And Just One More Thing

Mainly computer and world related comments and postings.

Monday, January 02, 2006

What's with the .wmf vulnerability this time?

This is going to be big, folks!!!

I mean, here is a vulnerability we've known about, and along comes a sideswiping release of proof-of-concept code during, no less, the New Year's celebration weekend. What gives? I don't really understand the thought process that goes through the minds of some people. Why do we all have to have our holiday weekends ruined by something like this? Maybe it's that old mantra, "No rest for the wicked"?

So folks, if you aren't aware, please take the time to learn about this issue. Right now there is no Microsoft patch available and we're all essentially sitting ducks unless you happen to be using an operating system that isn't vulnerable (i.e. any OS that Microsoft hasn't released).

Essentially the problem with this vulnerability is this: you load a compromised .wmf file on your system (and it doesn't have to have a .wmf extension; it could also be a .gif, .jpg, .jpeg or a myriad of other extensions) and you're going to be toast. Okay, maybe that's a bit harsh, but to understand it better, read the F-Secure weblog for more information. And since the file extension doesn't matter at this point, it's essentially destroying any hope of using an antivirus signature to help thwart it, i.e. no McAfee or Norton to help us out this time.

"Just trust us" is what's coming out of the Internet Storm Center (http://isc.sans.org). Personally, I have applied the patch and unregistered the offending .dll on my test system and I've seen, so far, that it's still okay. Unfortunately the people behind the operating system running most of the world's PCs are conspicuously quiet at this point. Granted, their last official word was from December 30th, but that isn't adequate at this point. I shudder to think what is going to happen tomorrow morning when offices start opening back up after the long weekend and holiday festivities. I for one will be crossing my fingers all this week.

My instructions are as follows:
Open up cmd.exe and execute the following line without the quotes:
"regsvr32 -u %windir%\system32\shimgvw.dll"
(To re-register the .dll later, run the same command without the "-u".)

And then, after you have done that, run this patch:
wmfhotfix.dll

What does the patch do and how does it work? (Pulled from isc.sans.org)
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
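The same escape code the hotfix ignores in memory can be looked for in files on disk before they are ever opened. As an added example (not from this post, the ISC write-up or the hotfix itself), here is a small Python scanner that walks a WMF file's record list and flags any META_ESCAPE record whose escape code is SETABORTPROC (0x09), along with record sizes the parser cannot trust; the layout constants follow the WMF format, and the sample files at the bottom are constructed fixtures with no code bytes in them.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # record function that reaches gdi32 Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009       # the escape code the in-memory hotfix ignores

def scan_wmf(data):
    """Walk the WMF record list and return (offset, kind, detail) findings.

    kind is "setabortproc" for a META_ESCAPE record carrying escape 0x09,
    or "malformed" for structure the parser cannot trust."""
    findings, off = [], 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22                                     # skip the placeable header
    if len(data) < off + 18:
        return [(0, "malformed", "truncated metafile header")]
    if struct.unpack_from("<H", data, off + 2)[0] != 9:   # HeaderSize, in words
        return [(off, "malformed", "bad metafile header size")]
    off += 18
    while off + 6 <= len(data):                      # size (DWORD) + function (WORD)
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                           # cannot even hold its own header
            findings.append((off, "malformed", "record size %d words" % size_words))
            break
        if func == META_ESCAPE:
            if off + 8 > len(data):
                findings.append((off, "malformed", "truncated escape record"))
                break
            esc = struct.unpack_from("<H", data, off + 6)[0]
            if esc == SETABORTPROC:
                findings.append((off, "setabortproc", "escape 0x%04x" % esc))
        if func == META_EOF:
            break
        off += size_words * 2
    return findings

def _record(func, payload=b""):
    """Constructed test helper: one WMF record (size in words, function, payload)."""
    body = struct.pack("<H", func) + payload
    return struct.pack("<I", (4 + len(body)) // 2) + body

# Constructed fixtures: an 18-byte metafile header, then records, then EOF.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
SAMPLE_CLEAN = HEADER + _record(META_ESCAPE, struct.pack("<HH", 0x0020, 0)) + _record(META_EOF)
# Escape record with code 0x09 and four zero bytes: exercises the check, carries no code.
SAMPLE_FLAGGED = HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + bytes(4)) + _record(META_EOF)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("flagged", SAMPLE_FLAGGED)):
        print(name, scan_wmf(blob))
```

Point it at a directory of image attachments or a proxy cache and anything that returns a "setabortproc" finding deserves a look, whatever its extension says.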

This is an untested patch (other than the bulk of the security community that has tested and verified the patch) so use at your own risk, however, right now it's safer to apply this patch and unregister the .dll than to sit and wait for your PC and network to become infected.

I hope that this ends up being a small blip in the overall scheme of security issues for 2006, but I'm a bit more afraid that this could be the worst security issue this year if not this decade. Time will tell.

The more people that communicate this issue the better. Help spread the word.

Jimmy
