Although many Kossacks may not consider this to be an appropriate forum for such news, this problem is certain to affect about 80% of us and it is a very serious problem that affected users must deal with right now.
Please pay attention to this. It may help to save you from a lot of computer grief. Also, please RECOMMEND so that this stays up for more than a few minutes. I will attempt to UPDATE as new information becomes available. Also, please be aware that if your Internet connection seems slow today, it's likely a measure of how much traffic is being generated by the explosion of compromised, virus-laden WMF files that are being released onto the network by virus writers and further propagated by already infected systems. Yes, it's that bad.
Yes, I am aware that there have already been at least a couple of other diaries on this issue and I understand that many of you have already researched this situation on your own and taken appropriate action. For the rest, please understand that this situation is still evolving and that I am herein attempting to summarize the current state of affairs and to correct some false impressions that some users evidently have as indicated in the comments to those previous diaries.
I am a professional computer technician/system and network administrator and have been dealing with and explaining these things to non-technical users for about a decade. Although what I've written here does get somewhat technical, I've attempted to translate as much as possible from "geekspeak" and still convey accurate information. If you take the time to read all the way through, I believe you'll understand not only why this situation is uniquely dangerous, but also what you need to do to protect your PC.
As most of you already understand, this is not a hoax.
This is also not a virus, per se. It is a vulnerability in the Microsoft Windows PC operating system, a hole through which all types of viruses (worms, backdoors, trojan horses, rootkits, etc.) can invade a PC system - and undoubtedly will for quite a while even after Microsoft issues an official patch for the hole. Microsoft announced this morning that it will be making a patch available on 10 January. Windows users who have Microsoft Update activated should receive this patch automatically (assuming that some virus contained in a compromised WMF file does not disable or destroy this functionality in the meantime).
Meanwhile, all Windows users will experience an extremely elevated risk of having their systems compromised with a virus as a result of this Windows operating system security hole.
THE PROBLEM:
There may be numerous ways for virus-writers to exploit this hole. Each of these exploits will present new program code, new patterns of bits (the ones and zeroes) and behaviors (the "signatures") that antivirus software uses to detect and defeat malicious stuff. Thus, for perhaps as much as a few weeks, there will be some lag time between the release of a new exploit and antivirus updates that can protect a PC against it. Although, as always, all Windows PC users should make absolutely certain that their antivirus software is up-to-date and working at all times, there is a "worst-case scenario" that is likely to make such efforts moot, at least for the near term. In this scenario, an evil virus writer embeds commands in a WMF file instructing Windows to first disable all antivirus software. If the pattern of those commands is new enough that antivirus software can't detect it, the commands will succeed. At that point, another set of commands could install an automatic downloader that would connect with some website or FTP source and download/install any other malicious programs the virus writer desired. If this DOES happen to your system, you're pretty much screwed. You will need to engage the services of a professional technician who is able to back up your data offline, restore your system from scratch and apply the security measures I've listed below.
HOW THIS WORKS:
This vulnerability involves files in the "WMF" format - Windows Metafile, sometimes called Windows Media File. WMF is an image file format developed by Microsoft exclusively for Windows. Unlike other common and universal image file formats (e.g., JPG) that typically present only content-descriptive data ("this pixel is blue and it goes over here"), WMF files can also contain "active content" or program code that can command Windows to take certain actions (almost any action, as it turns out).
This vulnerability also involves a core Windows operating system file - GDI32.DLL. This file essentially enables the Windows GUI (Graphical User Interface) - all the icons, backgrounds, dialog boxes, etc. - even Windows Explorer itself. Without it, Windows simply will not load or run. This GDI32.DLL will readily accept those commands embedded within a WMF file and execute them automatically in the background without the user's knowledge and without the user having to do anything. This is BY DESIGN, courtesy of Microsoft, to provide the user with "features" exclusive to Windows and other Microsoft products - features that no PC user outside of some airless conference room in Redmond would ever have requested.
The above should make it clear why other operating systems such as the various versions of Linux, Unix and the Mac OSX are not vulnerable. However, Microsoft WORD encapsulates embedded images in a file format - WMZ - that is related to the WMF format (essentially a "zipped" WMF file). Thus there is a very slight chance that users of Mac OSX version of WORD could, at some point in the future, experience some minor problems limited to that application.
This GDI32.DLL core Windows system file is present in all versions of Windows since Windows 95. Thus, many computer security experts fear that all versions of Windows may be afflicted with this vulnerability. HOWEVER, there are differences between the GDI32.DLL used by Windows 95, Windows 98 and Windows ME on the one hand, and the file of the same name (but different properties) used by Windows NT, Windows 2000, Windows XP and Windows Server 2003. These differences may be significant. It may be more difficult for virus-writers to exploit this vulnerability in Windows 95/98/ME. The vulnerability may not exist at all in those Windows versions. (see below)
There is another Windows file - the SHIMGVW.DLL - that was originally thought to be the sole point of vulnerability. This file is present exclusively on Windows 2000, Windows XP and Windows Server 2003. This is what enables Windows XP to display thumbnail previews of image files in folders and also runs the Windows Fax Viewer. It turns out, however, that this file is only related to the core vulnerability in the same way that any program or application running on Windows that deals with image files would be. This is important to understand. All programs or applications that view, preview or "index" (i.e., create a "library" of) image files on Windows use the GDI32.DLL at some point, thereby potentially activating the core vulnerability if the image file in question is a WMF file with embedded malicious "active content". Such programs/applications would include Photoshop, ACDSee, Internet Explorer, Firefox, Outlook, Outlook Express, Windows Media Player, the Google Desktop, Paint, etc.
A Windows PC user could encounter a WMF file with malicious embedded code in the following ways:
- an email attachment
- a compromised web page (at least one legit website so far has been found to contain a malicious WMF file)
- through an Instant Message
- in a shared file on a P2P network
- in a folder on another computer viewed across a local network (since it's actually the GDI32.DLL on one's own PC that displays the content of the folder on that other computer).
Because of the way that Windows deals with WMF files - that is, Windows reads the file "header" (the ones-and-zeroes at the start of the file) rather than the file name and extension that the user sees - a corrupt WMF file could use virtually ANY filename ("HappyNewYear.jpg", "benign.txt", "schedule.xls" for example) and Windows will still process it as a WMF file and accept commands from it. Thus, it won't be safe for a while to view or preview ANY email attachment or P2P file, regardless of what it's named.
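Because the file name tells you nothing, a mail gateway or a file-scanning script has to identify WMF content the same way Windows does: by the bytes at the start of the file. The following is an added example, not code from this diary; it recognises the two published WMF header layouts (the 22-byte "placeable" header with its 0x9AC6CDD7 key, and the bare 18-byte standard header) and flags files whose extension disagrees with their content. The sample files are constructed inline.

```python
import struct

# Key of the "placeable" WMF header, 0x9AC6CDD7 stored little-endian on disk.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"


def is_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, whatever the file is called.

    Handles both layouts: a 22-byte placeable header followed by the standard
    header, or the bare 18-byte standard header (type 1 or 2, header size of
    9 words, version 0x0100 or 0x0300). Truncated input is reported as not-WMF.
    """
    if data.startswith(PLACEABLE_MAGIC):
        data = data[22:]  # skip the placeable header to reach the standard one
    if len(data) < 18:
        return False
    mtype, hdr_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the header says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf" if ext == "wmf" else "wmf-disguised"


def build_minimal_wmf(placeable: bool = False) -> bytes:
    """Constructed sample: a valid, empty metafile (header + EOF record)."""
    eof_record = struct.pack("<IH", 3, 0)  # 3 words long, function 0 = EOF
    # type=2 (disk), header size 9 words, version 0x0300, total 12 words,
    # 0 objects, largest record 3 words, 0 parameters
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0)
    body = header + eof_record
    if placeable:
        # key, handle, bounding box (l, t, r, b), units per inch, reserved, checksum
        body = struct.pack("<IHhhhhHIH", 0x9AC6CDD7, 0, 0, 0, 100, 100, 96, 0, 0) + body
    return body


# Constructed attachments: two WMFs hiding behind other extensions, one real
# JPEG (FF D8 FF magic) and one honestly named WMF.
SAMPLES = {
    "HappyNewYear.jpg": build_minimal_wmf(placeable=True),
    "schedule.xls": build_minimal_wmf(),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "chart.wmf": build_minimal_wmf(),
}


def scan(samples: dict) -> dict:
    """Verdict per file name; anything 'wmf-disguised' deserves quarantine."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:20} {verdict}")
```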
What users can (and should) do to protect themselves:
PLEASE NOTE - if you do not feel completely confident that you understand the following actions or feel completely comfortable in making such changes to your system yourself, please engage the services of a local professional computer technician to do this for you. It will be worth the money you spend. It might even be a good idea to print this out and present it to whatever technician would be performing this work for you.
1) The latest version (now v1.4) of the extremely "unofficial" patch from Ilfak Guilfanov for the Windows GDI32.DLL file is available HERE.
This patch has been tested and vetted by people I know and trust at the SANS Institute. This appears to block at least one specific exploit of the GDI32.DLL vulnerability on Windows XP-SP1 and SP2, XP 64-bit Edition, Windows Server 2003 and Windows 2000 through SP4. And, so far, it doesn't appear to "break" any other Windows functions. Users should install this patch for now and uninstall it (through ADD/REMOVE PROGRAMS in the Control Panel) when Microsoft issues an official patch.
PLEASE NOTE: Guilfanov's patch WILL NOT INSTALL on Windows 95/98/ME.
Guilfanov has also released a small program with which a user can test their system for the vulnerability. It's available HERE.
I ran this test on a Windows 98 laptop and it indicated that this system WAS NOT VULNERABLE to the specific exploit that was being tested. This is one of the reasons that I personally speculate that Windows 95/98/ME might not be afflicted with this vulnerability (more below).
The Internet Storm Center at the SANS Institute also has a link to a couple of vulnerability checks crafted by Kevin Gennuso and Reik Bohne. The first of these tests (from Kevin) involves downloading a specially crafted WMF file that is intended to instruct Windows to open the Calculator and kill Explorer. I downloaded this file using Internet Explorer running on a Windows 98 system and ran it both from within IE and simply by double-clicking the file after saving it to the hard drive. It failed to exploit the system in both cases.
The second of these tests (from Reik) checks the currently-running BROWSER by running a test exploit that also instructs Windows to open the Calculator. I ran this check using Firefox v1.5 on Windows 98. On this particular system, the WMF file extension is associated with Paint Shop Pro version 5 (WMF files open in PSP by default). Firefox asked what I wanted to do with the file (instead of opening it automatically). I selected "OPEN IT". The attempted exploit then opened PSP with an error message, BUT DID NOT OPEN the Calculator. This could be good news for both users of Win98 and Firefox v1.5.
Reik also offers several email checks beginning HERE.
Please note that this site is in German and may be difficult for most non-readers of German to follow (although it's possible to "tease out" the meaning of the links and buttons). Evidently, a "successful" test will also open the Calculator. Using Mozilla Thunderbird on Windows 98, it did NOT.
The best way to use these tests would be to run them both before and after you have applied Guilfanov's patch in order to know if your system was vulnerable to begin with and whether or not the patch is working.
2) Users should also disable the Windows SHIMGVW.DLL file by "unregistering" it as follows:
Open a COMMAND PROMPT: Click START, click RUN, type CMD, Click OK.
Type: REGSVR32 /U SHIMGVW.DLL
Hit ENTER.
A dialog box will appear confirming that the unregistration process has succeeded. Click OK.
REBOOT.
This is the Windows automatic image preview mechanism that loads on Windows startup and runs all the time. Disabling this will cut off at least one avenue through which WMF code could automatically be activated. NOTE: unregistering this DLL alone will not protect a Windows system. Beyond the fact that a typical consumer system is likely to have other image viewing/previewing/indexing software running all the time, there's always the possibility that some malicious code in a WMF file that is activated by other means could simply re-register the file.
3) By the same token, users should temporarily disable all other image viewing/previewing indexing programs from loading on Windows Startup through the MSCONFIG utility:
Click START, click RUN, type MSCONFIG, click OK.
In this MSCONFIG window, you will see several "tabs". Click on the STARTUP tab. This will display a list of all the programs that Windows is instructed to load and run every time Windows starts, each with a "checkbox" next to it. If the box next to an entry is "checked", it will load. If the box is empty, it will not. The status of the box changes when one clicks on it. Many of the entries in this list will be obscure. Don't alter (check or uncheck) any entry unless you're absolutely certain you know what it is. However, it's safe (and probably advisable in this situation) to uncheck anything that clearly refers to Adobe, RealPlayer or any other program that obviously has anything to do with viewing, previewing or indexing image or media files.
Once you have made any changes, click APPLY, then click CLOSE. You will see a message stating that you need to REBOOT in order for the changes to take effect. That is, the programs in question have already loaded and are running. All you have just done is to instruct Windows NOT to load them on the NEXT startup. By rebooting, you will shut down all those programs and they won't be loaded when Windows comes back up. BTW - it's highly unlikely that you'll ever miss them.
- Disable or uninstall the GOOGLE DESKTOP or any other file-indexing or automated "local disk" search utility you may have running.
- Set your web browser security settings to the highest level so that it at least asks you before opening any file with embedded active content. Also do the same for your email program - set it so that it reads email in "plain-text only" rather than HTML and so that it does not automatically open or preview ANY attachments.
- Set your IM client so that it does not display HTML or images and so that it does not accept file attachments - EVEN FROM PEOPLE YOU KNOW.
- Avoid using P2P sources, including BitTorrent, at least until an official patch has been issued by Microsoft and your antivirus vendor has had a couple of weeks to get a handle on this.
- By all means, manually update your antivirus software AT LEAST once per day. Check frequently to make sure that its automatic detection mechanism is running and run a full system scan nightly.
- It may also help if users make sure that they are using their system ONLY through a "Limited Account" (non-Administrator) login. At this point, it appears that commands embedded in a malicious WMF can only execute within the limitations of the rights of the currently logged-in user. What this means is that, if a user is logged in under a Limited Account, a compromised WMF may not be able to install a virus payload, whereas a user logged in as an Administrator has full rights to the whole system, so such malicious code would be able to execute virtually any command. However, once a malicious WMF file is on the system, even if it came in under a Limited Account, as soon as a user logs into that system under an Administrator account, that file may then have the opportunity to do its worst.
NOTE: The DEP (Data Execution Prevention) system that Microsoft introduced with Windows XP that was intended to prevent just such problems as this one is NOT EFFECTIVE in this situation. The software part of the DEP system requires support from the computer's hardware (CPU and chipset). This hardware support is only available on the most recent, high-end processors and chipsets such as AMD's 64-bit versions.
As I've said, I will try, as I have time, to UPDATE as more info becomes available and to answer any questions or concerns in the comments. Please be patient though. At our shop, we've already got a couple of DOZEN PCs with virus problems either on the bench or on the way in - just today.
From the always circumspect technical experts at the SANS Institute INTERNET STORM CENTER:
Oxy-morons (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 18:17:57 UTC by Tom Liston (Version: 1)
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."
- Microsoft Security Advisory (912840)
"...Microsoft's intelligence sources..."?!?
Go ahead and laugh. I'll wait.
Through? O.K.
While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future. The only problem: it appears that they made it from rose-colored crystal.
In their rosy vision of the future, over the next seven days, nothing bad is going to happen. The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future. The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.
The future, according to Microsoft, is a wonderful, safe, chocolaty place.
And why not? Everything just seems to work out for them!
Imagine! You have tons and tons of work to do! Even now, the Oompa Loompas are hard at work out in Redmond, simultaneously regression-testing and translating Microsoft's WMF patch into Swahili and Urdu. And, somehow, as if by magic, all of this work will wind down at precisely the right moment so that the WMF patch doesn't have to be released "out of cycle." How convenient! Especially if you're wanting to avoid all of that nasty "Microsoft Releases Emergency Patch" publicity.
And remember, if something bad does happen to you during the next seven days, Billy Wonka and his Magic Metafiles aren't to blame. You are!
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
Why are you visiting places on the web you've never been before? Restrict your browsing to safe places, and everything will be just fine. 'Cause no one could ever put a bad graphic file on a place you trust.
Sorry (tee-hee)! I just HAD to (snicker)!