
2 Intern • 7.9K Posts • December 31st, 2005 19:00

WMF Vulnerability Patch And Lessons Learned

So after two machines on my LAN got SpyAxe twice, I got annoyed to say the least. I don't post on this board often, so if this has been said before, my apologies ahead of time.

Here's a temporary patch that should solve the problem till MS comes up with something better: http://www.hexblog.com/2005/12/wmf_vuln.html

Here's a list of domains that currently use the exploit (I'm sure the list will grow): http://www.f-secure.com/weblog/archives/archive-122005.html#00000754 (scroll down to see them all).

Note that my worthless router (DI-524 modded into a DI-624) cannot block the entire list (it holds a max of 6 or 7 entries). It can however filter based on URL keywords. Here's a warning: do not block "iframe" -- it will prevent you from posting replies in this forum (which is a bit of an annoyance to say the least).

2 Intern • 2K Posts • December 31st, 2005 22:00

Thank you for a link to the patch!!

2 Intern • 2.5K Posts • January 1st, 2006 03:00

1. I think I will take Microsoft's advice on this one.
2. The idea of using a patched DLL supplied by someone without the source code of the DLL scares the heck out of me.

2 Intern • 2.5K Posts • January 1st, 2006 04:00

The size of the DLL is irrelevant, or put another way, "size doesn't matter".

2 Intern • 7.9K Posts • January 1st, 2006 04:00

msgale, he claims the source is included in the installer (although I didn't really look). That said, the guy is reputable and I'm willing to trust F-Secure's recommendation on this one (both for the guy and for the patch).

Also, while I'm fairly confident I can protect my own machine, I'm less certain of other machines on my LAN (and the less careful users that operate them). They all got the patch today.

edit: grc is recommending it too:  http://www.grc.com/sn/notes-020.htm   -- the only concern I've seen mentioned is that the exploit may be able to be reworked to evade this fix and that unregistering the dll may provide more security (at the cost of significantly more functionality)

Message Edited by NemesisDB on 01-01-2006 01:53 AM

Message Edited by NemesisDB on 01-01-2006 01:54 AM

2 Intern • 2K Posts • January 1st, 2006 04:00

Since I have GoBack, I tried it. Not sure if it protects me, but I open pictures a lot on my computer, and Windows fax viewer is the fastest opening. I don't want to disable it unless I have to.
 
Also, they said if you open an affected file in paint, you can get infected. 
So, you would then have to use a third-party program to view pictures, I believe.
 
I located the dll file in my System32 folder, it's only 3kB. 

2 Intern • 2.5K Posts • January 1st, 2006 10:00

I kinda' doubt anyone outside of Microsoft has the real source; they have been, to say the least, reluctant to release it. What is probably available is an uncommented decompilation of the DLL, not exactly the same thing. Since Microsoft has both the source code and all the internal documentation, I would believe that they could more easily produce a solution. I then repeat: I will wait for Microsoft to either supply a solution or recommend one.

2 Intern • 2K Posts • January 1st, 2006 11:00

Let's hope we all don't die of old age waiting for Microsoft to come up with a fix. :smileyvery-happy:

2 Intern • 2.5K Posts • January 1st, 2006 14:00

I'll drink to that

2 Intern • 7.9K Posts • January 1st, 2006 16:00

Yeah, I think we were all hoping MS would have had something by this past Friday, but no such luck...

This site recommends the patch and unregistering the DLL, and says no patch from MS is likely till Jan 9th at the earliest: http://isc.sans.org/diary.php?rss&storyid=996

Message Edited by NemesisDB on 01-01-2006 01:46 PM

2 Intern • 2K Posts • January 1st, 2006 18:00

I went ahead and unregistered the DLL. I downloaded the latest version of IrfanView, and use that as my default viewer. It opens fast. I miss being able to see the thumbnail pictures, but as soon as M$ patches, I'll re-register the DLL if it's safe.

I went to a website, and my anti-virus blocked a wmf virus. I went ahead and used GoBack to revert it to a time before the virus. 

2 Intern • 2K Posts • January 2nd, 2006 22:00

By the time Microsoft patches this, there will be another exploit or 2 discovered. Dang, they are slow. :smileymad:

2 Intern • 7.9K Posts • January 2nd, 2006 22:00

You didn't see? People were kind enough to post code for generation 2 of the exploit (for any hacker in the world to see). We can all be happily assured that AV programs will never have definitions to capture the new, random variants. http://isc.sans.org/diary.php?rss&storyid=992

The exploit generates files:

  • with a random size;
  • no .wmf extension (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer.
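Because the second-generation files described above carry an image extension that does not match their content, an added example (not from this thread or from any of the linked sites) of sniffing the real file type by its header instead of trusting the extension: the WMF placeable key and standard header layout are the documented Windows Metafile format, and the sample bytes are constructed here, not captured files.

```python
import struct

# Magic bytes for the image types a viewer would expect from the extension.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
PLACEABLE_WMF_KEY = 0x9AC6CDD7  # "placeable" WMF files start with this DWORD

def looks_like_wmf(data):
    """True if the bytes begin with a placeable or standard WMF header."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return True
    if len(data) < 18:
        return False
    # Standard header: Type (1=memory, 2=disk), HeaderSize (always 9 words), Version
    mtype, hdr_size, version = struct.unpack("<HHH", data[:6])
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)

def sniff(data):
    """Classify image bytes by content, ignoring whatever the filename says."""
    if looks_like_wmf(data):
        return "wmf"
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def is_disguised_wmf(filename, data):
    """Flag a file whose content is WMF but whose extension claims otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpg": "jpeg", "jpe": "jpeg"}.get(ext, ext)
    return sniff(data) == "wmf" and ext != "wmf"

# Constructed samples (not real captures): a minimal standard-header WMF
# holding only an EOF record (size 3 words, function 0), and a JPEG prefix.
SAMPLE_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in (("holiday.jpg", SAMPLE_WMF), ("holiday.jpg", SAMPLE_JPEG)):
        print(name, sniff(blob), "DISGUISED" if is_disguised_wmf(name, blob) else "ok")
```

A mail gateway or download scanner applying this check would quarantine the first sample and pass the second, regardless of the random size, leading junk or trailer the post lists.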

5 Journeyman • 15.6K Posts • 45K Points • January 3rd, 2006 18:00

For what it's worth: Microsoft announced on Tuesday (3 Jan) that it believes it has developed a patch for this flaw --- however, the patch is still being tested, and isn't expected to be released until next Tuesday (10 Jan), as part of Microsoft's regular monthly critical/security updates.
