#1
vixendrop (MAJOR LCF POSTER!) | Join Date: Jun 2003 | Location: Pueblo, CO | Posts: 2,570
Windows vulnerability in graphics rendering engine

The Microsoft Security Advisory is here.

This is apparently a very serious problem. Several forums I go to have already disabled all graphics on the site until an official patch for the exploit is found. Any images a user places in a post could potentially be an exploit file. I'm suggesting that until an official patch is found, all images be turned off on the forums and site. It's a PITA, but better than exposing everyone to a very potentially hazardous exploit.
#2
vixendrop (MAJOR LCF POSTER!) | Join Date: Jun 2003 | Location: Pueblo, CO | Posts: 2,570
Oh, and I'd also suggest maybe posting an alert about this in the forums as well.
Here is some more information:

If you are running Windows (and the overwhelming majority of you are doing so), take this very, very seriously. There have been few, if any, vulnerabilities of this magnitude in the past. Allow me to explain.

The vulnerability takes advantage of a flaw in WMF (Windows Metafile) handling by shimgvw.dll. This allows injection of any code the exploit author wishes, and there are new tools available to not only automate the creation of new exploits, but to do so in a way that completely bypasses antivirus scanners, at least for a few hours. ANY image format can be hijacked -- JPG, GIF, and PNG included -- and the graphics have been found on Wikipedia entries and eBay auctions.

A brief list of FAQs:

* What versions of Windows are affected?
Apparently, every single version, from Windows 95 to Windows 2003.

* Are any other operating systems affected by this?
Linux, BSD, and Macintosh are not affected by this.

* I use Firefox or Opera for browsing. Am I considered safe?
No. While Firefox will prompt to download a WMF file (even if renamed as a JPG, GIF, or other extension) and Opera may follow a similar path, merely saving the file to your hard drive may be enough to infect you. Google Desktop Search and Microsoft Desktop Search both can index media, and WMF files are often included. This indexing requires the file to be opened, and thus opens the path for exploitation. In addition, the file may reach you by way of an e-mail or a file included on a floppy, USB drive, CD/DVD, or other method, in which case you can become infected.

* Is there an official patch for this?
Not yet. No word from Microsoft on when it will be available, either.

* Are there workarounds for this?
There are two global workarounds for this.

  * Unregister the DLL (official workaround from Microsoft). Click on Start, then Run, enter the following line, and click OK:

    regsvr32 -u %windir%\system32\shimgvw.dll

    However, some of the attackers are finding ways of re-registering the DLL to allow the exploit to occur.

  * Apply the temporary, unofficial, third-party patch located here. This patch is vouched for by the SANS Internet Storm Center. Believe me, this is something that I virtually never advise, and you do so at your own risk, but at this time, I believe that the risk of getting infected is higher than the risk of damage from this patch. YMMV.

* Are there other workarounds for this?
Those with hardware support for DEP (Data Execution Prevention) and with it enabled (available only on Windows XP SP2 and Windows 2003) appear to be immune from the exploit. CPUs that include DEP are the Athlon64 line, most Opterons, and some recent CPUs from Intel. To see if you have it available as hardware, follow these instructions:

  * Open the Control Panel.
  * If in Category View, select Performance and Maintenance, then open System.
  * If in Classic View, open System.
  * Click on the Advanced tab.
  * Click on the Settings button in the Performance section.
  * You should see three tabs: Visual Effects, Advanced, and Data Execution Prevention. Click on Data Execution Prevention.
  * Look at the bottom of the window. If it says, "Your computer does not support hardware-based DEP," then your CPU either does not support it, or it has been disabled in the BIOS.

BTW, the ideal option is the second one, where DEP is used on everything unless you say not to. I run it this way, and so far, only one very minor application does not work well with DEP. Everything else -- games, IM programs, AV, firewalls, etc. -- works fine.

Also, those who run as a non-Administrator account are less impacted than those who run as Administrator-level accounts, but this merely slows the attacker, and does not by any means stop it.

* Can this be blocked by antivirus or firewall software?
Some of it can, but it's mutating too rapidly for most AV vendors to be able to keep up with it any more often than a few hours. However, AV will block known variants, which provides some protection. If you don't have antivirus, GET IT. I don't care what you think of AV. Chances are, your firewall setup WILL NOT STOP THIS. The place I work has a much more serious firewall setup than you will ever have at your home, and we're concerned about how it's going to affect us, because exploits are being crafted specifically to avoid firewalls and IDS. Here are some free AV programs: Avast, AVG, AntiVir.

Even with the above, I'm also going to recommend getting a firewall, because some of them do provide some additional chances to see activity once you've been infected, and possibly help prevent further infection. The list of major free firewalls has dropped to basically ZoneAlarm (http://www.zonelabs.com/), but new firewalls (including ZA) don't just block traffic. They also monitor applications for odd behavior, like launching other applications.

Again, I don't care what you think of firewalls. Some of you proudly run without them (and without AV). Some of you are, frankly, stupid when it comes to this kind of thing. Get something that will monitor what your applications are doing, and if you see something that looks suspicious, block it. (A friend once had some application that looked like 0hl1mLEPhlaChoAj.exe trying to access the internet. He'd been infected with something newer than his AV signatures, and that was the only thing that told him.) You can always ask questions later to verify the activity, and unblock it if necessary.

Also, if you're using an e-mail program that allows images to be blocked from downloading, USE THAT FEATURE. Outlook 2003 allows this (Tools | Options | Security | Change Automatic Download Settings | [check] Don't download pictures or other content automatically in HTML e-mail), as does Mozilla Thunderbird (Tools | Options | Privacy | [check] Block loading of remote images in mail messages).

Summary:

* Use one or (preferably) all of the workarounds. Unregister the DLL, apply the patch, and use DEP.
* Do not click on links on IMs from ANYONE. You do so at your own risk.
* Do not download ANY images from HTML mail. You do so at your own risk.
* Be aware of even trusted sites. Any site where someone can upload their own files -- Wikipedia, eBay, MySpace, etc. -- should be viewed with extreme caution. (I have disabled avatar uploads for the time being, BTW.) You go to such pages at your own risk.
* If you're running IE, STRONGLY consider switching to Firefox. It's not a panacea, but you might at least get some warning.
* If you're not running AV and/or a firewall, GET IT. If you are running them, make sure they're updated.
__________________
*'~Amy~'*
Last edited by vixendrop: 01-02-2006 at 07:27 PM.
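Both posts above make the same operational point for anyone running a site that accepts uploads: a WMF can arrive under a .jpg, .gif or .png name, so an upload filter has to look at the bytes, not the extension. The scanner below is an added example (written for this page, not code from the thread, from Microsoft, or from SANS). It recognises the standard 18-byte WMF header (with or without the 22-byte placeable header in front of it), walks the metafile records, and flags any META_ESCAPE record that requests escape sub-function 9 (SETABORTPROC). That sub-function is the one the real-world exploits for this bug used; the post itself only says "a flaw in WMF handling", so that detail is this editor's knowledge, not the poster's. The record layout and function codes are the documented WMF format; the sample files at the bottom are constructed for the example and are not captured exploits (the escape payload is zero bytes).

```python
"""Content-based WMF scanner for an upload pipeline (added example, not from the post)."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the 22-byte Aldus "placeable" WMF header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 9  # the Escape sub-function the MS06-001 WMF exploits requested


@dataclass
class WmfScan:
    is_wmf: bool
    placeable: bool = False
    record_count: int = 0
    escapes: List[int] = field(default_factory=list)  # Escape sub-function codes seen
    truncated: bool = False                            # ran out of bytes before META_EOF

    @property
    def suspicious(self) -> bool:
        # SETABORTPROC has no business in an image; a file that never reaches
        # META_EOF is malformed and equally worth refusing.
        return SETABORTPROC in self.escapes or self.truncated


def _find_header(data: bytes) -> Tuple[bool, bool, int]:
    """Return (is_wmf, has_placeable_header, offset of the standard 18-byte header)."""
    off, placeable = 0, False
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        placeable, off = True, 22
    if len(data) < off + 18:
        return False, placeable, off
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, off)
    ok = mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)
    return ok, placeable, off


def scan_wmf(data: bytes) -> WmfScan:
    """Walk the metafile records; the file name is never consulted."""
    is_wmf, placeable, off = _find_header(data)
    result = WmfScan(is_wmf=is_wmf, placeable=placeable)
    if not is_wmf:
        return result
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)  # rdSize, rdFunction
        size_bytes = size_words * 2
        if size_words < 3 or pos + size_bytes > len(data):
            result.truncated = True  # record header claims more than the file holds
            return result
        result.record_count += 1
        params = data[pos + 6 : pos + size_bytes]
        if function == META_ESCAPE and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params, 0)
            result.escapes.append(escape_fn)
        if function == META_EOF:
            return result
        pos += size_bytes
    result.truncated = True  # fell off the end without seeing META_EOF
    return result


def scan_upload(filename: str, data: bytes) -> str:
    """Verdict for one uploaded file. `filename` is informational only, by design."""
    scan = scan_wmf(data)
    if not scan.is_wmf:
        return "not-wmf"
    return "wmf-suspicious" if scan.suspicious else "wmf-clean"


# --- constructed sample files for the example (not real captures) -----------
def _record(function: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"  # records are sized in 16-bit words
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def _build_wmf(records: List[bytes]) -> bytes:
    records = records + [_record(META_EOF, b"")]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    return header + body


BENIGN_WMF = _build_wmf([_record(0x0103, struct.pack("<H", 8))])  # META_SETMAPMODE
ESCAPE_WMF = _build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + BENIGN_WMF
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # JFIF start; obviously not a metafile

if __name__ == "__main__":
    for name, blob in [("avatar.jpg", ESCAPE_WMF), ("photo.jpg", JPEG_BYTES),
                       ("chart.wmf", PLACEABLE_WMF), ("cut.wmf", ESCAPE_WMF[:-4])]:
        print(f"{name}: {scan_upload(name, blob)}")
```

Run as shown, "avatar.jpg" is reported as wmf-suspicious even though nothing about its name says WMF, which is exactly the renamed-file case the second post warns about. Rejecting on `truncated` as well as on SETABORTPROC is deliberate: a forum has no reason to accept a metafile it cannot parse to the end, and refusing malformed input costs nothing.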