Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-02 InfoSec Handlers Diary Blog


VMWare Browser

Published: 2006-01-02
Last Updated: 2006-01-07 13:21:13 UTC
by Marcus Sachs (Version: 2)
In all of the confusion over the .wmf issue comes a bit of hope from one of our favorite vendors.  VMWare has a Browser Appliance virtual machine available for free download.  It's a BIG file (258Mb zipped) so be sure you have plenty of time for downloading.  The appliance can be run in either VMWare Workstation or the free VMWare Player and provides you with a safer environment for web surfing.  Thanks to John Holmblad for pointing this out to us.

(Be sure that you are running the latest version of VMWare Workstation, since there was a security issue disclosed several days ago.  Also, note that the VMWare Player installation process asks if you want to install the Google desktop search application, which should remind you of yet another vector for the .wmf vulnerability to manifest itself.)

UPDATE - two more sandbox approaches to browsing were sent to us.  Morland Halliday said to check out, and Derrill Guilbert pointed us to  Thanks to both of you!


Overview of the WMF related articles at the ISC

Published: 2006-01-02
Last Updated: 2006-01-03 16:28:03 UTC
by Tom Liston (Version: 6)
Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.

The first story on the WMF vulnerability and the initial exploit

The update explaining why we went to yellow the first time around

The story pointing to the Microsoft bulletin

The availability of the first snort sigs

The going back to green article

More WMF signatures

Lotus notes affected

The bandaid post: deregistering not reliable, extension filtering not enough

The free phone number for Microsoft support

Indexing and WMF

Musings on how to protect organisations beyond the trivial

An IM worm found using the WMF stuff

The second exploit, back to yellow, new signatures and an unofficial patch


2nd generation exploit use in spam

Trustworthy computing

Recommended block list

Status of the anti-virus detection after one day

Updated version of Ilfak Guilfanov's patch

More .wmf woes

Installing a Patch Silently

.wmf FAQ Translations

Checking for .wmf Vulnerabilities

MS to Release Update on Jan 10

.MSI installer file for WMF flaw available

Swa Frantzen


Scripting the Unofficial .wmf Patch

Published: 2006-01-02
Last Updated: 2006-01-03 16:06:03 UTC
by Marcus Sachs (Version: 1)
Brent Hughes sent us a script that he used today to push the unofficial .wmf patch across his enterprise.  Here is what he sent us, and I suspect that it will work nicely with the updated patch from Ilfak.  Note that our html editor sometimes eats backslashes, apologies if that happens below.

I put the patches in netlogon to help distribute the load a bit across the domain controllers.  Here's just the relevant section of my script (in vbscript).  It assumes the patch always installs in c:\program files.  If program files is somewhere else you might have to find it [i.e. progdir = objShell.ExpandEnvironmentStrings("%programfiles%")].

' Trailing backslash so the filename can be appended directly below
Const HOTFIXDIR = "%home%\netlogon\patches\"

' WScript.Shell provides Popup and Run; the object name was lost in editing
Set objShell = CreateObject("WScript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")

' The installer leaves wmfhotfix.cpp behind, so its presence marks an already-patched machine
If NOT oFSO.FileExists("c:\program files\Windows\MetafileFix\wmfhotfix.cpp") Then
    objShell.Popup "Installing WMF unofficial patch", 5
    ' Unregister the vulnerable picture viewer, then run Ilfak's installer unattended
    objShell.Run "%windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll"
    objShell.Run HOTFIXDIR & "wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES"
End If

You could batch file it too (though I've never tried this in group

@echo off
rem Skip everything if the marker file left by the installer is already present
if exist "c:\program files\windows\metafilefix\wmfhotfix.cpp" goto end
    %windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll
    %home%\netlogon\patches\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
:end

Put one of those in a group policy under shutdown scripts and it should patch on reboot.  I'm still working on the best way to script rebooting the network, but I'll send that too when I've got it.


.wmf FAQ Translations

Published: 2006-01-03
Last Updated: 2006-01-04 20:36:34 UTC
by Marcus Sachs (Version: 4)
Thanks to the work of several of our handlers and readers, we've got a nice set of FAQs in multiple languages:

Deutsch and Deutsch (pdf)
Italiana and Italiana
Portugues - Br

More coming as they are submitted to us.


Installing a Patch Silently

Published: 2006-01-02
Last Updated: 2006-01-03 02:53:29 UTC
by Marcus Sachs (Version: 2)
For those who are manually patching systems using Ilfak Guilfanov's unofficial patch, handler Tom Liston says that you can install it in an unattended mode by using this incantation:


More details are here.  This version looks like it will work well with startup scripts in the Active Directory.  Previous versions were a bit noisy and would create annoying error messages to users that might not understand what they were seeing.

A reminder:  be sure to test the patch above before deploying it across an enterprise.  While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed.


Checking for .wmf Vulnerabilities

Published: 2006-01-02
Last Updated: 2006-01-03 02:44:21 UTC
by Marcus Sachs (Version: 1)
As far as we know there are no tools available yet for remote scanning and detection of systems vulnerable to the .wmf issue.  Ilfak Guilfanov has a testing tool available on his website, and he cautions users that it only checks for one version of the exploit so it might not detect new variations. 

If you want to experiment with another file submitted to us by Kevin Gennuso (thanks, Kevin) you can download it here.  The file will open calc.exe and kill explorer.exe on vulnerable systems but otherwise causes no damage as far as we can tell.  As always, test this file before using it on a production or enterprise computer.  This file is useful for seeing if Ilfak's patch worked for your system.

Reik Bohne sent us a link to a test on  It's in German but essentially what it does is provide you with a way to check your browser and your email client to see if you are vulnerable.  Like the file above, it starts calc.exe on an unpatched system.


More .wmf Woes

Published: 2006-01-02
Last Updated: 2006-01-02 18:01:15 UTC
by Marcus Sachs (Version: 1)
The WMF issue continues to spin.  Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.


While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view.  If only the bad guys had the tools then the good guys would be left guessing on how this stuff works.  This reminds me of how bad we felt in the early 1990s when SATAN was released.  We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws.  Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems.  So, if you haven't looked at the Metasploit project then today might be the day you should.  Think of it as a defender's best friend rather than an evil hacking tool.
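The defender's answer to "padding tricks defeat signature matching" is to parse the file structurally instead of pattern-matching bytes. The following Python is an added example, not code from the diary, from Metasploit or from any of the people quoted above; it walks a WMF file record by record using each record's own length field and reports any Escape record, rating the SETABORTPROC escape (subfunction 9, the record the public exploits for this flaw rely on) as high. The record layout and function codes come from the public WMF specification; the three sample files are constructed inline and contain no payload. It also fits the "Checking for .wmf Vulnerabilities" entry above as a way to triage a test file before running it on a machine.

```python
import struct

# Constants from the public Windows Metafile (WMF) specification
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header that may precede the real one
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009      # the escape subfunction the public WMF exploits rely on
ESC_MFCOMMENT = 0x000F         # a harmless escape, used here only as a contrasting sample


def wmf_records(data):
    """Walk the record chain and return (offset, function, params) tuples.

    Each record is located from the length field of the record before it, so
    the walk follows the file's declared structure rather than byte patterns.
    """
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    hdr_type, hdr_words = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("bad record size at offset %d" % off)
        end = off + size_words * 2
        records.append((off, func, data[off + 6:end]))
        if func == META_EOF:
            break
        off = end
    return records


def assess(data):
    """Return (offset, severity, note) for every Escape record in the file."""
    findings = []
    for off, func, params in wmf_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_func == ESC_SETABORTPROC:
            findings.append((off, "high", "Escape/SETABORTPROC record carrying %d bytes" % byte_count))
        else:
            findings.append((off, "inspect", "Escape record, subfunction 0x%04X" % esc_func))
    return findings


# --- constructed sample files (not real captures) ---------------------------

def _rec(func, params=b""):
    body = struct.pack("<H", func) + params
    body += b"\0" * (len(body) % 2)          # records are word-aligned
    return struct.pack("<I", (len(body) + 4) // 2) + body


def _wmf(records, placeable=False):
    body = b"".join(records)
    max_rec = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", head):
            checksum ^= w                     # XOR of the first ten words, per the spec
        header = head + struct.pack("<H", checksum) + header
    return header + body


BENIGN_WMF = _wmf([_rec(META_SETBKCOLOR, b"\0\0\0\0"), _rec(META_EOF)], placeable=True)
COMMENT_WMF = _wmf([_rec(META_ESCAPE, struct.pack("<HH", ESC_MFCOMMENT, 2) + b"hi"), _rec(META_EOF)])
SUSPECT_WMF = _wmf([_rec(META_SETBKCOLOR, b"\0\0\0\0"),
                    _rec(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\0" * 4),
                    _rec(META_EOF)])

if __name__ == "__main__":
    for name, blob in ("benign", BENIGN_WMF), ("comment", COMMENT_WMF), ("suspect", SUSPECT_WMF):
        print(name, assess(blob) or "no escape records")
```

Run it against a file with `assess(open(path, "rb").read())`. The gzip part of Moore's note is outside this check: a gateway has to decode the transfer encoding first, which is one more reason the walk belongs on the decoded bytes at the client or proxy rather than in a raw-stream signature.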
