Thread: WMF exploit can infect XP SP2 machines (0-day virus)

  1. #1
    Ex-MSFT Paul Adams

    WMF exploit can infect XP SP2 machines (0-day virus)

    Microsoft Security Advisory

    F-Secure's weblog has some details of a "0-day" exploit involving the handling of WMF (Windows metafiles) files that can allow remote code execution on fully-patched Windows XP SP2 machines.

    There have been a handful of detected variants of this type of exploit already; I would recommend NOT visiting the sites mentioned on F-Secure "out of curiosity", and bear in mind that it is typical for XXX, warez, cracks & serials sites to be teeming with viruses, trojans, malicious JavaScript and a host of remote-code-execution-attempting code.

    I think so far it looks like this has been used to drop spyware on machines, but it could be used to deploy viruses, trojans or rootkits.

    Don't be logged in as an administrator when using your machine.
    Don't go browsing "those kinds of sites".
    Keep your eyes peeled for a patch (I'll update as I get more information).


    Edit:
    Updated to add MS advisory
    Last edited by Paul Adams; 29-12-2005 at 06:01 PM.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  2. #2
    XA04
    They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
    (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded.
    Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
    when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps.
    Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
    Isn't it IE that just uses that?

  3. #3
    Senile Member
    This page lists Mozilla as being affected.

    http://www.kb.cert.org/vuls/id/181038

    It's Windows itself that is vulnerable, I guess.

  4. #4
    Senior Member
    Note, too, that US-CERT (http://www.kb.cert.org/vuls/id/181038) says the following:

    Remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer may prevent exploitation via some attack vectors.
    Trouble is, the site also says:

    Please be aware we have confirmed that filtering based just on the WMF or EMF file extensions or MIME type application/x-msMetafile will not block all known attack vectors for this vulnerability. Filter mechanisms should be looking for any file that Microsoft Windows recognizes as a Windows Metafile by virtue of its file header.
    Bob
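A header-based check of the kind US-CERT describes, added here as an illustration (it is not code from this thread, from US-CERT or from Microsoft): it recognises a Windows Metafile from its bytes alone, via the placeable-WMF key and checksum, the standard METAHEADER fields, or the EMF signature, and contrasts that with matching on the extension or the application/x-msMetafile MIME type. The sample metafile is constructed inline; the function and variable names are my own.

```python
import struct
from functools import reduce
from operator import xor
from typing import Dict, Optional

APM_KEY = 0x9AC6CDD7        # Aldus Placeable Metafile key at offset 0 (little-endian)
EMF_SIGNATURE = b" EMF"     # ENHMETAHEADER dSignature at offset 40

def _is_standard_wmf_header(hdr: bytes) -> bool:
    """18-byte METAHEADER: type 1 (memory) or 2 (disk), 9 header words,
    version 0x0100 or 0x0300; anything else is not a WMF as Windows reads it."""
    if len(hdr) < 18:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", hdr, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)

def classify_metafile(data: bytes) -> Optional[str]:
    """Return 'placeable-wmf', 'wmf', 'emf' or None, judging by the header bytes only."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == APM_KEY:
        # Placeable header: the checksum word at offset 20 is the XOR of the ten
        # words before it, and the standard METAHEADER follows at offset 22.
        computed = reduce(xor, struct.unpack_from("<10H", data, 0))
        stored = struct.unpack_from("<H", data, 20)[0]
        if computed == stored and _is_standard_wmf_header(data[22:40]):
            return "placeable-wmf"
        return None
    if _is_standard_wmf_header(data[:18]):
        return "wmf"
    if len(data) >= 44 and struct.unpack_from("<I", data, 0)[0] == 1 and data[40:44] == EMF_SIGNATURE:
        return "emf"
    return None

def filter_verdicts(filename: str, content_type: str, data: bytes) -> Dict[str, bool]:
    """The two strategies US-CERT contrasts: name/MIME matching versus header sniffing."""
    by_name = filename.lower().endswith((".wmf", ".emf")) or content_type.lower() == "application/x-msmetafile"
    return {"by_extension_or_mime": by_name, "by_header": classify_metafile(data) is not None}

def build_sample_wmf() -> bytes:
    """Constructed minimal placeable WMF for the demo (not a real-world file):
    placeable header + METAHEADER + a single META_EOF record."""
    eof_record = struct.pack("<IH", 3, 0x0000)                          # 3 words, function META_EOF
    meta_header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0)    # disk metafile, 12 words long
    apm = struct.pack("<IHhhhhHI", APM_KEY, 0, 0, 0, 100, 100, 96, 0)   # bbox 0,0,100,100 at 96 dpi
    return apm + struct.pack("<H", reduce(xor, struct.unpack("<10H", apm))) + meta_header + eof_record

if __name__ == "__main__":
    # A metafile served as "holiday.jpg" with a JPEG MIME type slips past name-based filtering.
    print(filter_verdicts("holiday.jpg", "image/jpeg", build_sample_wmf()))
```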

  5. #5
    divinemadness
    I had one of these try and download last night whilst 'perusing' Google Images.

  6. #6
    XA04
    So if by default you told Windows to open all image files with Photoshop for example - it would be less of a risk?

  7. #7
    Tobeman
    x64 machines at risk?

  8. #8
    Ex-MSFT Paul Adams
    Not sure what else (if anything) uses Windows metafile data, so using another graphics product might not make any difference.
    Probably best to unregister that DLL for now.

    Unsure if XP x64 is affected, I don't have my 64-bit machine here to test it inside a virtual machine unfortunately.
    AFAIK there aren't any 64-bit rootkits so that's one less risk (maybe keyloggers too), but WOW64 means that the other types of autorunning crap and desktop/search/homepage altering junk would still be a risk.

    Seriously, not running as an administrator is one of the best ways to avoid most of these kinds of issues (that don't involve escalation of privileges through a hole).
    You can still easily use "Run As" to launch a specific app (or installer) to perform admin tasks when you need, but the risk associated with running a console session as Administrator is way too high.

  9. #9
    Ex-MSFT Paul Adams
    Last edited by Paul Adams; 29-12-2005 at 06:01 PM.