WMF hole still reverberates with users

What a way to start the year! The now-well-known WMF vulnerability, which allows an infected image to silently take over your PC, was first publicized just before New Year’s Eve. It resulted in a frantic week for Microsoft and millions of Windows users who wanted to protect themselves.

I considered the risk of infection from hacked Windows metafiles (.wmf files) to be so dire that I published an unprecedented two news updates in the same week. (In the past 12 months, I’d felt the need to release only 5 news updates.)

My first news update, on Jan. 4, urged readers to protect themselves against infected images that were already in the wild. I recommended installing an unofficial patch by Belgian programmer Ilfak Guilfanov that was endorsed by F-Secure, the SANS Institute’s Internet Storm Center, and other security sites. At that time, Microsoft was saying it wouldn’t release a patch of its own until Jan. 10 or later.

Microsoft, fortunately, reversed itself and posted its official patch, MS06-001, on Jan. 5. With only about 10 days elapsing between the first signs of bad press and a released patch, this is said to be a record for the Redmond software giant.

In response to the unexpectedly rapid fix, I published my second news update on Jan. 6. In that alert, I recommended that Windows users should install the official patch. This would make it safe to then uninstall the unofficial patch, which can and should be removed after the protection provided by MS06-001 is in place. (A leaked version of MS06-001, which appeared on some Web sites prior to Jan. 5, must be uninstalled prior to attempting to install MS06-001, as I discuss below.)

Since all the excitement of that week, several readers have written to say they weren’t sure exactly how to uninstall Guilfanov’s patch. For this reason, I’m publishing step-by-step WMF protection instructions, below, with as much detail as possible.

Replacing unofficial patches with MS06-001

I’m grateful to the Internet Storm Center, which published some of the same instructions in its Jan. 6 blog that I show here. Take the following steps to remove unofficial patches and install Microsoft’s official patch to protect against the WMF hole:

Step 1. Reboot your system to clear any infected image files from memory.

Step 2. If you installed an early version of MS06-001 that was leaked via some Web sites, run the Add/Remove Programs applet from the Control Panel. Uninstall patch number 912919, which interferes with installation of the official patch.

Step 3. Use Microsoft Update or Windows Update to download and apply MS06-001 and any other patches you may need.

Step 4. Reboot.

Step 5. Uninstall the unofficial Guilfanov patch, by using one of the following methods:
  1. On individual PCs, run the Add/Remove Programs applet from the Control Panel. Uninstall the patch entitled “Windows WMF Metafile Vulnerability HotFix”;

  2. Or, at a command prompt, run the following command:

    "C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT

  3. Or, if you used a Microsoft Installer (.msi) file to install the patch on multiple machines, you can uninstall the unofficial patch using this command:

    msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

Step 6. Re-register the Shell Image View Control DLL if you previously deregistered it. (If you deregistered it earlier, you used the same command as shown below but with -u, surrounded by spaces, inserted after regsvr32.) The following command re-registers the DLL. From the Start menu, select Run and then type:

regsvr32 %windir%\system32\shimgvw.dll

Microsoft describes the regsvr32 command and the side-effects of deregistering Shimgvw.dll in the Workarounds portion of the Vulnerability Details section of MS06-001. As I mentioned in last week’s news updates, deregistering this DLL was rather pointless, since Trojans can simply re-register it at any time themselves.

Step 7. Optionally, reboot one more time just for good measure. (The Internet Storm Center says this is not required, but doesn’t hurt.)
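As an added example that is not part of the original article and not Microsoft's or Guilfanov's code, the following PowerShell script carries out Steps 5 and 6 on a single PC and, before it removes anything, confirms that MS06-001 (patch number 912919, as given above) is already installed, which is the ordering the steps above insist on. The KB number, the .msi product code, the uninstaller path and the DLL name are the ones printed in the steps; the assumptions are that the machine runs PowerShell 2.0 or later from an elevated prompt, that Get-HotFix can see the patch, and that an .msi deployment registered its product code as its own subkey under the Uninstall registry key, which is how Windows Installer normally records per-machine products.

```powershell
# Added example, not the article's or Microsoft's code. Assumes PowerShell 2.0+
# on an elevated prompt. The values below are the ones the steps above give.
$ErrorActionPreference = 'Stop'

$OfficialKb    = 'KB912919'                                 # MS06-001
$UnofficialMsi = '{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}'   # .msi product code
$UnofficialExe = Join-Path $env:ProgramFiles 'WindowsMetafileFix\unins000.exe'
$UninstallRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-OfficialPatch {
    # Get-HotFix reads Win32_QuickFixEngineering; an unknown id is a non-terminating
    # error, so SilentlyContinue turns "not installed" into an empty result.
    $null -ne (Get-HotFix -Id $OfficialKb -ErrorAction SilentlyContinue)
}

function Remove-UnofficialPatch {
    # Step 5: an .msi deployment registers its product code as a subkey of the
    # Uninstall key (assumption about Windows Installer's usual bookkeeping);
    # otherwise fall back to the Inno Setup uninstaller named in the steps.
    if (Test-Path (Join-Path $UninstallRoot $UnofficialMsi)) {
        $p = Start-Process msiexec.exe -ArgumentList "/X$UnofficialMsi /qn" -Wait -PassThru
        # 3010 is ERROR_SUCCESS_REBOOT_REQUIRED: removed, reboot pending.
        return ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010)
    } elseif (Test-Path $UnofficialExe) {
        $p = Start-Process $UnofficialExe -ArgumentList '/SILENT' -Wait -PassThru
        return ($p.ExitCode -eq 0)
    }
    Write-Host 'Unofficial patch not present; nothing to remove.'
    return $true
}

function Register-ShellImageView {
    # Step 6: regsvr32 /s registers without the confirmation dialog. regsvr32 is a
    # GUI program, so Start-Process -Wait is needed to get a reliable exit code.
    $dll = Join-Path $env:windir 'system32\shimgvw.dll'
    $p = Start-Process regsvr32.exe -ArgumentList "/s `"$dll`"" -Wait -PassThru
    return ($p.ExitCode -eq 0)
}

if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated prompt.' }

# Step 2 is deliberately left manual: the leaked pre-release build reports the
# same number, 912919, so Get-HotFix cannot tell it from the official patch.
if (-not (Test-OfficialPatch)) {
    throw "MS06-001 ($OfficialKb) is not installed; complete Steps 3 and 4 first."
}
Write-Host 'MS06-001 is present; removing the unofficial patch.'
if (-not (Remove-UnofficialPatch)) { throw 'The unofficial patch uninstaller reported a failure.' }
if (-not (Register-ShellImageView)) { throw 'regsvr32 could not re-register shimgvw.dll.' }
Write-Host 'Done. Reboot to finish (Step 7).'
```

The script stops at the first failed step rather than continuing, because removing the unofficial patch on a machine that turns out not to have MS06-001 would leave it exposed again; the one check it cannot make for you is Step 2, since the leaked build carries the same number as the official patch.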

What about protection for Windows 98/Me?

The WMF vulnerability primarily affects Windows 2000, XP, and 2003, according to Microsoft. That’s because these operating systems have a default application associated with .wmf image files. To make things worse, these operating systems will also execute infected code even if a file’s extension is changed or the image is embedded in a document that contains images. (This is why filtering out files with a .wmf extension provides no protection.)
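The paragraph above is why a defender cannot rely on file names: the only reliable signal is the content. As an added example that is not from the article, this PowerShell function recognises WMF data by its header bytes at any offset in a buffer, so a metafile renamed to .jpg or embedded inside a larger document is still reported. The header layouts it checks (the placeable-header key 0x9AC6CDD7 and the 18-byte standard METAHEADER with HeaderSize 9) are the published WMF format; the sample buffer at the end is constructed for the demonstration.

```powershell
function Find-WmfContent {
    param([byte[]]$Bytes)
    # Scan every offset: WMF data carries no extension and may sit inside another file.
    $hits = @()
    for ($i = 0; $i -le $Bytes.Length - 18; $i++) {
        # Placeable (Aldus) header: DWORD key 0x9AC6CDD7, little-endian on disk.
        if ($Bytes[$i] -eq 0xD7 -and $Bytes[$i+1] -eq 0xCD -and
            $Bytes[$i+2] -eq 0xC6 -and $Bytes[$i+3] -eq 0x9A) {
            $hits += New-Object PSObject -Property @{ Offset = $i; Kind = 'placeable' }
            continue   # the standard header follows 22 bytes later and is reported too
        }
        # Standard METAHEADER: Type 1 or 2, HeaderSize 9 (words), Version 0x0100
        # or 0x0300, and NumberOfMembers (the last WORD) always 0.
        $type    = [BitConverter]::ToUInt16($Bytes, $i)
        $hdrSize = [BitConverter]::ToUInt16($Bytes, $i + 2)
        $version = [BitConverter]::ToUInt16($Bytes, $i + 4)
        $members = [BitConverter]::ToUInt16($Bytes, $i + 16)
        if (($type -eq 1 -or $type -eq 2) -and $hdrSize -eq 9 -and
            ($version -eq 0x0100 -or $version -eq 0x0300) -and $members -eq 0) {
            $hits += New-Object PSObject -Property @{ Offset = $i; Kind = 'standard' }
        }
    }
    return ,$hits
}

function Test-WmfFile {
    param([string]$Path)
    # Decide by content, never by the name or extension.
    @(Find-WmfContent ([IO.File]::ReadAllBytes($Path))).Count -gt 0
}

# Constructed sample: a minimal standard metafile (18-byte header, 12 words in
# total, followed by a 3-word EOF record), buried inside unrelated bytes the way
# an embedded image or a renamed file would present it.
$wmf  = [byte[]](0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0C,0x00,0x00,0x00,
                 0x00,0x00, 0x03,0x00,0x00,0x00, 0x00,0x00,
                 0x03,0x00,0x00,0x00, 0x00,0x00)
$junk = [Text.Encoding]::ASCII.GetBytes('not-a-wmf-by-name.jpg payload: ')
$doc  = [byte[]]($junk + $wmf + [Text.Encoding]::ASCII.GetBytes(' trailing bytes'))

$hits = @(Find-WmfContent $doc)
"WMF headers found: $($hits.Count)"
$hits | Format-Table Offset, Kind -AutoSize
```

For the constructed buffer the scan reports one standard header at the offset where the metafile starts, regardless of the ".jpg" in the surrounding text. An 18-byte pattern can occasionally match unrelated data, so treat a hit as a reason to quarantine and inspect, then confirm by parsing the records that follow the header.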

Microsoft doesn’t consider the WMF threat to be worthy of a "Critical" rating for Windows 95, 98, and Me. That’s because merely viewing infected images in a browser, for example, wouldn’t by itself infect a PC using those operating systems. Using this rationale, Microsoft says in its security bulletin that "non-critical security issues are not offered" for these OS versions, which are beyond their initial support periods.

I believe it’s true that Windows 95, 98, and Me have a low risk of being infected via the WMF route. Those operating systems will also be protected by up-to-date antivirus programs, which are being constantly revised to detect new WMF exploits.

For those who are concerned, Larry Seltzer’s security blog, published by eWeek Magazine, brings together many of the technical arguments over whether Windows 95, 98, and Me versions are or are not vulnerable to WMF attacks. In addition, EmailBattles.com, a security blog, reported on Jan. 6 that Steve Gibson of Gibson Research Corp. would soon release his own patch for Windows 95, 98, and Me. (No patch is available on Steve’s WMF page, however, as of this writing.)

Having said all that, it’s important for me to note that users of Windows 95, 98, and Me shouldn’t expect much support from Microsoft. The corporation announced last year that "extended support" for these OSes would expire on June 30, 2006. But that only means the company will issue patches until then for issues that are rated "Critical." After that, nothing is expected in the way of official updates. These platforms suffer from a variety of ills, and you’ll probably need to upgrade soon, if you haven’t already.

Onward, toward ‘Trusted Computing’

If the WMF situation changes in a significant way, I’ll bring you new information here in the Windows Secrets Newsletter. In addition, my contributing editors, Chris Mosby, Susan Bradley, and Ryan Russell, report to you today in detail on:

• Theoretical attacks that remain unpatched, exploiting WMF and other vectors.

• What Microsoft’s three January 2006 patches fix and don’t fix.

• How hackers are examining Microsoft’s flawed files to find new exploits.

These columns are located in the paid version of today’s newsletter, where our best information is always located. To get this info, plus 12 months of unlimited access to all of our old and new paid content, become a paying subscriber. All you do is make a financial contribution of any amount you choose. There’s no fixed fee. We want this information to be available to anyone who has the slightest interest. How to upgrade to the paid version

To send us more information about the WMF hole, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

All Windows Secrets articles posted on 2006-01-12: