WynApse Home Page
Home    Blog    About    Contact       
Latest Article:

My Tags:
My Sponsors:

Lifetime Member:

January 3, 2006: WMF File Vulnerability

Over the last week or so a new virus vulnerability has been found and exploited in Windows. This vulnerability is very serious because it relies on documented approved behavior to install just about any type of virus/trojan/key scanner it wants.

Background -

WMF is the Microsoft Multimedia Format and is used for image and movie files. By design, WMF is more than just a image format - it has the ability to include and execute code. The new vulnerability makes use of this feature to install viruses and such on to your computer. What makes this especially bad is that the code inside an WMF could be executed even if you don't open up the file. For example, viewing a directory that contains a folder that contains an infected WMF could result in the malicious program being executed on your machine. In addition, Windows is fully capable of detecting and executing the malicious code in a WMF file even if it is named with something other than the standard .wmf extension.

Virus scanning software is almost useless in detecting a WMF that has been designed to carry a virus since the WMF specification allows for executable code in the file. Such software might detect the virus as it is being installed, but there is no guarantee of that and even if it does it may be too late. Note also, that even after infection the original WMF will still be resident on your machine and can re-infect you at any time.

What you can do -

Microsoft has indicated that they HOPE to release a patch to fix this vulnerability on January 10th. However, this is contingent on Microsoft completing their QA process by that time. In any case, be sure to run Windows Update on the evening of January 10th.

In the mean time, the SANS Institute Internet Storm Center, working with a number of folks around the world, has published a temporary fix. This fix has been carefully crafted, reverse engineered, code and binary reviewed, and vetted to do only what it says it does. In my opinion, this fix is about as trustworthy as it is possible to get. It has been strongly recommended that everyone install this fix on your machines AS SOON AS POSSIBLE. This fix can be found at: http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi. For those with the capability, the MD5 signature of this file is 0dd56dac6b932ee7abf2d65ec34c5bec.

Below I have included a FAQ from the Internet Storm Center that provides additional information on this vulnerability. Note: for ease of installation I would use the WMFHotfix-1.1.14.msi referenced above over the link provided in item 1 below.


  • Why is this issue so important?

  • The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well. Microsoft announced that an official patch will not be available before January 10th 2006 (next regular update cycle).

  • Is it better to use Firefox or Internet Explorer?
  • Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

  • What versions of Windows are affected?
  • Windows XP, (SP1 and SP2), Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS-X, Unix or BSD is not affected.

    Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

  • What can I do to protect myself?

    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.

    To unregister the DLL:

  • Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks... our editor keeps swallowing the backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll), and then click OK.
  • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

  • Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.

  • How does the unofficial patch work?
  • The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (ie. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

  • Will unregistering the DLL (without using the unofficial patch) protect me?
  • It might help. But it is not foolproof. We want to be very clear on this: we have some very stong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll.

  • Should I just delete the DLL?
  • It might not be a bad idea, but Windows File Protection will probably replace it. You'll need to turn off Windows File Protection first. Also, once an official patch is available you'll need to replace the DLL. (renaming, rather than deleting is probably better so it will still be handy).

  • Should I just block all .WMF images?
  • This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents.

  • What is DEP (Data Execution Protection) and how does it help me?
  • With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segements'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit.

  • How good are Anti Virus products to prevent the exploit?
  • At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient.

  • How could a malicious WMF file enter my system?
  • There are too many methods to mention them all. E-mail attachments, web sites, instant messaging are probably the most likely sources. Don't forget P2P file sharing and other sources.

  • Is it sufficient to tell my users not to visit untrusted web sites?
  • No. It helps, but its likely not sufficient. We had at least one widely trusted web site (knoppix-std.org) which was compromissed. As part of the compromise, a frame was added to the site redirecting users to a corrupt WMF file. "Tursted" sites have been used like this in the past.

  • What is the actual problem with WMF images here?
  • WMF images are a bit different then most other images. Instead of just containing simple 'this pixel has that color' information, WMF images can call external procedures. One of these procedure calls can be used to execute the code.

  • Should I use something like "dropmyrights" to lower the impact of an exploit.
  • By all means yes. Also, do not run as an administrator level users for every day work. However, this will only limit the impact of the exploit, and not prevent it. Also: Web browsing is only one way to trigger the exploit. If the image is left behind on your system, and later viewed by an administrator, you may get 'hit'.

  • Are my servers vulnerable?
  • Maybe... do you allow the uploading of images? email? Are these images indexed? Do you sometimes use a web browser on the server? In short: If someone can get a image to your server, and if the vulnerable DLL may look at it, your server may very well be vulnerable.

  • What can I do at my perimeter / firewall to protect my network?
  • Not much. A proxy server that strips all images from web sites? Probably wont go over well with your users. At least block .WMF images (see above about extensions...). If your proxy has some kind of virus checker, it may catch it. Same for mail servers. The less you allow your users to initiate outbound connections, the better. Close monitoring of user workstations may provide a hint if a work station is infected.

  • Can I use an IDS to detect the exploit?
  • Most IDS vendors are working on signatures. Contact your vendor for details. Bleedingsnort.org is providing some continuosly improving signatures for snort users. Recent releases of this exploit take advantage of http compression and randomization of the exploit to evade IDS signatures.

  • If I get hit by the exploit, what can I do?
  • Not much :-(. It very much depends on the exact exploit you are hit with. Most of them will download additional components. It can be very hard, or even impossible, to find all the pieces. Microsoft offers free support for issues like that at 866-727-2389 (866 PC SAFETY).

  • Does Microsoft have information available?
  • http://www.microsoft.com/technet/security/advisory/912840.mspx
    Microsoft announced that there will be a patch on January 10th, the next regular "black Tuesday".

  • What does CERT have to say?
  • http://www.kb.cert.org/vuls/id/181038

    Microsoft MVP

    Member of WPF and Silverlight Insiders
    Silverlight Control
    Creative Commons License

    Copyright © 2006-2014, WynApse