Archive for December, 2005

Indexing and the WMF exploit (plus some extra information)

Saturday, December 31st, 2005

It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as [tag]Google Desktop[/tag]) can, if they come across an infected [tag]WMF[/tag] file, run the file and trigger the exploit.  As such, SANS and F-Secure now recommend disabling (or removing) all such indexing programs.

Also, I need to point out that if you unregister the [tag]shimgvw.dll[/tag] file (Start > Run, type "regsvr32 /u shimgvw.dll" without the quotes, click OK, then OK again on the confirmation) you are still at risk from infected WMF files if you open them in applications such as Microsoft Paint.  I have no precise details of which image editors are affected, so it might be a good idea to avoid working with image files that aren't yours for a while.

(By the way, you can undo the unregistering of shimgvw.dll by typing "regsvr32 shimgvw.dll" in the Run dialog box and clicking OK followed by OK.)

This vulnerability exists in all main versions of [tag]Windows[/tag] - Windows ME, Windows 2000, Windows XP and Windows 2003.

There's also a fix for the problem - this from F-Secure:

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in [tag]GDI32.DLL[/tag], revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But [tag]Ilfak Guilfanov[/tag] isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

Weekend Fun! – Gadgets Quiz!

Saturday, December 31st, 2005

Take the BBC News gadgets quiz and test your knowledge of popular gadgets.

It seems that I know way too much trivia about gadgets, scoring 10/10!

More on WMF and DEP

Saturday, December 31st, 2005

OK, a little more information on DEP and the [tag]WMF[/tag] exploit.

Firstly, you need to have hardware-enforced DEP enabled.  This information is from a Microsoft spokesperson:

Microsoft has continued to investigate the use of software-enforced Data Execution Prevention (DEP) to mitigate the Windows Meta File vulnerability for Windows XP Service Pack 2 users.  As a result of this investigation, we have updated our guidance regarding DEP to say that some hardware-based DEP, when enabled, can mitigate this vulnerability; however, software-based DEP does not mitigate this vulnerability. This information has been included in our revisions to the security advisory today, which is now available at this location: Microsoft.

To be able to use hardware-enforced DEP you need a CPU that supports it.

To check whether you have hardware-enforced DEP or software-enforced DEP, right-click on My Computer and choose Properties followed by Advanced.  Then, in the Performance section, choose Settings.  Now click on the tab labeled Data Execution Prevention.  If your system is only protected by software-enforced DEP then you will see a message on the dialog box that says:

Your computer's processor does not support hardware-based DEP.  However, Windows can use DEP software to help prevent some types of attacks.

It is also advisable to switch DEP to protect all programs and services: select that option in the DEP window and click OK.

Enabling DEP for all programs and services

Remember, software-enforced [tag]DEP[/tag] will NOT protect you!

Another good idea is to try to filter out common picture files before they get into your system.

File extensions that need filtering include BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF.  Microsoft Windows identifies picture files by the information in the file header, not by the file extension, so a WMF file containing exploit code could be renamed to any of the other extensions and still work (a core Windows feature that could do with improving).
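As an added example (not from the original post), here is a Python content-sniffing filter for the extensions listed above: it identifies an image by its header bytes, as Windows does, so a WMF renamed to .jpg is still recognised as WMF and blocked. The sample byte strings are constructed header stubs, not taken from any real file.

```python
import struct
from typing import Optional

PLACEABLE_WMF_KEY = 0x9AC6CDD7  # Aldus placeable WMF header key, little-endian DWORD

# Extensions from the list above, mapped to the format their header should carry.
EXT_TO_FORMAT = {"bmp": "bmp", "dib": "bmp", "rle": "bmp", "emf": "emf", "gif": "gif",
                 "ico": "ico", "jfif": "jpeg", "jpe": "jpeg", "jpeg": "jpeg", "jpg": "jpeg",
                 "png": "png", "tif": "tiff", "tiff": "tiff", "wmf": "wmf"}

def sniff_image(data: bytes) -> Optional[str]:
    """Identify an image format from its header bytes alone, ignoring the file name."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"BM":
        return "bmp"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tiff"
    if data[:4] == b"\x00\x00\x01\x00":
        return "ico"
    if len(data) >= 44 and data[40:44] == b" EMF":
        return "emf"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard METAHEADER: mtType 1 (memory) or 2 (disk), mtHeaderSize 9, mtVersion 0x0100/0x0300
        mt_type, hdr_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return None

def filter_verdict(filename: str, data: bytes) -> str:
    """Gateway decision: block WMF content whatever it is named, and block files whose
    extension promises one format while the header carries another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = sniff_image(data)
    if fmt == "wmf":
        return "block: WMF header (named .%s)" % ext
    expected = EXT_TO_FORMAT.get(ext)
    if expected is not None and fmt != expected:
        return "block: extension .%s but header says %s" % (ext, fmt)
    return "allow"

# Constructed samples: a bare standard WMF header renamed as a JPEG, and a PNG stub.
WMF_RENAMED_AS_JPG = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
```

Calling filter_verdict("holiday.jpg", WMF_RENAMED_AS_JPG) returns a block verdict even though the name claims a JPEG, which is exactly the rename trick the paragraph above describes.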

Also, bad news for Lotus Notes users - unregistering shimgvw.dll (detailed here) does not protect Notes users!

Finally, a few links:

DEP confusion

Friday, December 30th, 2005

OK, now I'm confused.  Does [tag]hardware-enforced DEP[/tag] ([tag]Data Execution Prevention[/tag]) protect against the latest [tag]WMF[/tag] exploit?  In testing in VMware I found that the default settings for [tag]DEP[/tag] DID protect (similar to findings by Alex Eckelberry), but others are reporting that it doesn't offer protection unless it is applied to all files.

At the root of this is poor DEP documentation by Microsoft.  Even the wording that Microsoft uses is vague:

Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only [tag]Windows[/tag] and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

While I believe that DEP does have benefits, they aren't clearly defined and it's impossible to use it effectively because the limits of DEP are unknown.  DEP isn't exactly snake oil, but it's darn hard to put any faith in it. Microsoft also claims that software-enforced DEP will protect users from this exploit, but this seems to be false. It also appears that some people (such as George Ou) have had to set hardware-enabled DEP to "all programs and services".

Also, it looks like unregistering the DLL might not provide protection in Lotus Notes (it must use its own processor for WMF, which must be affected too - this makes me wonder how many other applications are affected).

I still recommend unregistering the DLL and also downloading and installing Sunbelt Kerio Firewall and applying the Snort rule.

Take care out there!

New logo and tagline for Intel

Friday, December 30th, 2005

[tag]Intel[/tag] is changing its 37-year-old logo as part of a major re-branding to shift away from its core PC image into consumer electronics.

The original [tag]Intel logo[/tag] featuring the lowered "e" will be replaced with an oval swirl surrounding the company's name. Also gone is the tagline "[tag]Intel Inside[/tag]", which is to be replaced by "Leap ahead".

New Intel logo

I think I'll miss the old logo and the jingle on TV!