At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.
AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:
- Alwil Software (Avast)
- Softwin (BitDefender)
- F-Secure Inc.
- Fortinet Inc.
- McAfee Inc.
- ESET (Nod32)
- Panda Software
- Sophos Plc
- Symantec Corp.
- Trend Micro Inc.
These products detected fewer variants:
- 62 — eTrust-VET
- 62 — QuickHeal
- 61 — AntiVir
- 61 — Dr Web
- 61 — Kaspersky
- 60 — AVG
- 19 — Command
- 19 — F-Prot
- 11 — Ewido
- 7 — eSafe
- 7 — eTrust-INO
- 6 — Ikarus
- 6 — VBA32
- 0 — Norman
The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.
The latter technique leaves users vulnerable to threats that the vendor has not yet identified and protected against. Mikko Hypponen of F-Secure, when asked about the matter, said, “Heuristic detection rocks.”
After some concern was expressed about the efficacy of the workaround proposed by third parties and endorsed by Microsoft, it appears that it is basically effective at preventing exploitation in the most common circumstances, but not in all.
The registry fix discussed in a previous article does not work effectively, however, and users who have been relying on it will need to switch to other measures.
The effective fix de-registers a DLL from the system relied on by the Windows Picture and Fax Viewer program. To effect the change, click Start, then Run, then enter the following command:
To re-enable the same DLL, click Start, then Run, then enter the following command:
This fix prevents exploitation when a WMF file is loaded from Windows Explorer or Internet Explorer.
Enterprises looking for a more manageable solution may want to investigate using an Active Directory Software Restriction Policy to set a path restriction, blocking all execution of the shimgvw.dll file. Click here for background and instructions on Software Restriction Policies on Windows Server 2003.
Some sources are recommending this, although nobody will admit to actually having tested it with the WMF vulnerability.
Problems with the Windows
If a WMF file is attached to an e-mail message, the default action for Outlook and Outlook Express (the default action is performed when the user double-clicks on the icon) is to launch it with the Windows Picture and Fax Viewer.
Since that program is disabled by this fix, nothing will happen when the user double-clicks on the attachment or on the icon for such a file in a Windows Explorer window or the desktop.
A user might then choose to open the file with another program, such as Windows Paint, and in this case a malicious WMF file would still be able to execute its exploit.
Paint and some other programs are not affected by the fix to Windows Picture and Fax Viewer.
Many other graphics programs, some of which are bundled with scanners and digital cameras, set themselves to be the default action for graphics such as WMF. These would not be affected by the workaround, but they may still be vulnerable.
Finally, there have been conflicting reports as to the effectiveness of DEP (data execution protection), both hardware and software, for the WMF issue. This exploit, not being a typical overflow in which programs are executed out of a data area, would not normally lend itself to protection by DEP.
Microsoft has made no statements about hardware DEP in its advisory, but it did state that “Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception-handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.”
However, Symantec states that they have found software DEP to be ineffective against this vulnerability.
Editors Note: This story was updated to include more information about blocking the WMF flaw.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.