Windows Metafile vulnerability
The Windows Metafile vulnerability is a security vulnerability in Microsoft Windows NT-based operating systems which has been used in a variety of exploits since late December 2005. The vulnerability was first discussed in the computer security community around 26 and 27 December 2005, with the first reports of affected computers subsequently announced within 24 hours. As of 5 January 2006, a high-priority update to fix this vulnerability is available via Windows Update (see [http://www.microsoft.com/presspass/press/2006/jan06/01-05UpdatePR.mspx announcement]). No patches are needed for Windows 98, Windows 98 Second Edition or Windows Millennium Edition, as they are unaffected by this vulnerability.

The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users. The vulnerability therefore facilitates the propagation of various types of malware, typically through drive-by downloads.

Affected systems
Windows Metafiles are extensively supported by all versions of the Microsoft Windows operating system. All versions from Windows 3.0 to the latest Windows Server 2003 R2 contain this security flaw. However, versions from Windows XP onwards are more severely affected than earlier versions, since they have a handler and reader for WMF files in their default installation.[1]

According to [http://www.grc.com/wmf/wmf.htm Steve Gibson's M.I.C.E. analysis], no versions of Windows made before Windows XP are affected, except for Windows 2000 and Windows NT 4. However, Windows NT 4 may be affected by known exploits if it has an Image Preview Feature enabled.[2] Computers NOT susceptible to known exploits of the flaw (but potentially susceptible to future versions or as-yet undiscovered exploits) include those running other versions of Windows without Image Previewing enabled, or those with hardware-based Data Execution Prevention (DEP) effective for all applications.[3]

Machines running non-Windows operating systems (e.g. Mac OS, Linux, etc.) are not directly affected. A scenario in which such computers might become vulnerable would be where a third-party program or library, designed to view WMF files on a non-Windows system, used the native Windows GDI DLL,[4] or a clone that copied the design flaw leading to this bug, e.g. through a Windows emulator or compatibility layer. As an example, while Wine has its own version of GDI, it follows the Microsoft GDI so closely (even beyond the documented Windows specifications) that until recently it did, in fact, have the flaw,[5] although it might not have been exploitable in the same way. According to a test using MouseTrap, though, the vulnerability is no longer an issue. This test was done using wine-0.9.46.

More recently, Steve Gibson stated [http://www.grc.com/sn/SN-023.htm here] that the vulnerability could be exploited in Wine, and has provided a tool called [http://www.grc.com/wmf/wmf.htm MouseTrap] to detect this on all Windows systems, together with a command-line version called [http://www.grc.com/wmf/wmf.htm MouseTrapCmd] for testing less compatible Wine builds.

The vulnerability
According to assessments by F-Secure,[6] the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling.

According to Secunia, “The vulnerability is caused due to an error in the handling of Windows Metafile files (‘.wmf’) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow an arbitrary user-defined function to be executed when the rendering of a WMF file fails.” According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered.

The vulnerability is [http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560 CVE-2005-4560] in the Common Vulnerabilities and Exposures database, US-CERT reference [http://www.kb.cert.org/vuls/id/181038 VU#181038] and Microsoft Knowledge Base Article [http://support.microsoft.com/kb/912840 912840].

Propagation and infection
Computers can be affected via the spread of infected e-mails which may carry the hacked WMF file as an attachment. Infection may also result from:
* Viewing a website in a web browser that automatically opens malicious WMF files, in which case any potential malicious code may be automatically downloaded and opened. This includes Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996.
* Previewing an infected file in Windows Explorer.
* Viewing an infected image file using some vulnerable image viewing programs.
* Previewing infected emails in older versions of Microsoft Outlook and Outlook Express.
* Indexing a hard disk containing an infected file with Google Desktop.
* Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.

Other methods may also be used to propagate infection. Because the problem is within the operating system, using different browsers like Firefox or Opera would not provide complete protection. Users will commonly be prompted to download and view the file, upon which infection would occur. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.

According to assessments from the McAfee antivirus company,[7] the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads. McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.

Official patch
Microsoft released an official patch (available [http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx here]) to address the problem on 5 January 2006, five days earlier than originally stated. This patch may be applied in lieu of other corrective measures.

The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. A patch has not been released for Windows 9x/Me, as the vulnerability is non-existent on these operating systems. Windows NT 4 and other affected operating systems will not receive a patch as they are no longer supported by Microsoft.

Steve Gibson stated [http://www.grc.com/sn/SN-020.htm here], in his Security Now! podcast #20, that his company Gibson Research Corporation would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated [http://www.grc.com/sn/SN-023.htm here], in the more recent Security Now! podcast #23, that Windows 9x and Me users are not vulnerable, and that these systems do not need to be patched. Windows 9x users can run his [http://www.grc.com/wmf/wmf.htm Mouse Trap] utility to see this for themselves.

Users of Windows NT who are seeking a patch should install Paolo Monti's patch from Future Time, the Italian distributor of Eset's NOD32 anti-virus system. The patch is free, and works on older operating systems, but it is supplied without warranty. It is available for download from its [http://futuretime.itaweb.it/wmfpatch11.zip official server].

There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to download the updates automatically but ask before applying them. This results in an automatic reboot, which can cause loss of data (particularly if the user has a program open with unsaved changes).[8]

Other corrective measures
Workaround

As a workaround,[9] on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll (which can be done by executing the command regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt), which invokes previewing of image files and is exploited by most of these attacks. The DLL can be re-registered once the flaw is fixed by running regsvr32.exe shimgvw.dll. This workaround does not eliminate the vulnerability; it only blocks a common attack vector.

Third party patch
A third party patch[10] was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of the SANS Institute Internet Storm Center[11] and F-Secure.[12] Because of the large amount of publicity, including being indirectly slashdotted,[13] Guilfanov's website was overrun with more visitors than it could have coped with, causing it to be suspended on 3 January 2006. During the downtime, the patch was available for download from a number of mirrors including the Internet Storm Center website.[14]

Guilfanov's website went back online on 4 January in a much reduced state. No longer providing the patch on site due to bandwidth issues, the [http://www.hexblog.com/ homepage] provides a list of mirrors where a user can download the patch and the associated vulnerability checker. Also available is the MD5 checksum for the original file, so that a user can check the file they downloaded is an unmodified version.

After Microsoft released its patch, Guilfanov took his offline and urged visitors to install the official patch, as his intention was always to spur the release of a supported and tested patch.
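Patching gdi32 is one corrective measure; another, which the Secunia description above and the perimeter filtering recommended further down both rest on, is recognising the offending structure in the file itself: a META_ESCAPE record whose escape function is SETABORTPROC. The Python below is an added example, not code from this article, from Microsoft or from any of the tools named here (it is a file-content scan, not the runtime vulnerability checker Guilfanov distributed): it walks the WMF record stream from the raw bytes, so a renamed extension or a wrong MIME type does not hide the record, and the record layout and constants (META_HEADER fields, DWORD size in words followed by a WORD function code, META_ESCAPE = 0x0626, SETABORTPROC = 9, the Aldus placeable key) are taken from the public WMF format; the two sample files are constructed inline.

```python
import struct
META_ESCAPE = 0x0626          # WMF record function code for an Escape record
SETABORTPROC = 9              # Escape sub-function named in the Secunia advisory
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte Aldus placeable header

def parse_records(data):
    """Yield (offset, function, params) for each record of a WMF byte string."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("too short for a META_HEADER")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:  # type 1 = memory, 2 = disk metafile
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # size counts itself and the function word: minimum 3
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == 0:       # META_EOF terminates the record stream
            return
        off = end

def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_records(data):
        if (func == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params)[0] == SETABORTPROC):
            hits.append(off)
    return hits

def classify(data):
    """Perimeter verdict keyed on the bytes, not on the .wmf extension or MIME label."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "not-wmf-or-malformed"
    return "suspicious" if hits else "clean"

# Constructed samples (no real malware): a benign metafile and one carrying the escape.
def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body

def build_wmf(records):
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                       max(len(r) for r in records) // 2, 0) + body

BENIGN_WMF = build_wmf([_record(0x0103, struct.pack("<H", 8)), _record(0)])  # SETMAPMODE, EOF
SUSPECT_WMF = build_wmf([_record(0x0103, struct.pack("<H", 8)),
                         _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)), _record(0)])
```

A malformed header or record size is reported as its own verdict rather than silently passed, since a perimeter filter should not let an unparsable metafile through as "clean".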
Risk reduction techniques
Microsoft says its patch removes the flawed functionality in gdi32 that allowed the WMF vulnerability. For computers running a version of Windows that Microsoft has not patched, a defence in depth approach is recommended to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:
* Making use of hardware-enforced Data Execution Prevention[15] effective for all applications.
* Setting the default WMF application to something innocuous such as Notepad.
* Not using Internet Explorer, or at least turning off downloads by setting the default security settings to HIGH.
* Being vigilant in keeping all anti-virus software up to date, and considering frequent manual updates.
* Blocking all WMF files at the network perimeter by file header filtering.
* Making use of user accounts that are configured with as few user rights as necessary.
* Disabling image loading in Internet Explorer, and in all other browsers.[16]
* Disabling image loading in Outlook Express.[17]
* Disabling hyperlinks in MSN Messenger.
* Disabling the Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
* Disabling Desktop Search applications such as Google Desktop or Windows Desktop Search until the problem is corrected.

According to [http://isc.sans.org/diary.php?storyid=994 this] SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer "may" offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening the maliciously crafted Windows Metafile and does not protect against the vulnerability being exploited, as these browsers still open the metafile if it is masquerading as another format. It is better to entirely disable image loading in the browser you choose to use.

Accusations
An independent examination of the vulnerability by Steve Gibson of Gibson Research had suggested that the peculiar nature of the 'bug' was an indication that the vulnerability was actually a backdoor engineered consciously into the system [http://www.grc.com/x/news.exe?cmd=article&group=grc.news.feedback&item=60006]. Some sources have questioned this conclusion [http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041388.html] [http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx] [http://blogs.technet.com/markrussinovich/archive/2006/01/18/inside-the-wmf-backdoor.aspx]. Steve Gibson has since clarified [http://www.grc.com/sn/SN-023.htm] that his use of the term backdoor was never intended to imply anything done by malicious intent. He still maintains that the backdoor was intentional, though not necessarily officially mandated by Microsoft (e.g. a rogue employee may have put it in).

Notes
# [http://www.pcmag.com/article2/0,2817,1907400,00.asp Security Watch: Iniquitous Images Imperil the Internet!], Larry Seltzer, PC Magazine.
# [http://support.microsoft.com/?kbid=272969 A Description of the Image Preview Feature in Windows Millennium Edition], Microsoft.
# [http://sunbeltblog.blogspot.com/2005/12/microsoft-clarifies-dep-issue.html Microsoft clarifies DEP issue], sunbeltblog.blogspot.com.
# [http://www.icewalkers.com/Linux/Software/5400/libwmf.html Library for non-Windows operating systems] to run WMF files.
# [http://blogs.zdnet.com/Ou/index.php?p=146 Linux/BSD still exposed to WMF exploit through WINE], ZDNet.
# [http://www.f-secure.com/weblog/archives/archive-012006.html#00000761 It's not a bug, it's a feature], F-Secure.
# [http://vil.mcafeesecurity.com/vil/content/v_137760.htm Exploit-WMF], McAfee.
# [http://www.emailbattles.com/archive/battles/vuln_aacfhddccc_de/ Does Windows Patch Without Permission?]
# [http://www.microsoft.com/technet/security/advisory/912840.mspx Microsoft Security Advisory (912840) - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution], Microsoft's official advisory on the vulnerability.
# [http://www.hexblog.com/2005/12/wmf_vuln.html http://www.hexblog.com/2005/12/wmf_vuln.html], unofficial patch by Ilfak Guilfanov.
# [http://isc.sans.org/diary.php?rss&storyid=996 Trustworthy Computing], SANS Institute Internet Storm Center.
# [http://www.f-secure.com/weblog/archives/archive-122005.html#00000756 Ilfak to the rescue!], F-Secure.
# [http://it.slashdot.org/it/06/01/02/1153244.shtml?tid=201 Trustworthy Computing], Slashdot. Links to the SANS Institute Internet Storm Center article titled Trustworthy Computing (see above).
# [http://isc.sans.org/diary.php?storyid=1010 .MSI installer file for WMF flaw available], SANS Institute Internet Storm Center.
# [http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx How to Configure Memory Protection in Windows XP SP2], the software-enforced Data Execution Prevention (DEP) feature in Microsoft Windows XP SP2.
# [http://support.microsoft.com/kb/153790 How to improve browsing performance in Internet Explorer (KB153790)], Microsoft.
# [http://support.microsoft.com/kb/843018 Images are blocked when you open an e-mail message in Outlook Express on a Windows XP Service Pack 2-based computer (KB843018)], Microsoft.
# [http://www.nod32.ch/en/download/tools.php http://www.nod32.ch/en/download/tools.php], unofficial WMF patch by Paolo Monti distributed by ESET.
# [http://blogs.securiteam.com/index.php/archives/210 http://blogs.securiteam.com/index.php/archives/210], unofficial Windows 98SE patch by Tom Walsh.

External links
* [http://www.grc.com/wmf/wmf.htm GRC's M.I.C.E.] - Metafile Image Code Execution
* [http://www.microsoft.com/athome/security/update/bulletins/200601_WMF.mspx Microsoft Security Bulletin for novice Home Users]
* [http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx Microsoft Security Bulletin MS08-021]
* [http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx Microsoft Security Bulletin MS06-001]
* [http://isc.sans.org/diary.php?storyid=994 WMF FAQ] - SANS Institute Internet Storm Center
* [http://www.washingtonpost.com/wp-dyn/content/article/2005/12/29/AR2005122901456.html Windows Security Flaw Is 'Severe'] - Washington Post
* [http://secunia.com/advisories/18255/ Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution] - Secunia advisory
* [http://www.node707.com/archives/006520.shtml Summary of status as of 1 January]
* [http://blogs.technet.com/msrc/archive/2006/01/13/417431.aspx Looking at the WMF issue, how did it get there?] - Microsoft Security Response Center Blog
* [http://isc.sans.org/diary.php?storyid=992 New exploit released for the WMF vulnerability] - SANS Institute Internet Storm Center
* [http://www.f-secure.com/weblog/archives/archive-122005.html#00000753 Be careful with WMF files] - F-Secure
* [http://isc.sans.org/diary.php?storyid=981 Lotus Notes Vulnerable to WMF 0-Day Exploit] - SANS Institute Internet Storm Center
* [http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html Vulnerability Checker] - Ilfak Guilfanov
* [http://www.metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile Example exploit] - Metasploit Project
* Microsoft Developer Network pages for [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_0d6b.asp Escape] and [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/prntspol_0883.asp SetAbortProc]
* [http://www.sysinternals.com/blog/2006/01/inside-wmf-backdoor.html Mark Russinovich's Technical Commentary on the Backdoor Controversy]
Wikimedia Foundation. 2010.