© SANS Institute 2005 SANS Internet Storm Center WMF workarounds and patches


1 SANS Internet Storm Center: WMF workarounds and patches
© SANS Institute 2005 http://isc.sans.org

2 Outline
How does WMF work?
How does the exploit work?
What does the Microsoft recommendation do?
What does the unofficial patch do?

3 About the Internet Storm Center
Cooperative incident response community
Volunteer operated (about 40 ISC handlers)
Vendor neutral
Operating the largest worldwide sensor network, DShield.org
Depending on input from readers and volunteers donating a large part of their holiday weekend

4 WMF: how it works
(diagram: WMF file -> Application -> shimgvw.dll -> GDI32.DLL)

5 WMF: how it works
A WMF file finds its way onto a Windows machine.
The application opening the file calls shimgvw.dll, which in turn calls GDI32.DLL to do the actual work.

6 WMF: exploit
(diagram: WMF file -> Application -> shimgvw.dll -> GDI32.DLL -> Escape() -> exploit)

7 WMF: exploit
A WMF exploit is an image with a potentially huge payload of exploit code.
The application will open the file and call shimgvw.dll, which will call GDI32.DLL.
But the function calls in the image data will cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself.
From there on, what happens next depends on the payload.
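As an added example, not part of the SANS slides: a small Python scanner that walks the WMF record stream the way the shimgvw.dll/GDI32.DLL path would and flags the Escape() records the exploit relies on. The slides do not name the Escape subfunction involved; this example assumes it is SETABORTPROC (0x0009), as later documented in Microsoft's bulletin MS06-001. The header layout and record numbers follow the public WMF format documentation, and the sample files are constructed inline.

```python
import struct

META_ESCAPE = 0x0626   # WMF record function number for the Escape() call
META_EOF = 0x0000      # terminating record of every WMF record stream
SETABORTPROC = 0x0009  # Escape subfunction abused in 2005 (assumed from MS06-001)
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte Aldus placeable header


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                      # skip the placeable header
    off += 18                         # skip the 18-byte standard META_HEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2         # record size is stored in 16-bit words
        if size < 6:                  # a record cannot be shorter than its own header
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_abortproc_escapes(data: bytes):
    """Return offsets of Escape() records whose subfunction is SETABORTPROC."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record (size in words, function number, parameters)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


# Constructed test data, not real files: a standard header, a benign file that
# only carries the EOF record, and one carrying an Escape/SETABORTPROC record
# whose data field is just zero bytes.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)
BENIGN_WMF = HEADER + _record(META_EOF, b"")
SUSPECT_WMF = (HEADER
               + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
               + _record(META_EOF, b""))
```

The scanner is content-based, so it also catches files that carry a misleading extension or a placeable header in front of the standard one.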

8 WMF: Microsoft unregister
(diagram: WMF file -> Application -> shimgvw.dll -> X -> GDI32.DLL -> Escape() -> exploit; annotation: Who’s gonna call?)

9 WMF: Microsoft’s solution
Microsoft advised to unregister shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL.
This will work for all applications that follow this path, but:
Nothing prevents direct calls to GDI32.DLL from being made by other applications.
Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life.
The library might be registered again by other software.
Aside from the unregistration, Microsoft also recommends:
User awareness, not surfing to “bad” places and all other sorts of generic solutions that are not relevant to this problem.
Keeping anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload, if they trigger at all, and the payload of the successful massive attack will be new.

10 WMF: how it works: unofficial patch
(diagram: WMF file -> Application -> shimgvw.dll -> GDI32.DLL -> Escape() -> exploit; annotation: UNOFFICIAL PATCH)

11 WMF: how it works: unofficial patch
The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function.
This patch was made by Ilfak Guilfanov.
Unofficial patches generally are indeed a bad idea, but:
This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center.
There is no other proper solution till Microsoft fixes things.
The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions.
Do you want to be among the casualties? Or do you want to be prepared to the best of your abilities?

