Interview: Ilfak Guilfanov

Seeking to put some of the confusion about the recent Windows Metafile vulnerability to rest, I interviewed one of the most reliable sources of information on the bug: Ilfak Guilfanov. In addition to discussing the temporary patch he authored, Ilfak offers valuable guidance and accurate information on a more general level for those dealing with this vulnerability.

Tell us a little about yourself so that the audience knows who you are.

I’m the author of the IDA Pro tool, which is used by security specialists to analyze software binaries. IDA Pro is the biggest program I wrote, but there are also other programs (PhotoRescue, for example).

Now let’s discuss some of the details of the Windows Metafile vulnerability. There has been a lot of conflicting information about the details of the flaw. Could you just describe the vulnerability for us so that people understand what the issue is?

Yes, there is some confusion about the vulnerability. To speak simply, it is possible to get infected just by browsing the Internet.

A specially-crafted WMF file can take full control of your computer. In fact, a WMF file is not an ordinary graphic file. It looks more like a program rather than a data file, because it consists of a sequence of commands for Windows.

Most are commands like ‘draw a blue line’, ‘fill a rectangle with red’, and so on.

There is one very powerful command code in WMF files. This command code means ‘if something wrong happens, do the following: …’. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.
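As an added illustration (not from the interview and not part of Ilfak’s patch), the Python below walks the WMF record stream the answer describes and flags the Escape record that selects SETABORTPROC, the ‘if something wrong happens, do the following’ command. The record layout and the constants META_ESCAPE (0x0626) and SETABORTPROC (9) come from the WMF format and the Windows GDI headers; the sample files are constructed inline and carry only a zero placeholder payload.

```python
import struct

META_ESCAPE = 0x0626        # rdFunction of a WMF Escape record (wingdi.h)
SETABORTPROC = 9            # Escape sub-function that installs an "on error" callback
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header

def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                     # skip the placeable (Aldus) header
    _mt_type, header_words = struct.unpack_from("<HH", data, off)
    off += header_words * 2          # mtHeaderSize is counted in 16-bit words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2        # rdSize counts words, including itself and rdFunction
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        off += size
        if func == 0:                # META_EOF terminates the record stream
            break

def find_abortproc_escapes(data):
    """Return offsets of Escape records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

# Constructed sample files for testing the scanner (not real-world captures).
def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    return struct.pack("<I", (4 + len(body)) // 2) + body

def build_sample_wmf(with_abortproc):
    recs = [_record(0x0201, struct.pack("<I", 0x00FF0000))]  # META_SETBKCOLOR
    if with_abortproc:
        # Escape(SETABORTPROC) carrying a 4-byte all-zero placeholder payload
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4))
    recs.append(_record(0x0000))                              # META_EOF
    body = b"".join(recs)
    max_words = max(len(r) for r in recs) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body
CLEAN_WMF = build_sample_wmf(False)
SUSPECT_WMF = build_sample_wmf(True)
```

A scanner like this only spots the dangerous record type; it is a triage aid for mail and proxy filters, not a substitute for the patch or for DEP.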

So this is a design issue?

Yes, it is a design issue.

When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updates its software. Could you tell us more about what the patch does?

The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk.

It modifies [the image of] the system DLL ‘gdi32.dll’ because the vulnerable code is there.

Some people are concerned about installing a temporary fix that doesn’t come from Microsoft, because of potential problems with that. Is there an uninstaller available if people run into problems?

Yes, sure. The fix comes with a full installer/uninstaller.

Do you provide the source code of the fix so that people can verify that it works effectively?

Yes, the fix comes with the source code.

When you wrote this, did you expect this patch to become so popular?

Oh no, not at all. It was a big surprise for me.

Should users who install your patch also apply Microsoft’s fix when it is available?

Yes, absolutely.

Should they uninstall your fix before they do that?

My fix can be uninstalled before or after applying the official patch.

Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?

Good design and good coding practices, but that is easier said than done.

What options are there for users if, for some reason, they are not able to install your patch?

First, there is the option of unregistering shimgvw.dll.
Second, hardware-based DEP [Data Execution Prevention] seems to protect systems.

[For the most effective protection, DEP should be enabled for all programs as outlined below. -- Matt]

Shouldn’t users have DEP on already, if possible, as good practice?

Yes, it is a good practice and should be enabled if possible.

Thanks again for taking the time to discuss this. We appreciate it. It’s obvious from its popularity that the community appreciates your efforts in developing this patch.

I’d like to thank Ilfak Guilfanov, of course, for allowing me and SecuriTeam this interview. The popularity of his patch is proof of the quality of his work. Thanks are also in order for his contribution of this valuable tool to the community. I’d also like to thank SecuriTeam’s Sun Shine, who decided to do the interview and helped get the ball rolling on it for me.

More information on the topics covered in Ilfak’s interview:

  • Microsoft’s advisory, along with the official workaround (unregistering shimgvw.dll): http://www.microsoft.com/technet/security/advisory/912840.mspx
  • Ilfak’s temporary WMF hotfix homepage is back at www.hexblog.com. You will have to download from one of the better-connected mirrors, as poor Ilfak has already had to move hosts once. I guess he’s a victim of his own popularity. :-(
  • DataRescue is the home of the IDA Pro product that Ilfak has helped develop. Their site also contains a link to the WMF vulnerability information.
  • Information on enabling hardware-enforced DEP is available from Microsoft (for Windows XP SP2, though the process for Windows Server 2003 SP1 will be similar). DEP should be configured to protect all programs for maximum protection. Hardware-enforced DEP does not protect applications (like Windows Picture & Fax Viewer) by default.

  • http://www.x-formation.com John Scatter

    Quote good interview. I wonder how the official fix from MS works though? Maybe someone can give some insight?

  • http://www.x-formation.com John Scatter

Oops, it should have said “Quite good”.

  • http://www.sploitcast.com Harrison

Ilfak does an excellent job of explaining the exploit in terms that anyone can understand. The answer to the second question is the best overview of what the exploit does that I have read so far. Thanks for the interview, it was a good read and informative.

  • 0x20FE

    Are there any plans or can a Windows 98/ME version of the fix be made? It does not appear that Microsoft will patch those versions.

  • omar

Windows Me solution:
    start->run
    regsvr32 /u shimgvw.dll

    > What options are there for users if, for some reason, they are not able to install your patch?

    > First, there is the option of unregistering shimgvw.dll

  • lamer

wtf is DEP? (forgive me for being lame, but Windows-oriented acronyms aren’t really my area of expertise)

  • wtf

    What happens if you don’t uninstall the hexblog fix before applying the MS one?

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    @0x20FE: NOD32 Italy has a fix that they claim works on 98/Me. I haven’t verified this, though, so your mileage may vary, use it at your own risk.

    @lamer: DEP = Data Execution Prevention. It implements page-based no-execute support on the newer Intel, AMD, and Transmeta CPUs. I’ve edited the post to expand the acronym.

    @wtf: I’ve heard no reports of specific side-effects that happened because of applying the MS patch on top of the hexblog update. As Ilfak says, you can remove the hexblog patch before or after applying the update. It’s really up to you.

  • xet7

There will be a patch for Win9x/ME:
    http://www.grc.com/sn/notes-020.htm

    And now that it’s known that the Microsoft patch does the same thing as Ilfak’s temporary patch (disabling WMF SETABORT), why not get some more code gurus to patch Windows even more :)

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    @xet7: There will more than likely *NOT* be a patch for Windows 98, 98 SE, and Me. If there is, it won’t be a Microsoft patch. GRC, et al, have claimed they have/will have patches, but until there’s real evidence of any validity to those claims, I’m inclined to treat them as suspicious.

  • loquacious

    I don’t think this has been said, or said enough:

    THANK YOU ILFAK GUILFANOV!

    It may have been just a few moments work to you; A simple tweak, an easy hack.

    But.

    I have no idea how many systems you actually saved or protected, how many man-hours of work saved, or how much actual money was saved by your patch.

    If I wasn’t among the lowest of the low-paid IT wage slaves, I’d personally send you money. If I had the responsibility to do so, and if I wasn’t at the bottom of the food chain, I’d insist that my employers donate you something, or to the org of your choice. (Perhaps you could name an org for people to donate to on your behalf, or you could set up a paypal link for yourself if you haven’t.)

    I sincerely hope that people have expressed their thanks and that people who are able have put their money where their mouth is, or that the publicity lands you lucrative work.

    Again, thank you. What you did was awesome. Thank you.

  • Darrell

    Microsoft’s arrogant decision to downgrade the importance of the WMF vulnerability for users of W98/ME assigns those users to a low status and denies them protection.

    I wonder how many new worms and viruses will find their way to the net as a result of all the older computers that can now, so easily, be made into zombies through this vulnerability?

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    @Darrell: Frankly, I never understood the point of the whole “criticals only” patch policy. It leaves Windows 98 and Windows Me looking like a mesh net of patched and unpatched vulnerabilities.

    While their decision seems reasonable (the dangerous WMFs can’t be rendered with the default association settings on Windows 98/Me or Windows 2000, AFAIK), the policy never made sense. My attitude is, either support it or don’t. Regardless, EOL for both products is on June 30, 2006. I will be the happiest man alive.

  • jb

“I’m the author of the IDA Pro tool” – I think he’s not the only author of IDA, is he?

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    @jb: Indeed, DataRescue.com lists Ilfak as the “architect and main developer” of IDA Pro and *the* developer of PhotoRescue.
