaller than that of explorer+third party programs.

I'm afraid we have to end this year with the warning to watch out for any unknown imagefile. With the flurry of e-cards and Happy New Year messages this could get really messy, so be careful.
|
erik Member From:
|
posted 01 January 2006 12:16 AM
Can you explain what the result will be other than your system is infected? What is the great fear?
------------------
-johnson
|
Bob Martin Member From: Madison Tn
|
posted 01 January 2006 12:24 AM
Hey Wiz, thanks for the heads-up. Will a hardware firewall and a worm intrusion/active virus app catch this intrusion? Also, is this only a problem if you use IE? Isn't Firefox already patched to not allow this malware? I'm just wondering if I need to be concerned.
Thanks
Bob
|
winston Member From: Frankfort, Kentucky 40601
|
posted 01 January 2006 09:17 AM
I cannot find a fix for win98. winston |
Donny Hinson Member From: Balto., Md. U.S.A.
|
posted 01 January 2006 11:33 AM
Apparently, this dangerous component (.dll file) isn't a part of the Windows 98 OS. |
Al Gershen Member From: Grants Pass, OR, USA
|
posted 01 January 2006 09:23 PM
Hi group:

Here's a link to the Microsoft Security Advisory on this matter. The URL is: http://www.microsoft.com/technet/security/advisory/912840.mspx

Notice that this advisory came out on December 28th and was revised on December 30th. I expect that due to the holiday, Microsoft will come out with a fix on Tuesday, January 3rd.

If you decide not to do anything suggested in this subject thread, it's important to run your updated antivirus software and avoid opening emails that you're not familiar with.

Good luck and Happy New Year!
------------------
Regards, Al Gershen
Grants Pass, Oregon. USA
Fender 1000 (1957), Fender PS 210 (1970) & Gibson Electraharp EH-820 (1961)
Al's Photographs at http://www.alsphotographs.com
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 01 January 2006 10:43 PM
At this time it appears that Windows 98 users are being left to fend for themselves regarding this issue. You are vulnerable, but the workarounds listed in this thread do not apply to your antiquated OS. It is possible that Microsoft will release a patch for Windows 98 computers at risk, and if they do I will post that information here. Until then exercise extreme caution regarding emails and links to unknown websites, and avoid invitations to visit websites promoted via Instant Messenger clients.

BTW: Windows 98 has passed end of life at MS, but they have extended critical patch support for a few more months.

[This message was edited by Wiz Feinberg on 01 January 2006 at 10:44 PM.]
|
Jack Stoner Sysop From: Inverness, Florida
|
posted 02 January 2006 04:19 AM
This apparently is an OS issue, not a browser issue as a warning on the Dell users forum notes that using something other than Internet Explorer won't help (e.g. firefox or opera). |
Jeff Agnew Member From: Dallas, TX
|
posted 02 January 2006 07:31 AM
quote: ...avoid opening emails that you're not familiar with

This won't help if your mail client is configured to use the preview pane. Unfortunately, this is default behavior for Outlook/Outlook Express, as is rendering HTML.

quote: ...using something other than Internet Explorer won't help (e.g. firefox or opera)

Yes, it's an OS issue but alternative browsers will display a warning before downloading the malicious content, IE will not. Of course, if a user accepts the download it's a moot point.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 02 January 2006 11:49 AM
Please read my suggestions listed under the heading Go To Red Alert; post #10 in this thread. Among them I describe the dangers of having the preview pane active in Outlook and Outlook Express, and even in browser-based email readers, along with instructions for disabling the preview pane.

Now, I have more help courtesy of Ilfak Guilfanov, the author of Hex Blog, and the first person to write a fix for the WMF vulnerability (approved by SANS). This comes in the form of a vulnerability checker. You can download it from here.

Read the instructions on that web page, download either the .exe or .zip file, check for viruses, then run it. It will tell you if your computer is vulnerable to at least one exploit, but not all of them (yet). This tool and the companion patch, on the same website, are being updated daily.

I am now looking into how Windows 98 is affected and what can be done for folks who are still using that OS. I will post information as soon as I find anything pertinent.
|
George Rozak Member From: Braidwood, Illinois USA
|
posted 02 January 2006 10:25 PM
Thanks for all the info Wiz.

quote: If you do apply it be sure to remove it after Microsoft issues its official patch (hopefully real soon!)

Do you recommend we turn off Windows auto update after installing the above referenced temp patch? I'm wondering what would happen if the patch gets applied thru the auto update function before the temp patch gets removed.

Thanks again...
George
------------------
Sho-Bud: Professional & Fingertip
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 02 January 2006 10:40 PM
George asked:

quote: Do you recommend we turn off Windows auto update after installing the above referenced temp patch? I'm wondering what would happen if the patch gets applied thru the auto update function before the temp patch gets removed.

Do NOT turn off automatic Windows updates. After you do receive the eventual MS patch via Windows Update, then you can uninstall the private hotfix and test for vulnerabilities using the test file I mentioned in my last post.

There will be more info released on the security sites once MS does release a patch, and I will post it here.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 03 January 2006 09:19 AM
Microsoft is about to release an approved patch for the WMF vulnerability, supposedly for "all affected platforms." That may include deprecated OSs like Windows 98. The patch will be pushed out on January 10, which is the second Tuesday of the month, the standard patch release day for MS. You can read the entire MS advisory here: http://www.microsoft.com/technet/security/advisory/912840.mspx

Until then I still recommend using the third-party patch mentioned previously, as well as lowering your rights for your day to day browsing account. If you have Win XP you can use Fast User Switching to enter your Admin level account to install, uninstall, or update programs, or to run defragmenter, then switch back to continue browsing, etc.

Remember, the damage inflicted by any trojan, hijacker, backdoor, or sleazeware installer is limited by the scope of the user's rights for the affected account. Limited accounts will not allow any program to install any files into the system directories, or install any services, or alterations to the Windows "shell."
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 04 January 2006 04:21 PM
On January 2nd I said that I was looking into what protection was available for Windows 9x or ME computers. I have found a third party patch available on the NOD32 website, which users of Windows 95, 98 and ME can install, at least until MS releases their "official patch."

Go to this page and scroll down where it says - WMF Patch by Paolo Monti. You will find a download link to his zipfile containing the patch, along with his disclaimers and a list of OSs covered.

For those who didn't already know about NOD32 Anti Virus, it is among the top rated products in the World.

[This message was edited by Wiz Feinberg on 04 January 2006 at 04:24 PM.]
|
Anders Brundell Member From: Falun, Sweden
|
posted 05 January 2006 01:52 PM
Is Microsoft's fix KB912919 the solution?
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 05 January 2006 02:22 PM
According to the Microsoft security bulletin I got this afternoon, the security update will be available at 2:00 pm PT as MS06-001. |
Mike Selecky Member From: BrookPark, Ohio
|
posted 05 January 2006 04:21 PM
From the info on Microsoft's site it appears that Win98 is not protected by this patch:

Date: Jan 5, 2006
Bulletin Description: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919): MS06-001
Affected Software: Windows 2000 Advanced Server, Windows 2000 Datacenter Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003 for Small Business Server, Windows Server 2003, Datacenter Edition, Windows Server 2003, Enterprise Edition, Windows Server 2003, Standard Edition, Windows Server 2003, Web Edition
Service Packs: Windows 2000 Service Pack 4, Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 Gold, Windows Server 2003 SP1
Bulletin Rating: Critical

[This message was edited by Mike Selecky on 05 January 2006 at 04:21 PM.]
|
Jon Light Member From: Brooklyn, NY
|
posted 05 January 2006 06:03 PM
I received notification of a Windows update via auto-notification. It didn't have the usual form by which I could see the details and opt in/out. So I don't know for a fact that I downloaded this particular patch. But I downloaded something. FWIW, I uninstalled the private temp patch and ran the security check which declared me 'invulnerable'. Trusting nothing, anymore, I will wait and see what more patches, tests, and general info come down the pike. |
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 05 January 2006 07:09 PM
Here is what Microsoft has to say to its customers who are still running Windows 98, or M.E. operating system, regarding this vulnerability and the patch which was released today...

quote: Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin? No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.

Please refer to my information posted yesterday about a patch for Windows 9x, from a third party.

Users who did receive the official update can test their system using the vulnerability test file mentioned several posts above here, then uninstall the private patch, if they installed it as a stop-gap measure.
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 05 January 2006 09:57 PM
Leo LaPorte and Steve Gibson are joined by Ilfak Guilfanov, at Security Now

Here's one you guys won't want to miss. As you know by now, I am a security nut, and one of my feeding grounds is at grc.com/securitynow.htm

Well, there is a brand new audio transcript available at SecurityNow, in which Ilfak Guilfanov joins Leo and Steve to discuss the Windows WMF vulnerability and the patch he created, while the world waited for Microsoft to release its own version. The new episode is #21, The Windows MetaFile (WMF) Vulnerability. Download it and play it in your media player, and learn.

[This message was edited by Wiz Feinberg on 05 January 2006 at 09:59 PM.]
|
Colin Goss Member From: St.Brelade, Island of Jersey, Channel Islands, UK
|
posted 06 January 2006 01:24 AM
Windows released their wmf patch today and I have downloaded it. However the thumbnail pictures of graphic files in the windows explorer still does not work - the patch above removed that. How can this be restored? |
Jon Light Member From: Brooklyn, NY
|
posted 06 January 2006 02:09 AM
The very first post in this thread provides instructions for disabling and for re-enabling the component involved with thumbnail previews. That was the first thing I did. I just did the re-enabling procedure and it all seems to work again.
|
Ray Minich Member From: Limestone, New York, USA
|
posted 06 January 2006 10:25 AM
The "security now" website is a great resource. Thanks Wiz. (As Andy Grove of Intel fame is supposed to have said, "Be afraid, very afraid...")

From the news.com site... (Andy) Grove came to the U.S. as a refugee from Hungary (via a quick stop in Austria). After graduate school at UC Berkeley, he joined Fairchild and then Intel, as its fourth employee. Besides serving as CEO and Chairman at Intel, he has written a number of books, including "Only the Paranoid Survive."

[This message was edited by Ray Minich on 06 January 2006 at 12:13 PM.]
|
Pete Burak Member From: Portland, OR USA
|
posted 06 January 2006 11:46 AM
I downloaded the Win98 patch from the site Wiz posted. It says no reboot is required (although something will probably cause me to reboot before long).
So am I good to go now? (besides the fact that I'm using a box that I got in '98).
|
Al Marcus Member From: Cedar Springs,MI USA
|
posted 06 January 2006 11:48 AM
Hi Wiz - How do you "copy" and "Paste" from the forum and where do you paste it to....al
------------------
My Website..... www.cmedic.net/~almarcus/
|
Wiz Feinberg Moderator From: Flint, Michigan, USA
|
posted 06 January 2006 03:37 PM
Al queried Wiz's Positronic net with this question:

quote: How do you "copy" and "Paste" from the forum and where do you paste it to?

Assuming that you are using a Windows PC or laptop, and you have a mouse with left and right buttons on top of it, locate the text/commands that you want to copy. As you move your mouse over standard text the cursor should change to a vertical I-beam shape. When you see the beginning of the text to be copied press down on the left mouse button and hold it down. Now, drag the mouse to the end of the text to be copied, then let go of the left button. Your desired text should be highlighted (in blue). Next, press the Control and C keys together, to copy the highlighted text. Find the destination field and click in it to make it active, then press the Control and V keys together, to paste it into that field.

It sounds to me like you want to copy and paste the command to de-, or re-register the vulnerable .dll, right? If that is the case follow my expert instructions to copy the code snippet from my first Post in this thread. Once it is copied it stays in a virtual space in memory called the Windows Clipboard. Next, click your left mouse button on the START button, on the left end of the taskbar on the bottom of the Windows Desktop. One of the first options to flyout (on the right in Windows XP) is named RUN. Click on RUN and a text input field will open. Click once inside that text input field to make it active, then press the Control and V keys together, to paste the command into the Run box, then press your ENTER key to execute it.

If you have copied the correct code, without leaving anything out, or including an unneeded character, you will see a popup notice that such and such a .dll was (Un)Registered (depending on which code you copied and pasted). The change should take place immediately. If it doesn't, click once on an empty spot on the Windows desktop to refresh the view and try viewing thumbnails in your images/pictures folder. If that still doesn't work, try rebooting the computer.

If that doesn't work, try putting your boots to the computer (that'll fix 'er for good!).

[This message was edited by Wiz Feinberg on 06 January 2006 at 03:40 PM.]
|