my profile | my password | search | faq & rules | forum home

» Film-Tech Forum ARCHIVE   » Community   » Film-Yak   » Big security hole in .WMF file format

Author Topic: Big security hole in .WMF file format Bobby Henderson "Ask me about Trajan." Posts: 10973 From: Lawton, OK, USA Registered: Apr 2001 posted 12-30-2005 11:54 AM                     Apparently some really big security hole has been uncovered in the Windows Metafile format, a graphics format able to hold both vector-based and bitmap-based artwork. Microsoft products like Word and Publisher are the main movers of images in this file format, although professional level graphics programs like Adobe Illustrator and CorelDRAW can open and export in .WMF as well. Lots of other applications can index and preview .WMF files, including Internet Explorer, Outlook Express and Google Desktop. Simply previewing the image can launch malicious code deliberately hidden within a .WMF file. Some applications apparently bring up a dialog box asking the user to hit OK to allow the malware to install. In the case of Internet Explorer and Outlook Express, the malware is immediately installed with no dialog box displayed. Professional level graphics file management programs like Adobe Bridge can preview and index .WMF images as well. I'm trying to get some word from Adobe's tech support on how vulnerable Bridge is to allowing malware to install. This exploit apparently works on fully patched Windows systems. In addition to working on XP Home and XP Pro, it also can affect variants of Windows2003 Server Edition. The problem allowing this exploit: when Microsoft created the .WMF format they wrote in the capability for the file to make a "callback" to the system. I guess that's for file indexing purposes or some other technical stuff like that. But that feature is also the hole malware writers are exploiting with glee. More than 50 adware and spyware variants have been spotted. Viruses may be soon to follow. E-Week calls the .WMF hole a "zero day exploit," meaning it is about as bad as any alert can get. One opinion writer on the site said the .WMF format is now officially ruined. Most computer users are only going to get hit by this bug from viewing malicious web pages or clicking on links that take them to harmful web pages. People who deal with graphics files on a constant basis (such as me) can be vulnerable. I handle lots of customer submitted art files all the time. Very often customers have the .WMF format as their only vector-based option for sending logos from applications like MS Pubisher. I can just see some virus writer being able to make a worm that infects every .WMF on a user's system. Then when I get their logo to use on a sign my system could potentially get infected. I've already banned .ZIP files from being used for customer submitted artwork. Now it looks like I have to refuse any .WMF files that come my way as well.  |  IP: Logged David Stambaugh Film God Posts: 4021 From: Eugene, Oregon Registered: Jan 2002 posted 12-30-2005 02:01 PM                        quote: Bobby Henderson This exploit apparently works on fully patched Windows systems. Can you post a link to a source for that info? Was that statement made prior to Microsoft releasing an update (in November) that fixes the problem? Security Bulletin MS05-053  |  IP: Logged Bobby Henderson "Ask me about Trajan." Posts: 10973 From: Lawton, OK, USA Registered: Apr 2001 posted 12-30-2005 02:08 PM                     Yep, a link probably would have helped: Critical Impact: Windows Metafile Flaw a 'Zero-Day Exploit' Article lead in: quote: Code for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format files is being exploited on fully patched systems. Researchers are currently tracking thousands of sites distributing the exploit code.  |  IP: Logged David Stambaugh Film God Posts: 4021 From: Eugene, Oregon Registered: Jan 2002 posted 12-30-2005 07:05 PM                        More info at the links. Seems that this is still playing out and there's no 100% fix yet. However, it looks like enabling DEP (Data Execution Prevention) in XP, for all programs (especially the hardware variety of DEP; see links) and unregistering a dll file (regsvr32 /u shimgvw.dll) are effective in the short term, although the latter will break Windows Picture & Fax Viewer. http://www.microsoft.com/technet/security/advisory/912840.mspx http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385 http://www.eweek.com/article2/0,1895,1906177,00.asp http://blogs.zdnet.com/Ou/?p=143 http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx  |  IP: Logged

All times are Central (GMT -6:00)

Printer-friendly view of this topic

Hop To: Select a Forum: Category: Operations -------------------- Digital Cinema Forum Film Handlers' Forum Large Format Forum Ground Level Feature Info, Trailer Attachments & REAL Credit Offsets Category: Community -------------------- Film-Yak Film Handlers' Movie Reviews The Afterlife Bob Maar's Joke-A-Thon Category: Classified -------------------- Equipment and Supplies Wanted/For Sale Help Wanted/Seeking Employment Category: System -------------------- Software Beta Testing Forum

The Film-Tech Forums are designed for various members related to the cinema industry to express their opinions, viewpoints and testimonials on various products, services and events based upon speculation, personal knowledge and factual information through use, therefore all views represented here allow no liability upon the publishers of this web site and the owners of said views assume no liability for any ill will resulting from these postings. The posts made here are for educational as well as entertainment purposes and as such anyone viewing this portion of the website must accept these views as statements of the author of that opinion and agrees to release the authors from any and all liability.