The View from Landmark

Trends and issues in personal computing from Bud Stolker, a long-time PC consultant. The View from Landmark features tips and techniques to make time spent with your computer more productive and rewarding, commentary on new personal computer policies and trends, plain-English explanations of new hardware, software, and network designs and their relevance to you, and answers to common questions. There may be personal material interspersed if Bud believes it is of general interest.

Wednesday, January 04, 2006

Windows Meta File vulnerability explained

Can you explain in simple terms the nature of this "vulnerability"?

Likewise, what does the "patch" do?

WMF files are native to Windows. They contain vector graphics -- all straight lines. Curves are simulated by connecting a series of points with many short straight lines. Such files can be enlarged or reduced with little or no loss of quality. Typically these graphics files are used to exchange graphics information between Microsoft Windows applications.

A part of Windows called the "WMF graphics rendering engine" has a flaw that lets a maliciously formatted WMF file launch various kinds of evil exploits when a user views it. Any application that automatically displays a WMF image will cause the user's machine to get infected. This includes older versions of Firefox, current versions of Opera, Outlook, and all current versions of Internet Explorer on all versions of Windows.

Because WMF files are ubiquitous on the Internet, you can get an infection from almost anywhere. A Web site that displays even one WMF file can get you. So can an email, if you're using a preview window. These image files can be modified very easily to download any malware or virus. Different Web sites download different kinds of spyware -- even worms are possible. (Worms differ somewhat from viruses in that they are proactive -- you might say "alive" -- and can bypass standard virus protection filters.)

I saw one such infection last week in a print shop. While the boss was out, the pressman browsed "just one" pornographic Web site for "the first time in my life". His computer caught an evil piece of spyware. It called itself "Spy Sheriff" and offered to remove itself for a fee. It blew right past Microsoft Windows AntiSpyware (which I highly recommend) and passed unnoticed through an Ad-Aware scan. (Ad-Aware is a usually excellent free spyware removal program.) In this case Spybot - Search and Destroy -- another excellent freebie -- caught it, but that's not true of some of the malware that the WMF vulnerability enables.

Typically it's the naive user who gets burned with unwanted garbage on his/her computer. But the WMF vulnerability spreads the wealth around, so that even sophisticated users can get burned.

Note that the biggest problems will be found in Windows XP and 2000.

Installing the interim patch prevents the computer from displaying certain WMF elements. One of the unfortunate side effects is that with the patch installed, you can no longer see thumbnails of photos stored in an XP folder. Current thinking is that we can live with that until January 10, when Microsoft claims it will have its official patch available for download.
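If you want to see what "certain WMF elements" means in practice, here is an added example of my own (not code from the original post, from Microsoft, or from any of the vendors named): a small Python scanner that walks the record stream of a WMF file and reports any "escape" records, the record type through which this flaw is triggered and the one the patches refuse to render. The sample file it checks is constructed inline and contains only a harmless comment escape.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function code for an Escape record
META_EOF = 0x0000           # last record in every WMF file
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" header


def parse_wmf_records(data: bytes):
    """Return a list of (function_code, escape_subcode_or_None), one per record."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    # Standard header: type, header size (in 16-bit words), version, file size, ...
    hdr_type, hdr_size = struct.unpack_from("<HH", data, off)
    if hdr_type not in (1, 2) or hdr_size != 9:
        raise ValueError("not a WMF header")
    off += hdr_size * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError("malformed record size")  # refuse truncated/oversized records
        esc = None
        if func == META_ESCAPE:                      # first parameter is the escape sub-code
            esc = struct.unpack_from("<H", data, off + 6)[0]
        records.append((func, esc))
        if func == META_EOF:
            break
        off += size_words * 2
    return records


def escape_records(data: bytes):
    """Escape sub-codes present in the file; a non-empty list is worth a closer look."""
    return [esc for func, esc in parse_wmf_records(data) if func == META_ESCAPE]


def build_sample_wmf() -> bytes:
    """Constructed sample (not a real file): SETMAPMODE, a benign MFCOMMENT escape, EOF."""
    recs = b"".join([
        struct.pack("<IHH", 4, 0x0103, 1),                       # META_SETMAPMODE, MM_TEXT
        struct.pack("<IHHH", 7, META_ESCAPE, 15, 4) + b"test",   # escape 15 = MFCOMMENT
        struct.pack("<IH", 3, META_EOF),
    ])
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(recs)) // 2, 0, 7, 0)
    return hdr + recs


if __name__ == "__main__":
    print("escape records found:", escape_records(build_sample_wmf()))
```

Run it against any .wmf you are unsure about by passing the file's bytes to escape_records(); a legitimate clip-art file almost never needs escape records at all.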

The following material is excerpted from a blog post at
http://www.f-secure.com/weblog/archives/archive-122005.html#00000753:

Researchers at Sunbelt Software have discovered more sites that are carrying malicious WMF files. One, the domain "beehappyy.biz", is supposedly owned by a former president of the Soviet Union, according to the WHOIS domain registry database:

Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU

"Krasnaya ploshad" is the Red Square in Moscow.

You can get burned even while working in a DOS box! Simply using the WGET command-line tool to download a malicious WMF file is enough for the file to execute.

The Google Desktop program creates an index of the metadata of all images, which is enough to invoke the exploit and infect the machine. This all happens in real time, as Google Desktop contains a file system filter and will index new files as they arrive.

So . . . be careful out there!