MoMusings

Tuesday 3rd January, 2006


WMF Vulnerability Patches and Workarounds

Filed under: All, Malware, Exploits, Tools

Now that most people are back at work and aware of the WMF exploit problem, I thought it might be a good time to collate and discuss the myriad tools, patches and workarounds for this issue. So, here goes:

Un-official patches:

  1. Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally). The fix works by injecting itself into every process that loads USER32.DLL. It patches the Escape() function in GDI32.DLL, disabling WMF's SETABORTPROC escape (escape number 9), which is the root of the problem. The fix is available here: http://www.hexblog.com/2005/12/wmf_vuln.html
  2. Paolo Monti from Eset has also released an unofficial patch which he claims will work on all Windows versions except the 64-bit version. The fix is available here: http://www.nod32.it/getfile.pp?tool=wmfpatch

Mitigation Tools/Techniques:

  1. For administrators/security staff there are SNORT signatures available from Bleedingsnort. These can be used with the SNORT/Sourcefire IDS/IPS products and may also work with the ISS RealSecure IDS/IPS products via the TRONS [SNORT backwards] functionality.
  2. Kerio personal firewall [now owned by Sunbelt] can use the Snort signatures in the in-built NIPS, and you can use it for FREE, or if you prefer you can pay for it. Details on how to use the SNORT signatures can be found here: http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html
  3. Make sure your anti-virus is updated regularly; at least once a day.
  4. Keep a close eye on your personal firewall; be especially suspicious of new programs/files asking to connect to the internet after visiting an untrusted site.
  5. Use the Firefox or Mozilla web browser instead of Internet Explorer, as this offers some protection: these browsers do not render WMF images inline but ask whether to open or save the file, so you will at least be warned before it is handed to the Windows viewer.
  6. If you must use Internet Explorer, set the security level to High, which reportedly stops automatic exploitation via a malicious WMF embedded in a web page.
  7. Do not go to untrusted URLs [websites] even if they are sent to you via e-mail or instant messaging from someone you know.
  8. Anyone receiving image file attachments [via e-mail] from UNTRUSTED sources should NOT open or view them. Note that the exploit does not depend on a .wmf extension: Windows identifies the file by its contents, so a malicious WMF can arrive named .jpg, .gif or similar.
  9. Anyone receiving image file attachments [via e-mail] from TRUSTED sources should verify with the alleged sender that they actually sent them, before they open or view them.
  10. It is strongly suggested that you unregister the Windows Picture and Fax Viewer DLL (shimgvw.dll; steps below). This closes the most common infection route via a browser or Explorer, but it is a workaround, not a fix: the vulnerable code is in GDI32.DLL, so any program that renders WMF files itself (an image viewer, an office application) remains exploitable until a real patch is applied.
  11. For administrators/security staff you can also block the currently known web sites that are hosting the malicious WMF files.
  12. Roger Thompson has made a new tool available, known as SocketScanner. It is currently in BETA phase, but in limited testing seems to work as advertised. The neat thing about SocketScanner is that it can be updated remotely, so if another unpatched vulnerability is found then SocketScanner can be quickly updated to close the usual window of opportunity that new exploit code uses to compromise vulnerable systems. In other words SocketScanner is not a single, fixed, exploit patch, unlike the others.
  13. Ilfak Guilfanov has also published a testing tool which will tell you if your system is vulnerable or not. It can be found here: http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html
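As an added example (not code from the original post, nor from any of the patches or tools listed above), the following Python script shows the structural check that both the Snort signatures and Ilfak's patch hinge on: a WMF file is an optional 22-byte placeable header, an 18-byte METAHEADER, and then a list of records, and the dangerous construct is a META_ESCAPE record (function 0x0626) whose escape number is SETABORTPROC (9). The script builds two constructed sample files in memory, one benign and one carrying such an escape record with filler text in place of any payload, and walks the record list to flag it. It also handles the malformed-record-size and missing-EOF cases a scanner has to survive. The sample contents, offsets and function names are my own assumptions; the constants come from the WMF format and the Windows Escape() definitions.

```python
import struct

# WMF constants (Windows GDI / WMF format definitions)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" header
META_EOF = 0x0000            # terminating record
META_ESCAPE = 0x0626         # record that carries a printer Escape() call
META_SETBKCOLOR = 0x0201     # harmless record used for the benign sample
SETABORTPROC = 9             # Escape() sub-function abused by the exploit
QUERYESCSUPPORT = 8          # a harmless escape, to show not every escape is flagged


def wmf_record(function, params=b""):
    """Build one WMF record: DWORD size (in 16-bit words), WORD function, params."""
    if len(params) % 2:
        params += b"\x00"                     # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def escape_record(escape_number, payload):
    """META_ESCAPE record: WORD escape number, WORD byte count, then the bytes."""
    return wmf_record(META_ESCAPE, struct.pack("<HH", escape_number, len(payload)) + payload)


def build_wmf(records, placeable=False):
    """Assemble an 18-byte METAHEADER plus records into a (constructed) metafile."""
    body = b"".join(records)
    max_record = max(struct.unpack_from("<I", r)[0] for r in records)
    # type=1 (memory), header size=9 words, version 3.0, total size in words,
    # object count, largest record in words, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    data = header + body
    if placeable:
        # key, handle, bbox (left, top, right, bottom), units per inch, reserved, checksum
        data = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + data
    return data


def scan_wmf(data):
    """Walk the record list; return a list of (finding, byte offset) tuples.

    Flags any META_ESCAPE record whose escape number is SETABORTPROC, the
    construct the unofficial patches disable.  Also reports a record size that
    would make a naive parser loop forever, and a file with no META_EOF.
    """
    findings = []
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF metafile header")
    off += 18
    saw_eof = False
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:                    # smaller than the record header itself
            findings.append(("malformed record size", off))
            break
        if function == META_EOF:
            saw_eof = True
            break
        if function == META_ESCAPE and off + 10 <= len(data):
            escape_number, _byte_count = struct.unpack_from("<HH", data, off + 6)
            if escape_number == SETABORTPROC:
                findings.append(("META_ESCAPE SETABORTPROC", off))
        off += size_words * 2
    if not saw_eof:
        findings.append(("no META_EOF record", off))
    return findings


# Constructed samples: a benign metafile, one with a harmless escape, and one
# carrying a SETABORTPROC escape.  The escape payload is filler text, not code;
# only the record structure matters for detection.
BENIGN_WMF = build_wmf([
    wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    wmf_record(META_EOF),
])
BENIGN_ESCAPE_WMF = build_wmf([
    escape_record(QUERYESCSUPPORT, struct.pack("<H", SETABORTPROC)),
    wmf_record(META_EOF),
])
SUSPECT_WMF = build_wmf([
    wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    escape_record(SETABORTPROC, b"PLACEHOLDER!"),
    wmf_record(META_EOF),
], placeable=True)
TRUNCATED_WMF = SUSPECT_WMF[:-6]              # same file with the META_EOF chopped off


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("truncated", TRUNCATED_WMF)):
        print(name, scan_wmf(sample) or "clean")
```

Because the check is structural rather than a byte pattern, it is unaffected by the file's extension or MIME type, which matters here since the malicious files were being served under other image extensions. A real deployment would also apply the same walk to files embedded in documents, since GDI renders those too.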

Do not install any of the above on a computer that you are not responsible for, such as a work computer. If in doubt check with your support/security staff first. The same goes for the steps below, which unregister the Windows Picture and Fax Viewer.

Unregistering the Windows Picture and Fax Viewer
Click ‘Start‘, then ‘Run‘ and type the following ‘regsvr32 -u %windir%\system32\shimgvw.dll‘ (without the single quotes), and then click ‘OK‘. A dialog reading ‘DllUnregisterServer in shimgvw.dll succeeded.‘ confirms it worked.

This will stop the Windows Picture and Fax Viewer from being run when a registered extension is double-clicked, and will also disable the thumbnail function in certain programs and Explorer. Remember to re-register it (below) once the official patch has been installed.

Re-registering the Windows Picture and Fax Viewer
Click ‘Start‘, then ‘Run‘ and type the following ‘regsvr32 %windir%\system32\shimgvw.dll‘ (without the single quotes), and then click ‘OK‘. A dialog reading ‘DllRegisterServer in shimgvw.dll succeeded.‘ confirms the viewer is back.

Latest news just in is that Microsoft expect to have their own ‘official’ patch ready for the 10th of January…..I’m just hoping that they mean THIS year. ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
