January 2, 2006

Here is the message from Matt. Hopefully this saves you some time or otherwise helps out! Thanks, Matt, for taking the time to share!

====== Begin Message ========

A vulnerability with WMF (Windows Metafile) files was discovered on December 27, 2005. There are no patches for at this time to fix the problem (zero day exploit). Currently there are many websites in the wild that use the weakness in WMA to install Spyware on a user’s computer without the user‘s permission. Even if you are using Firefox on a fully patched Windows XP SP2 system you are vulnerable.

A WMF file is an image file that supports both Vector and Bitmapped formats. When a program opens a WMF multiple GDI calls are made to “draw” the image on the screen. In older 16 bit versions of Windows there was a GDI call called SETABORTPROC that was used to execute code if there were any problems drawing the image. This call still exists in current versions of Windows.

When you go to a website that takes advantage of the vulnerability it will send a corrupted WMF file to you. When your computer draws the image it will fail, at that point it will execute the code from the SETABORTPROC section. The code that executes can do pretty much anything that the currently logged on user can do. (Install Spyware, virus, become a bot in an iRC chat etc..)

Alternatively the corrupt WMF file can cause buffer overflow errors as well using different GDI calls.

There really isn’t a fix for this. There are some things you can do to help your self.

* One is get ride of Google Desktop, it will launch (or relaunch) a virus or this vulnerability when it indexes a file.
* Unregistered the Windows Picture and Fax Viewer by click Start – Run and typing “regsvr32 -u %windir%system32shimgvw.dll”
* Enable DEP (Data Execution Prevention)
* Watch where you are going on the web…. (you know what I mean)
* Block Windows Metafile, although this can be tough since it can come in as something other then WMF.

Happy New Year

Matt Hull

====== end message =====

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.