WMF (Windows meta file) exploit
The SANS Institute | January 2, 2006 | Various
Posted on 01/02/2006 5:07:56 AM PST by KeyWest
Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
(Excerpt) Read more at isc.sans.org ...
TOPICS: Miscellaneous; News/Current Events; Technical
KEYWORDS: backdoor; exploit; getamac; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; securityflaw; trojan; trojans; virus; virusbait; windows; wmf
This is from just one of the articles at the link. If you go to some of the anti-virus sites they say they have the problem in hand but SANS disagrees. The info is fairly straightforward.
In essence, if you are using MSIE you are particularly vulnerable. Firefox and Moz give an intermediate step that can protect you if you know about the exploit, but most people do not and will open the "picture".
I have been around since 1998, and post infrequently, but this is a potential major problem. There has been one other post on the problem, but few saw it.
1 | posted on 01/02/2006 5:07:56 AM PST by KeyWest
To: Admin Moderator
Moderator- OK, did something wrong to get the 404, but the links do work. Help!
2 | posted on 01/02/2006 5:11:34 AM PST by KeyWest (Help stamp out taglines!)
To: KeyWest
Foxnews.com had a story about this yesterday, I sent the link to my friends and family.
http://www.foxnews.com/story/0,2933,180244,00.html
You're right, this one is gonna be a major problem until they get a patch issued.
Don't you love MS development strategy? "Get it to market first, then finish programming."
3 | posted on 01/02/2006 5:12:17 AM PST by wvobiwan (It's OUR Net! If you don't like it keep your stanky routers off it!)
To: Admin Moderator
OK. I see it was the link to FR that showed up as a 404 and now works.
4 | posted on 01/02/2006 5:13:07 AM PST by KeyWest (Help stamp out taglines!)
To: Admin Moderator
Please change the date - it was not a year ago...
As I said, I post infrequently... :)
5 | posted on 01/02/2006 5:16:10 AM PST by KeyWest (Help stamp out taglines!)
To: KeyWest
> I have been around since 1998, and post infrequently, but this is a potential major problem.

Shoot, fella- I know you-- haven't "talked" to you for a while, but you go back farther on this site than I do... you're an Oldtimer.
I have some links handy ( rummaging around old files hastily )...
John's Note:
I tried this-- seems OK on Win 2K:
Here's an update to the unofficial fix posted above. The folks at sans.org have taken the patch apart and modified it to work on WIN2K systems.. It's running on my system with no apparent ill effects. I'll be patching the other computers in the house shortly.
----------------------------------------------------------------------------------------
Subnote: V-lan works fine on my home machines- others I know swear it "hosed my codecs"- so be advised I provide that and other links on a "use with caution" basis.
6 | posted on 01/02/2006 5:27:31 AM PST by backhoe (-30-)
To: backhoe; KeyWest
Thanks for the heads up. Once again this proves the worth of Free Republic and its posters.
I wouldn't know sans.org from Adam's housecat.
7 | posted on 01/02/2006 5:36:40 AM PST by A.Hun (Democrats suck worse than ice storms.)
To: backhoe; KeyWest
Amazing. This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum, blah, blah, blah..."
8 | posted on 01/02/2006 5:53:10 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
To: A.Hun
> I wouldn't know sans.org from Adam's housecat.

My late Mom's favorite variant of that was "wouldn't know him from a load of coal." (She grew up in coal country.)
9 | posted on 01/02/2006 5:53:46 AM PST by backhoe (-30-)
To: ShadowAce
10 | posted on 01/02/2006 5:54:00 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
To: Born Conservative
> Amazing. This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum, blah, blah, blah..."

Not surprisingly (since we have so many people from different backgrounds) some of the best and fastest computer advice I have gotten has been right here.
There are some very good computer forums- Geeks to Go, VirtualDr, and others- but we're pretty durn good, too.
11 | posted on 01/02/2006 5:56:51 AM PST by backhoe (-30-)
To: backhoe; KeyWest
Well, thank you both for the background. Not being in IT, it is hard to know who or what to trust. I downloaded the patch with (seemingly) no ill effects.
What is it with mother's sayings? That one is straight from mine's lips! LOL
12 | posted on 01/02/2006 6:02:26 AM PST by A.Hun (Democrats suck worse than ice storms.)
To: Born Conservative
> This post has been up for almost an hour, and we haven't had anyone post "Free Republic isn't a computer forum

They know they'd get their asses handed to them. ;-)
13 | posted on 01/02/2006 6:10:13 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: A.Hun
> Not being in IT, it is hard to know who or what to trust. I downloaded the patch with (seemingly) no ill effects.

I'm going to think about it for a while before I do anything with it.
The unofficial patch seems to revolve around the desire to show images whilst Netting. I've de-registered, and I'm only allowing images from the originating site (Firefox). I'm thinking about disallowing images totally, until the official patch comes out, but who knows how long Redmond is going to take.
14 | posted on 01/02/2006 6:14:32 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: KeyWest
Looks like some EXCELLENT info, KW.
15 | posted on 01/02/2006 6:15:24 AM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: wvobiwan
> Don't you love MS development strategy? "Get it to market first, then finish programming."

I've been in the software development business for over 20 years. Trust me, MS is not the only company that this applies to.
But you are never really "finished programming". And at some point, you have to release or you will never get a product out the door.
If everything released was "finished", wouldn't everything be at version 1.0 - heck, version numbers wouldn't even be necessary.
Is Linux "finished"? Oracle? etc. etc.
I'm not trying to absolve MS, but I don't hold them up to any higher standard than I would any other company because I've been on the other side of things, and there is NO major piece of software out there that is perfectly written.
But you'd think so if you read the various anti-MS blogs - you find all of the perfect programmers there who never have written code with a bug in their lives. :-)
To: KeyWest
17 | posted on 01/02/2006 6:23:36 AM PST by satchmodog9 (Most people stand on the tracks and never even hear the train coming)
To: KeyWest
To: KeyWest
Thank you. Fix seems to be running okay.
To: KeyWest
From the linked article: "...Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act..."
This struck me as kind of a stupid thing to say. As if the people who distribute these damned things give a crap about whether it is going to deleteriously impact their victims!
That aside, I appreciate the work that was done by these people on a holiday weekend to fight it. I just thought that comment was naive and silly.
20 | posted on 01/02/2006 7:22:43 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: Born Conservative
Dang. You mean it ISN'T a computer forum?
21 | posted on 01/02/2006 7:23:31 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: rlmorel
> You mean it ISN'T a computer forum?

Well, if Forbin can cut the Colossus links to Guardian we can get back to chatting about news and politics. Till then, it's tech stuff . . .
To: wvobiwan
> Don't you love MS development strategy? "Get it to market first, then finish programming."

What a naive comment. EVERY company releases software before it is finished: name one that doesn't.
No one who programs can say that their software is complete and bug-free. Hell, even if it's just 1 line of code you still can't be certain due to the code that runs under yours.
Program a little, put it in production, and see how much crap people find: it is truly astonishing. Do it without a profit motive and they will actually find more because you aren't as careful.
23 | posted on 01/02/2006 7:48:01 AM PST by wireplay
To: theFIRMbss
24 | posted on 01/02/2006 8:18:56 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: wireplay
I don't code, but I see lots of parallels to confirm the truth in that.
Humans (we) are monkeys with typewriters. If you want something broke or exploited, release it to the masses. As sure as God made little green apples, it is going to break.
I don't necessarily hold it against MS or Apple when they release an OS update and something doesn't work. That happens. I hold it against them when they don't fix it ASAP when it is discovered.
I am much more critical of software companies...they have a more focused approach, and testing can be much more rigorous. Their products should be cleaner and more functional on first releases, IMHO.
25 | posted on 01/02/2006 8:24:20 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: backhoe
I agree; this is a great place for computer advice.
Here is an example of someone complaining about using FR for computer help.
26 | posted on 01/02/2006 8:37:27 AM PST by Born Conservative (Chronic Positivity: http://www.livejournal.com/users/jsher/)
To: Born Conservative
I actually got more answers, faster, here than on VirtualDr a couple of years ago- we have around 233,000 members now, but even then, with so many different people, professions, hobbies, etc., you can get just about any question answered, or get pointed in the right direction.
27 | posted on 01/02/2006 8:43:35 AM PST by backhoe (-30-)
To: wvobiwan
> Don't you love MS development strategy? "Get it to market first, then finish programming."

I suspect it's worse than that. Probably something more like "Start coding, we'll design it later."
28 | posted on 01/02/2006 10:31:02 AM PST by El Gato (The Second Amendment is the Reset Button of the U.S. Constitution)
29 | posted on 01/02/2006 11:35:58 AM PST by csvset
To: rlmorel
You don't necessarily know what the issue is when a problem is discovered. I once spent 2 days tracking down a misplaced semicolon. You can bet the MS coders are poring through it, but even when you find it, you have to assess the impact on the other code for a fix. People act as if there is a behemoth behind all of this, but my guess is that the load falls on a small number of coders to get it isolated and corrected.
Microsoft tests their code base on more than 10,000 software configurations and probably has a better QA department than any other software firm. That said, things get through. QA tests are only as good as who made the tests, and they don't predict real-world use.
Imagine a machine where there are 200 million moving parts. You can work your tail off to isolate all possible failures, but it is a bitch to get it 100% correct. Sure, we all want more stable software products, but get into the code side and see how complex these things are. You have to realize that software is THE most complex thing ever created by human beings, and we are certainly not perfect.
Personally, I am surprised that Windows and its programs work as well as they do. I give Microsoft credit for making the best software available...period.
30 | posted on 01/02/2006 4:33:29 PM PST by wireplay
To: wireplay
I kind of give them credit for that as well. To put out releases that don't break hardware and software is a real feat.
31 | posted on 01/02/2006 6:18:24 PM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: rlmorel
I saw their next O/S (Vista) in alpha mode running a 1985ish program at the last TechEd. They really strive to make things work in today's world but not break what runs yesteryear. That takes feats of programming. As a coder, I respect that level of effort.
32 | posted on 01/02/2006 6:24:31 PM PST by wireplay
To: rlmorel
> This struck me as kind of a stupid thing to say. As if the people who distribute these damned things give a crap about whether it is going to deleteriously impact their victims!

Dude, the people who PUBLISHED the "new and improved" version are supposed to be on OUR side. Or at least they CLAIM to be.
I have to agree with the author. What a bonehead move on somebody's part.
33 | posted on 01/02/2006 8:22:40 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: Born Conservative
Yeah - but al baby put him in his place...
34 | posted on 01/02/2006 8:25:10 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: wireplay
> I once spent 2 days tracking down a misplaced semicolon.

Ain't it the truth?
What's worse is when you read the code, and your MIND sticks the semicolon in there...
That's usually another several hours, depending on how computer-melted your brain is by that time.
35 | posted on 01/02/2006 8:29:36 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: KeyWest
> In essence, if you are using MSIE you are particularly vulnerable.

(C) 1998. All Rights Reserved.
To: wireplay
> Imagine a machine where there are 200 million moving parts.

If you have a machine with 200 million moving parts, the engineers aren't just addressing the problem. The engineers are the problem.

> Personally, I am surprised that Windows and its programs work as well as they do. I give Microsoft credit for making the best software available...period.

Except for all the others.
To: KeyWest
I don't seem to see anything telling what the symptoms are.
38 | posted on 01/02/2006 8:38:07 PM PST by BlessedBeGod (Benedict XVI = Terminator IV)
To: KeyWest
I am so amazed that it works as well as it does, that I don't have any complaint if it messes up a little. We are in the beginning of understanding a technology that will ultimately prove itself smarter than all of us.
39 | posted on 01/02/2006 8:40:17 PM PST by Bonafide (Everything is Simple When You Understand It!)
To: BlessedBeGod
> I don't seem to see anything telling what the symptoms are.

It's not a virus, it's an exploit. A means of gaining access to your computer. A malicious person can do *anything* he wants using this exploit.
It looks pretty serious. I would suggest at the very least performing the Microsoft workaround mentioned on the various sites linked here.
Otherwise, I would suggest you not continue reading FR, since any hack DU clown could post a malicious image in a thread here and you are done.
As I understand it, anyway.
To: BlessedBeGod
41 | posted on 01/02/2006 9:09:24 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: Royal Wulff
I have my Firefox configured to load images for the originating website only [two checked boxes in FF Tools].
Dulls the entire FR experience, but Safety Pup says...
42 | posted on 01/02/2006 9:11:39 PM PST by an amused spectator (Bush Runner! The Donkey is after you! Bush Runner! When he catches you, you're through!)
To: an amused spectator
I was referring to the comment in the article about the "irresponsibility" of the person(s) who wrote the virus and released it into the wild on a holiday weekend. The people writing the fix, or those of us who may have to get this fixed, know that referring to people who write viruses as irresponsible is just plain wrong. Irresponsible indicates a capacity for responsibility, and those people are defined simply by the lack of it.
43 | posted on 01/03/2006 2:03:43 AM PST by rlmorel ("Innocence seldom utters outraged shrieks. Guilt does." Whittaker Chambers)
To: Royal Wulff
44 | posted on 01/03/2006 3:23:05 AM PST by BlessedBeGod (Benedict XVI = Terminator IV)
To: an amused spectator
Thanks for your help! I deregistered the .dll and increased my internet security in IE to high.
45 | posted on 01/03/2006 3:24:09 AM PST by BlessedBeGod (Benedict XVI = Terminator IV)
To: Royal Wulff
> It's not a virus it's an exploit. A means of gaining access to your computer. A malicious person can do *anything* he wants using this exploit.

If I may venture an analogy, it's like discovering that you can't lock your doors. The point isn't to dust for prints or inventory what's missing; it's to tighten up before someone strolls in.
To: KeyWest
As mentioned before, this is an exploit and not a virus. It is a backdoor way into your computer. WMF (Windows meta files) are pictures that can execute programs. This is similar to the problem of Windows Word DOC files that can execute macros or Outlook email messages that can execute scripts.
A malicious person can do all sorts of nasty things to your PC like formatting your C drive or simply using it to distribute child pornography via "zombie" bots. Most of those denial of service attacks on Google and Amazon come from compromised PCs. An enterprising individual can compromise and gain control of thousands of PCs. Imagine what you could do with a thousand PCs under your remote control.
You can access a WMF file via your browser or via an email message. There was a report of a contamination on a "trusted" website, so there is a significant risk.
Steve Gibson's website www.grc.com has a lot on exploits including this one.
47 | posted on 01/03/2006 7:45:23 PM PST by IpaqMan
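What "pictures that can execute programs" means at the byte level, as an added example that is not from this thread, from SANS or from Microsoft: the WMF format is a list of GDI drawing records, and one record type, META_ESCAPE (function 0x0626) with escape sub-function SETABORTPROC (0x0009), asks GDI to register a callback; in a picture there is no legitimate reason for that record to exist, so a scanner can flag any file that carries it. The layout used here (optional 22-byte placeable header with magic 0x9AC6CDD7, an 18-byte META_HEADER, records whose Size field counts 16-bit words) follows the published WMF format. The sample files are constructed inline with inert filler bytes in place of any payload; `scan_wmf`, `iter_records` and `build_sample` are names chosen for this example, not tools from the thread.

```python
import struct
import sys

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B     # harmless record, used only in the constructed samples
META_ESCAPE = 0x0626           # GDI Escape record
SETABORTPROC = 0x0009          # escape sub-function abused by the WMF exploit


def iter_records(data: bytes):
    """Yield (offset, function, params) for each record of a WMF byte string.

    On a malformed file this raises ValueError, but only after yielding the
    part of the offending record that is present, so a truncated escape
    record is still seen by the caller (the exploit files were deliberately
    malformed: a failed playback is what makes GDI call the abort procedure).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # META_HEADER: Type, HeaderSize (words), Version, Size (words), NumObjects, MaxRecord, NumMembers
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # Size counts 16-bit words
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:min(end, len(data))]
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def scan_wmf(data: bytes) -> dict:
    """Flag META_ESCAPE/SETABORTPROC records; a picture never needs one."""
    result = {"records": 0, "setabortproc": [], "malformed": None}
    try:
        for off, func, params in iter_records(data):
            result["records"] += 1
            if func == META_ESCAPE and len(params) >= 4:
                esc_func, byte_count = struct.unpack_from("<HH", params, 0)
                if esc_func == SETABORTPROC:
                    result["setabortproc"].append((off, byte_count))
    except ValueError as exc:
        result["malformed"] = str(exc)
    result["suspicious"] = bool(result["setabortproc"])
    return result


def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0          # record sizes are in words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc: bool, placeable: bool = False) -> bytes:
    """Constructed test input (not a real exploit file): the escape record's
    payload is inert filler; only the record structure matches the attack."""
    body = _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))
    if with_abortproc:
        filler = b"B" * 16
        body += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(filler)) + filler)
    body += _record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    wmf = header + body
    if placeable:
        # Key, HWmf, BoundingBox (4 x int16), Inch, Reserved, Checksum
        wmf = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + wmf
    return wmf


if __name__ == "__main__":
    inputs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "benign": build_sample(False),
        "abortproc": build_sample(True),
        "abortproc-truncated": build_sample(True)[:40],
    }
    for name, blob in inputs.items():
        print(name, scan_wmf(blob))
```

Run it with file paths to scan real files, or with no arguments to see the three constructed samples. Any SETABORTPROC hit is a quarantine signal on its own, whatever the file is named: SetAbortProc is a printing-job escape, and the only thing it can do inside an image is hand GDI a function pointer into attacker-controlled data. The scanner deliberately keeps reporting after it hits a malformed record, because a truncated or broken tail was part of the attack, not an accident to be skipped.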
To: BlessedBeGod
As mentioned on another site, a malicious program may be able to re-register that DLL or even a normal application may re-register that DLL in regular activities. There is a lot of criticism of that "workaround".
BTW, changing IE's security higher will not stop this exploit. Turning off the viewing of images will stop it temporarily.
48 | posted on 01/03/2006 7:49:06 PM PST by IpaqMan
To: IpaqMan
Thanks for the additional info. This is scary.
49 | posted on 01/03/2006 9:20:11 PM PST by BlessedBeGod (Benedict XVI = Terminator IV)
To: IpaqMan
People think that the most horrible thing about being hacked is that a hijacker could format their hard drive or make their current system unstable. That is probably the best case scenario.
The worst case would be that they hacked a person's system and stayed hidden for well over a year.
My hacker stayed hidden and stole a wealth of information from me, my family and everyone that used my computer; like the social security numbers and address information from me and others. I had programs that were from 01, 02, and 03 that did not need to be added but I added them anyway because of my new computer and for the reason that, sometimes, programs would not work correctly if they did not have the previous programs to build on. These programs were not used by me after the new install, but a hacker had changed a blue and red background to an icky gray and yellow (with a strange smiley face), and someone added my most personal information that I thought nobody knew to those never-used programs.
My opinion is that some people are having problems with the workaround because their system has already been compromised by the newest exploit or most likely a previous one.
I found out in January 05 that I had been hacked and my hacker had been with me for well over a year.
Perhaps the hacker is able to "workaround" because they are able to edit the Windows Registry. My hacker was sophisticated enough to disable Microsoft's system pack 2 (installed on a fresh format), Zone Alarm Pro, Norton Internet Security, Spyware Doctor, a SOHO Firebox (external firewall) and the Linksys router.
The hacker was able to make registry changes to all of those software programs so that it looked like they were working, but the machine was basically told to ignore all threats. The 2nd Edition updates were basically written to interpret the same thing; it was installed on my machine and I could go to the Security Center, but could not make any changes, and if I clicked on Start, right-clicked on My Computer, went to Properties and then General information, it would show that I was running Service Pack 1. If my security software (Zone Alarm, Norton, Spyware Doctor) were to find a virus/infection, they were told to run once and ignore, and if I were to apply updates, they were told to ignore those as well.
My lesson out of all of this was that if you were having problems with Windows and added a program to help get rid of a virus/infection, you could be at risk!
(1) Run in safe mode and find out how many (administrator) accounts there are and make sure all of them are for you. If you cannot get into an administrator account, you may have a problem; treat it as such.
(2) If you are on a router (Linksys for me), go and change the password. Be especially aware of the address bar after you change the password and push the submit button: if you can see the administrative name and password you just typed in the address bar (mine went to a mozilla account), you have a hacker and a grave threat.
(3) If you have Microsoft Home Edition, you have full or no powers (not good, because you can only run programs if you are an administrator), and if you have Microsoft Pro and have no idea how to use it you are at an even graver imposition. Do not misunderstand me here, I believe that Microsoft Pro would be the best choice, but you better know how to use it or the hackers will use it against you. I do not have a choice and must use Windows for my programs, and am installing Pro on 2 other computers (previously Home Edition), as there are more powers and it is better for security matters if I update to Pro for my computers that were running Home before.
With Pro, you can make Power Users, which have more power than Limited Users and can actually do a lot of work; if you have ever tried a Limited User account then you know what I mean. Home Edition users do not have any choices other than Limited and Administrator account privileges.
I want to give you a place to go. It is really for people running XP Pro, but will be a little bit helpful for people using Home Edition. It is LabMice. This is not my site, nor am I connected with it in any way. It works on basic security principles and was information that has proved helpful for me.
50 | posted on 01/04/2006 12:20:51 AM PST by GeorgiaBushie (Undocumented freeper//)