SANS ISC: InfoSec Handlers Diary Blog

Published: 2006-01-07
Last Updated: 2006-01-07 17:16:23 UTC
by Swa Frantzen (Version: 5)
This version has been updated to reflect the release of the official patch by Microsoft. Take care with the translations as they might very well not be up to date.

[a few users offered translations of this FAQ into various languages. Obviously, we can not check the translations for accuracy, nor can we update them. Most of these translations are hosted on servers operated by the translation authors. So use at your own risk: Deutsch and Deutsch (pdf), Catalan, Español, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands ]

To assist with internal presentations about this issue, we made a slide set available:
PDF, Power Point , OpenOffice 2.0
  • Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. The code executes just by viewing the image; in most cases you don't have to click anything. Even images already stored on your system may trigger the exploit if they are indexed by indexing software. Viewing a directory in Explorer with 'Icon size' images will trigger the exploit as well. Microsoft initially announced that an official patch would not be available before January 10th 2006 (the next regular update cycle), but then released a patch out of cycle, ahead of that date.
  • Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.
  • What versions of Windows are affected?
Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade.
  • What can I do to protect myself? 
Due to the exceptional conditions we did, for a while, endorse an unofficial patch, but we are now recommending that you install the official Microsoft-supported patch ASAP.

The unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is no longer available from us (the last version was 1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with the ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
We also passed on Microsoft's suggested mitigation of unregistering another DLL (shimgvw.dll, see below); now that an official patch is available there is no longer any need for that.
  • How do I re-register the DLL and remove the patch?
Important: You need to REBOOT the system before re-enabling the DLL. Malicious WMF images may still be sitting in memory waiting to be displayed. Our testing has shown that they will be executed as soon as the DLL is re-enabled.

To re-register the DLL, click Start, click Run, and type
    regsvr32 %windir%\system32\shimgvw.dll
This is the same command you used to unregister the DLL, without the -u switch.

To remove the patch, open the Control Panel, open the "Add/Remove Programs" icon, find the patch in the list and uninstall it.

To uninstall the patch from the command line (vs. using the Control Panel), enter this command:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

  • How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch we distributed was carefully checked against the source code provided as well as tested against all known versions of the exploit. It would work on WinXP (SP1 and SP2) and Win2K. The documentation provided by Microsoft shows that the official patch removes from gdi32.dll exactly the same functionality that the unofficial patch prevents from being used.
  • Are there other patches?
ESET, the maker of the antivirus product NOD32, published another patch. We haven't gotten around to checking it as thoroughly as Ilfak's patch, and the official patch release pre-empted possible efforts to do much with it. The ESET patch claimed to work for older versions of Windows (e.g. ME). The ESET patch does not require a reboot. Please refer to the ESET site for any additional questions. Microsoft's official (preliminary) patch was leaked and posted to some web sites. Microsoft recommends against installing that version.
  • Is there a test to see if I am vulnerable?
We created an image that will start the Windows calculator. See http:// / test.wmf. This image should be detected by all up-to-date antivirus scanners, as it uses an easy-to-detect version of the exploit. Your antivirus scanner should detect this image. However, detecting this image is not sufficient to prove that it will detect other versions of the exploit.
  • Would unregistering the DLL (without using the official or unofficial patch) protect me?
It might help, but it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering shimgvw.dll is not always successful. The .dll can be re-registered by malicious processes or other installations, and re-registering the .dll on a running system that has already been exposed to an exploit may allow the exploit to succeed. In addition, there may be other avenues of attack against the Escape() function in gdi32.dll that do not go through shimgvw.dll at all. We strongly recommend installing the official patch.
  • Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably replace it, so you'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to put the DLL back (renaming, rather than deleting, is probably better so it will still be handy).
  • Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed: the files could arrive with any extension, or embedded in Word or other documents.
  • What is DEP (Data Execution Prevention) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits by preventing the execution of 'data segments'. However, to work well it requires hardware support. Some CPUs, like AMD's 64-bit CPUs, provide full DEP protection and will prevent the exploit. You can learn more about DEP, how to enable it and how to check that it is running, here.
  • How good are antivirus products at preventing the exploit?
At this point, we are aware of versions of the exploit that are not detected by all antivirus engines. We hope they will catch up soon, but it will be a hard battle to catch all versions of the exploit. Up-to-date AV systems are necessary but likely not sufficient.
  • How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.
  • Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but it is likely not sufficient. We had at least one widely trusted web site ( which was compromised. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Trusted" sites have been used like this in the past.
  • What is the actual problem with WMF images here?
WMF images are a bit different from most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute code.
  • Should I use something like "dropmyrights" to lower the impact of an exploit?
By all means, yes. Also, do not run as an administrator-level user for everyday work. However, this will only limit the impact of the exploit, not prevent it. Also: web browsing is only one way to trigger the exploit. If the image is left behind on your system and later viewed by an administrator, you may get 'hit'.
  • Are my servers vulnerable?
Maybe... do you allow the uploading of images? Email? Are these images indexed? Do you sometimes use a web browser on the server? In short: if someone can get an image onto your server, and the vulnerable DLL may look at it, your server may very well be vulnerable.
  • What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites? That probably won't go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint that a workstation is infected.
  • Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for details. is providing some continuously improving signatures for Snort users. Recent releases of this exploit take advantage of HTTP compression and randomization of the exploit to evade IDS signatures.
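To make the point of the last three answers concrete (a WMF is recognized by its header and not by its extension, the danger is a record that calls out to a procedure, and byte-pattern signatures are easy to randomize around), here is a structural scanner written for this FAQ edit. It is an added example, not code from the ISC diary, from Ilfak Guilfanov's patch or from any IDS vendor. It assumes the public Windows Metafile record layout (an 18-byte META_HEADER, an optional 22-byte placeable header in front of it, records sized in 16-bit words, META_ESCAPE = 0x0626 carrying an escape function number, SETABORTPROC = 9) and uses constructed byte buffers with zeroed escape data in place of real samples.

```c
/* Structural WMF scanner: walks metafile records and reports META_ESCAPE
 * records that invoke SETABORTPROC. Added example, not code from the ISC
 * diary, Ilfak Guilfanov's patch or any vendor; record layout follows the
 * public Windows Metafile format, and the sample buffers are constructed
 * (their escape data is zero bytes, not a payload). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u  /* Aldus placeable header magic  */
#define META_EOF          0x0000       /* last record of every metafile */
#define META_ESCAPE       0x0626       /* record that reaches Escape()  */
#define SETABORTPROC      0x0009       /* the escape the exploit abuses */

enum wmf_verdict { WMF_OK = 0, WMF_NOT_WMF = -1, WMF_MALFORMED = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Scan buf[0..len). Keys on the header, never on a file extension, and
 * bounds-checks each record before reading it. *hits receives the number of
 * SETABORTPROC escapes seen and is valid even when the walk then fails, so a
 * truncated or mangled file that already carries the escape is still flagged. */
int wmf_scan(const uint8_t *buf, size_t len, int *hits)
{
    size_t off = 0;
    *hits = 0;
    if (len >= 22 && rd32(buf) == WMF_PLACEABLE_KEY)
        off = 22;                                   /* skip placeable header */

    /* META_HEADER (18 bytes): Type(2) HeaderSize(2) Version(2) Size(4)
     * NumObjects(2) MaxRecord(4) NumMembers(2). Type 1 = memory, 2 = disk. */
    if (len - off < 18) return WMF_NOT_WMF;
    {
        uint16_t type = rd16(buf + off), hdr_words = rd16(buf + off + 2);
        uint16_t version = rd16(buf + off + 4);
        if ((type != 1 && type != 2) || hdr_words != 9 ||
            (version != 0x0100 && version != 0x0300))
            return WMF_NOT_WMF;
    }
    off += 18;

    /* Record: RecordSize(4, in 16-bit words, counts itself) Function(2) params. */
    while (off + 6 <= len) {
        uint32_t words = rd32(buf + off);
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2)   /* too small, or past the end */
            return WMF_MALFORMED;
        size_t rec_bytes = (size_t)words * 2;
        if (func == META_EOF) return WMF_OK;
        /* META_ESCAPE params: EscapeFunction(2) ByteCount(2) EscapeData(n). */
        if (func == META_ESCAPE && rec_bytes >= 10 && rd16(buf + off + 6) == SETABORTPROC)
            (*hits)++;
        off += rec_bytes;
    }
    return WMF_MALFORMED;                           /* no META_EOF reached */
}

/* Convenience wrappers: verdict only, and 1 = escape present, 0 = clean, -1 = not a WMF. */
int wmf_verdict(const uint8_t *buf, size_t len) { int h; return wmf_scan(buf, len, &h); }
int wmf_has_setabortproc(const uint8_t *buf, size_t len)
{
    int hits;
    if (wmf_scan(buf, len, &hits) == WMF_NOT_WMF) return -1;
    return hits > 0;
}

/* Constructed samples, not real exploit files. */
const uint8_t SAMPLE_CLEAN[] = {   /* header, META_SETMAPMODE, META_EOF */
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,   0x03,0x00,0x00,0x00, 0x00,0x00 };
const uint8_t SAMPLE_ESCAPE[] = {  /* header, META_ESCAPE/SETABORTPROC, META_EOF */
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00, 0x07,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00 };
const uint8_t SAMPLE_PLACEABLE_TRUNC[] = {  /* placeable header, the escape, no META_EOF */
    0xD7,0xCD,0xC6,0x9A, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x64,0x00, 0x64,0x00, 0x60,0x00,
    0x00,0x00,0x00,0x00, 0x71,0x57,
    0x02,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00, 0x07,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00 };
const uint8_t SAMPLE_GIF[] = {     /* a GIF, i.e. not a metafile at all */
    'G','I','F','8','9','a', 0x10,0x00, 0x10,0x00, 0x80,0x00,0x00, 0x00,0x00,0x00, 0xFF,0xFF,0xFF, 0x3B };

int main(void)
{
    const struct { const char *name; const uint8_t *buf; size_t len; } s[] = {
        { "clean", SAMPLE_CLEAN, sizeof SAMPLE_CLEAN }, { "escape", SAMPLE_ESCAPE, sizeof SAMPLE_ESCAPE },
        { "placeable+trunc", SAMPLE_PLACEABLE_TRUNC, sizeof SAMPLE_PLACEABLE_TRUNC },
        { "gif", SAMPLE_GIF, sizeof SAMPLE_GIF } };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        int hits, v = wmf_scan(s[i].buf, s[i].len, &hits);
        printf("%-16s verdict=%2d setabortproc_records=%d\n", s[i].name, v, hits);
    }
    return 0;
}
```

Because the scanner parses the record structure rather than matching a fixed byte string, reordering records, padding escape data or changing the surrounding bytes does not hide the SETABORTPROC escape from it, which is the kind of check a proxy or mail gateway would want to run on anything whose header says "metafile", whatever its extension. It does nothing about HTTP compression: the content has to be decompressed before it is handed to the scanner.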
  • If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).
  • Does Microsoft have information available?
There was information on the workarounds and impact available from Microsoft at
but Microsoft has in the meantime released an official patch.
  • What does CERT have to say?

.wmf FAQ Translations

Published: 2006-01-03
Last Updated: 2006-01-04 20:36:34 UTC
by Marcus Sachs (Version: 4)
Thanks to the work of several of our handlers and readers, we've got a nice set of FAQs in multiple languages:

Deutsch and Deutsch (pdf)
Italiana and Italiana
Portugues - Br

More coming as they are submitted to us.


WMF: patches and workarounds explained

Published: 2006-01-03
Last Updated: 2006-01-04 10:47:18 UTC
by Swa Frantzen (Version: 1)
We continue to get many questions on the WMF vulnerability, and are trying to explain it a bit more graphically.

Feel free to use the presentations below to explain why you need to use the unofficial patch or how it works on a high level.
To help you answer the "kill" questions:
  • You might not have seen exploits yet because:
    • You are lucky so far: estimates are that up to now 10% of our readers have seen them.
    • The bad guys haven't released their worst (yet), but we know they have the tools and means to create it and we expect them to do so well enough before the official patches are released next week.
    • The detection might be insufficient or might be failing, so you would not know it.
      (esp. if the attack was subtle enough in a first phase, it can be very hard to detect as it's designed to be very hard to detect by anti-virus and IDS/IPS systems)
    • We were told of McAfee reporting a 6% infection rate at their customers on New Year's Eve already.
But when you will see the exploits, it will be too late. So act now and be prepared for the coming storm.
  • The Internet Storm Center knows of quite a few government and larger organisations that did roll out the unofficial patch, so your "peers" might very well be doing the right thing already.
  • The usual precautions, such as telling the users not to click or surf to bad sites, updating anti-virus signatures, filtering email, ... will help just like a drop of water helps to fill a bucket. It's just not good enough by far.
    • No user interaction is required. This is one of those where the user is a sitting duck, not the offender.
    • Many anti-virus signatures still trigger on the payload, not on the call in the WMF and therefore might get a working signature only after you got hit. This can be more painful if you are unlucky to get hit early.
    • IDS/IPS can be easily bypassed by using off-the-shelf tools already available to the bad guys.
    • Firewalls will not prevent filesharing once the files are inside.
    • ...

In addition to this, please do distinguish between a vulnerability and the lack of an exploit.
  • One working exploit proves a vulnerability.
  • Many non-functional exploits prove nothing towards the lack of a vulnerability.

Swa Frantzen


Published: 2006-01-03
Last Updated: 2006-01-03 18:17:57 UTC
by Tom Liston (Version: 1)
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)

"...Microsoft's intelligence sources..."?!?

Go ahead and laugh.  I'll wait.

Through?  O.K.

While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future.  The only problem: it appears that they made it from rose-colored crystal.

In their rosy vision of the future, over the next seven days, nothing bad is going to happen.  The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future.  The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.

The future, according to Microsoft, is a wonderful, safe, chocolaty place.

And why not?  Everything just seems to work out for them!

Imagine!  You have tons and tons of work to do!  Even now, the Oompa Loompas are hard at work out in Redmond, simultaneously regression-testing and translating Microsoft's WMF patch into Swahili and Urdu.  And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle."  How convenient!  Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.

And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame.  You are!

"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."

Why are you visiting places on the web you've never been before?  Restrict your browsing to safe places, and everything will be just fine.  'Cause no one could ever put a bad graphic file on a place you trust.

Tom Liston - Intelguardians Network Intelligence, L.L.C.


.MSI installer file for WMF flaw available

Published: 2006-01-04
Last Updated: 2006-01-04 04:19:23 UTC
by Tom Liston (Version: 2)
For all of you corporate folk out there, we now have a .msi installer file available for version 1.4 of Ilfak Guilfanov's unofficial patch for the Windows .WMF flaw.  A very big "thank you" goes out to Evan Anderson of Wellbury Information Services, L.L.C. for his diligent efforts to get this put together.  Note:  Like Mr. Guilfanov's original patch, this will dump out not only Guilfanov's source code, but also the code that Evan wrote to do the install from within the .msi.  Note also:  We have reverse engineered and verified that the installation/uninstallation code in the .msi does what it says it does and nothing more.  The wmfhotfix.dll installed is the binary equivalent of the previously vetted version 1.4.

WMFHotfix-1.4.msi has an MD5 of 0dd56dac6b932ee7abf2d65ec34c5bec
A pgp signature using the SANS ISC key is available as well.

We renamed the file from WMFHotfix-1.1.14.msi to WMFHotfix-1.4.msi to be more consistent with the version number (1.4).
To uninstall, use the "Add / Remove Program" button in your control panel.

MS to Release Update on Jan 10

Published: 2006-01-03
Last Updated: 2006-01-03 13:52:41 UTC
by Scott Fendley (Version: 2)

Microsoft updated its advisory (KB 912840) this morning with the information below. For those in academic environments, this may actually work in your favor as students will be coming back after the supposed release date.

For corporate environments, IT staffers are going to have to make a risk assessment. What would be the cost to your company if you are compromised between now and January 10, if the update is released as mentioned? Can you really afford to do nothing? Are you willing to gamble that unregistering the DLL is sufficient, or do you go with defense in depth and apply the unofficial patch? You make the choice.

"Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
