Be wise. Be brave. Be tricky. (slithytove) wrote,
WMF exploit, WTF

I hate spreading FUD about Windows security risks, and I don't do it often, but this looks serious.

limyaael blogged about this a couple of days ago, but it deserves repeating. Also, some of the comments on the first post that limyaael links to appear to contain wrong information.

There is a newish vulnerability in Windows, apparently in all versions since at least Win 98. Windows Metafiles (wmf) can be crafted so that Windows runs code embedded in them, i.e., installs a virus/worm/trojan on your machine. This happens if you view the wmf, for example by visiting a website that contains the wmf as an image. It also happens if your PC evaluates the wmf IN ANY WAY. For example, if you run Google Desktop, Google's indexing service will activate the malicious code as it processes the infected wmf.

A file does not have to have a .wmf extension. An infected wmf file can have a false extension -- .txt, .doc, .avi, whatever -- and if the Windows subsystem in charge of wmf's evaluates that file, you're hosed.

This exploit is worse than most previous exploits, because the user does not have to take any action beyond visiting the wrong website. Doesn't have to click on a file, doesn't have to accept a EULA. Antivirus software won't detect the bad wmf. (It *may* detect the payload virus/trojan/worm once it's in your PC.) A firewall or router won't help.
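As an added, defender-side example that is not part of the original post: a small Python check that identifies WMF content by its header bytes rather than its file extension, which is the false-extension point made above. The sample files are constructed inline; the header layout follows the MS-WMF placeable header and METAHEADER structures.

```python
# Added example (not from the original post): flag files whose bytes say "WMF"
# even when the extension says otherwise. All sample inputs are constructed here.
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-metafile magic, stored little-endian
PLACEABLE_LEN = 22           # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
METAHEADER_LEN = 18          # Type, HeaderSize, Version, Size(2 words), NumObjects, MaxRecord, NumMembers


def is_wmf(data: bytes) -> bool:
    """True if data begins with a standard WMF header, optionally preceded by a placeable header."""
    if len(data) >= PLACEABLE_LEN and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]          # skip the 22-byte placeable header
    if len(data) < METAHEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data)
    # MS-WMF: Type is 1 (memory) or 2 (disk), HeaderSize is always 9 words,
    # Version is 0x0100 (no DIB support) or 0x0300 (DIB support).
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def disguised_wmf_files(files: dict) -> list:
    """Return, sorted, the names of files that are WMF by content but not by extension."""
    return sorted(name for name, data in files.items()
                  if is_wmf(data) and not name.lower().endswith(".wmf"))


def _metaheader(size_words: int = 9) -> bytes:
    """Constructed minimal METAHEADER: disk metafile, version 3.0, no objects."""
    return struct.pack("<HHHHHHIH", 2, 9, 0x0300, size_words & 0xFFFF, size_words >> 16, 0, 0, 0)


def _placeable() -> bytes:
    """Constructed placeable header; its checksum is the XOR of the first ten words."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


SAMPLE_FILES = {                                    # constructed, not real captured files
    "vacation.jpg": _placeable() + _metaheader(),   # WMF hiding behind .jpg
    "readme.txt": _metaheader(),                    # bare WMF hiding behind .txt
    "chart.wmf": _placeable() + _metaheader(),      # honestly named WMF
    "notes.txt": b"Just some text\n",               # not a metafile
    "tiny.doc": b"\xd7\xcd\xc6\x9a",                # truncated: placeable key only
}

if __name__ == "__main__":
    print("WMF content with a non-.wmf name:", disguised_wmf_files(SAMPLE_FILES))
```

Pointed at a real directory, the same check would be run over each file's first 40 bytes; the extension is ignored entirely, which is exactly why an extension-based allow list does not help here.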

Note that the 'wrong website' might be LJ. If I'm understanding correctly, if an LJ user embedded a malicious wmf image in their LJ, everyone who viewed that LJ entry would be infected, if they're running IE.

Firefox seems to give you a little protection: it asks if you want to view the file before activating the Win subsystem that mediates the malicious code. But if you tell Firefox you want to view the file, you're still hosed.

What to do?

First, you can tell Win not to load the code that evaluates wmf's. Go to Start, Run, and run this:

regsvr32 -u %windir%\system32\shimgvw.dll

Then reboot.
This is the Microsoft recommendation. This is the *least* you must do.

There have been concerns that there are ways around that, though. There's a link to a third-party patch here. Normally, there's no way in flaming hell I would touch an operating system patch that didn't come from the vendor. But it looks like Microsoft isn't going to have its own patch ready for a week, and a bunch of spyware, a bunch of trojans, and the first worm that use the exploit have already surfaced. The patch was written by Ilfak Guilfanov, said to be one of the most knowledgeable people in the world about low-level Windows internals. The patch has been vetted by Steve Gibson. This was good enough for me, and I installed it. Use your own judgment.

Metafilter thread on the subject, with links to appropriate sites for more details.

This sort of thing makes me very unhappy. I'm risk averse. I run behind a router. I don't click on email attachments random people send me. I don't run pirated software. I've never had a virus/worm/trojan on my home PC. But it appears that just by reading someone's LJ, I could get infected by malware, if I don't use a third-party patch within a very narrow time window of opportunity. That just sucks.

I'm not ready to move to Mac yet. And I have no reason to think Macs are safer; they're just less popular. I've tried Linux many times over the years, but never stuck with it, and I strongly suspect Linux seems 'safe' only for the same reason Macs do.

BeOS. That's the ticket. NO one is writing trojans for BeOS.