WMF Exploits

The newest security issue for Windows is the WMF hole. First, a little history. WMF is the acronym for a Windows Meta File. That’s an old graphics format, vector style. Vector art is drawn by the computer, based on code in the file. (The other kind of graphics is a bitmap, like JPG.) Of course, vector art includes computer instructions, so of course code can hide in there.

However, in this case, it’s not the infamous buffer overrun. Not to get too techical, that’s what happens when you put 52 clowns in a clown car–the extra clowns get squeeeezzzzed out somewhere else, and goes into some other part of Windows, where it runs commands that aren’t so artistic.

So the WMF flaw isn’t an overrun. Turns out, it’s something much more basic. There is a feature in the WMF format that if the draw process has an error, it can run a program. Errors are easy. Now to be fair to Microsoft, WMF files date back to the eighties. They, like lots of other throwbacks to DOS, have been carried along for years as a tribute to compatibility with older versions of, well, just about everything.

There is a lot of bad reporting going on for this topic–the reliable source is the US Computer Emergency Readiness Team:
www.us-cert.gov/current/current_activity.html#0dayWMF

First, the antivirus companies are on top of this, although they are using their usual spell-check/dictionary approach to such things; they’ll catch what they recognize as evil by spelling out a few key letters from the code of anything that Windows tries to run, copy, or save. Anything truly new won’t be caught until hours or days have passed, so an actual patch or workaround is preferable.

Here’s the manual method of disabling WMF files, according to Microsoft; note that it will disable fax viewing and thumbnail views of graphics. (To catalog your clipart, including WMF files, SAFELY, visit www.graphcat.com.)

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Microsoft has announced a patch for the WMF exploit will be out during January, after testing and localization (translation). But there are hackers, crackers, and bot farmers out there now with active viruses, worms, and spyware either in the wild or on the way, so a patch would be nice sooner than that.

Ilfak Guilfanov of hexblog.com has created a third-party hotfix, vulnerability checker, and a silent hotfix installer.

Automatic Nothing at All…

Today’s the day. It’s the second Tuesday of the month. That’s when Microsoft releases a month’s worth of patches, most months. Sometimes, they’ll skip a month. Now, many of the people reading this are thinking, “Why do I care? Automatic update is turned on.” Wrong. Nope. Gotcha–you’re now a target for the spyware of the month club.

The problem is two-fold. First, some spyware, and malware in general, disables the automatic update features of Windows. That keeps the early infectors from getting booted out of a computer when the patches arrive, because they won’t.

Second, Microsoft added a feature to Windows Update some months back that confirmed that the copy of Windows being updated was “genuine.” While I understand why–I’m a software publisher myself, after all–the Windows authentication program was designed to be politically correct, badly. It asks permission to check your Windows for authenticity, so the automatic update fails, and does so silently. To run it, you have to go to Windows Update (in the Tools menu of Internet Explorer), do an update run manually, and approve the installation and the running of the tool. Then go back to Windows Update and search for updates AGAIN, and you’ll probably find new patches that became available once Windows was validated as genuine.

So the moral of the story is to check Windows Update manually around once a month, after the second Tuesday, and see if the updates installed. More than half the machines I’ve checked manually in the last month needed manual patching, even though automatic updates were turned on.

While you’re checking software, check that antivirus programs and everything else are updating as designed. Don’t be a target–software, like people, does what you inspect, not what you expect.

Scoring Startupware

It should be possible to rate individual products as startupware. Not just good or evil–that’s not it. What’s needed is a measure of how invasive they are, and how hard to remove.

Remember that this stuff isn’t all spyware; it includes antivirus software, overly-ambitious print drivers, and it’s not all evil, although most of it is bad, all of it need managing.

What’s that? Antivirus is never bad? Wrong. If in doubt, install two of them on a clean system, and try to do some work. Be sure to refresh your memory on safe-mode cleanups first, as most combos of this type will turn a computer into a vibrating doorstop. Like all startupware, it’s a management task.

To help consumers decide what products may be allowed on their systems, a scoring method is helpful. Scores skip technobabble–that’s good. They also can cause a blanket reaction of “take out all of it, don’t bother me.” That’s usually OK, but I don’t want the phone call when that breaks the antivirus software.

The basis for using startupware as a management tool for software products and their accumulations of autoplays is that no judgement calls are allowed. Again, here is the definition:

stärt’-up-wãre, noun, any software that configures portions of itself to automatically start with the operating system of a computer, or to start with other previously-installed software.

Now, there are different ways to autostart, and it helps to know if a product cleans up its own mess on removal, so let’s find a way to score a program for startupware.

First, we need to keep track of how many programs are set to run on system startup, and if all of them are removed on uninstallation. If one program is installed, but results in two add/remove program entries, that’s backpackware, which is common in adware and spyware products, as well as simpler trojan horse programs.

Here’s a preliminary formula for Startupware scoring (version 0.1) .

Orphaned programs: 1000 x number of programs installed to autorun but not uninstalled by removing the product that was chosen to be installed. Note that one install program that results in two or more product installations will always result in a high score for deceptive behavior. Exception: One install that offers to run an additional OPTIONAL install program is counted as more than one install program, so that, for example, a camera driver install that offers to install a graphics program is counted and scored as two installations.

Orphaned settings and silent programs: 100 x number of settings changes made, but not uninstalled, and number of programs that run when product isn’t doing work for the user, such as displaying information or being on standby to do or prevent something.

Autorun count: 10 x number of programs installed to autorun.

Settings count: 1x Number of settings changes made.
comma, “version” and number of program, or “tested” and 6-digit date downloaded (yymmdd) if no version number is used.

So for some program categories, it’s impossible to have score of 0, which would be totally non-invasive and non-autoplaying; a screensaver would have a score of 11, minimum, and so would most system tray utilities, because it takes both a program and a setting change to have an autoplaying program. And some actions aren’t counted. There is no count of icons added to the desktop, the quicklaunch area, or to the menus. There is no count of file extensions modified to point to the new program.

Here are some examples: a toolbar program, with no version number, with one program running in the background while the toolbar was not on screen (100 points). It made 12 changes to system settings, and failed to uninstall 1 of them (12 + 100 points). Total 212 points.
Score: 212, tested 050825.

Example 2: a utility program, installs two programs that don’t autoplay and don’t run in the background, changes no settings, leaves no settings or programs behind, version number 2.1.
Score: 0, version 2.1.

Example 3: an application program, version 12.0. Installs 17 programs, 3 autoplaying. Uninstalls all of them. Makes 32 settings changes, removes 12 of them. (Typical big-product sloppyness, in short.) That’s 30 points for autoplays, 32 for settings, 2000 for orphaned settings, and no orphaned programs.
Score: 2062, version 12.0.

Note that spyware won’t always get the highest scores. Startupware is about invasive software that drags down system performance, and not about subtlety or theft.

Example 4: a screensaver, no version number, downloaded Sept 10, 2005. Installs one autoplay program, clean uninstall, one setting change that runs the screensaver.
Score: 11, tested 050910.

Example 5: printer driver, version 18.544. Installed 3 autoplays, left one behind on uninstall, 71 settings changes, 26 left behind. That’s 1000 + 2600 + 30 + 71
Score: 3701, version 18.544.

Example 6: anti-spyware program, bundled with toolbar with no option to install only one, installed with one program but resulting in two entries in add/remove list. That’s backpack startupware, and if no permission was asked first, it’s stealth startupware. Determining Stealth or Backpack isn’t needed–it depends on disclosures and agreements, and doesn’t affect product behavior, and so doesn’t affect scoring. There are 3 autoplays, and the uninstall that matches the downloaded product removes one of them. Settings changes: 15, 10 left behind. That’s 2000 points for orphaned programs, 1000 points for orphaned settings, 30 points for autoplays, and 15 points for settings.
Score: 3045, tested 050901.

Essentially, what we’re trying to achieve is a high score for programs that fail to uninstall themselves completely, or that massively invade the system. In other words, don’t install a program with a score above 50.

Comments? Additions? Modifications?