


Supplemental Resources and Links for Episode #20

Official WMF Vulnerability update
from Microsoft Available NOW!
http://update.microsoft.com/



Ilfak Guilfanov on "Security Now!" #21

Ilfak Guilfanov, developer of "The Patch" for temporarily protecting Windows users from exploitation of the WMF vulnerability (while we were waiting for Microsoft's official security update) joined Leo and me to discuss this first serious Windows vulnerability of the New Year.



Microsoft is not fixing Windows 98/ME
 . . . so GRC will.

Microsoft has now "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical (instead of just fixing it!). This means that it will probably NOT be updated and patched to eliminate the WMF handling vulnerability that those older versions of Windows apparently still have. (This vulnerability still needs to be confirmed.)

So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

Microsoft's official security update does
the same thing as Ilfak's patch

Users of Ilfak's temporary patch — which is no longer needed in the wake of Microsoft's early released official update — may rest easily. Ilfak reports that he checked out Microsoft's new replacement GDI32.DLL . . . and it permanently does the same thing as his temporary patch: It simply revokes support for the age-old WMF "SETABORT" command (the SETABORTPROC escape) in metafile processing.




Please Note: The material below is being left in place
for historical/archival purposes. It is obsolete with the
release of Microsoft's Windows security update patch.

Windows WMF Vulnerability News & Updates

Quick Background:

 The active exploitation of a very serious vulnerability in all versions of Windows was discovered in late December.

 Word of this spread rapidly through the hacker community — many of whom were presumably on holiday vacation from school, bored, and looking for something to do.

 Within several days, nearly one hundred different instances of exploitation of this newly discovered vulnerability had been found.

 Note that this is not a "new vulnerability" — it (and perhaps other similar bugs) has been lying unknown in Windows since 1991. What's "new" is the discovery of this long-present vulnerability in Windows' metafile processing.

 Almost immediately there were reports of an MSN Messenger worm, and now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying an exploit.

 Anti-Virus vendors quickly updated and began pushing out their A-V signature files. These have been effective, but a new very flexible exploit generation tool has appeared that's able to create so many different variations of the exploit that A-V signatures are having trouble keeping up.
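Because signatures chase each variant while the underlying trigger stays the same, a structural check is the more durable detection. The following Python is an added example (it is not GRC's, Ilfak's, or Microsoft's code) that scans a WMF file for exactly the construct named at the top of this page: a META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (9), the command Microsoft's GDI32.DLL fix stopped honouring. The header and record layouts and the constants are from the documented WMF format; the two sample metafiles are constructed inline, and the SETABORTPROC sample carries sixteen zero bytes where an exploit would put its escape data, so it is not itself an exploit.

```python
"""Structural WMF scanner for SETABORTPROC escapes (added example, not GRC/Ilfak/Microsoft code)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte placeable (Aldus) header
PLACEABLE_HEADER_LEN = 22
STD_HEADER_LEN = 18            # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9               # escape number from wingdi.h; the escape Microsoft's fix stops honouring
MFCOMMENT = 15                 # a harmless escape, used below to show it is not flagged


def iter_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STD_HEADER_LEN:
        raise ValueError("truncated WMF header")
    mt_type, mt_header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or mt_header_size != 9:
        raise ValueError("not a WMF header")
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        rd_size, rd_function = struct.unpack_from("<IH", data, off)  # rdSize is in 16-bit words
        nbytes = rd_size * 2
        if rd_size < 3 or off + nbytes > len(data):
            raise ValueError("malformed record size at offset %d" % off)
        yield off, rd_function, data[off + 6:off + nbytes]
        if rd_function == META_EOF:
            return
        off += nbytes


def find_setabortproc(data):
    """Return the offsets of META_ESCAPE records whose escape number is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                hits.append(off)
    return hits


def classify(data):
    """'suspect' if a SETABORTPROC escape is present, 'malformed' if the file does not parse, else 'clean'."""
    try:
        return "suspect" if find_setabortproc(data) else "clean"
    except ValueError:
        return "malformed"


# --- Constructed sample metafiles (not real-world files) -------------------------------
def _record(function, params=b""):
    body = struct.pack("<H", function) + params
    if len(body) % 2:
        body += b"\x00"
    return struct.pack("<I", (4 + len(body)) // 2) + body


def _wmf(records):
    records = records + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (STD_HEADER_LEN + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


def _placeable(wmf, bbox=(0, 0, 100, 100), inch=96):
    head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, *bbox, inch, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):   # checksum is the XOR of the first ten words
        checksum ^= word
    return head + struct.pack("<H", checksum) + wmf


BENIGN_WMF = _wmf([
    _record(0x0103, struct.pack("<H", 8)),                             # META_SETMAPMODE MM_ANISOTROPIC
    _record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"abcd"),  # META_ESCAPE / MFCOMMENT
    _record(0x041B, struct.pack("<HHHH", 10, 10, 0, 0)),               # META_RECTANGLE
])
# Same skeleton plus a SETABORTPROC escape; the 16 zero bytes stand in for the escape data an
# exploit would carry, so this sample is not itself an exploit.
SUSPECT_WMF = _wmf([
    _record(0x0103, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x00" * 16),
])
PLACEABLE_SUSPECT_WMF = _placeable(SUSPECT_WMF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable suspect", PLACEABLE_SUSPECT_WMF)):
        print(name, classify(blob), find_setabortproc(blob))
```

Two practical notes. First, a parse failure ("malformed") is worth flagging on its own: files that deliberately lie about record sizes are a common way to throw off parsers, and a legitimate image rarely needs to. Second, the scanner only looks at the WMF container; it says nothing about files with misleading extensions (.jpg, .gif) that are really metafiles, so run it on content, not on file names.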

 Microsoft responded with an acknowledgement of the problem which included a very weak workaround (the shimgvw.dll unregistration) that provides very little protection. Theirs is not a cure, and it is not known how long the Windows user community will now be waiting for a true patch from Microsoft.

 Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems.

Other Updates

 A special (short) edition of "Security Now!" — On Sunday, January 1st, I phoned into Leo Laporte's KFI "Tech Guy" radio program to inform him and his radio audience of the availability of Ilfak's new patch and real solution. Leo produced a special edition of our weekly "Security Now!" audio podcast. Since this was by telephone the audio quality is not great, but the high-quality and lower-quality MP3 audio files are available here:

    Higher-quality (larger) KFI Radio program update (64 kbps, MP3, 5.4 MB)
    Lower-quality (smaller) KFI Radio program update. (16 kbps, MP3, 1.4 MB)

 Ilfak has produced a WMF Vulnerability Checker — Many users want to verify that their "exploit suppressed" systems are now safe to use. And others want to see whether their anti-virus A-V systems are now detecting some WMF exploit code. So Ilfak has produced a simple WMF Vulnerability tester:

    Download Ilfak's WMF Vulnerability Checker from GRC (3.6 kb)

You can read more about his checker, and users' experiences, on his Vulnerability Checker blog page.

 An important Note about A-V signatures: As useful as anti-virus protection is as a first line of defense, new WMF exploits are succeeding at bypassing them. So A-V cannot be relied upon. The only safe measure is to install Ilfak's vulnerability suppression solution until Microsoft has updated the GDI32.DLL file and permanently resolved this problem.

 Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x/SE/ME users.

 Other new links: See the bottom of the RED box below for many "original discovery" links.

    SANS "Handler's Diary" update for January 1st, 2006

    F-Secure's ongoing coverage and updates

 Get generic WMF Vulnerability news — from GoogleNews:

http://news.google.com/news?q=WMF+vulnerability


New High Quality Temporary
WMF Exploit Patch Available!

Ilfak Guilfanov, well known in "reverse engineering" circles for his wildly popular IDA Disassembler, needed a temporary patch for his own system due to the seriousness of the WMF vulnerability (see RED box below) . . . so he wrote one!

Download Ilfak's Temporary WMF Patch

291 kb — for Windows 2000, XP, 64-bit XP and 2003 server

 This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders Windows 2000, XP, 64-bit XP and 2003 systems immune to all known exploitation of the Windows Metafile vulnerability.

 Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.

 You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once Windows has been officially updated and repaired.

To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.

Newly Discovered & Immediately
Exploited Windows Vulnerability

A serious new remotely exploitable vulnerability has been discovered in Microsoft Windows' image processing code.

UNTIL THIS IS REPAIRED BY MICROSOFT, ANY ATTEMPT
TO DISPLAY A MALICIOUS IMAGE IN WINDOWS COULD
INSTALL MALICIOUS SOFTWARE INTO THE COMPUTER.

 This is a so-called "0-day vulnerability" because exploits for the vulnerability appeared before any updates or patches were available.

 All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable, and a large and rapidly growing number of malicious exploits (57 at last count) are already circulating in the wild. They are being actively used to install malware and Trojans on users' machines. Viruses and worms are expected to appear shortly.

 Although NOT a complete solution, Microsoft has recommended temporarily disabling the automatic display of some images by the operating system and web browser. This can be done, as detailed below, by "unregistering" the "SHIMGVW.DLL" Windows DLL. THIS IS NOT A COMPLETE SOLUTION, but it significantly lowers the risk from this vulnerability from web surfing.

For Windows 2000, XP, 64-bit XP and 2003 server

The temporary patch described above is a FAR superior
solution. ONLY use the de-registration approach below if
you are unable to use Ilfak's temporary patch.

 Do not open any "WMF" — Windows Metafiles — you receive by eMail, and reports are that other file types may also be dangerous.

 Anti-virus companies have responded to this, so update your anti-virus signature files for updated protection.

You should IMMEDIATELY disable Windows' use of this
vulnerable DLL until patches from Microsoft are available.

Note that this WILL temporarily disable the "Thumbnail" view
in Windows Explorer and the Windows Picture and Fax Viewer. This is
by design, since these viewers are no longer safe to use until a
non-vulnerable file has been produced by Microsoft and installed.

To immediately disable the vulnerable Windows component:

 Logon as a user with full administrative rights.

 Click the Windows "Start" button and select "Run..."

 Enter the following string into the "Open" field:

regsvr32 -u shimgvw.dll

(You can copy/paste from this page using Ctrl-C/Ctrl-V)

 Click "OK" to unregister the vulnerable DLL.

If all goes well, regsvr32 reports "DllUnregisterServer in shimgvw.dll succeeded." and the shell image viewer is no longer registered. This lowers your exposure from web surfing but is NOT a complete fix (see the note above). No need to reboot, but you might want to just to be sure that any possible currently loaded instance is flushed out.


To eventually re-enable the "SHIMGVW.DLL" component:

 Logon as a user with full administrative rights.

 Click the Windows "Start" button and select "Run..."

 Enter the following string into the "Open" field:

regsvr32 shimgvw.dll

(You can copy/paste from this page using Ctrl-C/Ctrl-V)
Same as the one above, but without the "-u" for "unregister".

 Click "OK" to re-register the (hopefully) non-vulnerable DLL.


Additional reading and information:
 http://www.f-secure.com/weblog/archives/archive-122005.html#00000754
 http://secunia.com/advisories/18255/
 http://vil.mcafeesecurity.com/vil/content/v_137760.htm
 http://www.securityfocus.com/bid/16074/info
 http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
 http://redxii.blogspot.com/2005/12/vulnerabilities-in-graphics-rendering.html
 http://www.microsoft.com/technet/security/advisory/912840.mspx

Resource links for Security Now! Episode #20:

Listener's Questions & Answers — #2

 Tack Tech SRVANY Page
Resolving Hamachi and Remote Desktop logon troubles:
The Hamachi client must be run as a Windows service to prevent the logon name collision that occurs when a remote Hamachi user attempts to log on via Windows Remote Desktop as the same user under which the local Hamachi client is already logged on. Running the local Hamachi client as a Windows service resolves this, because the client then runs in the SYSTEM account instead of the user's session.

The Tack Tech page link above is one of many pages on the web describing how to run applications as services. You can simply "Google" for the string "SRVANY" to find many more . . . including a page by Microsoft.

Additionally and conveniently, the Tack Tech page provides a ZIP file containing the two Microsoft Windows utilities required to perform this work: http://www.tacktech.com/pub/microsoft/service/srvany.zip

 McAfee's Free WPA Software
If you have older WiFi equipment that won't run under WPA, you may be able to use McAfee's free WPA client in its "Pre-Shared Key" or "Disable Authentication" mode to get your older equipment running.

However, since McAfee is desperately trying to sell you more than you need (a dynamic WiFi endpoint authentication service), you MUST READ THIS page carefully and be sure to choose the "Disable Authentication" option when installing the client. You don't need their for-pay dynamic authentication subscription service since the use of your system-wide pre-shared key is completely sufficient.

 The Gravity Newsreader  v2.5 — a 2.5 MB download from GRC's server.
Just a reminder that GRC (this site) runs a set of really terrific Internet security and privacy oriented newsgroups. Our Discussions page (linked at the bottom of every page) provides an introduction to our groups. And we now have a very active and terrific "Security Now!" group on the server where many listeners are participating. If you've never checked it out and if you just can't get enough of solid security and privacy discussion, our news server is the place to go!

USENET-style newsgroups have been around for so long that most PCs already have a newsreader built-in. So you can easily configure the newsreader that you already have. Or you can use my personal favorite newsreader, "Gravity" which is free and very capable. Gravity is a highly-configurable and capable USENET-style news forum reading and posting application. Once it's set up and running there's no better way to participate in online threaded discussion forums.



Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: May 04, 2013 at 18:12