[MeFi] Windoze WMF vulnerability patch. - Adventures in Engineering — LiveJournal
The wanderings of a modern ronin.

Ben Cantrick
  Date: 2006-01-02 07:52
  Subject:   [MeFi] Windoze WMF vulnerability patch.
Microsoft Windows Metafile (WMF) format images are graphical files that can contain both vector and bitmap-based picture information. WMF files contain a sequence of GDI function calls. The image is created by executing the GDI functions. Certain GDI functions can have unexpected security implications. The GDI Escape function allows an application to access capabilities of a device that are not directly available through GDI. For example, a print job can be cancelled via a GDI Escape call.

A remote, unauthenticated attacker may be able to execute arbitrary code if the user is persuaded to view a specially crafted Windows Metafile.

http://www.kb.cert.org/vuls/id/181038
http://www.f-secure.com/weblog/archives/archive-122005.html#00000757
http://isc.sans.org/diary.php?storyid=999

Yup, you read that right: VIEW AN IMAGE, GET P0WNED! Thanks a lot for designing the GDI so that images can execute code, MS. Great idea there. Almost as good as letting an email execute arbitrary JavaScript when I click on it.

Patch this now. There is already one verified worm in the wild that takes advantage of this, and more are undoubtedly on the way. This is literally a "view a web page with a bad image on it, and your computer is owned" exploit, so your firewall and such do not protect you one whit. Do not wait; patch it. Until MS bestirs itself to fix the problem, use Ilfak Guilfanov's patch. (Note: Bastard spammers are now apparently churning out many fake "patches" for this problem that do not fix it, but instead just install spyware and popup loaders on your system. So either install Guilfanov's patch, or do not install any patch at all.)

Edit: There is a tool to check whether your system is vulnerable here. Thanks to cassandrapoe.

Edit 2: Also check out spiderfarmer's post on the subject, which includes a link to an excellent Wikipedia page on the vulnerability.
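The advisory quoted at the top of the post says a WMF is just a stream of GDI records and that the Escape record is the dangerous one. What follows is an added example, not code from this post or from the advisories it links: a small Python scanner that walks the WMF record stream and reports an Escape record whose subfunction is SETABORTPROC (0x0009, the print-job abort callback the CERT note alludes to). The record layout and the META_ESCAPE (0x0626) constant are from the public WMF format; the verdict strings, the helper functions and the constructed sample files are assumptions of this example.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic (optional 22-byte prefix)
META_ESCAPE = 0x0626         # record type for a GDI Escape call
META_EOF = 0x0000
SETABORTPROC = 0x0009        # Escape subfunction that installs an abort callback

def wmf_records(data):
    """Yield (function, params) for each record, validating sizes as it goes."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF standard header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        rd_words, rd_func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        end = off + rd_words * 2
        if rd_words < 3 or end > len(data):
            raise ValueError("bad record size")   # truncated or oversized record
        yield rd_func, data[off + 6:end]
        if rd_func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF")

def classify(data):
    """Scanner verdict (labels are mine): 'malformed', 'setabortproc' or 'clean'."""
    try:
        for func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 2:
                if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                    return "setabortproc"
    except (ValueError, struct.error):
        return "malformed"
    return "clean"

# Helpers to build constructed sample files for testing (not real-world samples).
def record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def wmf(*records):
    body = b"".join(records) + record(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body

BENIGN = wmf(record(0x0201, b"\x00\x00\xff\x00"))             # one META_SETBKCOLOR record
SUSPECT = wmf(record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))
TRUNCATED = BENIGN[:-4]                                        # EOF record cut off
```

A real scanner would also refuse files whose header sizes disagree with the record stream, which is why the parser raises rather than skipping bad records.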

  User: randomchris
  Date: 2006-01-02 15:00 (UTC)
  Subject:   (no subject)
The other way around it is not to use Windows Picture and Fax Viewer - which Microsoft have mentioned, but it's buried several layers deep.

Ben Cantrick
  User: mackys
  Date: 2006-01-02 18:12 (UTC)
  Subject:   Wrong.
There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up to your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up to the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

- http://www.f-secure.com/weblog/archives/archive-122005.html#00000757

I wouldn't be making nearly as much noise about this if you had to use a particular program to view the image and get owned. But this is in a widely-used Windows API, and that makes any program that uses GDI rendering (which is a hell of a lot of them) vulnerable.

-Ben

  User: cassandrapoe
  Date: 2006-01-02 17:19 (UTC)
  Subject:   (no subject)
Yup. Patched it and set WMFs to view in Notepad.
Stupid MS. Get off your drunken overpaid asses!

Pacchi
  User: pacchi
  Date: 2006-01-02 17:26 (UTC)
  Subject:   (no subject)
thanks for the heads up

Alex Belits
  User: abelits
  Date: 2006-01-04 00:30 (UTC)
  Subject:   (no subject)
<troll>Now, which of my boxes need that patch?...</troll>

  User: (Anonymous)
  Date: 2006-01-04 23:03 (UTC)
  Subject:   Oddly enough...
I downloaded the checker, and my windoze 98 box isn't vulnerable! What's up with that?

  User: jsharley
  Date: 2006-01-05 22:08 (UTC)
  Subject:   Security Patch Released
FYI, M$ released the patch early. You can get it through windows update.

Ben Cantrick
  User: mackys
  Date: 2006-01-06 19:18 (UTC)
  Subject:   Cool, thanks for the info!
Time to fire up Windows Update...