The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

More WMF Exploit Info from the Internet Storm Center

Trustworthy Computing (NEW)

Published: 2006-01-01,
Last Updated: 2006-01-01 17:58:01 UTC by Tom Liston (Version: 1)

Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don’t believe has ever been said here in the Handler’s diary before: “Please, trust us.”I’ve written more than a few diaries, and I’ve often been silly or said funny things, but now, I’m being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.

We’ve received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn’t asked for your trust: we’ve earned it. Now we’re going to expend some of that hard-earned trust:

This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice – unregister shimgvw.dll and use the unofficial patch. You need to trust us.

Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We’ve done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.

On December 31st, we received word that a “new and improved” version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.

And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested “fix” ideas and the resulting patches.

I was privileged to be a part of that team, and I’m incredibly proud of everyone who participated. As it became obvious that the “fix” that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn’t encouraging. We’ve heard nothing to indicate that we’re going to see anything from Microsoft before January 9th.

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

It’s time for some real trustworthy computing. All we’re asking is if we’ve proved ourselves to be worthy of your trust.

Recommended Block List (NEW)

Published: 2006-01-01, Last Updated: 2006-01-01 18:11:26 UTC by Swa Frantzen (Version: 1)

I hate block lists… maybe because I have been on the ‘wrong end’ of them in the past. But after careful consideration, we do recommend blocking traffic from these two netblocks:
InterCage Inc.: ( –
Inhoster: ( –

The list may be updated later. We do not expect to make this a “regular feature”. But at this time we find that it is necessary to point out these particular two netblocks. They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content.

Updated version of Ilfak Guilfanov’s patch / ,msi file (NEW)

Published: 2006-01-01,
Last Updated: 2006-01-02 03:26:26 UTC by Tom Liston (Version:
2(click to highlight changes))
Ilfak Guilfanov has released an updated version of his unofficial patch for the Window’s WMF issue. We have reverse engineered, reviewed, and vetted the version here. Note: If you’ve already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed.(Note: the version information in the installation script indicates that this is version 1.2 – but it really IS version 1.3… the version info in the install script is incorrect…)

MD5: 14d8c937d97572deb9cb07297a87e62a – wmffix_hexblog13.exe
PGP Signature (signed with SANS ISC key) is

We have also created a .msi file suitable for unattended installation from version 1.3 of the patch. It can be downloaded from a link on this page.

MD5: ae6bb95196853843f4aceb7fca5a78ee – WindowsMetafileFix.msi
PGP signature is


January 2, 2006 - Posted by | Security News, Virus Outbreaks

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: