News

Microsoft Responds to WMF Zero-Day Exploit

• By Michael Desmond
• 01/03/2006

As reported here last week, the exploit taps a flaw in the Windows graphics handling engine. Infected Windows Meta File (WMF) format images can compromise client and server systems running virtually any version of Windows, ceding control to malicious software. The exploit has so far been used to install spyware and adware.

The event is alarming, says Johannes Ullrich, CTO of the SANS Institute Internet Storm Center, because the industry had no warning of the attack. Unlike most exploits, where fixes and patches exist to stave off malware exploiting a Windows vulnerability, the WMF zero-day exploit is a problem with no ready solution. If an end user opens or looks at an infected WMF, his or her Windows machine will likely be infected.

Microsoft has announced that it a patch is all but complete, but according to an official statement the fix remains a week away.

"Microsoft has completed development of a security update to fix the vulnerability and that update is now being finalized through testing to ensure quality and application compatibility," reads a statement from the firm. "Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month, although quality is the gating factor."

That patch will be released globally in 23 languages, according to the statement. In the meantime, IT professionals would be well advised to update their anti-virus and anti-spyware software, and to make sure that PC users practice safe surfing and e-mail habits. According to Microsoft, major anti-virus firms have released updated signatures to successfully mitigate the threat.

IT managers might also consider un-registering the Windows Picture and Fax Viewer (shimgvw.dll) on Windows XP and Windows Server 2003 installations. This action will prevent the application, which is a major vector for the exploit, from automatically opening. The action should give users time to assess a file for potential infection, at least until such time as the Windows patch removes the underlying vulnerability. To un-register shimgvw.dll, do the following:

Click Start, Run, and in the Run dialog box type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks). Click OK. Close the confirmation dialog box by clicking the OK button.

When the expected patch arrives Jan. 10, the shimgvw.dll can be re-registered by performing the above steps, only this time entering the following in the Run text box: “regsvr32 %windir%\system32\shimgvw.dll” (again without the quotation marks). That will restore Picture and Fax Viewer to normal behavior.

While an effective patch looks likely, it doesn't ease Ullrich's ongoing concerns about Windows vulnerabilities. He singles out the Windows graphics infrastructure as an ongoing problem. "These image libraries are notorious for being vulnerable," he says.

In fact, the WMF zero-day exploit is only the latest graphics-driven vulnerability to hit Windows PCs. A September 2004 Microsoft TechNet bulletin describes a buffer overrun exploit that enables infected JPEG files to drop executable code onto PCs. All a user has to do is glance at a JPEG file in a Web page or e-mail to fall victim.

Unlike the WMF exploit, the GDI+ vulnerability affected both the Windows operating system and various Windows applications. So while Windows XP SP2 was found to be immune to the exploit, Office 2003 was not. Microsoft released an Office update to close the flaw. Because the vulnerability was discovered before malicious code hit the Web, Microsoft was able to write, test, and release the patch before widespread vulnerability became an issue.