The Windows Metafile vulnerability is a security vulnerability in Microsoft Windows NT-based operating systems which has been used in a variety of exploits since late December 2005. The vulnerability was first discussed in the computer security community around 26 and December 27, 2005, with the first reports of affected computers subsequently announced within 24 hours. As of January 5, 2006, a high priority update to fix this vulnerability is available via Windows Update (see announcement). No patches are needed for Windows 98, Windows 98 Second Edition or Windows Millennium Edition, as they are unaffected by this vulnerability.
The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users. The vulnerability therefore facilitates the propagation of various types of malware, typically through drive-by downloads.
Affected systems
Windows Metafiles are extensively supported by all versions of the Microsoft Windows operating system. All versions from Windows 3.0 to the latest Windows Server 2003 R2 contain this security flaw. However, versions from Windows XP onwards are more severely affected than earlier versions, since they have a handler and reader for the WMF file in their default installation.
According to Steve Gibson's M.I.C.E. analysis, Windows NT 4 may be affected by known exploits if it has an Image Preview Feature enabled. Computers not susceptible to known exploits of the flaw (but potentially susceptible to future versions or as-yet undiscovered exploits) include those running other versions of Windows, without Image Previewing enabled, or those with hardware-based Data Execution Prevention (DEP) effective for all applications.
Machines running non-Windows operating systems (e.g. Mac OS, Linux, etc.) are not directly affected. A scenario in which such computers might become vulnerable would be where a third-party program or library, designed to view WMF files on a non-Windows system, used the native Windows GDI DLL, or a clone which copied the design flaw leading to this bug, e.g. through a Windows emulator or compatibility layer.
Steve Gibson stated that the vulnerability could be exploited in Wine, and has provided a tool called MouseTrap to detect this on all Windows and Windows emulator systems.
The vulnerability
According to assessments by F-Secure, the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling.
According to Secunia, “The vulnerability is caused due to an error in the handling of Windows Metafile files (‘.wmf’) containing specially crafted SETABORTPROC ‘Escape’ records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails.” According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered.
The vulnerability is CVE-2005-4560 in the Common Vulnerabilities and Exposures database, US-CERT reference VU#181038 and Microsoft Knowledge Base Article 912840.
Propagation and infection
Computers can be affected via the spread of infected e-mails which may carry the hacked WMF file as an attachment. Infection may also result from:
- Viewing a website in a web browser that automatically opens malicious WMF files, in which case any potential malicious code may be automatically downloaded and opened. This includes Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996.
- Previewing an infected file in Windows Explorer.
- Viewing an infected image file using some vulnerable image viewing programs.
- Previewing infected emails in older versions of Microsoft Outlook and Outlook Express.
- Indexing a hard disk containing an infected file with Google Desktop.
- Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.
Other methods may also be used to propagate infection. Because the problem is within the operating system, using different browsers like Firefox or Opera would not provide complete protection. Users will commonly be prompted to download and view the file, upon which infection would occur. Infected files may be downloaded automatically which opens the possibility for infection by disk indexing or accidental previewing.
According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.
McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.
Official patch
Microsoft released an official patch (available here) to address the problem on 5 January 2006, five days earlier than originally stated. This patch may be applied in lieu of other corrective measures.
The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. A patch has not been released for Windows 9x/Me, as the vulnerability is non-existent on these operating systems. Windows NT 4 and other affected operating systems will not receive a patch as they are no longer supported by Microsoft. Steve Gibson stated here, in his Security Now! podcast #20, that his company Gibson Research Corporation would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated here, in the more recent Security Now! podcast #23, that Windows 9x and Me users are not vulnerable, and that these systems do not need to be patched. Windows 9x users can run his Mouse Trap utility to see this for themselves.
Users of Windows NT who are seeking a patch should install Paolo Monti's patch from Future Time , the Italian distributor of Eset's NOD32 anti-virus system. The patch is free, and works on older operating systems, but it is supplied without warranty. It is available for download from its official server.
There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to download the updates automatically but ask before applying them. This results in an automatic reboot, which can cause loss of data (particularly if the user has a program open with unsaved changes).
Other corrective measures
Workaround
As a workaround, on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll (which can be done by executing the command
regsvr32.exe /u shimgvw.dllfrom the Run menu or the command prompt) which invokes previewing of image files and is exploited by most of these attacks. The DLL can be re-registered once the flaw is fixed by runningregsvr32.exe shimgvw.dll. This workaround does not eliminate the vulnerability, it only blocks a common attack vector.Third party patch
A third party patch was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of SANS Institute Internet Storm Center and F-Secure. Because of the large amount of publicity, including being indirectly slashdotted, Guilfanov's website was overrun with more visitors than it could have coped with, causing it to be suspended on 3 January 2006. During the downtime, the patch was available for download from a number of mirrors including the Internet Storm Center website
Guilfanov's website went back online on 4 January in a much reduced state. No longer providing the patch on site due to bandwidth issues, the homepage provides a list of mirrors where a user can download the patch and the associated vulnerability checker. Also available is the MD5 checksum for the original file, so that a user can check the file they downloaded is an unmodified version.
After Microsoft released its patch, Guilfanov took his offline and urged visitors to install the official patch, as his intention was always to spur the release of a supported and tested patch.
Risk reduction techniques
Microsoft says its patch removes the flawed functionality in gdi32 that allowed the WMF vulnerability. For computers running a version of Windows that Microsoft has not patched, a defence in depth approach is recommended, to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:
- Making use of hardware-enforced Data Execution Prevention effective for all applications.
- Set the default WMF application to be something innocuous such as Notepad.
- Do not use Internet Explorer or at least turn off downloads by setting the default security settings to HIGH.
- Be vigilant in keeping all anti-virus software up-to-date. Consider frequent manual updates.