Matt Hull has updated the letter to his users, and offered it for your benefit. It now includes information about the *non-Microsoft* fix and a bit more detail about the vulnerability. Thanks, Matt, for sharing and helping everyone out!

==== Updated Message ====
A vulnerability with WMF (Windows Metafile) files was discovered on December 27, 2005. There are no patches from Microsoft for it at this time (zero day exploit). Currently there are many websites in the wild that use the weakness in WMF to install Spyware on a user’s computer without the user‘s permission. Even if you are using Firefox on a fully patched Windows XP SP2 system you are vulnerable. There is also a MSN worm on the loose and an email worm with a “Happy New Year” subject. If the picture displays in your preview pane you are infected. This affects all versions of Windows above and including Windows 98, both server and client.

A WMF file is an image file that supports both Vector and Bitmapped formats. When a program opens a WMF multiple GDI calls are made to “draw” the image on the screen. In older 16 bit versions of Windows there was a GDI call called SETABORTPROC that was used to execute code if there were any problems drawing the image. This call still exists in current versions of Windows. A WMF file can have any extension, including JPG, GIF, and PNG.

When you go to a website that takes advantage of the vulnerability it will send a corrupted WMF file to you. When your computer draws the image it will fail, at that point it will execute the code from the SETABORTPROC section. The code can do pretty much anything that the SYSTEM account can do. (Install Spyware, virus, become a bot in an IRC chat etc..) This means even if the user doesn’t have local admin rights they can still get infected.

Alternatively the corrupt WMF file can cause buffer overflow errors as well using different GDI calls.

At this point a person named Ilfak Guilfanov has come out with a fix. He has reverse engineered the GDI32.DLL file by removing support for the SETABORTPROC call. This fix will break any application that uses this function, but there aren’t many current programs that do. (It is 16bit code). He has included a silent installer for the fix. We can easily deploy it using logon scripts or Alteris. Once the patch is run the computer will restart unless you use the /norestart switch. The fix can be found here:

Symantic’s website has not had any information about the vulnerability, or any new viruses/worms that take advantage of problem. Here is a link to the latest definition that can be pushed out just in case.

If you have any questions let me know. If I get any new information I will pass it along.

Happy New Year

===== END MESSAGE =====

Part of the function of Security Catalyst is to help pass along information information and insights. If you have something you would like to share, please send an email message to securitycatalyst -at – gmail -dot- com.

About the Author Michael Santarcangelo

The founder of Security Catalyst, Michael develops exceptional leaders and powerful communicators with the security mindset for success.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.