Windows WMF Vulnerability
Wednesday, January 04, 2006 (12:45:02)

Posted by Tessil

A serious new remotely exploitable vulnerability has been discovered in Microsoft Windows' image processing code.

UNTIL THE PATCH IS APPLIED, ANY ATTEMPT TO DISPLAY A MALICIOUS IMAGE IN WINDOWS COULD INSTALL MALICIOUS SOFTWARE INTO THE COMPUTER.

This exploit can be triggered by a malicious Windows Metafile (WMF) image, regardless of the image's file extension (e.g. .gif, .jpg, .png, etc.), in any program that renders it (e.g. Firefox, Opera, MSN Messenger, IrfanView, MS Office, previewing the image in Windows, indexing by Google Desktop - everything is affected).
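Because the trigger is the WMF content rather than the file extension, triage has to look at the bytes, not the name. The following is an added example (not code from the original post) that flags WMF headers hiding behind other image extensions; the header constants are taken from the WMF file format as I know it, and the sample files are constructed, not real malware.

```python
import os
import struct

# WMF signatures (from the WMF format, stated here as an assumption):
# - A placeable (Aldus) header starts with the 32-bit key 0x9AC6CDD7 (little-endian).
# - A standard METAHEADER starts with Type (1 = memory, 2 = disk),
#   HeaderSize (always 9 WORDs) and Version (0x0100 or 0x0300).
PLACEABLE_KEY = 0x9AC6CDD7
STANDARD_TYPES = {1, 2}
STANDARD_VERSIONS = {0x0100, 0x0300}


def looks_like_wmf(data: bytes) -> bool:
    """Return True if the bytes begin with a WMF header, whatever the file is called."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 6:
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        return mtype in STANDARD_TYPES and hsize == 9 and version in STANDARD_VERSIONS
    return False


def classify(name: str, data: bytes) -> str:
    """Triage verdict: 'wmf-disguised' when WMF content sits behind a non-.wmf name."""
    ext = os.path.splitext(name.lower())[1]
    if not looks_like_wmf(data):
        return "other"
    return "wmf" if ext == ".wmf" else "wmf-disguised"


# Constructed sample inputs: two WMF headers renamed as .jpg/.gif, a PNG, and a real .wmf name.
SAMPLES = {
    "holiday.jpg": struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18,
    "photo.gif": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "chart.wmf": struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12,
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; in practice the bytes would come from the files on disk or in mail."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name}: {verdict}")
```

The same check works on mail attachments and proxy downloads, which is where a renamed WMF is most likely to arrive.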

All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable, and a large and rapidly growing number of malicious exploits (57 at last count) are already circulating in the wild. They are being actively used to install malware and Trojans on users' machines. Viruses and worms are expected to appear shortly.

Although NOT a complete solution, Microsoft has recommended temporarily disabling the automatic display of some images by the operating system and web browser. This can be done, as detailed below, by "unregistering" the "SHIMGVW.DLL" Windows DLL. THIS IS NOT A COMPLETE SOLUTION, but it significantly lowers the risk from this vulnerability while web surfing.

Steve Gibson has provided additional details and a fix on his security blog at www.grc.com/sn/notes-020.htm. Note that Ilfak Guilfanov's WMF patch has been superseded by the release of the official Microsoft patch via Windows Update on January 5th (ahead of the scheduled date of January 10th).

There is a Microsoft Security Advisory, Slashdot Article, and an article on Google News discussing the vulnerability.

UPDATE: Currently no patch is available for Windows 95, 98, and ME; however, GRC has committed to providing a solution for those users should Microsoft fail to provide one. Users of those operating systems should check Steve Gibson's blog at the link provided above.

UPDATE2: Two new Metafile bugs have been found, just a week after the patching of the previous critical WMF issues. These bugs are not addressed by MS06-001. Microsoft currently classes the new problems as "performance issues", stating that they do not allow an attacker to run code or crash the operating system (but may cause the application rendering the WMF to crash).

Content received from: The Clenched Fist, http://www.theclenchedfist.com