
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-05



Microsoft Patches Released

Published: 2006-01-06
Last Updated: 2006-01-06 19:25:45 UTC
by Marcus Sachs (Version: 4)
Many of you already know this if you receive advance notification from Microsoft.  For everybody else, see their announcement about an early release of the WMF patch.  The patch and details about it are available here.  If you have installed any of the earlier patches or workarounds, here is our recommendation for updating:

1.  Reboot your system to clear any vulnerable files from memory
2.  Download and apply the new patch
3.  Reboot
4.  Uninstall the unofficial patch, by using one of these methods:
a.  Add/Remove Programs on single systems.  Look for "Windows WMF Metafile Vulnerability HotFix"
b. or at a command prompt:
"C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT
c. or, if you used msi to install the patch on multiple machines you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5.  Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6.  Optionally, reboot one more time just for good measure (not required, but doesn't hurt)

We tested the patch, and it does block the attack just like the unofficial patch does.

If you experience any problems with the official patch, check support.microsoft.com and call the toll-free number listed for free assistance. Microsoft will not support the unofficial patch. As an alternative to the sequence shown above, you may want to uninstall the unofficial patch first. But make sure you keep shimgvw.dll unregistered until the official patch is applied. Either sequence works in our testing. Removing the unofficial patch later provides an extra layer of protection.

You can use our test image at http://sipr . net/test . wmf as a test to make sure you are not vulnerable. The test image will start the calculator if you are vulnerable.

I'd like to take this opportunity to thank all of our incident handlers for the endless hours of analysis over the past week.  Also, many thanks to the hundreds of readers who sent in analysis and observations.  Finally, thanks to the response team at Microsoft for issuing the patch today.  We all appreciate the extra internal effort it took to do this out of cycle.

Marcus H. Sachs
Director, SANS Internet Storm Center

UPDATED News on the official WMF patch and DLL registration

  • If you installed the LEAKED Microsoft patch, make sure that you un-install it before installing the officially released patch. Windows Update will detect the presence of the leaked patch. Bad things may happen.

  • If you installed the un-official Ilfak patch, you can un-install it before or after the official Microsoft patch. The order doesn't matter; it should work either way. Windows Update will apparently not detect the un-official patch.

  • If you un-registered the DLL (shimgvw.dll) you will need to re-register it in order to regain the functionality. The official Microsoft patch will NOT re-register the DLL for you. You will have to do it via the following command:
                regsvr32 %windir%\system32\shimgvw.dll

  • ISC has pulled the un-official patch from our web site, if you download the text file that replaces it, it won't execute.


A sober New Years update.

Published: 2006-01-05
Last Updated: 2006-01-06 00:00:09 UTC
by donald smith (Version: 1)
0 comment(s)

Sober.Y will be attempting to update itself tonight at midnight. If you have the ability, you may wish to monitor traffic towards the sites listed below. The ISPs and hosting sites have known about this update for a while and I believe the malware has been removed from these sites, so I don't recommend blocking those sites. Monitoring them might provide you with a list of infected computers :)

From http://www.f-secure.com/v-descs/sober_y.shtml

Sober.Y monitors a fixed list of NTP servers to synchronize its time. If the date is 6.1.2006 or later, instead of mass mailing, it tries to download and execute a file from one of the following domains:

 people.freenet.de
 scifi.pages.at
 free.pages.at
 home.pages.at
 home.arcor.de

WMF mitigation may cause printer problems.

Published: 2006-01-05
Last Updated: 2006-01-05 23:58:11 UTC
by donald smith (Version: 2)
0 comment(s)

We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGVW.DLL causing printing issues.

De-registering SHIMGVW.DLL can cause printer issues. This has been verified.

Pedro, a fellow SANS handler, provided this:
"From Microsoft Windows Server 2003 Inside Out by William R. Stanek: The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."

ScottF, another SANS handler, states: "I have seen a few new printing bugs... basically the printer spooler tray icon pops up and says there is an error and then prints without a problem". This was when SHIMGVW.DLL was deregistered.

It appears that Ilfak Guilfanov's patch can also cause printer problems.

Paul Shane reported:
"It seems that users printing with Lotus 1-2-3 V5 for Windows (yes... the old version), running on Windows XP, cannot print with the hexblog patch installed. As soon as the patch is uninstalled and the machine is rebooted, printing works."

Finally, JimC, another SANS handler, writing about Ilfak's patch, states:
"Actually, I guess this one doesn't surprise me too much. The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch."

Only a few cases of printer problems have been reported so far. Over 100,000 people have installed the patch and/or deregistered shimgvw.dll. We still recommend doing both! Either can be easily reversed if printer problems occur.

Infocon back to green

Published: 2006-01-05
Last Updated: 2006-01-05 21:46:29 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Microsoft released an official patch early. I would like to thank all handlers who spent countless hours over the last few days (and the holiday weekend) analyzing the situation. We hope that the information we provided made the net a slightly safer place for you. Thanks to Microsoft for taking our input and we hope it contributed to the decision to publish this most important patch early.

For more details about installing the patch, and uninstalling the unofficial patch, see our prior diary.


---------
johannes ullrich, jullrich@/sans.org
CTO Internet Storm Center.

Technical document on WMF vulnerability and Guilfanov's patch available

Published: 2006-01-05
Last Updated: 2006-01-05 21:45:49 UTC
by Tom Liston (Version: 1)
0 comment(s)
I've written a technical document describing what is going on "behind the scenes" to cause the current WMF SETABORTPROC vulnerability and how Ilfak Guilfanov's patch worked to mitigate it. Included are both annotations to the patch's source code and an annotated disassembly of the patch itself.

Interestingly, reading Microsoft's description of their patch:

Specifically, the change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.

it appears that they ended up doing the same thing that Guilfanov's patch did (but where Guilfanov had to jump through .dll injection hoops, they could just change the source code and recompile GDI32.DLL...).
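Microsoft's description above pins the fix to one structure: a META_ESCAPE record carrying the SETABORTPROC escape sub-function. As an added example (not from this diary, Microsoft or Guilfanov's patch), here is a small Python scanner that walks the records of a WMF file and reports any META_ESCAPE record whose escape function is SETABORTPROC, which is the structure a mail gateway or file scanner would flag while unpatched clients remain. The record layout follows the published WMF format; the sample-file builder is constructed for testing and its escape payload is a zero placeholder, not an abort procedure.

```python
import struct

# MS-WMF values: function code of an Escape record, the SETABORTPROC escape
# sub-function the patch removes support for, and the placeable-header key.
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7

def iter_wmf_records(data):
    """Yield (offset, function, params) per record; rdSize counts 16-bit words."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the optional 22-byte placeable (Aldus) header
    # standard header: mtType, mtHeaderSize (in words), mtVersion, mtSize, ...
    off += struct.unpack_from("<H", data, off + 2)[0] * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError(f"malformed record at offset {off}")
        yield off, func, data[off + 6:off + rec_len]
        if func == 0x0000:  # META_EOF terminates the record stream
            break
        off += rec_len

def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(off)
    return hits

def build_sample_wmf(escape_func, esc_data=b"\x00\x00"):
    """Constructed minimal WMF (header, one META_ESCAPE, META_EOF) for testing.
    The escape payload is a zero placeholder, not a real abort procedure."""
    params = struct.pack("<HH", escape_func, len(esc_data)) + esc_data
    esc_rec = struct.pack("<IH", (6 + len(params)) // 2, META_ESCAPE) + params
    eof_rec = struct.pack("<IH", 3, 0x0000)
    body = esc_rec + eof_rec
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, len(esc_rec) // 2, 0)
    return header + body

if __name__ == "__main__":
    for name, esc in (("benign escape 0x0008", 0x0008), ("SETABORTPROC", SETABORTPROC)):
        print(name, "->", find_setabortproc(build_sample_wmf(esc)))
```

A hit reports the byte offset of the offending record; a file with no hits still needs the normal image sanity checks, since this scanner only answers the one question the patch answers.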

The document can be found here.