Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE
Author Topic: Big security hole in .WMF file format
Bobby Henderson
"Ask me about Trajan."

Posts: 10973
From: Lawton, OK, USA
Registered: Apr 2001


posted 12-30-2005 11:54 AM
Apparently some really big security hole has been uncovered in the Windows Metafile format, a graphics format able to hold both vector-based and bitmap-based artwork.

Microsoft products like Word and Publisher are the main movers of images in this file format, although professional level graphics programs like Adobe Illustrator and CorelDRAW can open and export in .WMF as well. Lots of other applications can index and preview .WMF files, including Internet Explorer, Outlook Express and Google Desktop.

Simply previewing the image can launch malicious code deliberately hidden within a .WMF file. Some applications apparently bring up a dialog box asking the user to hit OK to allow the malware to install. In the case of Internet Explorer and Outlook Express, the malware is immediately installed with no dialog box displayed.

Professional level graphics file management programs like Adobe Bridge can preview and index .WMF images as well. I'm trying to get some word from Adobe's tech support on how vulnerable Bridge is to allowing malware to install.

This exploit apparently works on fully patched Windows systems. In addition to working on XP Home and XP Pro, it also can affect variants of Windows2003 Server Edition.

The problem allowing this exploit: when Microsoft created the .WMF format they wrote in the capability for the file to make a "callback" to the system. I guess that's for file indexing purposes or some other technical stuff like that. But that feature is also the hole malware writers are exploiting with glee. More than 50 adware and spyware variants have been spotted. Viruses may be soon to follow.

E-Week calls the .WMF hole a "zero day exploit," meaning it is about as bad as any alert can get. One opinion writer on the site said the .WMF format is now officially ruined.

Most computer users are only going to get hit by this bug from viewing malicious web pages or clicking on links that take them to harmful web pages.

People who deal with graphics files on a constant basis (such as me) can be vulnerable. I handle lots of customer submitted art files all the time. Very often customers have the .WMF format as their only vector-based option for sending logos from applications like MS Publisher. I can just see some virus writer being able to make a worm that infects every .WMF on a user's system. Then when I get their logo to use on a sign my system could potentially get infected.

I've already banned .ZIP files from being used for customer submitted artwork. Now it looks like I have to refuse any .WMF files that come my way as well.
[Mad]

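The "callback" capability mentioned above is the WMF escape record that carries a SETABORTPROC request, which originally let a metafile register a function to be called when a print job is aborted. A shop that takes customer art files can screen incoming files for that record before anything previews them. The scanner below is an added example, not code from the thread or from Microsoft; the record layout and constants are taken from the [MS-WMF] file format specification, and the sample files it builds are constructed test vectors, not real customer artwork. It identifies WMF data by its header rather than by file extension, because the viewing components render by content, so a renamed file is still a WMF. A hit means "has the dangerous record, quarantine and inspect", not proof of malice; a clean result means only that this one record type is absent.

```python
import struct
import sys

# Constants from the [MS-WMF] specification (assumed correct here).
META_EOF = 0x0000
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7
STD_HEADER_LEN = 18        # standard metafile header, bytes
PLACEABLE_HEADER_LEN = 22  # optional Aldus placeable header, bytes


def wmf_record_offset(data: bytes):
    """Locate the first record by content, never by file extension.
    Returns the byte offset of the first record, or None if not a WMF."""
    off = 0
    if len(data) >= PLACEABLE_HEADER_LEN and \
            struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    if len(data) < off + STD_HEADER_LEN:
        return None
    mf_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # type 1 = memory metafile, 2 = disk metafile; header is always 9 words
    if mf_type not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off + STD_HEADER_LEN


def scan_wmf(data: bytes):
    """Walk the record list. Returns a list of (offset, reason) findings,
    or None when the data is not a WMF at all."""
    off = wmf_record_offset(data)
    if off is None:
        return None
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # a record is at least Size (2 words) + Function (1 word)
            findings.append((off, "record size below minimum"))
            break
        if func == META_EOF:
            return findings
        if func == META_ESCAPE and off + 8 <= len(data):
            esc_fn = struct.unpack_from("<H", data, off + 6)[0]
            if esc_fn == ESC_SETABORTPROC:
                findings.append((off, "META_ESCAPE with SETABORTPROC callback"))
        off += size_words * 2
    findings.append((off, "no META_EOF before end of data"))
    return findings


def verdict(data: bytes) -> str:
    """Intake decision for one file: not-wmf, clean, or suspicious."""
    findings = scan_wmf(data)
    if findings is None:
        return "not-wmf"
    return "suspicious" if findings else "clean"


def build_sample_wmf(with_abortproc: bool) -> bytes:
    """Constructed test vector: one harmless SETWINDOWEXT record, optionally
    a SETABORTPROC escape record with an empty data block, then EOF."""
    records = [struct.pack("<IHhh", 5, META_SETWINDOWEXT, 100, 100)]
    if with_abortproc:
        records.append(struct.pack("<IHHH", 5, META_ESCAPE, ESC_SETABORTPROC, 0))
    records.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(records)
    total_words = (STD_HEADER_LEN + len(body)) // 2
    # type=2 (disk), header=9 words, version 3.0, size, 0 objects, max record 5 words
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, 5, 0)
    return header + body


if __name__ == "__main__":
    # Usage: python wmf_screen.py file1 file2 ...  (screens files by content)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {verdict(fh.read())}")
```

Run it over the intake folder before opening or indexing anything in it; an application that only previews thumbnails is exactly the path the thread describes, so the screen has to happen before any viewer or desktop indexer touches the file.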

David Stambaugh
Film God

Posts: 4021
From: Eugene, Oregon
Registered: Jan 2002


posted 12-30-2005 02:01 PM
quote: Bobby Henderson
This exploit apparently works on fully patched Windows systems.

Can you post a link to a source for that info? Was that statement made prior to Microsoft releasing an update (in November) that fixes the problem? Security Bulletin MS05-053


Bobby Henderson
"Ask me about Trajan."

Posts: 10973
From: Lawton, OK, USA
Registered: Apr 2001


posted 12-30-2005 02:08 PM
Yep, a link probably would have helped:

Critical Impact: Windows Metafile Flaw a 'Zero-Day Exploit'

Article lead in:
quote:
Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of sites distributing the exploit code.


David Stambaugh
Film God

Posts: 4021
From: Eugene, Oregon
Registered: Jan 2002


posted 12-30-2005 07:05 PM
More info at the links. Seems that this is still playing out and there's no 100% fix yet. However, it looks like enabling DEP (Data Execution Prevention) in XP, for all programs (especially the hardware variety of DEP; see links) and unregistering a dll file (regsvr32 /u shimgvw.dll) are effective in the short term, although the latter will break Windows Picture & Fax Viewer.

http://www.microsoft.com/technet/security/advisory/912840.mspx

http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385

http://www.eweek.com/article2/0,1895,1906177,00.asp

http://blogs.zdnet.com/Ou/?p=143

http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx




All times are Central (GMT -6:00)  

© 1999-2020 Film-Tech Cinema Systems, LLC. All rights reserved.