Pavlov Scope

2005 December 31

WMF Exploit (Update 1)

Filed under: ITSec — Kev Frey @ 1:07:31

Hi again;

As more information has surfaced about this problem, it has become clear that the vulnerability is not limited to files with the .wmf extension. An attacker can disguise a malicious WMF as another image type (JPG, GIF, BMP, etc.), because Windows decides how to render (open/run) a file from its file header, not from its extension (unlike the “old” days ;-)

Additionally, SANS has identified an issue specific to Lotus Notes (a groupware / email system that my organization, and thousands of others, use) that makes it more vulnerable to this exploit than Microsoft clients (in sharp contrast to the usual, opposite situation). The primary workaround, until Lotus and/or Microsoft fix this problem, is to filter all image file types from inbound Internet email.

However, since the antivirus vendors are staying on top of this, filtering all image files is probably too disruptive at this time.

This could change, however, if a new attack method is released.

Best regards and Happy New Year!

_____________________________________________________________
KevFrey

.     .    .   .  . .. .  .   .    .     .
2005 December 29

“Be Careful Out There” - 20051229 - WMF 0day exploit

Filed under: ITSec — FreyGuy @ 16:06:31

Hi all;

A new vulnerability has been found in a Windows application and it is now being exploited in the “wild.”

Background

    WMF and EMF files are Windows-specific image (graphics) file types and are the underlying formats used for images in Office and Windows (e.g. when you take a screenshot, it is saved “under the hood” as a WMF on the clipboard).

    WMF stands for Windows MetaFile and EMF stands for Enhanced MetaFile. Unlike GIF, JPEG, TIF, etc., WMF graphics are generally not compatible with platforms other than Windows (UNIX, non-IE browsers, etc. cannot natively render them).

The Problem

    A new, as-yet-unpatched vulnerability has been discovered in the way that the “Windows Picture and Fax viewer” application handles WMF (and potentially EMF) files.

    Additionally, an exploit against this flaw has been released that drops a Trojan, spyware, and other malicious software onto the machine once it is compromised.

    Operating Systems currently affected: Windows XP Pro, XP Home, and 2003 Server (all versions).

    This component has been particularly troublesome for Microsoft in the past: the company has had to patch it 3 times in the past 2 years, most recently in the November monthly patch cycle.

Workarounds

    Until Microsoft releases a fix, there are some mitigating actions and workarounds you can take to protect yourself from this problem.

    1. I recommend configuring your personal (and company) email software to block attachments with the WMF and EMF extensions.
    2. Do NOT open any WMF files you encounter while surfing (WMF files are not Internet-compatible, so encountering them is rare – but stay alert).
       Use a browser other than Internet Explorer (Opera, Firefox, etc. will not “automatically” open these WMF files but will instead prompt you – respond NO or CANCEL if you do see such a prompt).
    3. Trend Micro (an antivirus vendor) is already blocking the known variants of the Trojan currently using this exploit. Trend detects the Trojan as “TROJ_NASCENE.x” where x is the variant revision (as of this message there are four known variants of this trojan). Symantec lists it as Bloodhound.Exploit.56. McAfee is listing it as, quite simply, Exploit-WMF. Kaspersky has sent out updates. Sophos has multiple names for the variants, but has also released updates for these trojans.
       At any rate, the point here is that most AV vendors are protecting against the known attacks using this exploit, so UPDATE whatever antivirus software you use and, in general, make sure you set it to update daily (although I prefer hourly if your software supports it).
    4. “Divorce” the Windows Picture and Fax Viewer from rendering WMF and EMF file types. Given 1) and 2) above, this fairly drastic and intrusive step is unnecessary to protect us at this time. Note, however, that if you have another graphics application (like IrfanView, LView, iView, ACDSee, etc.) set to open WMF and EMF files, you are at much less risk, since the vulnerability is in the built-in default Windows Picture and Fax Viewer application.
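The following is an added example, not code from the original post: a Python attachment filter that implements workaround item 1 (block .wmf/.emf by extension) together with the point from the December 31 update above, that Windows picks the renderer from the file header rather than the extension, so a metafile renamed to .jpg is caught as well. The header layouts used (placeable WMF magic 0x9AC6CDD7, the standard METAHEADER fields, the EMF " EMF" signature at offset 40) are the documented public formats; the sample attachments are constructed headers, not real images.

```python
import struct

# Image kind each common extension claims (assumption: the usual mappings).
EXT_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "bmp": "bmp"}
METAFILE_EXTS = {"wmf", "emf"}   # workaround item 1: block these outright

def sniff_image(data):
    """Classify an attachment by its leading bytes, the way the viewer does,
    ignoring whatever extension the sender chose."""
    if data[:4] == b"\xd7\xcd\xc6\x9a":          # placeable (Aldus) WMF magic 0x9AC6CDD7
        return "wmf"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "emf"                              # ENHMETAHEADER: iType 1, dSignature " EMF"
    if len(data) >= 18:
        mtype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"                          # standard METAHEADER
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:2] == b"BM":
        return "bmp"
    return None

def attachment_verdict(filename, data):
    """Return (action, reason) for one attachment: block metafiles by name or by
    content, quarantine header/extension mismatches, allow everything else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_image(data)
    if ext in METAFILE_EXTS:
        return ("block", "metafile extension .%s" % ext)
    if kind in ("wmf", "emf"):
        return ("block", "%s header inside .%s attachment" % (kind, ext or "(none)"))
    if ext in EXT_KIND and kind is not None and EXT_KIND[ext] != kind:
        return ("quarantine", "header says %s but extension is .%s" % (kind, ext))
    return ("allow", kind or "not an image")

# Constructed sample attachments (headers only, no real image data).
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18 + struct.pack("<HHH", 1, 9, 0x0300)
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
EMF_HEADER = b"\x01\x00\x00\x00" + b"\x00" * 36 + b" EMF" + b"\x00" * 44
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
```

Run `attachment_verdict("holiday.jpg", PLACEABLE_WMF)` to see the disguised metafile blocked while the same name with `JPEG_HEADER` is allowed.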

Eventual Solution

    Once Microsoft releases a patch for this flaw, we will deploy it using the usual Automatic Updates method.

FYI;

_____________________________________________________________
KevFrey

.     .    .   .  . .. .  .   .    .     .

“Personally I’m always ready to learn, although I do not always like being taught.” – Sir Winston Churchill

2005 December 21

Symantec buffer overflow vulnerability

Filed under: ITSec — Kev Frey @ 12:51:31

Hi all;

An as-yet-unpatched vulnerability has been discovered in a file used by many different Symantec (Norton) products for scanning RAR compressed archives (RAR is a competing file compression format to the highly successful ZIP).

The workaround suggested both by the researcher who discovered the flaw and by the vendor is to configure the antivirus software not to scan RAR files, and to set up a mail filter in your email client or email server software so that a vulnerable Symantec product never gets the chance to scan a malicious RAR file.

Many people use Norton/Symantec antivirus products on their home or work computers, so I wanted to “get the word out” in case you or those you know might be affected by this – especially with the holiday season coming up, which will give hackers more time to craft attacks against the software. Feel free to forward this email to anyone you feel might be affected by this problem.

No word yet on when a patch will be released to fix the problem, but I suggest that those who believe they are affected:

  1. Disable the scanning of RAR files in the antivirus software configuration.
  2. Create mail filter rules to delete incoming messages with RAR file attachments.
  3. Watch the Symantec security advisories page for details.
  4. Download and install all new patches via the LiveUpdate utility included with Symantec products (watch for a forthcoming update).

As of this message, Symantec has not publicly acknowledged the issue on the aforementioned site, but it is no doubt being investigated and a fix is pending.

Original information from the person that discovered the problem:

Security Advisory – Symantec Antivirus Library Remote Heap Overflows

Date: December 20, 2005

Vulnerability

The Symantec Antivirus Library provides file format support for virus analysis. During decompression of RAR files, Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected. These vulnerabilities can be exploited remotely without user interaction in default configurations through common protocols such as SMTP.

Impact

Successful exploitation of Symantec protected systems allows attackers unauthorized control of data and related privileges. It also provides leverage for further network compromise. Symantec implementations are likely vulnerable in their default configuration. In default configurations users are likely vulnerable regardless of whether they choose to open or read the email.

Affected Products

Due to the library’s modular design and core functionality, it is likely this vulnerability affects a substantial portion of Symantec’s gateway, server, & client antivirus-enabled product lines on most platforms. In fact, the scope of this vulnerability is likely similar to the one described in this link and also includes more current versions.

Further, this library is also licensed to a substantial number of vendors with products/services that are likely affected. A small sample of these vendors can be found here.

Recommendation

Disable scanning of RAR compressed files until the vulnerable code is fixed.

Credit

This vulnerability was discovered and researched by Alex Wheeler.

Technical overview

The vulnerable code is responsible for decompression of RAR archive formats. Specifically, the vulnerability is the result of unchecked 16-bit length fields in RAR sub-block header types. An attacker may craft a sub-block header to overwrite heap memory with user-controlled file data to execute arbitrary code. A successful attack will yield system/root level privileges and is available through e-mail without user interaction.

The module affected resides in Dec2Rar.dll v3.2.14.3. It’s probable other versions are affected as well.

Original Reference: http://www.rem0te.com/public/images/symc2.pdf
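As an added illustration of the "unchecked 16-bit length fields" in the technical overview above (this is not code from the advisory, from Symantec, or from the original post), here is a minimal Python RAR block-header walker that does the check the advisory says was missing: every length field is validated against the bytes actually present before anything is copied, so a crafted header is rejected instead of trusted. The block layout is the public RAR 2.x/3.x one; CRC checking is left out, and the two sample archives are constructed.

```python
import struct

# RAR 2.x/3.x block header (public layout); HEAD_SIZE and ADD_SIZE are the kind
#   of length fields the advisory means:
#   u16 HEAD_CRC, u8 HEAD_TYPE, u16 HEAD_FLAGS, u16 HEAD_SIZE, u32 ADD_SIZE (only if FLAGS & 0x8000)
RAR_MARKER = b"Rar!\x1a\x07\x00"   # the marker is itself a valid 7-byte block (type 0x72)
MIN_HEAD_SIZE = 7
LONG_BLOCK = 0x8000                # HEAD_FLAGS bit: ADD_SIZE field present
SUB_HEAD = 0x77                    # RAR 2.x sub-block type

class MalformedRar(ValueError): pass

def parse_block(data, off):
    """Parse one block header at `off`, checking every length field against the buffer."""
    if off + MIN_HEAD_SIZE > len(data):
        raise MalformedRar("truncated block header at offset %d" % off)
    _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, off)
    if head_size < MIN_HEAD_SIZE:
        raise MalformedRar("HEAD_SIZE %d is smaller than the fixed header" % head_size)
    add_size = 0
    if flags & LONG_BLOCK:
        if head_size < MIN_HEAD_SIZE + 4:
            raise MalformedRar("long block has no room for ADD_SIZE")
        (add_size,) = struct.unpack_from("<I", data, off + MIN_HEAD_SIZE)
    end = off + head_size + add_size
    if end > len(data):   # the missing check: never copy more than the buffer holds
        raise MalformedRar("block claims %d bytes but only %d remain" % (end - off, len(data) - off))
    return {"type": btype, "flags": flags, "head_size": head_size,
            "add_size": add_size, "payload": data[off + head_size:end], "next": end}

def walk_blocks(data):
    # Returns every block in `data`, failing closed on the first bad length field.
    if not data.startswith(RAR_MARKER):
        raise MalformedRar("not a RAR archive")
    blocks, off = [], 0
    while off < len(data):
        blocks.append(parse_block(data, off))
        off = blocks[-1]["next"]
    return blocks

def is_well_formed(data):
    try:
        walk_blocks(data)
        return True
    except MalformedRar:
        return False

# Constructed samples (CRC fields left zero; CRC verification is out of scope here).
MAIN_HEAD = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
GOOD_SUB = struct.pack("<HBHH", 0, SUB_HEAD, LONG_BLOCK, 11) + struct.pack("<I", 4) + b"DATA"
GOOD_ARCHIVE = RAR_MARKER + MAIN_HEAD + GOOD_SUB
BAD_ARCHIVE = RAR_MARKER + MAIN_HEAD + struct.pack("<HBHH", 0, SUB_HEAD, 0, 0xFFFF) + b"DATA"  # oversized HEAD_SIZE
```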

If you have any questions, please feel free to ask.

Seasons Greetings and take care;

_____________________________________________________________
KevFrey

.     .    .   .  . .. .  .   .    .     .
2005 December 13

KB905915 / MS05-054

Filed under: ITSec — Kev Frey @ 16:30:31

Microsoft released the patches for this (and the other recently reported bugs) earlier this afternoon (2005-Dec-13).

I will be testing these patches out in my testbed tonight to make sure they don’t break the OS (worse than the workaround)... but I recommend that everyone (read: personal/home computers) visit the Windows Update site, which you must use IE to access – you might have to add *.microsoft.com to the Trusted Zones area if you have put the workaround in place. Or, you can usually just use the “Start button – Windows Update” link as well.

If your professional (read: work/job) organization isn’t deploying these patches or doesn’t have a patch management solution in place, I would also recommend updating your work computer the same way… but if your company/organization does update your software for you, you might be throwing a monkey wrench into things.

If you have questions or problems, please let me know.

Please be aware that there have been reports that this update breaks computers running IE7 (beta) in parallel with IE6, so all you tinkerers out there, take heed.

_____________________________________________________________
KevFrey

.     .    .   .  . .. .  .   .    .     .