Just getting back into the swing of things and reading all I can about the WMF vulnerability and exploits. I’ve summarized everything (I think) we know so far, if I’m missing anything please drop me a note (paul /at/ pauldotcom.com):
Update – 01/06/2006 – Added the official patch section, corrected the IDS statements, added the “other unofficial” patch info (use with extreme caution).
The Vulnerability

  • Systems running most versions of Windows are vulnerable (Windows 95/98/ME/XP, XP-64, 2000, 2003)
  • Researchers have been testing older versions of Windows, more information here
  • Any application that displays, renders, or indexes a WMF file can be an attack vector
  • Repeat, applications such as Google desktop that index files are a valid attack vector
  • WMF files are images, so any way that a graphics file can get on your system is a potential threat (email, web, P2P, IM, etc..)
  • Windows DEP (Data Execution Prevention) does nothing to stop the exploit from running on most systems, even when set to cover all programs
  • If you run Windows 95/98/ME you are vulnerable, no fixes, no patches, no workarounds
  • You can call Microsoft and try to get help at 1-866-PC-SAFETY

The Exploit

  • Metasploit has included exploits in the framework
  • People criticized them for this. Some people just don’t get it, releasing the exploit is important for us to understand how it works
  • FrSirt has published two exploits. You can find them here and here
  • A worm that uses MSN Messenger has been reported in the wild

The Remediation

  • Unregistering SHIMGVW.DLL does little to prevent exploitation, and can easily be re-registered by attackers
  • Unregistering the SHIMGVW.DLL also breaks thumbnails in explorer and other similar functionality
  • IDS/IPS signatures that rely on payload do little to detect the WMF vulnerability
  • Accurate Snort Sigs from Bleeding Snort that detect the WMFHEADER and Escape() function can be found here
  • The Snort sigs will not detect attacks that are gzipped and have some known false positives
  • Filtering by extension does not protect you because a Windows processes WMF files by embedded flags, not just by extension
  • Virus checkers offer some protection, but it is naive to assume that they will be able to keep up with all the different malware variants (74 known at last count)

The Unofficial Patch

The Official Patch



About the author

Paul Asadoorian is the Founder & CEO of Security Weekly, where the flagship show recently re-titled "Paul's Security Weekly" has been airing for over 8 years. By day he is the Product Evangelist for Tenable Network Security. Paul produces and hosts the various shows here at Security Weekly, all dedicated to providing the latest security news, interviews with the industries finest and technical how-to segments. Paul is also the founder and host of "The Stogie Geeks Show", featuring cigar reviews for cigar enthusiasts.