My Personal version of a WMF FAQ


My Personal version of the WMF Vulnerability FAQ…

I’ve had some people ask me different questions about this new vulnerability. Some of them have been answered in other FAQ’s (http://isc.sans.org/diary.php?storyid=994), but others haven’t been answered. I’m going to do my best to answer the questions, however I strongly urge you to check out the security FAQ’s for an ‘official’ answer. Mainly the answers I’ll provide are my opinion based on what I’ve seen and read.

So, here we go….

My local news had an article about the HappyNewYear.jpg and MerryChristmas.jpg virus. Are these the only .jpg’s that I should be watching for?

No. The HappyNewYear and MerryChristmas.jpg’s are only the two that are currently being used. The file could just as easily be named MyKids.jpg or AuntSally.jpg or even DCP_001.jpg. The creators of these specific variants of the exploit are using those names (HappyNewYear and MerryChristmas) as ‘social engineering’ tools to trick you into opening the e-mails. If you’re not expecting a picture from someone, VERIFY with them that they really sent it, before you open the e-mail. Or, delete it and send them an e-mail asking them to resend it. Better to upset the sender then to risk getting hit with a nasty.

UPDATE

Along the same lines as the first question, what file types (extensions) should I be worried about?

Quoted from the SANS ISC Diary (1-1-06) “The following file extensions are recommended: BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by information of the file header information, not by file extension used.” Their exact quote was about what extensions security admins should be filtering at their Network Perimeter. But, for home users and “end-users”, this is a list of attachments that you should be wary about.

How are the viruses able to infect my computer?

The virus(es) use a security hole inside of a program in Windows to take advantage of your computer. This specific hole is in how Windows deals with WMF (Windows MetaFile), which is a type of Graphic Image header. While you may see .jpg, .gif, .tif, .png, or another ‘image file extension’, Windows looks at a header that is embedded inside of the image to determine what type of file it is (and subsequently what program to open for it). That’s why it doesn’t matter what extension the file is, it can still infect your computer.

The virus(es) are using an ‘exploit’ that was recently published. The exploit is actual source code for a program, which is able to take advantage of this security hole. So, all of the viruses will have some form of this exploit code written into them.

Why would someone publish an exploit?

(My Opinion only) There are numerous reasons why someone would publish the exploit (or Proof Of Concept) code to a security hole. Some of the people are doing it so that you can determine if your computer is vulnerable. Others are doing it so that people can write viruses that use their exploit. Still others are doing it just to show that they can find these holes.

Normally (I stress NORMALLY) the process goes like this… Researcher discovers the hole, and writes a program that uses it. Researcher contacts Vendor and gives them what he/she has. Vendor fixes the hole. Vendor releases a patch or updated version of the program. Researcher releases “Proof of Concept” which is his original program, so that people can make sure they’re not vulnerable to the hole.

The “Gentleman’s Agreement” between Security researchers and Vendors is usually about 60 days from when the researcher informs the vendor to when a patch is issued. Microsoft though, tends to take anywhere from 10 days to 6 months to release their patches.

The irony in the release of the Proof of Concept is this.. It’s released so that people can determine if they’re vulnerable. Everyone can get and compile the code. So, virus writers get it, and create viruses. At the same time, Anti-virus firms get the exploit, and write signatures that say “If unknown program uses these lines, it’s using this exploit.” And they name the viruses. Meanwhile, you find out that you’re either vulnerable or not in one of three ways. You download and compile the code, and it shows you. Or, you catch a virus before your Antivirus releases the signature for it. Or, you download the virus, and your antivirus alerts you (which doesn’t necessarily mean you’re vulnerable, but does mean you are at risk).

What is a 0-Day exploit?

A 0-Day (Zero-Day) exploit is one that is released before a patch is issued. Possibly, it’s released before the vendor is even aware of the hole. People may choose to release their exploit before the vendor can issue a patch for a few reasons. They may be outraged that the vendor likes to drag their heels with fixing the issues. They may also be worried that while the vendor is working on a fix, someone else is creating the viruses. So, the release of the 0-day exploit is meant to be a wake-up call for the vendor (or an incentive for the vendor to not drag their heels).

What should I do about this vulnerability?

If you read the Microsoft Security Bulletin, they tell you “Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.” And they tell you to view e-mails in Plain Text, not HTML.

However, if you go to SANS Internet Storm Center (http://isc.sans.org/) they recommend that you unregister the .dll file that is involved in this, and applying an ‘unofficial’ patch. Microsoft, however, tells you not to apply this patch, but wait and see if they will release their patch on January 10.

Personally, I’ve unregistered the .dll file, and applied the ‘unofficial’ patch as well. But, the choice ends up being yours. The way I view this, if a Security-based organization is recommending that I apply a patch, I’m going to put my trust in them, more so then I will the company whose product is at fault.

Think about it like this. Let’s say for example that this hole was in the original version of the file, and hasn’t been fixed in any subsequent versions. In this case, that means this hole has been on your computer for 5 to 7 years, if not longer. You’re lucky that someone found this now, and not earlier. See why people may be upset with Microsoft over this now? How long does it take to fix your own bugs? One thing to realize is that the person who actually wrote that original piece of code is probably not even looking at it anymore. They’re probably working on another piece of code for another product (or even another company). So, someone else, who isn’t necessarily familiar with the code, is the one trying to fix it.

The final word on this (IMHO) is simply this. Research.. It’s your computer. If you end up infected or worse, you have to pay to fix it. Does Microsoft have to pay you back? Only about $5.00, if you win a lawsuit. It’s in their End User License Agreement that you agreed to when you installed Windows. So, read everything that you can on this issue, and make a wise decision. If you have questions, ASK.

And, if you’re reading this, and think I’m way off base, please comment. Tell me what part is wrong, and point me in the right direction. Please.

Good luck everyone.
Patrick.

Leave a comment

Your email address will not be published. Required fields are marked *