Another WMF (Windows Major Foul-Up)

By Larry Seltzer  |  Posted 2005-12-29 Print this article Print

Opinion: How bad is the new WMF bug? Research suggests that the WMF format has been officially ruined.

Microsoft really has improved the security of its code over the last few years. The fact that every now and then a bug like the new WMF bug still comes along just goes to show how careless the old code is. The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences. Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
As a result, it is surprisingly easy to get hit with this attack, even if you are being careful. Ive heard stories of experienced researchers being hit while researching the attack.
One way this might have happened, and its a good example of how easy it is, is through Google Desktop. F-Secure has demonstrated that Google Desktop users can become infected simply by downloading an infected file. When Google Desktop indexes the file it launches the exploit. Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware. This appears to be another one of those attacks that will become a permanent part of the Internet landscape. Rather than try to keep the format useful for its customers, Microsoft ought to think of saving the rest of the world; WMF has become poisoned and its time for customers to move on. In fact, given how this exploit works, the situation could be worse. The vulnerability is related to a GDI32 feature whereby WMF files are allowed to register a callback function that will be executed in certain situations. Perhaps resident malicious code could traverse the system and network, infecting all WMF files it encounters by adding this callback to it. Before I get too hysterical about this, I should point out that an effective workaround exists to block the attack, albeit at the expense of some functionality in the system. See this story for instructions, which may also be found in an advisory from Microsoft (in the Suggested Actions/Workarounds/Un-register section). Its also true that anti-virus companies have been working hard to keep up with the attacks, although there are, as I said above, a large number of variants. This is, perhaps, where well separate the boys from the men with respect to heuristic detection (sorry for the sexist analogy, but it works): The better products should catch more of the variants through a generic detection of the exploit, but it may be impossible to detect all of them. We shall see. I tested one of the versions yesterday against the highly regarded Panda TruPrevent, which didnt stop it. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. And as for users with no anti-virus protection, they were probably infected with other malware long ago, and are destined to get this too. The most likely way for someone to get this infection is to be shown a Web page with a malicious graphic, and most people will get those through pop-ups on systems that have been infected with adware. Im told that there is a debate going on in Microsoft over whether to disable WMF file support in Internet Explorer. The fact that theres a debate probably means that Microsoft has customers relying on this behavior, and thats worth considering. To me the answer is clear: Leave it in and disable it by default. Create group and local policies to turn it back on so that larger customers and ISVs can re-enable it easily. This behavior should be extended to any, or at least most, nonstandard formats for IE. Im hesitant at this point to go into details until there is a patch, but my own research confirms that the potential for spreading this attack far and wide is immense and that easier vectors than Web pages exist. Microsoft has already posted the workaround, but unless a real patch is imminent, the company needs to make a registry-based workaround and publish it through the Automatic Updates system so that users are quickly protected. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel