The company recommends that users deregister the shimgvw.dll library until the official patch is installed. Microsoft says the release version will not be available until Jan. A prerelease version was briefly posted on a developers' discussion board, probably in error (see "Pre-release Microsoft patch for WMF flaw leaked"). Microsoft is, of course, working on a patch. Hexblog's fix works on Win2000, XP, XP64 and Win2003 systems. After running the patch, a user should also deregister the shimgvw.dll library. What do the patches do? According to Ilfak Guilfanov, the patch writer, the unofficial Hexblog patch blocks access to the Escape() function in gdi32.dll, making the vulnerable SETABORTPROC subfunction unreachable. The patch issued for the earlier vulnerability doesn't correct the newer problem. For those keeping track, the earlier vulnerabilities were profiled in Microsoft Security Bulletin MS05-053 the newer problem is covered in Microsoft Security Advisory 912840. Symantec reports that one exploit, dubbed, carried a password-stealing Trojan horse that also attempted to open a proxy server on a random TCP port.ĭid I hear something about this back in November? No, that was a different problem, affecting both WMF and EMF (Extended Metafile) formats. Some versions attempt to "recruit" machines into zombie armies, presumably to be deployed for nefarious purposes at a later date. What's the payload? It can be any kind of executable file, but payloads so far appear to be mainly of the adware and spyware type. SETABORTPROC provides compatibility between newer versions of Windows and the older 16-bit versions, making this a so-called backward-compatible or "regression" bug.The Escape() function translates certain calls from the GDI library to the driver for a particular device - for instance, a scanner or a printer.GDI can be used in all Windows-based applications." Microsoft Windows-based applications do not access the graphics hardware directly instead, GDI interacts with device drivers on behalf of applications. As described by Microsoft, the GDI (Windows Graphic Display Interface) "enables applications to use graphics and formatted text on both the video display and the printer.Other applications, including Mozilla, rely on this DLL as well. Shimgvw is used by Windows Picture and Fax Viewer, which is Windows' default program, for a variety of file formats.It causes a buffer overflow and thus allows the targeted computer to run malicious code in the WMF file, whatever it may be. Escape() has a subfunction called SETABORTPROC, which lets users cancel a print job during spooling from within various applications. What's the launch sequence? When a user clicks on a WMF file, the application calls the shimgvw.dll library, which in turn can call the Escape() function in the gdi32.dll library. That program is believed to have been used in the first wave of exploits. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |