Critical Impact: Windows Metafile Flaw a Zero-Day Exploit

Updated: Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of si

Microsoft Corp. has issued a security advisory for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) that is now being exploited on fully patched systems by malicious attackers.

Websense Security Labs is tracking thousands of sites distributing the exploit code from a site called iFrameCASH BUSINESS.

That site and numerous others are distributing spyware and other unwanted software, replacing users' desktop backgrounds with a message that warns of spyware infection and prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.

Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.

In this fluid attack, researchers have kept up a steady stream of new details about the extent of the exploit's reach, with Google Desktop being the latest reported vector.

F-Secure reported on Wednesday that Google Desktop tries to index image files with the exploit, executing it in the process. F-Secure reports that this exploitation-via-indexing may wind up occurring with other desktop search engines as well.

Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files or removing Google Desktop altogether.

A workaround that uses REGSVR32 to un-register the vulnerable viewer DLL has been posted and was included in Microsoft's advisory. However, it should be noted that as of Thursday evening, some security researchers were reporting that the workaround is not fully successful.

The workaround is as follows, as quoted from the advisory:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start and then click Run. Type the following command: REGSVR32 /U SHIMGVW.DLL. Click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.

  • Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

F-Secure notes that this workaround beats filtering .wmf files, given that files with other image extensions—such as BMP, GIF, JPG, JPEG, TIFF, etc.—can be used to exploit machines.
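Because the exploit is recognised by file content rather than extension, a defender-side scanner has to look at the bytes. The following added example (not from the article or any vendor named in it) identifies WMF files by their header regardless of extension and walks the record list for META_ESCAPE records carrying the SETABORTPROC escape, the escape type abused by this exploit (a detail not stated in the article); the sample files are constructed inline.

```python
import struct

# WMF format constants: Aldus placeable header key, the META_ESCAPE record
# function, and the SETABORTPROC escape sub-function abused by this exploit.
PLACEABLE_KEY = 0x9AC6CDD7
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009

def wmf_header_offset(data):
    """Offset of the 18-byte METAHEADER if data is a WMF (by content, not extension), else -1."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return -1
    mt_type, hdr_words, version = struct.unpack_from("<HHH", data, off)
    ok = mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)
    return off if ok else -1

def abortproc_escape_offsets(data):
    """Walk the record list; return offsets of META_ESCAPE/SETABORTPROC records, or None if not WMF."""
    hdr = wmf_header_offset(data)
    if hdr < 0:
        return None
    hits, pos = [], hdr + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == 0:      # malformed record, or the EOF record
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2                # rdSize is counted in 16-bit words
    return hits

def _record(func, params=b""):
    """Build one WMF record (constructed test data)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):
    """Build a minimal disk WMF: METAHEADER, the given records, then an EOF record (constructed)."""
    body = b"".join(records) + _record(0x0000)
    max_words = max(len(r) for r in records + [_record(0)]) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0) + body

# Constructed samples: a benign WMF, a WMF renamed to .jpg carrying a SETABORTPROC escape, a real JPEG.
SAMPLES = {
    "chart.wmf": _wmf([_record(0x0103, struct.pack("<H", 8))]),
    "photo.jpg": _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)]),
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 40,
}

def scan(samples):
    """Map file name -> verdict string, ignoring the extension entirely."""
    out = {}
    for name, data in samples.items():
        hits = abortproc_escape_offsets(data)
        out[name] = ("not a WMF" if hits is None else
                     "WMF with SETABORTPROC escape at %s" % hits if hits else "WMF, no SETABORTPROC escape")
    return out

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print("%-12s %s" % (name, verdict))
```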

F-Secure also recommends filtering domains at corporate firewalls and has published a list of the exploit distribution sites that should be treated as off-limits.

F-Secure notes that it's seen 57 versions of this malicious .wmf file exploit as of Thursday, detected as PFV-Exploit. The security firm predicts that, even though the exploit has only been used to install spyware or fake antispyware/antivirus software thus far, real viruses will start to spread soon.

According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.

"This is a zero-day exploit, the kind that gives security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image."

According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.
