Windows Metafile vulnerability
The 2005 WMF vulnerability is a flaw in the Windows operating system that was first disclosed on Bugtraq on 28 December 2005, and was subsequently used in a variety of exploits. The flaw, located in gdi32.dll, is based on the way Windows handles Windows Metafile vector images, and allows a well-crafted file to execute arbitrary code without the user's permission. The flaw is known to affect Microsoft Windows versions from Windows 98 to Windows Server 2003 R2, and probably affects versions as old as Windows 3.0.
According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf") containing specially crafted SETABORTPROC "Escape" records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails."
Exploits using this vulnerability may be triggered by viewing a malicious website in Internet Explorer (in which case the file may be automatically downloaded and opened), viewing such a website in any other browser and agreeing to open and download at the prompt, previewing an infected file in Windows Explorer, previewing infected emails in older versions of Outlook, and even indexing a hard disk containing an infected file with Google Desktop.
According to McAfee, by 31 December 2005 more than 6% of their customer base had been infected by the first generation of such exploits.
Solution
As of 2 January 2006 15:00 GMT, no official patch exists. Microsoft published advice on 28 December 2005 to deregister shimgvw.dll, a dynamic link library that invokes previewing of image files, and which is used by the majority of attacks. While unregistering shimgvw.dll may make the user less vulnerable, several attack scenarios exist where such a system can still be compromised through gdi32.dll. An unofficial patch by Ilfak Guilfanov exists which removes the flawed functionality in gdi32. The scope of this vulnerability is still growing. A defense-in-depth approach to mitigate this risk should also include:
- Make Data Execution Prevention (DEP) effective for all applications.
- Change the default application associated with WMF files to one that cannot render them, such as Notepad.
- Turn off downloads in Internet Explorer by setting the default security level to High.
- Keep all anti-virus products up to date; consider frequent manual updates.
- Block all WMF files at the network perimeter.
- Use user accounts configured with as few rights as necessary.
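As an added illustration (not part of the original article, and not code from Microsoft, Secunia or any of the linked advisories), the following Python script walks the record stream of a WMF file and flags META_ESCAPE records whose escape function is SETABORTPROC, the record type the Secunia advisory quoted above describes. It is the content-based check a perimeter filter or mail gateway could apply instead of blocking every WMF file by extension. The record layout and the function numbers (0x0626 for Escape, 0x0009 for SETABORTPROC) come from the public WMF format; the two sample files are constructed inline, and the escape data in the flagged record is inert zero padding.

```python
"""Flag SETABORTPROC Escape records in WMF files (added illustration; constructed input)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header some WMF files carry
META_ESCAPE = 0x0626           # WMF record function: Escape
META_EOF = 0x0000              # WMF record function: end of file
META_SETMAPMODE = 0x0103       # a harmless record used in the benign sample
SETABORTPROC = 0x0009          # Escape sub-function that installs an abort procedure
NEWFRAME = 0x0002              # a harmless Escape sub-function used in the sample


def wmf_records(data: bytes):
    """Yield (offset, function, parameter bytes) for each record in a WMF byte string.

    Record sizes are stored in 16-bit words. Parsing stops at the first record that
    is shorter than its own fixed part or runs past the end of the data."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22                                    # skip the placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    pos += header_words * 2                         # normally 9 words = 18 bytes
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            break                                   # malformed record: stop
        yield pos, func, data[pos + 6:pos + size]
        if func == META_EOF:
            break
        pos += size


def find_setabortproc(data: bytes):
    """Return the file offsets of every Escape record that requests SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_fn = struct.unpack_from("<H", params, 0)[0]
            if escape_fn == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record: size in words, function number, parameters."""
    if len(params) % 2:
        params += b"\x00"                           # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Assemble a minimal standard (non-placeable) WMF file around the given records.

    Header fields: Type, HeaderSize (words), Version, Size (words),
    NumberOfObjects, MaxRecord (words), NumberOfMembers."""
    all_records = records + [_record(META_EOF, b"")]
    body = b"".join(all_records)
    total_words = (18 + len(body)) // 2
    max_record = max(len(r) for r in all_records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


# Constructed sample 1: an ordinary metafile with a single SetMapMode record.
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])

# Constructed sample 2: a harmless NEWFRAME escape followed by a SETABORTPROC
# escape whose 4 bytes of escape data are inert zeros (placeholder, not a payload).
SUSPICIOUS_WMF = build_wmf([
    _record(META_ESCAPE, struct.pack("<HH", NEWFRAME, 0)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        offsets = find_setabortproc(blob)
        verdict = "SETABORTPROC at offsets %s" % offsets if offsets else "clean"
        print(f"{name}: {verdict}")
```

Two practical notes. First, match on content rather than file extension: the record walk above does not care what the file is called, which matters because the article lists preview and indexing paths that open files regardless of how they are named. Second, because the advisory says the abort procedure runs when rendering fails, a gateway using this check should treat a truncated or malformed record stream as suspicious rather than clean, not as a reason to pass the file through.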
External links
- History of the WMF Vulnerability and why we are on alert - F-Secure
- Windows Security Flaw Is 'Severe' - Washington Post
- Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution - Secunia advisory
- Microsoft Security Advisory (912840)
- CERT advisory
- Summary of status as of 1 January
- New exploit released for the WMF vulnerability - Internet Storm Center
- Be careful with WMF files - F-Secure
- Unofficial Patch
- WMF FAQ - SANS Institute