
Windows metafile security holes

Posted By: D-A-L | Date Added: 19-01-2006 03:01 PM | Views: 803


By Glenn Hefley


There has been a great deal of talk in the recent news about the security holes exploited in the Windows WMF (metafile) format. Multiple types of security problems have been uncovered, and more seem to pop up every day. So just what is this file type, why so many holes, and is there a real answer?


To the last the answer is 'so far, not really', but let's start with the first. The Windows Metafile is a graphics file format for images and pictures. It was originally designed in the early 1990s, but after GIF and JPEG came out, WMF took a back seat and wasn't used by many programs except certain CAD programs. One of the major benefits of this format was the ability to store vector as well as raster graphics in the same file. Essentially, a WMF file stores a list of function calls (programmatic instructions) issued to the Windows graphics layer (GDI) in order to reproduce the image. That is a very cool idea, since it keeps file sizes down; however, it is exactly the security problem the format now faces.



In December of 2005 the problem was made known to the security community, and on the 26th and 27th the first reports came in regarding affected computers. Microsoft moved fast to get a fix out for the vulnerability and posted the first on Jan 5, 06, but only for recent versions of Windows. Windows 98 (including SE) and ME do not have an update, as Microsoft did not deem the vulnerability critical on those versions.



What does this vulnerability do? According to assessments by F-Secure, the vulnerability is an inherent defect in the design of WMF files: the underlying architecture of such files is from a previous era and includes features which allow actual code to be executed whenever a WMF file is opened. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. However, with the ability to execute "any code" whenever the file is viewed, a malicious WMF file can do anything it wants to on your computer, even if your user privileges would not normally permit it. That last part is as bad as it gets. Many past vulnerabilities could execute (run) malicious programs, but most of the time what those programs could do on your computer was limited by what you could do on the computer.



Computers can be infected via e-mails carrying a malicious WMF file as an attachment. Infection may also result from viewing a website using the IE browser on a computer running Windows. If the website has a malicious WMF file on the page, the system is going to run it, and you will probably have no real clue what has happened until it is too late. Of course, you don't have to be on a web page for this to happen. Opening a malicious WMF file using Windows Explorer or Outlook (including Outlook Express) can execute the file as well, again with no warning or outward sign that anything other than a picture being viewed has occurred.



If the file is on your system and Google Desktop indexes it, this will cause the file to execute as well. So will clicking on a link in MSN instant messenger that leads to a WMF file.



Other methods may also be used to propagate infection. Because the problem is within the operating system, using a different browser such as Firefox or Opera does not provide complete protection: users will commonly be prompted to download and view the file, upon which infection occurs. Files may also be downloaded automatically, which opens the possibility of infection through disk indexing or accidental previewing.



According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrose backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.



So, what can we do here? Last I heard, a few more vulnerabilities were discovered in this file format. The first thing to do is keep up with any fixes Microsoft releases for this problem. You can find those fixes on this page: Microsoft Security Bulletin MS06-001



There is also a workaround which was published by Microsoft in December. Microsoft advised Windows users to unregister the dynamic-link library shimgvw.dll, which provides previewing of image files and is the component exploited by most of these attacks; this can be done by running the command regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt. The DLL can be re-registered once the flaw is fixed by running regsvr32.exe shimgvw.dll.



Microsoft says its patch removes the flawed functionality in gdi32 that allowed the WMF vulnerability. For computers running a version of Windows that Microsoft has not patched, a defence in depth approach is recommended to mitigate the risk of infection. Various sources have recommended mitigations that include:




  • Enable hardware-enforced Data Execution Prevention for all applications.

  • Set the default application for WMF files to something innocuous such as Notepad.

  • Do not use Internet Explorer, or at least turn off downloads by setting the default security level to High.

  • Keep all anti-virus software up to date; consider frequent manual updates.

  • Block all WMF files at your network perimeter by file header filtering.

  • Use user accounts configured with as few rights as necessary.

  • Disable image loading in Internet Explorer and all other browsers.

  • Disable image loading in Outlook Express.

  • Disable hyperlinks in MSN Messenger.

  • Disable the Microsoft Indexing Service on Windows 2000, Windows XP and Windows Server 2003.

  • Disable Google Desktop indexing until the problem is corrected.

  • Use a different operating system such as Linux or Mac OS X, especially for high-risk activities such as instant messaging or browsing online forums which permit avatars or IMG tags.





According to this SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer may offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening a maliciously crafted Windows Metafile and does not protect against the vulnerability being exploited, as these browsers still open the metafile if it is masquerading as another format (i.e. it carries a .jpg or .gif extension instead of .wmf). It is better to entirely disable image loading in the browser you choose to use.
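The perimeter advice above (block WMF files by file header, not by name) and the warning that a metafile can masquerade under a .jpg or .gif extension both come down to the same check: identify the format from its bytes. The following Python is an added example, not code from the article or from Microsoft; the header constants and record layout are taken from the published WMF format (the placeable-header key and the standard 18-byte header), the escape record it flags is the print-abort callback the article refers to, and the sample files are constructed inline.

```python
import struct

# Constants from the published WMF format (not from the article).
PLACEABLE_KEY = 0x9AC6CDD7   # key that opens the 22-byte "placeable" (Aldus) header
META_ESCAPE = 0x0626         # record type: escape into a printer-driver function
SETABORTPROC = 0x0009        # escape sub-function: install a print-abort callback
META_EOF = 0x0000            # record type that ends the metafile

def is_wmf(data: bytes) -> bool:
    """Identify a metafile by its leading bytes, ignoring the file name."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        # Standard header: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0
        return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)
    return False

def has_abortproc_escape(data: bytes) -> bool:
    """Walk the record list and report whether a SetAbortProc escape record is present."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18  # skip the standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:  # malformed record or end of file
            return False
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                return True
        off += size_words * 2  # record size is given in 16-bit words
    return False

def inspect(filename: str, data: bytes) -> dict:
    """Perimeter-style verdict: is it a WMF, is the extension lying, does it carry the risky escape?"""
    wmf = is_wmf(data)
    return {
        "is_wmf": wmf,
        "extension_mismatch": wmf and not filename.lower().endswith(".wmf"),
        "abortproc_escape": wmf and has_abortproc_escape(data),
    }

# Constructed samples: a minimal disk WMF carrying a SetAbortProc escape, and a GIF stub.
SAMPLE_WMF = (struct.pack("<HHHIHIH", 2, 9, 0x0300, 17, 0, 5, 0)
              + struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
              + struct.pack("<IH", 3, META_EOF))
SAMPLE_GIF = b"GIF89a" + bytes(16)

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_WMF), ("avatar.gif", SAMPLE_GIF)):
        print(name, inspect(name, blob))
```

A real gateway filter would apply the same check to every image regardless of its declared type, since the renaming trick defeats extension-based rules entirely.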



Keep up to date on this one.





This article may not be copied or distributed in part or in full from this site and is copyright D24 Media Limited.
