“Be Careful Out There” - 20051229 - WMF 0day exploit
Hi all;
A new vulnerability has been found in a Windows application and it is now being exploited in the “wild.”
Background
WMF and EMF files are Windows-specific image (graphics) file types and are the underlying formats used for vector images in Office and Windows (e.g. Office clip art and graphics pasted between Office applications are commonly carried as WMF/EMF).
WMF stands for Windows MetaFile and EMF stands for Enhanced MetaFile. Unlike GIF, JPEG, TIFF, etc., WMF graphics are generally not usable on platforms other than Windows (UNIX, non-IE browsers, etc. cannot natively render them).
The Problem
A new, as-yet-unpatched vulnerability has been discovered in the way Windows renders WMF (and potentially EMF) files; the default handler that triggers it is the “Windows Picture and Fax Viewer.” The flaw is in the handling of a metafile Escape record whose function is SETABORTPROC: the rendering code takes the record’s data as an abort-procedure callback and runs it, so simply rendering or previewing a crafted file executes attacker-supplied code. No user action beyond viewing the image is needed.
Additionally, an exploit for this flaw has been released that drops a Trojan, spyware, and other malicious software onto the machine once it is compromised.
Operating systems currently confirmed as affected: Windows XP Pro, XP Home, and 2003 Server (all versions).
This format has been particularly troublesome for Microsoft; the company has had to patch this component three times in the past two years, most recently in the November monthly patch cycle.
Workarounds
Until a fix is released by Microsoft, there are some mitigating actions and workarounds to take in order to protect yourself from this problem.
1) I recommend configuring your personal (and company) email software to block WMF and EMF extension attachments. Caveat: the viewer identifies a metafile by its content, not by its extension, so a WMF renamed to .jpg or .gif is rendered just the same. Extension blocking stops the careless attacks, not the careful ones; a filter that inspects the file content (the metafile header and record stream) is the only reliable check.
2) Do NOT open any WMF files you encounter while surfing (WMF files are not Internet-compatible, so encountering them is rare, but stay alert). Use a browser other than Internet Explorer (Opera, Firefox, etc. will not “automatically” open these WMF files but will instead prompt you; respond NO or CANCEL if you do see any).
3) Trend Micro (an antivirus vendor) is already blocking the known variants of the Trojan currently using this exploit. Trend detects the Trojan as “TROJ_NASCENE.x” where x is the variant revision (as of this message there are four known variants of this trojan). Symantec lists it as Bloodhound.Exploit.56. McAfee is listing it as, quite simply, Exploit-WMF. Kaspersky has sent out updates. Sophos has multiple names for the variants, but has also released updates for these trojans.
At any rate, the point here is that most AV vendors are protecting against the known attacks using this exploit, so UPDATE whatever antivirus software you use and, in general, make sure you set it to update daily (although I prefer hourly if your software supports it). Keep in mind that signatures cover the known samples, not the underlying flaw; a newly repacked file can slip past until the vendors catch up.
4) “Divorce” the Windows Picture and Fax Viewer from rendering WMF and EMF file types. Microsoft’s published workaround for this is to unregister the viewer DLL (regsvr32 -u %windir%\system32\shimgvw.dll) and re-register it (regsvr32 %windir%\system32\shimgvw.dll) once the patch is installed; this also disables thumbnail previews in Explorer. Given the measures above, this fairly drastic and intrusive step is unnecessary to protect us at this time. Note, however, that if you have another graphics application (like IrfanView, LView, ACDSee, etc.) set to open WMF and EMF files, then you are at less risk, since the default handler the current exploits target is the built-in Windows Picture and Fax Viewer. The underlying parsing flaw is in the GDI metafile rendering code that the viewer calls into, so any application that hands a WMF to GDI to draw it can still reach the bug; changing the default viewer narrows the exposure but does not eliminate it.
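As an added illustration of the content-based check recommended above (example code written for this page, not from the original message or from any AV vendor), here is a small scanner that recognises a WMF by its header regardless of file name and walks the record stream looking for an Escape record whose sub-function is SETABORTPROC, the construct the current exploit files use. The record layout and the constant values come from the WMF format (wingdi.h); the sample files, the function names and the verdict strings are constructed for the example, and the flagged sample carries inert filler bytes rather than an exploit. It also guards against a zero-length record, which would otherwise stall a naive parser.

```python
"""Content-based scanner for the WMF Escape/SETABORTPROC record.

Added example (not from the original post). It walks the WMF record stream
instead of trusting the file extension, because the Windows viewer decides
by content, so a renamed .jpg that is really a WMF is still rendered as one.
Constants come from the WMF format; everything else is constructed here.
"""
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626            # record function: Escape
QUERYESCSUPPORT = 0x0008        # harmless escape sub-function (used in the benign sample)
SETABORTPROC = 0x0009           # the escape sub-function abused by the exploit
PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable (Aldus) header
METAHEADER_LEN = 18             # size of the standard METAHEADER


def _strip_placeable(data: bytes) -> bytes:
    """Drop the optional placeable header so offsets start at METAHEADER."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return data[22:]
    return data


def is_wmf(data: bytes) -> bool:
    """Recognise a WMF by its header fields, not by file name."""
    body = _strip_placeable(data)
    if len(body) < METAHEADER_LEN:
        return False
    mt_type, header_words, version = struct.unpack_from("<HHH", body, 0)
    return mt_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (offset, function, params) per record: (size:u32 words, func:u16, params)."""
    body = _strip_placeable(data)
    off = METAHEADER_LEN
    while off + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, off)
        if size_words < 3:          # header alone is 3 words; smaller is junk and would stall
            break
        end = off + size_words * 2  # a bogus huge size just yields a truncated record
        yield off, func, body[off + 6:min(end, len(body))]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes) -> list:
    """Offsets (from METAHEADER) of Escape records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def verdict(data: bytes) -> str:
    """What a mail-gateway hook would do with an attachment, whatever its extension."""
    if not is_wmf(data):
        return "pass"                   # not a metafile at all
    if find_setabortproc(data):
        return "block"
    return "wmf-no-setabortproc"


# --- constructed samples (not real malware) --------------------------------
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def _wmf(records) -> bytes:
    body = b"".join(records) + _record(META_EOF)
    max_rec = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (METAHEADER_LEN + len(body)) // 2, 0, max_rec, 0)
    return header + body


def _placeable(std: bytes) -> bytes:
    # key, handle, bbox(left, top, right, bottom), inch, reserved, checksum (not validated here)
    return struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + std


BENIGN = _wmf([_record(META_SETMAPMODE, b"\x01\x00"),
               _record(META_ESCAPE, struct.pack("<HH", QUERYESCSUPPORT, 2) + b"\x01\x00")])
# Same shape as the exploit files: an Escape/SETABORTPROC record carrying a blob.
# The blob is inert filler for the example, not shellcode.
SUSPECT = _wmf([_record(META_SETMAPMODE, b"\x01\x00"),
                _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\xcc" * 8)])
SUSPECT_PLACEABLE = _placeable(SUSPECT)
NOT_WMF = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("clipart.wmf", BENIGN), ("holiday.jpg", SUSPECT),
                       ("holiday.wmf", SUSPECT_PLACEABLE), ("photo.gif", NOT_WMF)]:
        print(name, verdict(blob))
```

The file name is never consulted: "holiday.jpg" is blocked because its bytes are a metafile with the SETABORTPROC record, and the benign file is let through even though it also contains an Escape record, because only the SETABORTPROC sub-function is of interest here.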
Eventual Solution
Once Microsoft releases a patch for this flaw, we will deploy it using the usual Automatic Updates method.
FYI;
_____________________________________________________________KevFrey
“Personally I’m always ready to learn, although I do not always like being taught.” – Sir Winston Churchill