Viruses now in jpg files? Gif files?

Thread starter: Wilbur Post
Sean said:
Those apps are free to Windows users too.

So long as they are not gamers that is fine. If you are then forget
Linux.
Both good points. I am not ashamed to admit I get a little misty when I
think back to my 3 months of unemployment, playing "Age Of Mythology"
until 5AM and going to sleep with the game's music echoing in my brain.
 
Virus Guy said:
Then tell me which component of 98 (ie which dll, ocx, exe, etc) is
responsible for rendering or handling WMF files.

It's not that simple.
As I've said before, I have an application (ACDsee) that seems to
handle my WMF files (although they appear on my system with a corel
draw icon).

Except it's not that simple. The handler is not triggered by file
extension; file headers are analyzed.
Or is this a problem with ->mal-formed<- wmf files and how Win-NT
fails to check the parameters of wmf files and then trips over itself
trying to render the file (leading to some buffer over-run and then
running exploit code) -?

Yes. Now yer getting it.

And those malformed wmf files are being dropped all over the internet
and being foisted upon people via IM worms and spam.

If you think yer not vulnerable and you haven't done anything specific
to protect yourself, you're kidding yourself.
 
Does this mean we shouldn't copy or dl image files from newsgroups or copy
jpgs from the net, or save web pages in html or mht format?

It's worse than that...just viewing one of the bad images on a web site is
sufficient. And that bad image could be on the site indirectly, via an
advertising network, so you can't assume that sites you know are safe, if
they carry outside advertising.
 
Todd H. said:
Yes. Now yer getting it.

And those malformed wmf files are being dropped all over the internet
and being foisted upon people via IM worms and spam.

That is not how I understand the situation. The problem is the extension
of the filetype to include the 'feature' which allows it to contain executable
code. As long as the OS supports this feature, it is vulnerable to future
exploit.
 
David said:
From: "Default User" <[email protected]>

| No.
|
| Additional protection can be gained by enabling DEP on Windows XP SP2 or
| 2003 Server OS.
|
| http://support.microsoft.com/kb/875352#kb2
|
| Your best bet is to "turn on DEP for all programs".
|
| There is still no guarantees with DEP, but it is a far more proactive way
| of blocking zero_day_vulnerabilities than waiting for M$ to create a patch.


http://www.microsoft.com/technet/security/advisory/912840.mspx

Choose "Frequently Asked Questions"

Q: I have DEP enabled on my system, does this help mitigate the vulnerability?

A: Software based DEP does not mitigate the vulnerability. However, Hardware based DEP may
work when enabled: please consult with your hardware manufacturer for more information on
how to enable this and whether it can provide mitigation.

You can always tell who issues these press releases/alerts. Lawyers,
bean counters and marketing bozos use words like "mitigate". What the
public wants, and needs, to hear about this exploit are words, from
the engineers, like "eliminate" and "rectify".

Ron :)
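The boot.ini switches behind the DEP advice quoted in this post, shown as an added illustration rather than text from any poster. KB 875352 (linked in the quote) documents the /noexecute values: OptIn (the XP SP2 default, covering only Windows system binaries), OptOut ("turn on DEP for all programs and services except those I select"), AlwaysOn and AlwaysOff. The ARC paths and entry names below are placeholders. Changing the policy only matters on a CPU with an NX/XD bit, which is the point of the advisory answer quoted above: software-enforced DEP alone does not address the WMF flaw.

```ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (DEP OptIn - SP2 default)" /fastdetect /noexecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (DEP OptOut - all programs)" /fastdetect /noexecute=OptOut
```

Two entries give a boot menu for comparing the policies; in practice you edit the single existing line. AlwaysOn applies DEP with no exception list at all, and AlwaysOff disables it.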
 
Hoosier Daddy said:
That is not how I understand the situation. The problem is the extension
of the filetype to include the 'feature' which allows it to contain executable
code. As long as the OS supports this feature, it is vulnerable to future
exploit.

I'm not sure you and I disagree. I don't disagree with your
description of how the wmf vulnerability is triggered by the reading
of a maliciously created WMF file (be it named a .jpg, or .gif or a
..wmf file).

What I'm saying is that the possible ways you could have such a
malicious wmf file end up on your system are extremely varied. A MSN
messenger worm is spreading one via IM -- imagine being logged on,
and some random user (or someone you know) IM's you with a graphic in
it, and wham...you're owned.

Or you receive an email with a graphic in it that your mail reader
renders without asking you any questions....

Or you stumble onto a myspace site of a friend's band and some yahoo
includes a comment on the page that includes a link to a maliciously
crafted image....

This is why this is getting so much attention, cus it's so damned easy
to get.
 
Virus Guy wrote:
[snip]
Again I ask which component of Win-9x is responsible for handling .WMF
files.

gdi... the dll everyone has been told to unregister is just the vector
which the current crop of exploits utilize to access the gdi design flaw...

http://www.f-secure.com/weblog/archives/archive-012006.html#00000761
http://www.fileformat.info/format/wmf/egff.htm

[snip]
Why the hell would I want to down-grade to a bloated and
over-complicated OS like XP? XP does NOTHING that I can't do in 98.
NOTHING!

nothing except allow you to apply the principle of least privileges...
on 9x everyone's an admin all the time...
 
Virus said:
Then tell me which component of 98 (ie which dll, ocx, exe, etc) is
responsible for rendering or handling WMF files.

i suggested to you that you should go read more about the problem
instead of glossing over it because of your assumption that your OS
isn't vulnerable simply because it doesn't have the dll used by current
exploits...

but since you'd rather be hand fed the information, the component in
question is the graphical device interface (gdi - probably, but not
necessarily gdi32.dll)...
As I've said before, I have an application (ACDsee) that seems to
handle my WMF files (although they appear on my system with a corel
draw icon). When I click on the previously-mentioned test file
(browsercheck.wmf) I get a prompt to download the file. I do, then
double-click it, and ACDsee opens it - but complains about not being
able to load the standard plug-in "IDE_ACDStd.apl". I can't get all
the properties of that wmf file, but ACDSee says that it's 1020 x 1320
x 24 bits.

So again I ask what did Macro$haft ship with Win-3.x, or Win-9x, to
render or handle .wmf files?

a wmf file is essentially a collection of gdi calls
(http://www.fileformat.info/format/wmf/egff.htm)... microsoft shipped
the gdi...
What does Microsoft Office do with wmf files? Does office 2000 have a
native handler for wmf files?

a native handler would be rather pointless when the dll is shipped with
the OS...
And what exactly is the current problem?

Is it that WMF files include specifications for executable code?

essentially, yes...
 
Ron Lopshire wrote:
[snip]
You can always tell who issues these press releases/alerts. Lawyers,
bean counters and marketing bozos use words like "mitigate". What the
public wants, and needs, to hear about this exploit are words, from the
engineers, like "eliminate" and "rectify".

not gonna happen... the problem is that microsoft thinks it's a good
idea to mix code with their data... they think it adds *value*...
 
Virus said:
kurt wismer wrote:

And what's wrong with that for your typical home computer?

Oh, it's fine.

So long as you stay off the net.

(I use several hard drives, in rotation, and check them against each
other. Sooner or later, out of luck.)
 
kurt said:
gdi... the dll everyone has been told to unregister is just
the vector which the current crop of exploits utilize to
access the gdi design flaw...

You mean shimgvw.dll. I don't think you can un-register GDI32 and
still have a functional computer.

We already know that Win-9x doesn't have shimgvw.dll (so it's not
clear to me what 9X has that would be making the Escape() and
SetAbortProc calls to GDI32 in the context of handling a wmf file).

You know, I'll agree that Win-98 probably has the same flaw in its
GDI library that XP has. What's not clear is that it fails in the
same way, leading to a heap or stack overflow, page fault, etc, and
thereby allowing rogue code to be executed in any coherent or planned
manner.

The difference between 98 and XP is that on a 98 system it will almost
always not know what to do with a wmf file, while practically any app
on XP will feed rogue WMF code to shimgvw.dll which in turn will trip
the flaw in GDI32.

Is there anything in PDF, PowerPoint, or PostScript that comes close
to forcing the OS to execute code-based function calls to GDI32?

Or are WMF files the most dangerous type of file (from an embedded
code-vulnerability point of view?)

I thought XP and 98 were light-years apart in their code base. If the
API library is that similar between them that this exploit behaves the
same, then that's a real wake-up call that XP isn't as "modern" or
"new and improved" as MS purports it to be.
nothing except allow you to apply the principle of least
privileges... on 9x everyone's an admin all the time...

And what's wrong with that for your typical home computer?
 
Virus said:
You mean shimgvw.dll. I don't think you can un-register GDI32 and
still have a functional computer.

probably not...
We already know that Win-9x doesn't have shimgvw.dll (so it's not
clear to me what 9X has that would be making the Escape() and
SetAbortProc calls to GDI32 in the context of handling a wmf file).

i'm reasonably certain those calls are encoded in the wmf file itself...
wmf files are essentially collections of gdi api calls... i'm not sure
why anything would need to call additional gdi methods when parsing a
wmf file...
You know, I'll agree that Win-98 probably has the same flaw in its
GDI library that XP has. What's not clear is that it fails in the
same way, leading to a heap or stack overflow, page fault, etc, and
thereby allowing rogue code to be executed in any coherent or planned
manner.

it's a given that an overflow/fault/etc that does X on an nt based OS
will not do X on a 9x based OS...

but then, most people are *not* claiming that the current exploits work
on 98... entirely different exploits would likely need to be devised for
9x... it's still the same underlying vulnerability, however...
The difference between 98 and XP is that on a 98 system it will almost
always not know what to do with a wmf file, while practically any app
on XP will feed rogue WMF code to shimgvw.dll which in turn will trip
the flaw in GDI32.

presumably you use the most up to date version of IE on 98... try
renaming a wmf file to bmp and loading it in your browser... i have no
idea what would happen, but i suspect that IE will determine the right
thing to do based on the header...
Is there anything in PDF, PowerPoint, or PostScript that comes close
to forcing the OS to execute code-based function calls to GDI32?

easy to find out... load up a document and find out if gdi32 is loaded
by the viewer...
Or are WMF files the most dangerous type of file (from an embedded
code-vulnerability point of view?)

it's a supposed image format whose data is actually binary encoded gdi
function calls - most dangerous? you be the judge...

[snip]
And what's wrong with that for your typical home computer?

well, if your typical home computer user never makes mistakes, never
connects to the net, and never gives anyone else access to his/her
computer, then i guess nothing is wrong...

somehow that doesn't sound very typical, though...

the principle of least privileges helps to protect users not just from
crackers but also from themselves...
 
The difference between 98 and XP is that on a 98 system it will almost
presumably you use the most up to date version of IE on 98... try
renaming a wmf file to bmp and loading it in your browser... i have no
idea what would happen, but i suspect that IE will determine the right
thing to do based on the header...

IE had no idea what to do with it.
It kicked it to the default image viewer for BMPs,
which wouldn't open it: "Unknown File Format".
Firefox just generates an error message.

I'm running:
Windows98SE 4.10.2222A
Internet Explorer 6.0.2600.0000IS
Firefox 1.0.7
Image Eye 7.1 (default image viewer)


 
kurt said:
i'm reasonably certain those calls are encoded in the wmf file
itself... wmf files are essentially collections of gdi api calls
... i'm not sure why anything would need to call additional gdi
methods when parsing a wmf file...

Files don't parse or render themselves - especially data files.

Something must read the header, parse the records, and then perform
the GDI calls.
presumably you use the most up to date version of IE on 98

Version 6.0.2800.1106
try renaming a wmf file to bmp and loading it in your browser

Using IE:
File -> Open -> Browse -> some_file.wmf

Dialog box opens: Title bar = File Download
- Some files can harm your computer ...
- file name: some_file.wmf
- file type: Coreldraw 9.0 Graphic
- from: c:\what-ever
- would you like to open the file or save it?
- Open Save Cancel

Select Open
- flurry of disk activity for about 10 seconds
- IE window seems frozen (unresponsive)
- window declared dead
- close window

My_Computer -> C:\what-ever -> double-click some_file.wmf

- ACDSee V3.1b opens and renders the wmf image.
- Repeat above (My_computer -> C:\what-ever), except double-click
on browsercheck.wmf as the target
- ACDSee opens browsercheck.wmf without any fuss
- displays what looks like a blank page.

- Open browsercheck.wmf with CorelDraw 9.0
- Corel renders a screen full of boxes of various sizes
- looks like modern art
- 162 boxes to be precise

Rename some_file.wmf -> some_file.bmp
- double-click on some_file.bmp
- Paint dialog box opens
- c:\some_file.bmp
- Paint cannot read this file
- This is not a valid bitmap file, or its format is
not currently supported

Use IE to open some_file.bmp
- Paint dialog box opens with same message as above

Rename some_file.bmp -> some_file.gif
- file now has Corel PhotoPaint Icon
- double-click some_file.gif
- Corel Photopaint starts, opens the file - and renders it
properly (!)
- Use IE to open some_file.gif
- Corel Photo-paint starts and renders the file

Rename some_file.gif -> some_file.htm
- double-click some_file.htm
- IE starts, displays pages of random text

Funny thing is that directory listings of wmf files show up with
CorelDraw icons in the Name column but have "ACDSee WMF Image" in the
Type column.

This test will have to be performed on a Win98 system where no other
image-processing software has been installed in order to see how IE
handles WMF files (if it handles them at all).
i have no idea what would happen, but i suspect that IE will
determine the right thing to do based on the header...

Well, I can see no evidence that IE can (all by itself) open a WMF
file on a Win-98 system no matter how you try to trick it.
well, if your typical home computer user never makes mistakes,
never connects to the net,

Um, you're saying that Win-XP is more able to protect itself from the
big-bad internet than Win-98 is?
the principle of least privileges helps to protect users not
just from crackers but also from themselves...

XP was designed for corporate desktops where sys-admins could control
what end-users could and couldn't do with their machine. XP was also
designed for remote admin, easy deployment, remote config, etc. None
of that stuff makes it inherently "better" for home users, and
arguably all of that stuff makes it more vulnerable when connected to
the internet via your typical home cable or DSL modem.

Funny how XP needs third party protection like AdAware, Spybot, etc,
even though it's got all that nifty privilege-based user accounts.
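An added example (not code posted in the thread) of the point made earlier that a handler picks a file by its header rather than by its extension, and of the renaming experiments in the post above: the scanner below identifies image files by their leading bytes and reports when the extension disagrees with the content. The magic numbers are the public ones for each format; the extension table and the sample files are constructed for the demo, and the placeable WMF sample carries a zero-filled header rather than a valid checksum, since only the magic is inspected here.

```python
"""Identify image files by their leading bytes, not by their extension.

Added example. Magic numbers follow the public format specs; the
extension table and the sample files are constructed for the demo.
"""
import os
import struct

# (format family, bytes expected at offset 0)
SIGNATURES = (
    ("JPEG", b"\xff\xd8\xff"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("BMP", b"BM"),
    ("WMF", b"\xd7\xcd\xc6\x9a"),   # placeable (Aldus) WMF header
)

# What each extension claims to be (assumed mapping for the demo).
EXTENSION_FAMILY = {
    ".jpg": "JPEG", ".jpeg": "JPEG", ".gif": "GIF",
    ".png": "PNG", ".bmp": "BMP", ".wmf": "WMF",
}


def is_standard_wmf(data):
    """Non-placeable WMF: a METAHEADER with Type 1 or 2, HeaderSize 9 words,
    Version 0x0100 or 0x0300. There is no magic string, only structure."""
    if len(data) < 6:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def sniff(data):
    """Return the format family the content looks like, or 'unknown'."""
    for family, magic in SIGNATURES:
        if data.startswith(magic):
            return family
    if is_standard_wmf(data):
        return "WMF"
    return "unknown"


def classify(name, data):
    """Return (claimed_by_extension, detected_by_content, mismatch)."""
    claimed = EXTENSION_FAMILY.get(os.path.splitext(name)[1].lower(), "unknown")
    detected = sniff(data)
    return claimed, detected, claimed != "unknown" and detected != claimed


# Constructed samples. The WMF bodies are a METAHEADER plus a META_EOF
# record; the placeable header is zero-filled (no valid checksum) because
# sniffing only looks at the magic.
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + STANDARD_WMF
GIF_STUB = b"GIF89a" + b"\x01\x00\x01\x00"
SAMPLES = {
    "holiday.gif": PLACEABLE_WMF,   # a WMF renamed to .gif
    "chart.bmp": STANDARD_WMF,      # a WMF renamed to .bmp
    "real.gif": GIF_STUB,
}


def scan_samples():
    """Names of constructed samples whose content disagrees with the extension."""
    return [name for name, data in SAMPLES.items() if classify(name, data)[2]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
```

A gateway or mail filter that only keys on the extension passes "holiday.gif" straight through; the content check is what catches a metafile wearing a GIF name.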
 
Virus Guy said:
This test will have to be performed on a Win98 system where no other
image-processing software has been installed in order to see how IE
handles WMF files (if it handles them at all).

My Win98 registry shows an entry for .wmf files associated with a classid
and the classid shows data of "TridentImageExtractor". This may be the
"image preview" feature of the "View as Web page" feature of "Explorer"
as other picture formats have also the same association.

I didn't find any other .wmf associations in my registry. This installation
came with "Kodak Imager" so I can't say if it is a virgin Win98 setup.
 
kurt wismer said:
i'm reasonably certain those calls are encoded in the wmf file itself...
wmf files are essentially collections of gdi api calls... i'm not sure
why anything would need to call additional gdi methods when parsing a
wmf file...

Anyone who writes code to draw WMFs would only have to call the
built-in "playmetafile", or whatever the API routine is called, in
order to display it for the required device context (which may be a
printer).

What I don't understand about this is how the exploit code is run,
because there's no talk of buffer overflows with this exploit. The
problematic routine is the escape("setabortproc") function, which
tells the GDI what user-supplied function to call in the event of a
print cancellation. In other words, the address of the "abortproc"
code in the WMF is passed to the GDI, but why is it being run? In
the exploit code I've seen, there's no subsequent call to trigger it.
 
Wilbur Post said:
Does this mean we shouldn't copy or dl image files from newsgroups or
copy jpgs from the net, or save web pages in html or mht format?
Will the MS patch cover it all?

http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
It has been known for a long time that people put malware in images. This
is especially true for compressed formats like jpg or gif.
I suppose that it would be possible to embed malware in almost any type of
image if a person were determined enough.
It has also been known that one should never open an image from anybody
unless some friend tells you that the image is coming.
There is nothing new about the potential for getting infected via image
files.
Jim
 
Here's something I came across in my registry:

HKEY_Classes_root\quickview\.WMF
In that key is a sub-key (CSLID?) with a data
value of "SCC Quick Viewer"

A search for SCC Quick Viewer gives this:

http://www.windowsitlibrary.com/Content/368/07/2.html (see below).

Also, I see that WMF files are also associated with wmfimp32.flt:

"The Windows Metafile graphics filter (Wmfimp32.flt) supports the
Windows Metafile format. You must have the Windows Metafile filter
installed to insert a Windows Metafile into a Microsoft Excel workbook
as a Microsoft Clip Gallery object. However, to insert a Windows
Metafile directly into a Microsoft Excel workbook, you don't need the
Windows Metafile filter."

-------

VIEWING FILES WITH QUICK VIEW

Quick View is a utility that provides a way to look at a file without
opening the software that created that file. In fact, you don’t even
have to have the software associated with the file on your computer.

It’s a complicated feature and is dependent upon the registry in order
to work. When you right-click a document file in Explorer or My
Computer, the shortcut menu offers the Quick View command if the file
type is supported by Quick View.

How Quick View Works
Quick View works by launching QUIKVIEW.EXE, which is not the viewer
but a software application that locates and launches an appropriate
viewer. In Windows NT QUIKVIEW.EXE is usually found in
\%SystemRoot%\System32\Viewers. In Windows 95 and 98, it is usually
located in \%SystemRoot%\System\Viewers.

A separate instance of a viewer is opened for each file selected by
the user. If you select multiple files and choose Quick View, the
shell starts QUIKVIEW.EXE for each selected file (using the Win32
CreateProcess or WinExec function) and a viewer will open for each
file type that is supported.

QUIKVIEW.EXE checks the registry to locate the viewer that should be
used with a particular file type. It starts the search at
HKEY_CLASSES_ROOT\QuickView\* to locate all registered viewers (see
Figure 7-8). You’ll usually find that the viewer is SCC Quick Viewer.

QUIKVIEW.EXE checks the file extension for the selected file and finds
the viewer for that file type.

If there is only one registered viewer, all the file extension subkeys
will display the default viewer (see Figure 7-9).

If the file type has no viewer installed, Quick View displays a
message saying that there is no viewer attached to this file type and
asking if you want to try the default viewers. If you say No, all
processing stops. If you respond affirmatively, the filename is passed
to the default viewers, one at a time. (If a file viewer is able to
handle the file, it may be a hex dump of the data). If none of the
default viewers displays the file, Quick View displays an error
message indicating there was an error opening or reading the file.
-------
 
"Ant" <[email protected]> said:
What I don't understand about this is how the exploit code is run,
because there's no talk of buffer overflows with this exploit. The
problematic routine is the escape("setabortproc") function, which
tells the GDI what user-supplied function to call in the event of a
print cancellation. In other words, the address of the "abortproc"
code in the WMF is passed to the GDI, but why is it being run? In
the exploit code I've seen, there's no subsequent call to trigger it.

It's called on errors, not just print cancels. If you examine the calls
in the file, you should find something wrong that would cause an error,
and hence execute the abort proc.
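The record structure behind the Escape/SetAbortProc exchange above, as an added example rather than anything a poster wrote. A WMF file is an optional 22-byte placeable header, an 18-byte METAHEADER, then GDI records: a 32-bit size in 16-bit words, a 16-bit function code, then parameters. META_ESCAPE is 0x0626, its first parameter selects the escape sub-function, and SETABORTPROC is 9. The parser walks the records, flags Escape/SetAbortProc records, and refuses malformed sizes; the two sample files are constructed inside the block, and the suspicious one carries zero-filled placeholder bytes as the escape payload, not exploit code. The constants follow the public format description (the fileformat.info page linked earlier in the thread covers the same layout); nothing is taken from a real malicious sample.

```python
"""Walk a WMF record stream and flag META_ESCAPE/SETABORTPROC records.

Added example, not code from the thread. Layout: optional 22-byte
placeable header, 18-byte METAHEADER, then records of
(RecordSize: u32 in 16-bit words, RecordFunction: u16, parameters).
"""
import struct
from functools import reduce

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # Aldus placeable header, 22 bytes total
META_ESCAPE = 0x0626
META_SETBKCOLOR = 0x0201
META_EOF = 0x0000
SETABORTPROC = 0x0009


def strip_placeable(data):
    """Return (rest, checksum_ok); checksum_ok is None without a placeable header.
    The checksum is the XOR of the header's first ten 16-bit words."""
    if data[:4] != PLACEABLE_MAGIC:
        return data, None
    words = struct.unpack_from("<10H", data, 0)
    stored = struct.unpack_from("<H", data, 20)[0]
    return data[22:], reduce(lambda a, b: a ^ b, words) == stored


def parse_wmf_records(data):
    """Yield (offset, function, params) per record, offsets relative to METAHEADER."""
    body, _ = strip_placeable(data)
    if len(body) < 18:
        raise ValueError("truncated METAHEADER")
    mtype, hsize, _version = struct.unpack_from("<HHH", body, 0)
    if mtype not in (1, 2) or hsize != 9:
        raise ValueError("not a WMF METAHEADER")
    pos = 18
    while pos + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, pos)
        if size_words < 3:   # size field covers itself plus the function word
            raise ValueError("record at offset %d shorter than its own header" % pos)
        end = pos + size_words * 2
        if end > len(body):
            raise ValueError("record at offset %d runs past end of file" % pos)
        yield pos, func, body[pos + 6:end]
        if func == META_EOF:
            return
        pos = end
    raise ValueError("no META_EOF record")


def find_setabortproc(data):
    """Return [(offset, escape_bytecount)] for every Escape/SETABORTPROC record."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        # Scanner-side choice: match the low byte of the function code, so a
        # record whose low byte is 0x26 counts as an Escape (false positives
        # cost little here). Escape params: EscapeFunction u16, ByteCount u16.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed samples (built here, not real files) ---
def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records, placeable=False):
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    out = header + body
    if placeable:
        # Key, bounding box (4 x i16), Inch, Reserved; checksum appended last.
        fields = struct.pack("<HhhhhHI", 0, 0, 0, 0, 0, 96, 0)
        checksum = reduce(lambda a, b: a ^ b, struct.unpack("<10H", PLACEABLE_MAGIC + fields))
        out = PLACEABLE_MAGIC + fields + struct.pack("<H", checksum) + out
    return out


BENIGN_WMF = _wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)), _record(META_EOF)])
# Escape/SETABORTPROC with 16 zero bytes as a stand-in payload (not code).
SUSPICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x00" * 16),
                       _record(META_EOF)], placeable=True)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(label, find_setabortproc(sample))
```

Because the record stream is the only thing the scanner needs, the same walk works whether the bytes arrived as .wmf, .jpg or .gif; combine it with a header sniffer and run it on anything that sniffs as a metafile. The size checks matter: a record whose size field points past the end of the file, or is smaller than its own header, is exactly the kind of malformed input the thread describes.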
 
Virus said:
kurt wismer wrote:

Files don't parse or render themselves - especially data files.

Something must read the header, parse the records, and then perform
the GDI calls.

lets restore context, shall we?

win9x doesn't need to have anything that would be making escape() and
setabortproc() calls to the gdi, those calls are part of the wmf file
itself - win9x simply has to parse the wmf file in the proper way (which
involves passing the gdi calls encoded in the wmf file to the gdi api)...

*anything* that displays wmf files should be doing this unless it has
its own gdi implementation...

[snip]
Well, I can see no evidence that IE can (all by itself) open a WMF
file on a Win-98 system no matter how you try to trick it.

apparently not...
Um, you're saying that Win-XP is more able to protect itself from the
big-bad internet than Win-98 is?

you're now showing a rather troubling ignorance of the principle of
least privileges... it's not winxp that is more able to protect itself,
it's running as a limited user that limits the damage things on the
big-bad internet can cause...
XP was designed for corporate desktops where sys-admins could control
what end-users could and couldn't do with their machine. XP was also
designed for remote admin, easy deployment, remote config, etc. None
of that stuff makes it inherently "better" for home users, and
arguable all of that stuff makes it more vulnerable when connected to
the internet via your typical home cable or DSL modem.

Funny how XP needs third party protection like AdAware, Spybot, etc,
even though it's got all that nifty privilege-based user accounts.

it needs those things in part because people don't use less privileged
accounts... they've still got their heads stuck in the win9x days...
 