
Five Facts About the WMF Flaw

By , About.com Guide

January 1, 2005

The WMF exploit is made possible because of a design flaw. In other words, according to F-Secure, it's not a bug, it's a feature. And F-Secure says this design mistake may have been around since the days of Windows 3.0. As SANS says, "the Microsoft WMF vulnerability is bad. It is very, very bad." Here are five other facts about the WMF flaw that is leaving all of us Windows users very, very vulnerable.

Fact #1: You do not have to open the image file to be affected. If you browse to a folder it's in, view a website it's on, receive it in email, click a link pointing to an exploited image in IM or email, select it with your mouse or keyboard, or if you use Google Desktop, the exploit will render.

Fact #2: This is not a browser problem. Using Firefox or Opera isn't going to help. This exploit is made possible because of a design flaw in the Windows operating system. The rendering of the exploit happens within Windows (in gdi32.dll, to be exact), not within the browser and not because of the browser. As seen in Fact #1 above, you can also encounter an exploited image file in a variety of ways, not just by web surfing.

Fact #3: The .WMF extension is immaterial. Just because the image has a different extension doesn't mean it's not a WMF file containing the exploit. The most recent version spotted in email was disguised as HappyNewYear.JPG. This wasn't some double extension ruse either. Windows doesn't care what extension the image file has; it will still recognize that it's a WMF file and handle it the same way, so the exploit will render.
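What Fact #3 means for a mail or file scanner, as an added example that is not part of the original article: classify the file by its leading bytes, as Windows does, and flag any WMF content carried under another extension. The function names and sample bytes are constructed for illustration; the header layout (an optional 22-byte placeable header, then the 18-byte standard metafile header) is the documented WMF format.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7            # optional 22-byte "placeable" pre-header
STD_HEADER = struct.Struct("<HHHIHIH")  # 18-byte standard metafile header


def is_wmf(data: bytes) -> bool:
    """True if the bytes start with a Windows Metafile header."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        offset = 22                     # skip the placeable header
    if len(data) < offset + STD_HEADER.size:
        return False
    ftype, hdr_words, version, *_ = STD_HEADER.unpack_from(data, offset)
    # Type 1 (memory) or 2 (disk), header of 9 words, version 0x0100 or 0x0300.
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def disguised_wmf(filename: str, data: bytes) -> bool:
    """True if the content is WMF but the file name does not end in .wmf."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return is_wmf(data) and ext != "wmf"


def scan(files):
    """Return the names from (name, bytes) pairs that should be quarantined."""
    return [name for name, data in files if disguised_wmf(name, data)]


# Constructed samples: a harmless header-only metafile (header plus the
# end-of-file record), the same file with a placeable header, and a JPEG stub.
SAMPLE_WMF = STD_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 1440, 0, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    attachments = [
        ("HappyNewYear.JPG", SAMPLE_WMF),        # WMF content, JPG name
        ("logo.gif", PLACEABLE + SAMPLE_WMF),    # placeable WMF, GIF name
        ("chart.wmf", SAMPLE_WMF),               # honest extension
        ("photo.jpg", SAMPLE_JPEG),              # real JPEG header
    ]
    print(scan(attachments))
```

The header test covers only a few bytes, so treat a match as a reason to quarantine or inspect the file further, not as proof that it carries the exploit.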

Fact #4: The exploit is not restricted to Windows Fax and Picture Viewer. The vulnerable DLL is actually GDI32.DLL. The previously implicated SHIMGVW.DLL is guilty, but apparently only because it calls GDI32.DLL. However, you cannot unregister GDI32.DLL - not if you want your system to function, that is. A patch for GDI32.DLL was created by IDA Pro genius Ilfak Guilfanov and it's backed up by SANS. You can read more about Ilfak's patch, and how to download it, here.

Fact #5: The exploit impacts nearly all Windows users. Affected versions include: all versions of Windows XP (SP1 and SP2, Pro and Home, 32-bit and 64-bit), Windows Server 2003 (including SP1, 32-bit and 64-bit, and Itanium-based versions), Microsoft Windows 2000 Service Pack 4, as well as Windows 98 (including SE), and Windows ME. In short, if you use Windows, odds are you are one of the 'hundreds of millions' of sitting ducks for this exploit.
