Windows Metafile vulnerability
The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2005, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2006. Attacks using this vulnerability are known as WMF exploits.
The vulnerability was located in gdi32.dll and existed in all versions of Microsoft Windows from Windows 3.0 to Windows Server 2003 R2. However, attack vectors only exist in NT-based versions of Windows (Windows NT, Windows 2000, Windows XP and Windows Server 2003). Exploits taking advantage of the vulnerability on Windows NT-based systems facilitated the propagation of various types of malware, typically through drive-by downloads.
Windows Metafiles are extensively supported by all versions of the Microsoft Windows operating system. All versions from Windows 3.0 to the then-latest Windows Server 2003 R2 contain this security flaw. However, versions from Windows XP onwards are more severely affected than earlier versions, since they have a handler and reader for the WMF file in their default installation.
According to Steve Gibson's M.I.C.E. analysis, Windows NT 4 may be affected by known exploits if it has an Image Preview Feature enabled. Computers not susceptible to known exploits of the flaw (but potentially susceptible to future versions or as-yet undiscovered exploits) include those running other versions of Windows, without Image Previewing enabled, or those with hardware-based Data Execution Prevention (DEP) effective for all applications.
Machines running non-Windows operating systems (e.g. Mac OS, Linux, etc.) are not directly affected. A scenario in which such computers might become vulnerable would be where a third-party program or library, designed to view WMF files on a non-Windows system, used the native Windows GDI DLL, or a clone which copied the design flaw leading to this bug, e.g. through a Windows emulator or compatibility layer.
According to assessments by F-Secure, the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling.
According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted
SETABORTPROC 'Escape' records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails." According to the Windows 3.1 SDK documentation, the
SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered. However the obsoleted escape code was retained for compatibility with 16 bit programs written for (or at least backwards compatible with) Windows 3.0. This change happened at approximately the same time as Microsoft was creating the 32 bit reimplementation of GDI for Windows NT, and it is likely that the vulnerability occurred during this effort.
The 'Escape' mechanism in question allows applications (not metafiles) to access output device features not yet abstracted by GDI, such as hardware accelerated Bézier curves, encapsulated postscript support, etc. This is done by passing an opcode, a size and a pointer to some data to the call, which will usually just pass it on to the driver. Because most Escape calls produce actual graphics, the general escape mechanism is allowed in metafiles with little thought originally given to the possibility of using it for things like SETABORTPROC, modern non-vulnerable metafile interpreters now checks the opcode against a blacklist or whitelist, while keeping the full set of opcodes available to regular code that calls the GDI escape functions directly (because such code is already running in the same way as the code it could make GDI call, there is no security risk in that case).
It is worth noting that 16 bit Windows (except the rarely used Real mode of Windows 3.0) was immune to the vulnerability because the pointer specified in the metafile can only point to data within the metafile, and 16 bit Windows always had a full no-execute-data enforcement mandated by Intel's design of the 80286 protected mode architecture. Windows NT for CPU architectures other than 32 bit x86 (such as MIPS, PowerPC, Alpha, Itanium and x86_64) had similar immunity because those architectures had the no-execute functionality missing from older x86 processors.
The vulnerability is CVE-2005-4560 in the Common Vulnerabilities and Exposures database, US-CERT reference VU#181038 and Microsoft Knowledge Base Article 912840. It was first observed in the wild by researchers at Sunbelt Software on December 28, 2005 and announced publicly by the company's president Alex Eckelberry.
Propagation and infection
- Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996, does this.
- Previewing an infected file in Windows Explorer.
- Viewing an infected image file using some vulnerable image-viewing programs.
- Previewing or opening infected emails in older versions of Microsoft Outlook and Outlook Express.
- Indexing a hard disk containing an infected file with Google Desktop.
- Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.
Other methods may also be used to propagate infection. Because the problem is within the operating system, using non-Microsoft browsers such as Firefox or Opera does not provide complete protection. Users are typically prompted to download and view a malicious file, infecting the computer. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.
According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.
McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.
|Wikinews has related news: Microsoft releases emergency patch for WMF exploit|
The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. Windows NT 4 and other older operating systems did not receive a patch as they were no longer supported by Microsoft by then. Steve Gibson stated in his Security Now! podcast #20, that his company Gibson Research Corporation would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated, in a laterSecurity Now! podcast #23, that Windows 9x and ME are not vulnerable and do not need patching. Windows 9x/ME users can run his Mouse Trap utility to see this for themselves.
A free downloadable patch for Windows NT  has been provided by Paolo Monti from Future Time, the Italian distributor of Eset's NOD32 anti-virus system. The patch works on older operating systems, but it is supplied without warranty.
There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to ask before installing automatically downloaded updates. This causes an automatic reboot, which can cause loss of data if the user has a program open with unsaved changes.
Other corrective measures
These measures are of historical interest only on systems updated on or after 5 January 2006.
As a workaround before a patch was available, on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll (which can be done by executing the command
regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt) which invokes previewing of image files and is exploited by most of these attacks. The DLL can be re-registered after patching by running
regsvr32.exe shimgvw.dll. This workaround blocks a common attack vector but does not eliminate the vulnerability.
A third party patch was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of SANS Institute Internet Storm Center and F-Secure. Because of the large amount of publicity, including being indirectly slashdotted, Guilfanov's website received more visitors than it could cope with, and was suspended on 3 January 2006; the patch was still available for download from a number of mirrors including the Internet Storm Center website
Guilfanov's website went back online on 4 January in a much-reduced state. No longer providing the patch on-site due to bandwidth issues, the homepage provided a list of mirrors where a user could download the patch and the associated vulnerability-checker, and the MD5 checksum for the file, so that it could be checked that a downloaded file was probably genuine.
After Microsoft released its patch, Guilfanov withdrew his.
Risk reduction techniques
Microsoft says its patch removes the flawed functionality in GDI32 that allowed the WMF vulnerability. For computers running an unpatched version of Windows, a defence in depth approach is recommended, to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:
- Making use of hardware-enforced Data Execution Prevention effective for all applications.
- Set the default WMF application to be one not susceptible to infection, such as Notepad.
- Do not use Internet Explorer, or at least turn off downloads by setting the default security settings to high.
- Keep all anti-virus software up-to-date. Consider frequent manual updates.
- Block all WMF files on the network perimeter by file-header filtering.
- Making use of users accounts that are configured with only the user rights that are required.
- Disable image loading in Internet Explorer and all other browsers.
- Disable image loading in Outlook Express.
- Disable hyperlinks in MSN Messenger.
- Disable the Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
- Disable Desktop Search applications such as Google Desktop or Windows Desktop Search until the problem is corrected.
According to this SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer may offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening the maliciously crafted Windows Metafile, and does not protect against the vulnerability being exploited as these browsers still open the metafile if it is masquerading as another format. It is better to entirely disable image loading in any browser used.
An independent examination of the vulnerability by Steve Gibson of Gibson Research had suggested that the peculiar nature of the 'bug' was an indication that the vulnerability was actually a backdoor engineered consciously into the system. Steve Gibson focused on this accusation in Security Now! podcast #22, "The Windows MetaFile Backdoor?". Some sources have questioned this conclusion. Steve Gibson has since clarified that his use of the term backdoor was never intended to imply anything done by malicious intent. He still maintains that the backdoor was intentional, though not necessarily intended by Microsoft (e.g. an employee may have put it in without Microsoft's knowledge).
- ^ Security Watch: Iniquitous Images Imperil the Internet!, Larry Seltzer, PC Magazine.
- ^ A Description of the Image Preview Feature in Windows Millennium Edition, Microsoft.
- ^ sunbeltblog.blogspot.com Microsoft clarifies DEP issue
- ^ Library for non-Windows operating systems to run WMF files.
- ^ Linux/BSD still exposed to WMF exploit through WINE, ZDNet.
- ^ It's not a bug, it's a feature, F-Secure.
- ^ Exploit-WMF, by McAfee
- ^ Does Windows Patch Without Permission?
- ^ Microsoft Security Advisory (912840) - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution, Microsoft Official Advisory on the vulnerability.
- ^ http://www.hexblog.com/2005/12/wmf_vuln.html, unofficial patch by Ilfak Guilfanov.
- ^ Trustworthy Computing, SANS Institute Internet Storm Center.
- ^ Ilfak to the rescue!, F-Secure.
- ^ Trustworthy Computing, Slashdot. Linking to SANS Institute Internet Storm Center's article titled Trustworthy Computing (see above).
- ^ .MSI installer file for WMF flaw available, SANS Institute Internet Storm Center.
- ^ How to Configure Memory Protection in Windows XP SP2, software-enforced Data Execution Prevention (DEP) feature in Microsoft Windows XP SP 2.
- ^ How to improve browsing performance in Internet Explorer (KB153790), Microsoft.
- ^ Images are blocked when you open an e-mail message in Outlook Express on a Windows XP Service Pack 2-based computer (KB843018), Microsoft.
- ^ http://www.nod32.ch/en/download/tools.php Unofficial WMF patch by Paolo Monti distributed by ESET.
- ^ http://blogs.securiteam.com/index.php/archives/210 Unofficial Windows 98SE patch by Tom Walsh.
- Microsoft Security Bulletin MS06-001 - Critical
- Steve Gibson's M.I.C.E. analysis
- Downloadable patch for Windows NT by Paolo Monti
|Wikinews has related news: Microsoft Windows metafiles are a vector for computer viruses|
- GRC's M.I.C.E. Metafile Image Code Execution
- Microsoft Security Bulletin for novice Home Users
- Microsoft Security Bulletin MS08-021
- Microsoft Security Bulletin MS06-001
- WMF FAQ - SANS Institute Internet Storm Center
- Windows Security Flaw Is 'Severe' - Washington Post
- Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution - Secunia advisory
- Summary of status as of 1 January
- Looking at the WMF issue, how did it get there? - Microsoft Security Response Center Blog
- New exploit released for the WMF vulnerability - SANS Institute Internet Storm Center
- Be careful with WMF files - F-Secure
- Lotus Notes Vulnerable to WMF 0-Day Exploit - SANS Institute Internet Storm Center
- Vulnerability Checker - Ilfak Guilfanov
- Example exploit - Metasploit Project
- Microsoft Developer Network pages for Escape and SetAbortProc
- Mark Russinovich's Technical Commentary on the Backdoor Controversy