Zero-Day Flaw



A new vulnerability was discovered last week in the way the graphics rendering engine in a variety of Windows operating systems processes WMF metafiles. The flaw was discovered the same day that the exploit was let loose on the public, leaving anti-virus vendors completely in the dark. Microsoft, like everyone else, was shocked and found itself desperately scrambling to produce a fix, which it still does not have.

WMF metafiles are 116-bit image files that can contain both bitmap and vector information about the image. The Zero-Day exploit focuses on the way Windows operating systems process these images, which can potentially allow specially crafted WMF files to write arbitrary code to the system. This is different from most conventional viruses, which tend to use buffer overflow techniques to write code to your PC. Most anti-virus vendors can easily test and quickly create detection signatures for their products and stop these infection methods. With the Zero-Day flaw, however, the behavior is written into the operating system, which is doing what it’s supposed to do, and that creates huge obstacles for anti-virus vendors trying to thwart potential attacks.
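For defenders who want to know where metafiles are sitting on a mail server or file share, the sketch below identifies WMF data by its header bytes rather than by file name. It is an added example, not part of the original tip or of any vendor's tool; the header layout follows the published WMF format, and the function names and sample files are made up for illustration.

```python
import struct
from functools import reduce

PLACEABLE_KEY = 0x9AC6CDD7               # magic of the optional 22-byte placeable header
META_HEADER = struct.Struct("<HHHIHIH")  # 18-byte standard header, little-endian

def xor_words(buf: bytes) -> int:
    """XOR of the ten 16-bit words in a 20-byte buffer (placeable checksum)."""
    return reduce(lambda a, b: a ^ b, struct.unpack("<10H", buf))

def sniff_wmf(data: bytes) -> dict:
    """Classify a byte string by content; the file name is never consulted."""
    result = {"is_wmf": False, "placeable": False, "checksum_ok": None}
    offset = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        stored = struct.unpack_from("<H", data, 20)[0]
        result["checksum_ok"] = xor_words(data[:20]) == stored
        offset = 22
    if len(data) < offset + META_HEADER.size:
        return result
    ftype, header_words, version, *_ = META_HEADER.unpack_from(data, offset)
    # Only the fixed fields are checked. Size and record counts are left alone on
    # purpose: a malformed file should still be reported as a metafile.
    result["is_wmf"] = (ftype in (1, 2) and header_words == 9
                        and version in (0x0100, 0x0300))
    return result

def find_mislabeled(files: dict) -> list:
    """Names whose content is a metafile although the extension is not .wmf."""
    return sorted(name for name, data in files.items()
                  if sniff_wmf(data)["is_wmf"] and not name.lower().endswith(".wmf"))

def build_sample(placeable: bool) -> bytes:
    """Constructed minimal metafile: standard header plus one end-of-file record."""
    body = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    return head + struct.pack("<H", xor_words(head)) + body

# Constructed sample inputs; names and contents are made up for this example.
SAMPLES = {
    "logo.wmf": build_sample(placeable=True),
    "holiday.jpg": build_sample(placeable=False),
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sniff_wmf(data))
    print("content/extension mismatch:", find_mislabeled(SAMPLES))
```

A metafile without the placeable header has only a weak signature, so a hit from this check is a reason to look at the file, not a verdict on it.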

To become infected, all one has to do is view one of these “specially crafted WMF images.” That’s it, and there is no fix. No wonder McAfee anti-virus reported that 6 percent of their users are estimated to be infected, and when you think of the number of their customers, that’s pretty serious. This exploit moves fast, and with no real fix in the immediate future, many reputable security entities have categorized this threat as severe or critical.

There seem to be a lot of “home remedies” popping up out there that claim they can protect your system from this threat, but most of them simply mitigate the risk, which still leaves a chance of being exploited.

All is not completely lost, however, even though Microsoft offers little more than some fundamentally good advice. There are other security companies with better protection methods that, together, can drastically lower your chances of being attacked.

Below is a list of some of the procedures that you can use to effectively protect yourself against this attack:

1. First and foremost, stay away from Web sites that you're not sure of. Stick with visiting only reputable sites, and remember that all it takes to become exploited is viewing one of these treacherous images.
2. The same goes for e-mails. Avoid viewing images or linking out to the Web from an e-mail sent from an unknown source. Viewing e-mail in plain text can reduce your risk of being exploited, but you still should not select any e-mail links.
3. Although switching browsers has a minimal effect on stopping these images, Firefox offers more protection. Internet Explorer immediately opens these files, triggering the flaw, whereas newer versions of Firefox will prompt you before opening, in turn offering some support.
4. Of course, keep up with your anti-virus software and make sure your firewall is up and doing its job.


The next two methods are a little more extreme but are perfectly safe. Make sure, however, that you turn off all background running programs on the PC before installing the hot fix.

5. You can always stop the .dll files that are related to the WMF files. This will only lower your chances of becoming affected. You should use this along with step 7 to protect yourself. To install this, follow the directions below:


- Click Start
- Click Run
- Type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks)
- Click OK
- Confirm the process completion by selecting OK and that’s it

(Note: If you want to re-register the DLL, follow the same procedure as above except with no "-u", so it should look like this: "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks))


6. There is also an “unofficial patch” or “Hot Fix” created by Ilfak Guilfanov and tested by Tom Liston of SANS (a security vendor) that, together with the .dll blocking method, is currently the best defense against the flaw. Basically, what this patch does is block the WMF files while still allowing you to view images on the Web. You can download the file from the link below, and remember when installing, please disable all background running programs including anti-virus and other security software. This download is only supported by Windows 2000 and XP (Pro, Home Service Pack 1&2).


At the moment, this is the best we can do. Microsoft will eventually come out with a patch for Windows 2000 and above, and when it does you should uninstall this hotfix. It will be in the Add/Remove list in the Control Panel under the name Windows WMF Vulnerability Hot Fix. When the patch becomes available, I will post it in a newsletter. Until then, stay safe out there.

~Chad Stelnicki

Link for the "unofficial patch"
http://handlers.sans.org/tliston/wmffix_hexblog14.exe

