Anti-Virus Protection for WMF Flaw Still Inconsistent

charlesvar · 2006/01/01

Days after the revelation of a flaw in Windows' handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available.

At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome.

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

Alwil Software (Avast)
Softwin (BitDefender)
ClamAV
F-Secure Inc.
Fortinet Inc.
McAfee Inc.
ESET (Nod32)
Panda Software
Sophos Plc
Symantec Corp.
Trend Micro Inc.
VirusBuster

These products detected fewer variants:
62 — eTrust-VET
62 — QuickHeal
61 — AntiVir
61 — Dr Web
61 — Kaspersky
60 — AVG
19 — Command
19 — F-Prot
11 — Ewido
7 — eSafe
7 — eTrust-INO
6 — Ikarus
6 — VBA32
0 — Norman
Click to expand...

http://www.eweek.com/article2/0,1895,1907102,00.asp

I did run into one instance of this with NAV2005, it did catch it in IE's TIF.

Haven't had any instances with NOD.

Regards - Charles

Welshjim · 2006/01/01

charlesvar--Are you using MS' Data Execution Prevention settings to affect all programs
http://blogs.zdnet.com/Ou/?p=143
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
I am. and so far see no effect on other programs.

charlesvar · 2006/01/01

Hi Jim,

Are you using MS' Data Execution Prevention settings to affect all programs

No I'm not, I'll enable on this OS and see what effect it has. I just read your post about it in my thread a few minutes ago.

Ok, turned it on. So far no performance diferences. Up to now had the "essential" option turned on.

Regards - Charles

SpywareDr · 2006/01/02

WMF Exploit: Temporary Patch Available!

http://windowsbbs.com/showthread.php?p=271554

Arie · 2006/01/04

Windows DEP works as it should on my (64-bit AMD) machine:

Welshjim · 2006/01/04

The way I interpret the FAQ's from the following MSKB, DEP is not effective against the software aspects of this malware.
http://www.microsoft.com/technet/security/advisory/912840.mspx
However, most people seem to agree that Ilfak's patch does the job.
http://www.grc.com/sn/notes-020.htm
But note that things are moving very quickly and MS's own patch (earlier announced to be released Jan. 10) may already be available (though I cannot find the link and there is nothing on Windows Update).

Arie--I cannot understand the significance of your attachment. Does it mean that DEP is blocking the use of Ilfak's patch? I have not seen this message on WinXP Pro SP2.

Arie · 2006/01/04

From MS:

I have DEP enabled on my system, does this help mitigate the vulnerability?
Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may work when enabled. Please consult with your hardware manufacturer for more information on how to enable this feature and whether it can provide mitigation.
Click to expand...

Since I have a 64-bit AMD CPU I have hardware DEP.

http://support.microsoft.com/kb/875352

Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.
Click to expand...

Arie · 2006/01/04

Welshjim said:

Arie--I cannot understand the significance of your attachment. Does it mean that DEP is blocking the use of Ilfak's patch? I have not seen this message on WinXP Pro SP2.
Click to expand...

No, I haven't installed the patch. I would never install a 3rd party patch for my OS.

It is blocking the buffer overflow that is used to test (by his test program) for the vulnerability.

SpywareDr · 2006/01/05

FWIW

Both the Internet Storm Center and F-Secure have endorsed Ilfak Guilfanov's unofficial patch (posted above).
MSNBC: Windows PCs face 'huge' virus threat
http://msnbc.msn.com/id/10684853/

The patch is reversable by removing it in Add/Remove Programs, "Windows WMF Metafile Vulnerability Hotfix ".

http://www.grc.com/sn/notes-020.htm

BREAKING NEWS!

Microsoft's OFFICIAL SECURITY UPDATE leaked onto the Internet early (and it works great!)

It would seem that we can be pretty certain that Microsoft will have this WMF vulnerability mess cleaned up shortly. Microsoft's cryptographically signed and authentic (though perhaps not final), security update addressing this vulnerability has prematurely leaked onto the Internet.

As expected, Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility, both interact smoothly and seamlessly with Microsoft's forthcoming official security update. Ilfak's code can be left running while installing Microsoft's security update, then safely removed forever once the system has rebooted from the update.

Also, Ilfak's vulnerability tester properly recognizes the system's true WMF vulnerability condition under every combination of patch installations (either Ilfak's, Microsoft's, both, or neither). So, you may use Ilfak's solutions with confidence while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update. Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher.

Note: The updated GDI32.DLL file contained in this patch, was built in the evening of December 28th, LAST WEDNESDAY. It is clear that Microsoft jumped on this problem "” and had it resolved "” almost immediately. But the nature of the installed base of Windows systems, and Microsoft's understandable need to be absolutely certain they don't break anything else with this new replacement GDI32.DLL, requires that they take the time to thoroughly test anything they change.
Click to expand...

Ilfak Guilfanov is the main author of Interactive Disassembler Pro and arguably one of the best low-level Windows experts in the world.

charlesvar · 2006/01/05

When I hit the test site for WMF - got warnings from ZAP, NOD and NAV and SSM. So haven't installed the patch either, I'll wait for MS's fix.

With DEP turned on, not a peep with the test for this flaw, so I just turned it back to the default setting.

For those that run ZA Pro v6.X - below is what the warning looks like:

Regards - Charles

PeteC · 2006/01/05

MS have/will release a MFT patch today - Thursday Jan 5, earlier than planned and ahead of several other security updates next Tuesday.

The security update will be available at 2:00 pm PT as MS06-001

PeteC · 2006/01/05

Dowload Security Update for Windows XP (KB912919) ....

http://www.microsoft.com/downloads/...96-57AE-499E-B89B-215B7BB4D8E9&displaylang=en

Log in or Sign up

Anti-Virus Protection for WMF Flaw Still Inconsistent

charlesvar Inactive Alumni Thread Starter

Welshjim Inactive

charlesvar Inactive Alumni Thread Starter

SpywareDr SuperGeek WindowsBBS Team Member

Arie Administrator Administrator Staff

Welshjim Inactive

Arie Administrator Administrator Staff

Arie Administrator Administrator Staff

SpywareDr SuperGeek WindowsBBS Team Member

charlesvar Inactive Alumni Thread Starter

PeteC SuperGeek Staff

PeteC SuperGeek Staff

Share This Page

Log in or Sign up

Anti-Virus Protection for WMF Flaw Still Inconsistent

charlesvar Inactive Alumni Thread Starter

Welshjim Inactive

charlesvar Inactive Alumni Thread Starter

SpywareDr SuperGeek WindowsBBS Team Member

Arie Administrator Administrator Staff

Welshjim Inactive

Arie Administrator Administrator Staff

Arie Administrator Administrator Staff

SpywareDr SuperGeek WindowsBBS Team Member

charlesvar Inactive Alumni Thread Starter

PeteC SuperGeek Staff

PeteC SuperGeek Staff

Share This Page

Useful Searches