MS Confirms WMF Flaw, Variants Spread

By Ed Oswald, BetaNews

December 29, 2005, 3:35 PM

Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile (WMF) images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared.

One security company said the possibilities were endless on how the flaw could be exploited. "This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers," said Luis Corrons of Panda Software.

Attempting to allay fears, Microsoft said there was no way for an attacker to force a user to visit a malicious Web site. However, Sunbelt vice president of Research and Development Eric Sites said attackers could easily get around that limitation.

"For example, take the latest craze of posting spam in blog talkbacks," Sites said. "How would you like to be reading your favorite blog, click the talkback link and get infected so badly your only option is to reinstall your operating system."

While most trackback spam is obvious in Web logs, spammers have gotten craftier in recent months in getting users to click links.

According to Panda Software, the following Web sites are being used to exploit the vulnerability: toolbarbiz.biz, toolbarsite.biz, toolbartraff.biz, toolbarurl.biz, buytoolbar.biz, buytraff.biz, iframebiz.biz, iframecash.biz, iframesite.biz, iframetraff.biz and iframeurl.biz.

The company estimates the share of computers infected through the flaw at 1.48 percent.

Microsoft in its advisory was vague as to how it planned to deal with the issue. "[The fix] will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company wrote.

The company cautioned users against opening e-mail or clicking links in e-mail from untrusted sources as a way to avoid infection.
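The article does not say what inside a WMF file triggers the flaw. The exploits circulating at the time carried a META_ESCAPE record (function 0x0626) whose escape sub-function was SETABORTPROC (9); when the metafile is rendered, GDI treats the record's data as an abort callback and calls it. The scanner below is an added example, not code from the article or from any of the vendors it quotes. The record layout and the two function codes are taken from the WMF file format and the Windows GDI headers; the sample metafiles are constructed here, and the "payload" in the malicious sample is a run of X bytes, not code. It walks the record chain, flags the escape/sub-function pair, and, if a size field has been broken so that the walk cannot be trusted, falls back to a raw byte search that can false-positive on pixel data and so should be read as a triage signal.

```python
"""Flag the META_ESCAPE/SETABORTPROC record in a Windows Metafile.

Record layout and the two function codes come from the WMF file format
and the Windows GDI headers (wingdi.h). All sample metafiles at the
bottom are constructed for this example; none is a real capture, and the
"payload" is a run of X bytes, not code.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
METAHEADER_LEN = 18          # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function that installs an abort callback
RECORD_HDR_WORDS = 3         # DWORD size (in 16-bit words) + WORD function


def parse_records(data):
    """Yield (offset, size_words, function, params) for each record.

    Raises ValueError when the header or a record size is malformed, so a
    file that does not walk cleanly can be treated as suspicious rather
    than silently skipped or misaligned.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_LEN
    if len(data) < off + METAHEADER_LEN:
        raise ValueError("truncated metafile header")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header: type=%d headersize=%d" % (mtype, hdr_words))
    off += METAHEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < RECORD_HDR_WORDS:
            # Declared size smaller than the record header itself: the
            # stride is untrustworthy, so stop instead of looping.
            raise ValueError("record at offset %d has size %d words" % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        yield off, size_words, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def scan_wmf(data):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    try:
        for off, size_words, func, params in parse_records(data):
            if func == META_ESCAPE and len(params) >= 2:
                if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                    findings.append("SETABORTPROC escape record at offset %d (%d words)"
                                    % (off, size_words))
    except ValueError as err:
        findings.append("malformed: %s" % err)
        # Fallback for files whose size fields were broken on purpose: look
        # for the function/sub-function pair as raw bytes (26 06 09 00).
        # This can match inside pixel data, so treat it as a triage signal.
        pattern = struct.pack("<HH", META_ESCAPE, SETABORTPROC)
        idx = data.find(pattern)
        while idx != -1:
            findings.append("raw META_ESCAPE/SETABORTPROC bytes at offset %d" % idx)
            idx = data.find(pattern, idx + 1)
    return findings


# --- constructed samples -------------------------------------------------
META_SETPIXEL = 0x041F


def wmf_record(func, params=b""):
    return struct.pack("<IH", RECORD_HDR_WORDS + len(params) // 2, func) + params


def wmf_file(records):
    # Type=1 (in-memory), HeaderSize=9 words, Version=0x300, Size in words,
    # NumObjects, MaxRecord, NumMembers (the last three are not checked here).
    total_words = (METAHEADER_LEN + len(records)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, 0, 0) + records


def placeable(data):
    # Key, HWmf, bounding box (4), Inch, Reserved, Checksum; 22 bytes in all.
    return struct.pack("<IHHHHHHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + data


BENIGN_WMF = wmf_file(wmf_record(META_SETPIXEL, struct.pack("<IHH", 0x0000FF, 1, 1))
                      + wmf_record(META_EOF))
_ESC = struct.pack("<HH", SETABORTPROC, 16) + b"X" * 16   # stand-in for the callback bytes
MALICIOUS_WMF = wmf_file(wmf_record(META_ESCAPE, _ESC) + wmf_record(META_EOF))
# Same record, but with its size field set to 1 word to trip up a record walker.
BROKEN_WMF = wmf_file(struct.pack("<IH", 1, META_ESCAPE) + _ESC + wmf_record(META_EOF))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF),
                       ("broken-size", BROKEN_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

Run it on a directory of downloaded images before opening them; a file that is really a WMF with a changed extension is still parsed by Windows, so check content, not the name.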

Jupiter Research senior analyst Joe Wilcox says that the problem is happening at an unfortunate time for Microsoft.

"It's a holiday week, where the company might not be running full staff," he said. "Additionally, the last week of the year tends to be a slow high-tech news period, so the WMF security vulnerability is getting lots of attention."


By Black-Wolf

edited Jan 4, 2006 - 12:53 PM

Well, every person has flaws too, right?

That's why we also try to patch ourselves.

Score: 0

By Aegis69

posted Jan 4, 2006 - 11:18 AM

More proof that SP2 doesn't do a thing to protect consumers, as was HEAVILY advertised. It was a PR patch to avoid class action lawsuits.

Microsoft is NOT a software company (unless you consider buying all your software from other companies 'software development'), they are strictly a marketing company, and reasonably good at that one thing.

Score: 0

By Banquo

posted Dec 31, 2005 - 12:33 PM

Is there an easy way to block all .biz sites? Like with the hosts file or something?

Score: 0

By morriscox

posted Jan 4, 2006 - 12:40 PM

What??? Not all .biz sites are bad. I'm making one myself that reviews sites based on how well they're made. Web standards, usability, whether or not they install spyware, etc. Why not also filter out .com sites too? After all, the vast majority of porn sites use .com, you know.

Score: 0

By yamaneko

posted Jan 2, 2006 - 1:21 AM

Proxomitron can easily block .biz, .ru and so on (with URL killfile).

Score: 0

By joeshmoe7

posted Jan 1, 2006 - 11:34 AM

http://www.privoxy.org/

Score: 0

By fewt

posted Dec 31, 2005 - 12:35 PM

You could probably do it with a local proxy.

Score: 0
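On the question of blocking .biz through the hosts file: the hosts file matches whole hostnames only, with no wildcard, so a TLD cannot be expressed there (that is a job for a local proxy or a DNS filter, as the replies say). What it can do is sinkhole the specific domains Panda listed in the article. The script below is an added example, not from the article or from any commenter; the domain list is the one quoted in the article, while the sinkhole address, the www. variants and the sample URLs are assumptions made here. The matching function deliberately shows the limitation: a different subdomain of a listed name is not blocked.

```python
"""Sinkhole the exploit domains from the article via the Windows hosts file.

The domain list is the one Panda gave the article; the sinkhole address,
the www. variants and the sample URLs are assumptions made for this example.
"""
from urllib.parse import urlsplit

EXPLOIT_DOMAINS = [
    "toolbarbiz.biz", "toolbarsite.biz", "toolbartraff.biz", "toolbarurl.biz",
    "buytoolbar.biz", "buytraff.biz", "iframebiz.biz", "iframecash.biz",
    "iframesite.biz", "iframetraff.biz", "iframeurl.biz",
]
SINKHOLE = "127.0.0.1"   # loopback; 0.0.0.0 is the other common choice


def hosts_entries(domains, sinkhole=SINKHOLE):
    """One hosts line per domain and per www. form, in input order, no duplicates."""
    names = []
    for dom in domains:
        dom = dom.strip().lower().rstrip(".")
        for name in (dom, "www." + dom):
            if name not in names:
                names.append(name)
    return ["%s %s" % (sinkhole, name) for name in names]


def parse_hosts(lines):
    """Hostnames a hosts file overrides; text after '#' and blank lines are ignored."""
    blocked = set()
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        blocked.update(part.lower() for part in body.split()[1:])
    return blocked


def is_blocked(url, blocked):
    """True only on an exact hostname match: hosts has no wildcards, so a
    child of a listed name (cdn.buytraff.biz) is still reachable."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host in blocked


if __name__ == "__main__":
    entries = hosts_entries(EXPLOIT_DOMAINS)
    print("\n".join(entries))
    table = parse_hosts(entries)
    for test_url in ("http://iframecash.biz/x.wmf", "http://cdn.buytraff.biz/x.wmf"):
        print(test_url, "blocked" if is_blocked(test_url, table) else "NOT blocked")
```

Append the generated lines to %SystemRoot%\system32\drivers\etc\hosts; the entries only help while the attackers keep using these names, so treat them as a stopgap next to a patch or the DLL workaround discussed further down.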

By passerby

edited Dec 30, 2005 - 8:13 PM

More here

http://www.updatexp.com/wmf-exploit.html

Score: 0

By bourgeoisdude

edited Dec 30, 2005 - 2:12 PM

Heh, a new vulnerability... nope, this .dll has been around since Windows 3.1. I wouldn't call it NEW.

By the way, Windows x64 does not support WMF formats at all since it has no native support for 16 bit processes. Finally all this old stuff that's been hanging around since Windows 3.1 will go away.

Score: 0

By GoodThings2Life

posted Jan 1, 2006 - 10:53 PM

What!? Upgrade to NEW technology? Blasphemy!

Score: 0

By surfbum4fun

posted Dec 30, 2005 - 6:27 AM

this is why I use Linux and Solaris 10. enjoy your windows

Score: 0

By cowgaR

edited Dec 30, 2005 - 12:33 PM

I DO enjoy my Windows, because I KNOW how to use them properly!

When you use Windows as a restricted user, i.e. the standard way since NT times, and you use a non-IE browser (personally I use Firefox) and you have DEP turned on (default for all programs on 2003), you should not be afraid. Add to it a firewall, antivirus, etc.

It is a problem and a security issue, but for companies that let their users use computers as admins, do not teach them to use other browsers and do not care about antivirus or security at all!

Score: 0

By fewt

edited Dec 31, 2005 - 11:46 AM

Windows is not so bad, especially once you've loaded it with lots of free software and locked it down. My only complaints with it today are spyware, and viruses which can't be blamed on Microsoft. Sure there are bugs here and there, but they are addressing them much better today than they did 3 years ago.

Score: 0

By Adrian79

posted Dec 29, 2005 - 10:26 PM

A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

Score: 0

By mjm01010101

posted Dec 30, 2005 - 12:18 PM

Be careful of this hack. Some people are reporting inability to load JPGs at all, even on alternative viewers as registered. Also, on my system, it appears to have messed with 7-zip's ability to extract jpg images through right clicking. Not a big deal, a logoff/logon fixed it.

Score: 0

By GoodThings2Life

edited Jan 1, 2006 - 10:59 PM

If you're going to post, post accurate details, please. Deregistration does not cause the issue you describe. That type of issue is caused if the file formats were never properly registered to another application.

http://www.eweek.com/art...2/0,1895,1907131,00.asp

More details can be found there including some relatively minor caveats with the current workaround.

Score: 0

By Karitku

edited Jan 1, 2006 - 5:36 AM

True, but it's easily undone. Just write
regsvr32 /i shimgvw.dll to install it back.

Score: 0

By athome

posted Dec 30, 2005 - 7:17 AM

Thanks for the tip Adrian79. I really don't get a chance to read all articles and it is very helpful when I come across these. Another one of the reasons I like BN.

Score: 0

By asellus

posted Dec 30, 2005 - 4:45 AM

If you have a CPU with NoExecute features, like the latest AMD/Intel CPUs, you can also be protected from this bug by enabling Data Execution Prevention for all programs. No need to unregister shimgvw.dll

Score: 0

By jacec

posted Dec 30, 2005 - 11:49 AM

Also if you only have software DEP, from Microsoft's advisory:

"I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation."

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.

http://www.microsoft.com...ty/advisory/912840.mspx

Score: 0
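Whether the advisory text quoted above applies to a given machine comes down to which /noexecute policy it boots with. On XP SP2 that is a switch in boot.ini: OptIn (the default, covering core Windows binaries only), OptOut (everything except listed exceptions, which is what "Turn on DEP for all programs" in the System control panel writes), AlwaysOn or AlwaysOff. The script below is an added example, not part of the advisory or of anyone's post in this thread; it reads that policy per boot entry from a copy of boot.ini, so the check can be run across many machines from collected files, and the boot.ini text in it is constructed. Hardware-enforced DEP additionally needs an NX-capable CPU with the feature enabled, which a boot.ini check cannot see.

```python
"""Report the DEP (/noexecute) policy of each boot entry in an XP SP2 boot.ini.

Switch names and meanings are from Microsoft's XP SP2 documentation; the
boot.ini text at the bottom is constructed for this example.
"""
import re

POLICIES = {
    "optin": "core Windows binaries and services only (SP2 default)",
    "optout": "all programs except listed exceptions ('Turn on DEP for all programs')",
    "alwayson": "all programs, no exceptions",
    "alwaysoff": "DEP off",
}
COVERS_ALL_PROGRAMS = ("optout", "alwayson")

# ARC path = "description" [switches]
_ENTRY = re.compile(r'^[^=]+=\s*"(?P<desc>[^"]*)"(?P<switches>.*)$')
_NOEXEC = re.compile(r"/noexecute=(\S+)", re.IGNORECASE)


def dep_policies(boot_ini_text):
    """Map each [operating systems] description to its /noexecute value (lowercase).

    An entry with no switch gets 'optin', the SP2 default. Unknown values are
    returned as written so a typo does not masquerade as coverage.
    """
    policies = {}
    in_os_section = False
    for raw in boot_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section:
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        sw = _NOEXEC.search(m.group("switches"))
        policies[m.group("desc")] = sw.group(1).lower() if sw else "optin"
    return policies


def covers_all_programs(policy):
    return policy.lower() in COVERS_ALL_PROGRAMS


def describe(policy):
    return POLICIES.get(policy.lower(), "unrecognized value %r" % policy)


# Constructed sample: three entries, one per common situation.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="XP hardened" /fastdetect /noexecute=OptOut
multi(0)disk(0)rdisk(0)partition(3)\\WINDOWS="XP no switch" /fastdetect
"""

if __name__ == "__main__":
    for desc, pol in dep_policies(SAMPLE_BOOT_INI).items():
        flag = "ALL PROGRAMS" if covers_all_programs(pol) else "not all programs"
        print("%-36s %-9s %s: %s" % (desc, pol, flag, describe(pol)))
```

The entry marked as default in [boot loader] is the one that matters for a machine that boots unattended; the script reports every entry so a dual-boot box with one hardened and one default entry is not mistaken for fully covered.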

By gawd21

edited Dec 29, 2005 - 10:58 PM

You mean like was stated here: http://www.grc.com/sn/notes-020.htm

EDIT: Didn't see the post below.

Score: 0

By alphasurfer

posted Dec 29, 2005 - 10:02 PM

I came across this that may be useful... Not sure!

http://www.grc.com/sn/notes-020.htm

Score: 0

By robmanic44

posted Dec 29, 2005 - 7:17 PM

When are we going to go back and create an OS from scratch? Windows is a minefield, Linux is a bad joke, and I don't think BSD or Solaris are going to provide the answer.
I spent a lot of my career training people how to use this garbage. I've run everything from BeOS 5 to Solaris 10 and they all have serious problems. Maybe we should go back to DOS 8bit and see if we can get it right. I'm seriously thinking of formatting all my drives and taking up embroidery.

Score: 0

By Kamika007z

posted Jan 2, 2006 - 11:34 AM

Everything has its flaws, you need to understand that by now :)

Nothing is ever perfect. Programming languages are created by us, humans, and we are flawed beings, therefore how are we going to produce something that is 100% perfect?

Score: 0

By GoodThings2Life

edited Jan 1, 2006 - 11:02 PM

When users decide compatibility and learning curves no longer matter. Also, if and when a company with a lot of money and guts decides to take on Microsoft, Apple, and Open Source.

Score: 0

By bourgeoisdude

posted Dec 29, 2005 - 8:44 PM

"When are we going to go back and create an OS from scratch?"

One word: Compatibility.

Score: 0

By PC_Tool

posted Dec 30, 2005 - 8:44 AM

Bah....if Apple can do it...

Score: 0

By mjm01010101

posted Dec 30, 2005 - 12:19 PM

By scratch you mean using the very old OS BSD?

Score: 0

By PC_Tool

posted Dec 30, 2005 - 3:22 PM

I was joking, but yeah, I guess that'd be the one. ;)

Score: 0

By cowgaR

posted Dec 30, 2005 - 12:36 PM

We have a nice OS written from scratch by AWESOME coders, i.e. hard-programming veteran experts from MS.

It's called Singularity and is written in C# and some other similar language, i.e. in languages that are the MOST progressive and powerful or innovative today. It is just in an early alpha research state, and is not expected to be very Windows NT compatible.

Score: 0

By bourgeoisdude

posted Dec 30, 2005 - 2:08 PM

"...is written in C#..."

That's all I had to see to know never to even try it (kidding)

Score: 0

By barcrest

posted Dec 31, 2005 - 11:49 AM

Why not use ASM?

Score: 0

By No Beer For You

posted Dec 29, 2005 - 5:17 PM

Great.

Maybe now people will understand why I don't trust MS to secure my computer.

MS are totally useless. I bet they won't even act on this for at least a few months.
By which time a lot of their customers will have their computers destroyed by spyware and viruses...

Score: 0

By badriram

edited Dec 29, 2005 - 7:00 PM

Sure, MS can help... All you have to do is turn on DEP for all programs. And you are protected and dont have to worry.

Score: 0

By GoodThings2Life

edited Dec 29, 2005 - 5:24 PM

Why would this flaw... something that requires deliberate user action and easily blocked by proxies and filters, somehow be worse than a worm? Why would one new flaw like this change people's opinions if they've had their preference for years?

Score: 0

By athome

edited Dec 30, 2005 - 7:32 AM

This is also not the fault of MS. How long has there been WMF? This is not a flaw in any way, but truly an incident that has been exploited. Why is it an issue with WMF and not in the webpage code and how it is handled. Blame is always pushed quickly to MS and not where they should be. If blog sites would prevent 'talkback' for a brief period while a fix is developed, I would see an effort of collaboration in fixing the problem, but everyone seems to stop and point fingers to MS.

Maybe I am too naive or don't fully understand the root of the problem here, but I don't see how MS could have foreseen this problem. Therefore, if they weren't deliberate in knowing this could be exploited and hid it from the rest, the problem is not really a reason to hate MS in any way as 'No Beer For You' suggests. Purely, it is his way of validating his use of Linux products (which by the way have been shown to have problems in the past few months).

The issue, as I am sure you will agree, is how quickly MS will respond. Not only do they have to do their own research on the problem to define the extent of the problem, but then develop a fix as quickly as possible. Enter the Holiday season and they are even further criticized.

It is bad for them as well as us, but I am sure there are people working on this problem as we speak. I really dislike the MS hater comments in that they believe they are better protected with the use of LINUX. Time and time again, they have been shown that no one or any piece of software is secure, and it is not the fault of MS when it is exploited. The threats of Windows XP from 2001 are totally different than those of 2005. Get a grip and comment on what really matters.

Score: 0

By GoodThings2Life

posted Jan 1, 2006 - 11:18 PM

It is true that WMF has been around for years and never before recent years been a major concern. It is equally true, however, that WMF should never have been capable of execute privileges. I also recognize that attackers are determined to take advantage of any exploit they can.

I admit that Linux has its flaws, and that often- not always- those flaws are minor by comparison, however, I still believe that its ease of use (or rather lack thereof) with common users contradicts any benefit of security that it currently offers. In time, I believe that will change just as it has with Microsoft from version to version of Windows.

Ultimately, however, I have and will always place responsibility on administrators and users to protect themselves rather than depend on a single company or solution. Security comes only through education and effort.

Score: 0

By No Beer For You

edited Dec 31, 2005 - 2:16 AM

Maybe if you actually took the time to read my comment you'd see the phrase "I bet they won't even act on this for at least a few months."

I'm not a linux user. I use MS products.
I have no other problem with MS apart from the fact they like to sit on exploits for a good few months without acting.
As far as "no piece of software is secure" goes, that's true.
However MS are targeted more often than the smaller companies, meaning any MS exploit is likely to be spread quicker and used more often.
This exploit is already "out there".
MS needs to act quicker than their usual few months response times.

By the way MS asskissers like you really annoy me. Damn retard.

Score: 0

By fewt

posted Dec 30, 2005 - 8:42 AM

"which by the way has shown to have problems in the past few months"

What problems?

Score: 0

By athome

edited Dec 30, 2005 - 9:55 AM

you must be in denial, because there were a few exploits even mentioned right here in BN. And if you are telling me that Linux has never had the need to be updated in the past few months, there is no reason to even respond to your comments. You obviously just like to attack.

http://www.betanews.com/...ox_for_Linux/1127316878

http://www.betanews.com/...sers_at_Risk/1127927698

http://www.betanews.com/...inux_Attacks/1118708809

Score: 0

By fewt

posted Dec 30, 2005 - 10:06 AM

Hmm

Firefox problem, Realplayer problem, and "potential" problem prevention.

How about something substantial now.

Score: 0

By mjm01010101

edited Dec 30, 2005 - 2:13 PM

http://secunia.com/product/2719/

look through 2.5 and 2.4 if you'd like. I'd say on average there are 4-6 linux kernel vulns a month. We're not even talking individual dists, software, etc.

I love linux, but it's not the security solution that everyone thinks. On the bright side, many of those vulns can be patched with the kernel up and running and little to no downtime. Also, linux is more modular than windows and therefore there are always workarounds in these situations.

Score: 0

By fewt

posted Dec 30, 2005 - 4:07 PM

This is absolutely true. Fortunately it's not all that bad.

http://secunia.com/graph...eriod=all&prod=2719

Score: 0

By GoodThings2Life

posted Jan 1, 2006 - 11:37 PM

fewt, as much as that graph may show evidence to the contrary, how many Linux users do you suspect run as root more often than not? Because those who do are likely to experience those issues in greater number if they do not update.

Even so, I admit that generally, only tech savvy users run Linux. This helps immensely. The difficulties presently experienced in learning Linux prevent average users from using it in a meaningful way. As that fact changes, and I know it will, I expect those figures in your graph to change.

Score: 0

By fewt

edited Jan 2, 2006 - 8:32 AM

Hopefully not many run as root. Newer distributions like Ubuntu don't even set a root password by default increasing security. You are absolutely correct that tech savvy users running Linux does help immensely. Linux can be very difficult to get off the ground.

Score: 0

By athome

edited Dec 30, 2005 - 10:42 AM

Come on, log on to Linux.com and do the math yourself. You are taking my point to the depths of idiocy, and I will not follow you. I am sure you know of them, but are playing dumb. Let's forego these tactics. Just as there are many versions of Linux that have varying degrees of vulnerabilities, so does Windows. Concede the point and move on! The mindless argument that you wish to take upon in this forum will end with this comment from me. You may argue with yourself if need be.

Whether the vulnerability is from another company/program or not, MS is accused in many cases and often the one left to fix it. Both systems were designed for a purpose and have done so, well. It is only sad to see people put down the company for the misdoings of people who have too much time on their hands and are in need of a lobotomy.

Score: 0

By wincement

edited Dec 30, 2005 - 10:47 PM

Wow. I actually agree with you on this athome.

Well said.

Score: 0

By fewt

posted Dec 30, 2005 - 4:06 PM

There isn't anything to concede, you made a comment that you obviously can't back up.

Score: 0

By bourgeoisdude

posted Dec 30, 2005 - 5:47 PM

Speak for yourself...

Score: 0

By fewt

edited Dec 30, 2005 - 7:25 PM

Excuse me?

I didn't post a comment declaring:

"which by the way has shown to have problems in the past few months"

Which you'll note he has since edited out.

You are just angry because I expect y'all to substantiate your hateful comments and not a single one of you has been able to do so.

I'm still waiting for you to substantiate every single one of yours, where are those posts at bubba?

Score: 0

By bourgeoisdude

edited Dec 31, 2005 - 10:33 AM

If you are unwilling to be proven wrong there is nothing I can say or show that would change your mind. I'm sure you'll disagree with me--you may think you can change your mind, but fact is you are so sure of yourself nothing I say or point out will. That's why I'm outa here. He did backup his point and you made a point that his claims were not "substantial". How do you back that up...nevermind you don't have to answer that--I probably wouldn't read it anyway.

Score: 0

By GoodThings2Life

posted Jan 1, 2006 - 11:28 PM

I, too, am unwilling to admit error when it is not proven or known that I am in error. That is because I take time to verify my facts before opening my mouth, or typing my posts as the case may be.

Many here do not share such competence in their posts. Some here post only based on emotion and uninformed opinion.

Score: 0

By fewt

edited Dec 31, 2005 - 11:52 AM

How do I back that up? Well if his claims were against Linux and he provided evidence to support the claim then they would have been validated, however they were made against applications that run on Linux which did not validate his claim at all.

I'll gladly admit being wrong if one of you can actually prove it but you can't so you have to make wild claims just like you've done elsewhere.

You continue to attack me without being able to provide any evidence what so ever to support anything that you've said.

You are outa here because you have nothing. You never have and likely never will.

Lets look at some of the facts about Bourgeoisdude, found this while researching why you don't like me. It really cleared things up and brought things into perspective. Yes I do research, and lots of it. I tend to do it as I am responding to comments so I can respond with an informed opinion.

"15. I'm still living at home with my parents ..
..
3. I have never been on a date, mostly because of my big mouth; I have a horrible case of OMIF (Open Mouth, Insert Foot)." -Bourgeoisdude

That right there says a lot, doesn't it? I'll gladly substantiate it with a link but I don't think you'll want me to do that.

Lets go back in time.

"We're sorry, but this profile cannot be displayed.

This profile page is hidden because the community has blocked this user. "

Sure wish Betanews had a block button.

Now, I'm asking you to stop attacking me. I suggest that you take it into consideration.

Score: 0

By GoodThings2Life

posted Jan 1, 2006 - 11:24 PM

"Sure wish Betanews had a block button."

But fewt, if we had a block option we wouldn't have anyone to laugh at when they post ignorant remarks. :)

Score: 0

By fewt

posted Jan 2, 2006 - 7:59 AM

True that!

Score: 0

By bourgeoisdude

edited Dec 29, 2005 - 5:16 PM

This is not good timing by any account. Little staff, lots of problems. This is NOT IE related, but is definitely a Microsoft problem. I almost feel sorry for them--they had a relatively good year and even some MS bashers have acknowledged that Microsoft is trying harder as of late to get their act together as far as security is concerned. This will destroy the MS "success stories" and end the year on a bad note for MS. 2005: the year MS tried to revamp their security, but failed in the end.

"...toolbarbiz.biz, toolbarsite.biz, toolbartraff.biz,
toolbarurl.biz, buytoolbar.biz, buytraff.biz, iframebiz.biz, iframecash.biz, iframesite.biz, iframetraff.biz and iframeurl.biz."

I just found it interesting that only .biz domains seem to have the exploit so far.

Score: 0

By GoodThings2Life

posted Dec 29, 2005 - 5:28 PM

"I just found it interesting that only .biz domains seem to have the exploit so far."
Exactly.

Furthermore, other than clipart , I don't recall any valid use of WMF files.

Anyway, as I understand it, leave or raise Internet Zone security to High, and don't d*** on links that look retarded.

*moves on*

Score: 0

By fewt

posted Dec 30, 2005 - 4:09 PM

I think I used WMF once in 1994. (haha)

Score: 0

By giwo

posted Dec 29, 2005 - 5:09 PM

"It's a holiday week, where the company might not be running full staff,"

Well I would hate for this extremely critical flaw to hamper the MS company ski trip.

Score: 0

By GoodThings2Life

posted Dec 29, 2005 - 5:30 PM

No one would really know... the same is true of most businesses this time of year.

Score: 0

By mjm01010101

posted Dec 29, 2005 - 4:50 PM

"The company estimates the amount of computers infected by the flaw at 1.48 percent."

Give us some context here guys.

Score: 0

By Kramy

posted Dec 29, 2005 - 5:06 PM

Computers connected to the internet that have visited a site?

Score: 0

By pjlasl

posted Dec 29, 2005 - 4:40 PM

"[The fix] will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,"

Very vague... I guess when nobody can even update their machines that is where the 'depending on customer's needs' will come in

Score: 0

By Sarg

edited Dec 31, 2005 - 11:55 AM

There's an unofficial patch for XP-SP2 available by following the link from http://www.f-secure.com/weblog/

Score: 0

By Aristo216

edited Jan 1, 2006 - 5:48 PM

I honestly don't think that's too vague. They're being honest. They'll put it in the next monthly update if it's ready. OR if we as consumers need it before then we will probably get it... If the number given is close to accurate, we probably won't need it for a longer period of time.

I feel it's more an understanding of the web and how things work that gets us snared into these little pitfalls. I know from experience that I don't go to certain sites if I want my computer to continue to work the way I want it to. This is OS independent advice.

Score: 0