WMF Exploits

Field Reports

The newest security issue for Windows is the WMF hole. First, a little history. WMF is the acronym for a Windows Meta File. That’s an old graphics format, vector style. Vector art is drawn by the computer, based on code in the file. (The other kind of graphics is a bitmap, like JPG.) Of course, vector art includes computer instructions, so of course code can hide in there.

However, in this case, it’s not the infamous buffer overrun. Not to get too techical, that’s what happens when you put 52 clowns in a clown car–the extra clowns get squeeeezzzzed out somewhere else, and goes into some other part of Windows, where it runs commands that aren’t so artistic.

So the WMF flaw isn’t an overrun. Turns out, it’s something much more basic. There is a feature in the WMF format that if the draw process has an error, it can run a program. Errors are easy. Now to be fair to Microsoft, WMF files date back to the eighties. They, like lots of other throwbacks to DOS, have been carried along for years as a tribute to compatibility with older versions of, well, just about everything.

There is a lot of bad reporting going on for this topic–the reliable source is the US Computer Emergency Readiness Team:
www.us-cert.gov/current/current_activity.html#0dayWMF

First, the antivirus companies are on top of this, although they are using their usual spell-check/dictionary approach to such things; they’ll catch what they recognize as evil by spelling out a few key letters from the code of anything that Windows tries to run, copy, or save. Anything truly new won’t be caught until hours or days have passed, so an actual patch or workaround is preferable.

Here’s the manual method of disabling WMF files, according to Microsoft; note that it will disable fax viewing and thumbnail views of graphics. (To catalog your clipart, including WMF files, SAFELY, visit www.graphcat.com.)

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Microsoft has announced a patch for the WMF exploit will be out during January, after testing and localization (translation). But there are hackers, crackers, and bot farmers out there now with active viruses, worms, and spyware either in the wild or on the way, so a patch would be nice sooner than that.

Ilfak Guilfanov of hexblog.com has created a third-party hotfix, vulnerability checker, and a silent hotfix installer.