
SANS ISC: InfoSec Handlers Diary Blog


Back to Green

Published: 2005-12-30
Last Updated: 2005-12-30 07:57:23 UTC
by Scott Fendley (Version: 3)
As it has been 24 hours since we elevated the Infocon to yellow in response to the WMF 0-day exploit, we will be lowering the Infocon level to Green.

Microsoft has released an advisory, working Snort signatures are available, and as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.

Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information.  Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.


We just received this very nicely done set of Snort rules from Chris Ries at Vigilantminds:

The HTTP check is a slight performance booster for this rule.  
The issue we had with it, though, is that in cases where we don't
perform server-side stream reassembly for performance reasons,
the sig would occasionally false-negative.

We broke this out into 4 rules:

# This Rule
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,
established; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8;
flowbits: set,HTTPSTREAM;flowbits:noalert; classtype:VM;)

# Identifies the HTTP stream for these rules
alert tcp any $HTTP_PORTS -> any any (sid:1006183;
flowbits: isset, HTTPSTREAM;
flowbits:isnotset, WMF; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8; content:"|0D 0A 0D 0A|";
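Added example, not from the diary and not part of Chris Ries' rule set: a small Python model of the flowbits chain the quoted rules describe. The first rule silently tags a server-to-client stream as HTTPSTREAM when it begins with "HTTP/1." and "200 OK" ends within the next 8 bytes; the second only runs on a tagged stream that has not yet been marked WMF and that carries a header terminator. The body check after that terminator is an assumption (the excerpt is cut off before it), as is the flowbit set on alert; the WMF header bytes are the documented file signatures. The sample traffic is constructed, and the reassemble switch reproduces the false-negative the note above describes when stream reassembly is off.

```python
# Added example (not the diary's or Chris Ries' code): Python model of the
# flowbits logic in the quoted Snort rules, run over constructed traffic.

# Standard WMF header: type 1 (memory) or 2 (disk) as 16-bit LE, then the
# header size, 9 words. Placeable (Aldus) WMF: key 0x9AC6CDD7 as 32-bit LE.
WMF_MAGICS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00", b"\xd7\xcd\xc6\x9a")


def looks_like_wmf(data: bytes) -> bool:
    """Content check: does this byte string start like a WMF file?"""
    return any(data.startswith(magic) for magic in WMF_MAGICS)


def rule_tag_http_stream(payload: bytes, flowbits: set) -> None:
    """Model of sid:1006182: "HTTP/1." at offset 0 (nocase), then "200 OK"
    within 8 bytes of that match; sets HTTPSTREAM and never alerts."""
    if payload[:7].upper() != b"HTTP/1.":
        return
    # within:8 -> the second match must lie entirely inside the 8 bytes that
    # follow the end of the first one ("1 200 OK" is exactly 8 bytes).
    if b"200 OK" not in payload[7:15].upper():
        return
    flowbits.add("HTTPSTREAM")


def rule_wmf_in_http(payload: bytes, flowbits: set) -> bool:
    """Model of sid:1006183 plus the assumed body check: needs HTTPSTREAM set
    and WMF not set, needs the CRLFCRLF header terminator, then inspects the
    body. Returns True when the rule would alert."""
    if "HTTPSTREAM" not in flowbits or "WMF" in flowbits:
        return False
    end = payload.find(b"\r\n\r\n")
    if end < 0:
        return False
    if not looks_like_wmf(payload[end + 4:]):
        return False
    flowbits.add("WMF")  # assumption: the full rule set marks the flow once it alerts
    return True


def inspect_flow(segments, reassemble: bool = True) -> int:
    """Run both rules over the ordered server->client segments of one flow and
    return the number of alerts. With reassemble=False each segment is judged
    on its own: headers in one segment and WMF bytes in the next give no alert,
    which is the false-negative the quoted note describes."""
    units = [b"".join(segments)] if reassemble else list(segments)
    flowbits = set()
    alerts = 0
    for unit in units:
        rule_tag_http_stream(unit, flowbits)
        if rule_wmf_in_http(unit, flowbits):
            alerts += 1
    return alerts


# Constructed sample traffic: a 200 response whose body is a placeable WMF.
HEADERS = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
WMF_BODY = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18

if __name__ == "__main__":
    print("reassembled:", inspect_flow([HEADERS, WMF_BODY]))         # 1
    print("per-segment:", inspect_flow([HEADERS, WMF_BODY], False))  # 0
```

The Content-Type header in the sample is deliberately wrong for the body; a real rule cannot trust it, which is why the decision rests on the bytes after the header terminator.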


Resolution(s) For The New Year

Published: 2005-12-29
Last Updated: 2005-12-29 22:20:01 UTC
by Chris Carboni (Version: 1)
As the end of the year is often a time of reflection, let me take a moment to put aside the technical nature of what we all do and offer some of my recent thoughts.

I'll be the first to admit, there are things I can do much better than I have been and I'd wager that most people reading this believe there is at least one security related thing that they can do better as well.

If you have not already done so, take a few moments to think about what you could do better.  We all understand the realities of budgets, office politics and the other factors we often complain about daily and lay blame on for an inability to do [insert whatever here], and we understand that many things will not change despite how much we wish them to.

Think of one thing that you can (realistically) do better next year to make the systems you are responsible for safer, more secure and just as usable and then make a plan to make it happen.

You don't have to send your resolutions in to us, but at some point next year, I'll put the question to you as to whether you kept your resolution or not.

If you insist on sharing, or want to send your resolution to someone thinking that you might be more inclined to keep it if someone else knows, send them to me at isc dot chris at gee mail dot com.  If I have enough and see any patterns emerge I'll write about it when I am again on duty next month.


Microsoft Advisory

Published: 2005-12-30
Last Updated: 2005-12-30 07:59:43 UTC
by Scott Fendley (Version: 2)
Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here

Update by Scott Fendley:
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things I read in it:

** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example, Microsoft Word documents, our advice to accept files only from trusted sources would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

Scott Fendley
Handler on Duty


Bleeding Snort Sigs Available

Published: 2005-12-29
Last Updated: 2005-12-29 11:24:43 UTC
by Chris Carboni (Version: 1)
Snort sigs to detect the WMF exploit are available at Bleeding-Edge Snort

Thanks Matt, Frank and everyone else who has submitted signatures!

* Update on Windows WMF 0-day

Published: 2005-12-29
Last Updated: 2005-12-29 11:23:53 UTC
by Chris Carboni (Version: 1)
From Daniel's diary entry yesterday ...

Update 19:07 UTC: We are moving to Infocon Yellow for a bit. There has been some debate among the handlers about this step, but considering that a lot of people are on holidays and might otherwise miss the WMF 0-day problem, we have decided to raise the alert level.

The folks at Websense Labs have a nice movie showing what it looks like when a system gets exploited by this WMF 0-day, see . Don't go to any of the URLs visible in the movie unless you know what you are doing (or feel like spending the next hours reinstalling your PC).

The original exploit site ( is no longer up. But the exploit is being served from various sites all over by now; see the F-Secure Blog on for an update on the versions of the exploit found in the wild.

Working exploit code is widely available, and has also been published by FRSIRT and the Metasploit Framework.

Regarding DEP (Data Execution Prevention) on XP SP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet ), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though; we have also received comments stating that a fully enabled DEP did not do anything good in their case.

While the original exploit only referred to the Microsoft Picture and Fax Viewer, current information is that any application which automatically displays or renders WMF files is vulnerable to the problem. This includes Google Desktop, if the indexing function finds one of the exploit WMFs on the local hard drive; see the F-Secure Weblog mentioned above for details.

Update 23:00 UTC:  The vulnerability seems to be within SHIMGVW.DLL.  Unregistering this DLL  (type REGSVR32 /U SHIMGVW.DLL at the command prompt or in the "Start->Run" Window, then reboot) will resolve most of the vulnerability, but will also break your Windows "Picture and Fax Viewer", as well as any ability of programs like "Paint" and "Explorer" to display thumbnails of any picture and real (benign) WMF files.

Update 23:19 UTC: Not that we didn't have enough "good" news already, but if you are relying on perimeter filters to block files with WMF extension from reaching your browser, you might have a surprise waiting for you. Windows XP will detect and process a WMF file based on its content ("magic bytes") and not rely on the extension alone, which means that a WMF sailing in disguise with a different extension might still be able to get you.
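Added example, not from the diary: a filter decision made by content instead of by extension, which is the distinction the 23:19 update draws. An extension-only perimeter rule passes a WMF renamed to .jpg, while a rule that reads the magic bytes catches it. The sample files are constructed; the WMF header bytes are the documented file signatures (standard and placeable), and the function and sample names are my own.

```python
# Added example (not the diary's code): extension-based versus content-based
# WMF detection over constructed samples.
import os

# Standard WMF header: type 1 (memory) or 2 (disk) as 16-bit LE, then the
# header size, 9 words. Placeable (Aldus) WMF: key 0x9AC6CDD7 as 32-bit LE.
WMF_MAGICS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00", b"\xd7\xcd\xc6\x9a")


def extension_says_wmf(name: str) -> bool:
    """What an extension-only perimeter filter sees."""
    return os.path.splitext(name)[1].lower() == ".wmf"


def content_says_wmf(data: bytes) -> bool:
    """What a content-aware filter (or Windows XP, per the diary) sees."""
    return any(data.startswith(magic) for magic in WMF_MAGICS)


def perimeter_blocks(name: str, data: bytes, mode: str) -> bool:
    """Decision of a hypothetical perimeter filter in one of two modes."""
    if mode == "extension":
        return extension_says_wmf(name)
    if mode == "content":
        return content_says_wmf(data)
    raise ValueError(f"unknown mode: {mode}")


def disguised_wmfs(samples: dict) -> list:
    """Names whose bytes are a WMF but whose extension says otherwise: the
    files an extension-only rule lets through."""
    return sorted(n for n, d in samples.items()
                  if content_says_wmf(d) and not extension_says_wmf(n))


# Constructed samples: name -> first bytes of the file.
SAMPLES = {
    "chart.wmf": b"\xd7\xcd\xc6\x9a" + b"\x00" * 18,        # honest placeable WMF
    "holiday.jpg": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 10,  # standard WMF under a .jpg name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,         # real JPEG
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "ext:", perimeter_blocks(name, data, "extension"),
              "content:", perimeter_blocks(name, data, "content"))
    print("missed by extension filter:", disguised_wmfs(SAMPLES))  # ['holiday.jpg']
```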


* Windows WMF 0-day exploit in the wild

Published: 2005-12-29
Last Updated: 2005-12-29 11:22:44 UTC
by Chris Carboni (Version: 1)

From Daniel's diary entry yesterday ...

Just when we thought that this would be another slow day, a link to a working exploit for an unpatched vulnerability in what looks like the Windows Graphics Rendering Engine has been posted to Bugtraq.

The posted URL is   [ uni on seek. com/   d/t    1/  wmf_exp.  htm ]
(DON'T GO HERE UNLESS YOU KNOW WHAT YOU'RE DOING. Added spaces to avoid accidental clicking. See Firefox note below!!)

The HTML file loads a WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound, a fake anti-spyware/virus program which asks the user to purchase a registered version of the software in order to remove the reported threats.

During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on an AMD64 machine, we still have to confirm whether (or not) software DEP also stops this; let us know if you tested this.

Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally immune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.

UPDATE - According to F-Secure's blog "Firefox users can get infected if they decide to run or download the image file."

For more information, see also and
