WMF (Windows meta file) exploit

The SANS Institute ^ | January 2, 2005 | Various

[KeyWest]

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

[an amused spectator]

Potential new unpatched IE exploit ? ~ Yes...may affect other Browsers also...

Some screen shots here on this FR post.

[an amused spectator]

I have my Firefox configured to load images for the originating website only [two checked boxes in FF Tools].

Dulls the entire FR experience, but Safety Pup says...

[rlmorel]

I was referring to the comment in the article about the "irresponsibility" of the person(s) who wrote the virus and released it into the wild on a holiday weekend. The people writing the fix, or those of us who may have to get this fixed know that referring to people who write viruses as irresponsible is just plain wrong. Irresponsible indicates a capacity for responsibilty, and those people are defined simply by the lack of it.

[BlessedBeGod]

Thanks for your help!

[BlessedBeGod]

Thanks for your help! I deregistered the .dll and increased my internet security in IE to high.

[ReignOfError]

It's not a virus it's an exploit. A means of gaining access to your computer. A malicious person can do *anything* he wants using this exploit.

If I may venture an analogy, it's like discovering that you can't lock your doors. The point isn't to dust for prints or inventory what's missing; it's to tighten up before someone strolls in.

[IpaqMan]

As mentioned before, this is an exploit and not a virus. It is a backdoor way into your computer. WMF (windows meta files) are pictures that can execute programs. This is similar to the problem of Windows Word DOC files that can execute macros or Outlook email messages that can execute scripts.

A malicious person can do all sorts of nasty things to your PC like formatting your C drive or simply using it to distribute child pornography via "zombie" bots. Most of those denial of service attacks on Google and Amazon come from compromised PCs. An enterprising individual can compromise and gain control of thousands of PCs. Imagine what you could do with a thousand PCs under your remote control.

You can access a WMF file via your browser or via an email message. There was a report of a contamination on a "trusted" website, so there is a significant risk.

Steve Gibson's website www.grc.com has a lot on exploits including this one.

[IpaqMan]

As mentioned on another site, a malicious program may be able to re-register that DLL or even a normal application may re-register that DLL in regular activities. There is a lot of criticism of that "workaround".

BTW, changing IE's security higher will not stop this exploit. Turning off the viewing of images will stop it temporarily.

[BlessedBeGod]

Thanks for the additional info. This is scary.

[GeorgiaBushie]

People think that the most horrible thing about being hacked is that a Hijacker could format their harddrive or make their current system unstable. That is probably the best case scenario.

The worst case would be that they hacked a person's system and stayed hidden for well over a year.

My hacker stayed hidden and stole a wealth of information from me ,my family and everyone that used my computer; like the social security numbers and address information from me and others. I had programs that were from 01, 02, and 03 that did not need to be added but I added them anyway because of my new computer and for the reason that, sometimes, programs would not work correctly, if they did not have the previous programs to build on. These programs were not used by me after the new install, but a hacker had changed a blue and red background to a icky gray and yellow( with a strange smiley face and someone added my most personal information that I thought nobody knew to those never used programs).

My opinion is that some people are having problems with the workaround because their system has already been compromised by the newest exploit or most likely a previous one.

I found out in January 05 that I had been hacked and my hacker had been with me for well over a year.

Perhaps the hacker is able to "workaround" because they are able to edit the Windows Registry. My hacker was sophisticated enough to disable Microsoft's system pack 2 (installed on a fresh format)Zone Alarm Pro, Norton Internet Security, Spyware doctor, a SOHO fire box (exernal firewall) and the Linksys router.

The hacker was able to make registry changes to all of those software programs so that it looked like they were working but the machine was basically told to ignore all threats. The 2nd Edition updates were basically written to interpret the same thing, it was installed on my machine and I could go to the security center, but could not make any changes and if I clicked on start/right-click on my computer and properties and went to general information, it would show that I was running service pack 1. If my security software (Zone Alarm, Norton, SpywareDR were to find a virus/infection, they were told to run once and ignore and if I were to apply updates, they were told to ignore those as well.

My lesson out of all of this was that if you were having problems with windows and added a program to help get rid of a virus/infection, you could be at risk!

(1)Run in safe mode and find out how many accounts(administrator) there are and make sure all of them are for you. If you cannot get into an administrator account, you may have a problem and treat it as such.

(2) If you are on a router (Linksys for me) go and change the password, be especially aware of the address bar after you change the password and push the submit button (if you can see your administrative name and password you just typed on the address bar(mine went to a mozilla account), you have a hacker and a grave threat.

(3) If you have Microsoft home edition, you have full or no powers ( not good because you can only run programs if you are an administrator and if you have Microsoft Pro and have no idea how to use it you are at an even graver imposition. Do not misunderstand me here, I believe that Microsoft Pro would be the best choice, but you better know how to use it or the hackers will use it against you. I do not have a choice and must use windows for my programs and am installing Pro on 2 other computers (previously home edition, as there are more powers and it is better for security matters if I update to Pro for my computers that were running home before.


With Pro, you can make power users, which have more power than limited-users and can actually do a lot of work, if you have ever tried a limited user account then you know what I mean; and home edition users do not have any choices other than limited and administrative account privileges.

I want to give you a place to go, it is really for people running XP Pro, but will be a little bit helpful for people using Home Edition it is LabMice This is not my site, nor am I connected with it in any way. It works on basic security principles and was information that has proved helpful for me.