Monday, January 2, 2006

WMF bug (bad design)

An exploit has been released onto the web to take advantage of Windows Meta Format (wmf) files. Microsoft awhile back decided to allow executable code in their image files, so crackers are exploiting it by installing trojans inside wmf files. This problem is bad in a few different ways. First, it doesn't require user intervention to get hit by this. Using IE to view an malicious file will automatically execute the code. If you have Google Desktop installed and simply download the malicious file it will also execute automatically when Google indexes the file. Even Firefox can potentially be affected by this if it automatically execute the file type, but fortunate it defaults to prompting users first before it executes. Still, this is a very bad design on Microsoft's part and they don't have a patch for it. However, there is a temporary work around which is to disable the Windows Picture and Fax Viewer.

Here is the Microsoft security advisory.

The work around is to:

Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
...
After a security update has been released and deployed, you can undo this change and re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll�? (without the quotation marks).



This doesn't eliminate the problem since opening up a bad file with MS Paint will execute the malicious code but this would help somewhat against getting hit by a trojan accidentally as an user surfs the web.

F-secure has a good blog with updates on the situation.

Update: Microsoft released their patch here.

No comments:

Post a Comment