Windows Metafile Crib Sheet

[ page last updated: Jan. 06, 2006. ]

[ update: Microsoft has finally released its security update for the WMF vulnerability. To apply the patch, simply visit the Windows Update web site, scan for updates automatically and install. ] Thanks Fuzzie for bringing this to my attention.

The purpose of this article is to clearly lay out all the information i could find on the recent Windows exploit, namely the WMF (Windows Metafile) vulnerability. Instead of adding to the current state of panic, my hope is that this post will help to clear up some of the apparent contradictions surrounding this issue and serve as a kind of reference in the decision-making process (i.e. overall severity and what actions to take).

I’ll begin with a brief overview of the current state of affairs:

A Windows Metafile (WMF) – is a 16-bit metafile format that all versions of Windows can use to display a picture, similar to a .jpeg, .gif or bitmap.

A Metafile – is simply a list of commands that are executed in order to draw a graphic. Normally, these commands style objects such as lines, polygons and text. In this case, the WMF is being used to trigger potentially malicious code (e.g. trojans).
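Because a WMF is just a sequence of records, a scanner of the kind mentioned later in this post has to walk those records one by one. The following Python is an added example written for this page (it is not code from the original post or from any vendor): it parses the standard 18-byte WMF header (skipping the optional 22-byte "placeable" header if present), steps through the records, and flags an Escape record whose sub-function is SETABORTPROC, the record type that the published analyses of this vulnerability identified as the trigger. The record and escape constants are the documented WMF values; the two sample files at the bottom are constructed here for illustration, and the "suspicious" one carries only a zero-filled escape payload. A malformed record size is also reported, since a benign drawing tool would never emit one.

```python
"""Walk the records of a Windows Metafile and flag the Escape/SETABORTPROC
record.  Added example for this page; not code from the original post."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 9               # Escape sub-function flagged by scanners


def parse_wmf(data: bytes):
    """Return (records, findings).

    records:  list of (offset, record_function, size_in_bytes)
    findings: human-readable descriptions of suspicious records
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    # Type, HeaderSize (words), Version, Size (words), NumObjects, MaxRecord, NumMembers
    _ftype, hdr_words, _version, _size, _nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHIHIH", data, off)
    if hdr_words != 9:
        raise ValueError("unexpected WMF header size: %d words" % hdr_words)
    off += 18

    records, findings = [], []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        # Every record is at least the 6-byte record header; a smaller or
        # overrunning size is malformed and worth reporting on its own.
        if size_bytes < 6 or off + size_bytes > len(data):
            findings.append("record at %d: bad size %d words" % (off, size_words))
            break
        records.append((off, func, size_bytes))
        if func == META_ESCAPE and size_bytes >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                findings.append("record at %d: Escape/SETABORTPROC with %d data bytes"
                                % (off, byte_count))
        if func == META_EOF:
            break
        off += size_bytes
    return records, findings


def is_suspicious(data: bytes) -> bool:
    """True when the walker reports any finding for the file."""
    return bool(parse_wmf(data)[1])


# ---- constructed sample files (not real exploit data) ----------------------
def record(func: int, params: bytes) -> bytes:
    """Encode one record: RecordSize (words), RecordFunction, parameters."""
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(recs) -> bytes:
    """Prepend a standard (non-placeable) WMF header to the given records."""
    body = b"".join(recs)
    max_words = max(len(r) // 2 for r in recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    record(META_EOF, b""),
])

# Same drawing plus an Escape/SETABORTPROC record with a zero-filled payload.
SUSPECT_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
    record(META_EOF, b""),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        recs, finds = parse_wmf(blob)
        print(name, len(recs), "records;", finds or "no findings")
```

The walker stops at the first META_EOF or malformed record, which is also where a renderer would stop, so it does not scan bytes the viewer would never reach. Running it over a directory of images is a matter of calling `is_suspicious()` on each file's bytes.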

For more background on Windows Metafile you can read the Wikipedia definition here.

i was also planning on quickly going over the events that have unfolded in reaction to the news about the widespread potential of this type of exploit. However, it turns out that Wikipedia, once again, has done this job for me (and probably better than i could have done). If you’re late on the scene for this whole thing, i recommend you spend a few minutes reviewing that page as well.

Still, here’s a short list of the key points related to the most recent Windows Metafile Vulnerability:

  • First reports of affected computers: December 28, 2005. [more info here and here]
  • List of Vulnerable Systems: All versions of Windows. [ see full list here ]
  • How it spreads: via email attachments [ although Microsoft is now saying otherwise ] or even just loading a website with WMF graphics. Read more here.

There seems to be some uncertainty surrounding the list of vulnerable systems. Some sources believe that older systems like Win95/98 and even WinME/2K cannot easily be exploited in this manner. Read here, here and here for more info.

Protection against this exploit -

  • The Workaround according to Microsoft: unregistering the DLL [ type: "regsvr32.exe /u shimgvw.dll" in the command prompt ]
  • The Unofficial Patch: by Ilfak Guilfanov, version 1.4, can be found here.
  • The Unofficial Patch: based on the fix by Ilfak Guilfanov, can be found here. [ .msi installer, version 1.4 ]
  • The Unofficial Patch: developed by ESET, version 1.1, can be found here. [ updated: Jan. 05, 2006. ( source: eWEEK.com ) ]

The best description of what these fixes actually do to your system can be found here [.pdf format]

Additional Notes -

  • This is not an actual virus outbreak [it is an exploit, meaning that simply leaving your PC online but unpatched does not guarantee that you will be attacked; a malicious WMF file still has to reach your machine, by email or through a web page].
  • Some people have reported minor “issues” related to installing this patch, such as printing problems.
  • A pre-release version of the Microsoft patch leaked onto the internet this morning and is said to have been tested on WinXP/2k3 systems, but every link i’ve found was broken or had the file taken offline. For those interested, the file was named WindowsXP-KB912919-x86-ENU.exe and i’m sure it will surface again sooner or later.
  • McAfee has added WMF exploit detection to its latest DAT file, which can detect exploits created by this tool.
  • ESET claims its NOD32 anti-virus stops hackers from using all 206/206 tested WMF vulnerability exploits. They offer a 30-day trial version of their software which would protect you from this exploit “without having to take any special actions”, according to ESET (presumably until Microsoft releases an official fix). [ updated: Jan. 05, 2006. ]

That’s all i could find at this time. Hope it helps in some way.

Comments 24

  1. Fuzzie wrote:

    http://www.microsoft.com/athome/security/update/bulletins/200601_WMF.mspx
    Looks like there is a patch available now….

    Linux is looking so much better every day!

    Posted 06 Jan 2006 at 9:22 am
  2. admin wrote:

    Thanks Fuzzy,

    i’ll add the link to the body of the post so everyone can find it.

    Posted 06 Jan 2006 at 1:04 pm
  3. Ward Durossette wrote:

    After installing the patch and rebooting, my machine locks up tighter than a drum on the “Loading XP” black background startup screen. I have reverted to my Last Known Good Configuration to keep working.

    Posted 06 Jan 2006 at 4:23 pm
  4. admin wrote:

    Ward,

    which patch did you install?

    - Microsoft Official Update
    - Ilfak Guilfanov version1.4
    - SANS .msi installer
    - ESET version1.1

    Posted 06 Jan 2006 at 5:33 pm
  5. Eric wrote:

    I installed the patch and it caused a kernel panic after booting into Windows, it seems the patch installs a system service. This service actually appears to do some type of scan since the I/O activity of it is somewhat high, for me it caused a kernel panic every single reboot and caused an infinite loop that I could only resolve by uninstalling the patch. I was infected with this exploit which BitDefender 9 found on a scan, it is possible that the patch does not operate correctly. Windows update just downloaded it again, I’m going to run it again and see what happens. Perhaps I got an early version and there has been a silent revision. Wishful thinking I guess!!

    Posted 06 Jan 2006 at 8:23 pm
  6. admin wrote:

    Eric,

    i’m going to assume you’re referring to the patch issued by Microsoft.

    i’d be interested to know how the second trial run goes. though i’m not sure why your machine was infected.. if you got the patch direct from Windows Update.

    Posted 06 Jan 2006 at 9:02 pm
  7. babaganoosh wrote:

    I have yet to find someone that can give me a straight answer on this:

    Most non-techies haven’t gone through the genuine software validation. But let’s assume they have SP2 and automatic updates are turned on… what are they missing by not doing the validation and manually updating?

    Everyone says to go to WU and get this patch. If non-techs don’t read this blog and elsewhere, but again, have SP2 and automatic updates, would they get the patch tonight or tomorrow night? and what else from the express list of updates would they be missing by not manually updating / walking through the validation?

    I would think if they are missing anything, MSFT should be really promoting the validation and telling people they HAVE to do it to keep their machine safe? Thanks!

    Posted 07 Jan 2006 at 8:34 am
  8. admin wrote:

    hi baba,

    sounds to me like you’ve cut right to the heart of the matter here..

    security is about more than getting that zero-day patch that everyone’s talking about and applying it before the sky falls on your head.

    the fact of the matter is (and i have seen this personally on dozens of windows machines):

    1. tons of people have auto updates “on” but set to download and not install. (great, but they never click install)
    2. i have seen machines with “download and install” set but at a crazy time like 3am (the machine is turned off and thus updates are never applied)
    3. without validating windows xp you’re not getting any updates. nothing.
    4. even after validating, if you don’t manually go to WU Site and download the New Version of the Windows Update Client, you’re not getting any updates past a certain point (the old client doesn’t find new updates).

    so, to make a long story short (or offer a straight answer):

    -the people in your scenario will not be getting any updates from microsoft not tonight or tomorrow or ever.

    and

    -yes, you’d think that microsoft would promote the importance of validating windows xp a little more (at least as an aspect of ensuring greater overall security) but then again, they also tried to keep the WMF thing as low profile as possible by holding off a few days for testing before releasing a patch to the public.

    at the very least, Microsoft needs to smooth out the whole update process. it’s just screwy, broken, and way too complicated. maybe they need to give everyone a lesson on how to “manually” use their “automatic” updates and all the quirks that surround it.. [ apply sarcastic patch here ]

    Posted 07 Jan 2006 at 1:04 pm
  9. babaganoosh wrote:

    wow : (

    Posted 07 Jan 2006 at 2:56 pm
  10. babaganoosh wrote:

    I just looked at a Win XP SP2 machine that hadn’t been validated. It had a folder from this AM in windows which talked of the 912919 patch. I validated it and did express updates. It said there were none. looking in the update history, I see the most recent patch that was installed was 912919 – so yeah, they may download but not install, and the PC may not be on at night. but when those issues are handled correctly, a machine that hasn’t been validated seems to do OK with patches?

    Posted 07 Jan 2006 at 10:49 pm
  11. admin wrote:

    not sure if i’m following you on that last one..

    are we talking about automatic updates or manually applying patches?

    Posted 08 Jan 2006 at 12:56 am
  12. babaganoosh wrote:

    on a machine that wasn’t validated and did have auto updates turned on and this machine stays on all the time, when I manually validated and then did a windows update, a) there were no patches it wanted to apply, and b) there was a $ntuninstall912929 folder from earlier in the day in the windows directory (meaning it had applied the latest patch and (all?) others before that one?! all before being validated? So under the right conditions, auto update does work without being validated first?

    Posted 08 Jan 2006 at 12:38 pm
  13. admin wrote:

    well, then..

    i guess there is no consistency across this type of issue either. my experience (and this would make sense from microsoft’s perspective) has generally been, no validation = no updates (after a certain point).

    the only other things i can think of are:

    - maybe windows update is messed up on your system and reporting no updates when there are still updates (i’ve seen this before, a bug in some old update causes inaccurate reading of new updates resulting in always seeming up to date. the only solution i could think of at the time was to confirm each update was applied by comparing in “add/remove programs” and the non-express windows update page)

    - different builds of windows xp, and xp service pack 2 itself, seem to have different criteria for receiving updates (some machines with sp2 installed still required 20+ updates while others need only 2-3 updates)

    - for some systems (although i’ve only seen this with xp sp1 and earlier versions of windows) if you don’t manually go to the WU homepage and install Windows Update v6 (the new windows update agent/client) you’ll get “no new updates to install” every time.

    that being said, patches and updates can be manually downloaded and installed without validating and maybe certain security patches (ie: WMF) do still get installed via WU. just not always. feel safe yet?

    Posted 08 Jan 2006 at 3:53 pm