Coastalan, Inc.
Riding the Technology Wave...

In This Site

WMF Exploit: Should we or shouldn’t we…

On December 27th, an exploit concerning the opening of WMF files appeared on the web. This exploit is an old Trojan that was first reported in March of 2005 and has since been updated to a new variant which was released on the 27th. Since that time, it appears that this exploit has been multiplying across the web and has reached the point that we recommend that our clients take a proactive approach to dealing with this exploit.

The WMF exploit concerns the download and opening of WMF picture files which are Microsoft picture files. These files are not overly prevalent on the web. However, these files can be found on most PCs which have installed Microsoft Office products. Therefore, anyone who has installed a copy of Microsoft Office on his or her PC can be affected by this exploit.

The exploit involves the use of the Internet Explorer browser along with the Windows Picture and Fax viewer which means that a malicious website containing the image with the exploit will infect a PC when viewed in a web browser. The WMF vulnerability uses images to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

Finally the exploit can be triggered by viewing the images in the Outlook view pane window. The specific exploit is reportedly being sent via email in which an image is attached and labeled as a JPG image. However, the image is a WMF image which has been relabeled as a JPG image.

A question has come up whether this exploit can be circumvented by viewing malicious images in another browser such as Opera and Firefox. Because the exploit requires that the Windows Picture and Fax viewer be used to view the image and is called to view the image, NONE of the browsers on the market are effective against this exploit.

Another question has come up regarding use of the older operating systems such as Windows 95 and Windows 98. It does appear that these operating systems are not affected by this exploit. However that is because neither operating system will open WMF files by default. That is to say, you have to set the system up to open these types of files with the Windows Picture and Fax viewer which is not done when the system is initially installed. As is our experience in resolving virii and spam issues on customer PCs, nearly every PC will probably have this association enabled and is therefore most likely vulnerable to this exploit.

Since virii and spam exploits arrive everyday via the web, we at Coastalan realize that reporting each and every one of these issues would place us in the position of Chicken Little proclaiming the sky is falling and nothing much happens. Over time, we would tend to lose credibility with our customers. In an effort to weed through the field of information and report credible timely information to our customers, we subscribe to several services in which we receive daily bulletins which detail new software vulnerabilities and exploits. For instance, today we received nearly 25 new bulletins of vulnerabilities and exploits, not to mention a rehash of the WMF exploit.

We take the approach that by following the four rules of safe computing on the Internet (install a firewall, install a virus scanner and keep it up to date, install a spam scanner keeping that up to date, and finally keeping up to date on operating system and application patches), nearly all of these exploits can be mitigated. In addition, Microsoft, the Windows security community, and the Linux community has been very good about being responsive to resolving any issues related to these day-to-day exploits.

In this case, Microsoft and the Windows security community was caught unaware by the zero-day exploit and has been working for the past week on a resolution on this issue. There have been rumors that Microsoft has developed a patch that is currently in testing, but no definitive word on release of the patch has come from Microsoft. Microsoft has only stated that a patch for this issue will come on the next monthly patching date which is January 10th and there is NO GUARANTEE that the needed patch will be included in the series of patches released on that date. In addition, we have only today seen any reports from the security community as to whether they have updated their software to detect this vulnerability in their scanning software.

The holiday period is no excuse for Microsoft or the Windows security community to take time off from their stated positions that they are the defenders of security on the Internet. Taking responsibility for security is a 24 hour, 7 day a week, 365 days per year job. If that is the stated position of Microsoft and the Windows security community, then they have fallen flat on their faces considering the timing of this exploit.

There is, however, a patch that has been released to the Internet by an individual that mitigates the WMF exploit. All information about this patch, and confirmed by individuals and organizations such as CERT and SANs, state that this patch is effective against the WMF exploit.

In nearly all cases, it is the policy of Coastalan that you wait for vendor-released patches as independent patches are usually questionable as to their intent and most of these patches can damage PC systems if the patch is not compatible with the vendor-released patch. In this case, the independent patch has been reported as compatible with a "leaked Microsoft patch" which addresses this issue. Because of the speed at which this exploit has been spreading and the fact that Microsoft and the security community has been slow to respond to this problem, we recommend that customers apply this patch until Microsoft issues their official patch. More details on the vulnerability itself can be found at the SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System and at Steve Gibson’s website Security Now! Notes for Episode #20.

Coastalan, Inc. 04 January 2006





In This Section


What's New in this Site


 Guidance on XP SP3


VOIP now available