Threat Analysis

Exploit Code Released for Unpatched WMF Vulnerability

Several websites are distributing a malicious WMF (Windows Meta File) which exploits an unpatched vulnerability in Microsoft Windows.

WMF and other image file format exploits are fairly common; this threat is of more concern because there is currently no patch available from Microsoft.

Other groups have started to adapt the exploit for their own purposes, so although the initial threat was from spyware, we may see more insidious threats from this bug in the near future.

Currently the exploit affects all Windows versions from Windows 98 up to Windows XP SP2 fully patched. The exploit works by embedding a hostile WMF file in a web page, then getting users to view the page. It is reported that Microsoft Internet Explorer allows for automatic execution of the exploit code, while Firefox, Opera and possibly other browsers on Windows will prompt the user to open the file in the default file viewer. If the user clicks OK, they can be infected.

There is a workaround to prevent execution of the code in the malicious file. It is possible to unregister the vulnerable DLL, using the command "regsvr32 -u %windir%\system32\shimgvw.dll". Note that doing this may affect thumbnail views of other image types in Windows Explorer.

Blocking WMF file extensions at the HTTP and SMTP gateways may be done as a stopgap measure, however this is not a foolproof solution. The file extension can be changed to another type (such as GIF) and the Windows image loader will handle the file based on the header found in the file, leading to execution of the vulnerable code.
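Because the Windows image loader keys off the file header rather than the extension, a gateway filter that only matches ".wmf" can be bypassed by renaming. The following added example (not part of the Secureworks advisory) shows the defensive counterpart: identifying WMF content by its header bytes so renamed files are still caught. The magic values are the documented placeable-WMF key and the standard WMF header fields; the sample "attachments" are constructed here for illustration.

```python
import struct

# Aldus placeable WMF header key (0x9AC6CDD7, stored little-endian).
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"
# Standard WMF header: FileType (1 = memory, 2 = disk), HeaderSize (always 9 words),
# Version (0x0100 or 0x0300). All fields are little-endian 16-bit values.
STANDARD_WMF_TYPES = {1, 2}
STANDARD_WMF_HEADER_WORDS = 9
STANDARD_WMF_VERSIONS = {0x0100, 0x0300}


def is_wmf(data: bytes) -> bool:
    """Return True if the bytes carry a WMF header, whatever the file is named."""
    if len(data) < 18:  # a standard WMF header alone is 9 words = 18 bytes
        return False
    if data[:4] == PLACEABLE_WMF_MAGIC:
        return True
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return (file_type in STANDARD_WMF_TYPES
            and header_size == STANDARD_WMF_HEADER_WORDS
            and version in STANDARD_WMF_VERSIONS)


def flagged_attachments(files):
    """Given (name, content) pairs, return the names whose content is WMF."""
    return [name for name, blob in files if is_wmf(blob)]


# Constructed sample data: a WMF renamed to .gif, a placeable WMF, a real GIF
# header, and a truncated file that is too short to be a WMF.
SAMPLE_FILES = [
    ("photo.gif", b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12),
    ("logo.wmf", PLACEABLE_WMF_MAGIC + b"\x00" * 18),
    ("real.gif", b"GIF89a" + b"\x00" * 20),
    ("short.wmf", b"\x01\x00"),
]

if __name__ == "__main__":
    print(flagged_attachments(SAMPLE_FILES))
```

Extension-based blocking still has value as a first filter, but the header check is what stops a renamed payload from reaching the vulnerable loader.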

Although Windows 98 and Windows 2000 can be exploited because they ship the vulnerable DLL, neither operating system has a default handler for WMF files, and their built-in image viewers do not understand the format and will not render it. Unless the WMF file is processed by a newer program (Word 2003, for example), exploitation on these platforms is unlikely. Therefore Windows XP and Windows 2003 are the primary platforms at risk from this vulnerability.

Microsoft is reportedly looking to release a patch on January 10 that will address the vulnerability.


ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.