Seeking to put some of the confusion about the recent Windows Metafile vulnerability to rest, I interviewed one of the most reliable sources of information on the bug: Ilfak Guilfanov. In addition to discussing the temporary patch he authored, Ilfak offers valuable guidance and accurate information on a more general level for those dealing with this vulnerability.
Tell us a little about yourself so that the audience knows who you are.
I'm the author of the IDA Pro tool, which is used by security specialists to analyze software binaries. IDA Pro is the biggest program I wrote, but there are also other programs (PhotoRescue, for example).
Now let's discuss some of the details of the Windows Metafile vulnerability. There has been a lot of conflicting information about the details of the flaw. Could you just describe the vulnerability for us so that people understand what the issue is?
Yes, there is some confusion about the vulnerability. To speak simply, it is possible to get infected just by browsing the Internet.
A specially-crafted WMF file can take full control of your computer. In fact, a WMF file is not an ordinary graphic file. It looks more like a program rather than a data file, because it consists of a sequence of commands for Windows.
Most are commands like 'draw a blue line', 'fill a rectangle with red', and so on.
There is one very powerful command code in WMF files. This command code means 'if something wrong happens, do the following: ...'. So the creator of the WMF file can make your computer do anything he/she wants by using this command code and deliberately creating an error condition afterward.
So this is a design issue?
Yes, it is a design issue.
When you heard of this vulnerability, you created a temporary patch to close the hole until Microsoft updates its software. Could you tell us more about what the patch does?
The patch just removes this powerful command. It does not do anything else. The fix modifies the memory image of the system on the fly. It does not alter any files on the disk.
It modifies [the image of] the system DLL 'gdi32.dll' because the vulnerable code is there.
Some people are concerned about installing a temporary fix that doesn't come from Microsoft, because of potential problems with that. Is there an uninstaller available if people run into problems?
Yes, sure. The fix comes with a full installer/uninstaller.
Do you provide the source code of the fix so that people can verify that it works effectively?
Yes, the fix comes with the source code.
When you wrote this, did you expect this patch to become so popular?
Oh no, not at all. It was a big surprise for me.
Should users who install your patch also apply Microsoft's fix when it is available?
Should they uninstall your fix before they do that?
My fix can be uninstalled before or after applying the official patch.
Is there anything that you think should be done to make vulnerabilities like this less dangerous in the future?
Good design and good coding practices, but that is easier said than done.
What options are there for users if, for some reason, they are not able to install your patch?
First, there is the option of unregistering shimgvw.dll.
Second, hardware-based DEP [Data Execution Prevention] seems to protect systems.
[For the most effective protection, DEP should be enabled for all programs as outlined below. — Matt]
Shouldn't users have DEP on already, if possible, as good practice?
Yes, it is a good practice and should be enabled if possible.
Thanks again for taking the time to discuss this. We appreciate it. It's obvious from its popularity that the community appreciates your efforts in developing this patch.
I'd like to thank Ilfak Guilfanov, of course, for allowing myself and SecuriTeam this interview. The popularity of his patch is proof of the quality of his work. Thanks are also in order for his contribution of this valuable tool to the community. I'd also like to thank SecuriTeam's Sun Shine, who decided to do the interview and helped get the ball rolling on it for me.
More information on the topics covered in Ilfak's interview:
- Microsoft's advisory, along with the official workaround (unregistering shimgvw.dll): http://www.microsoft.com/technet/security/advisory/912840.mspx
- Ilfak's temporary WMF hotfix homepage is back at www.hexblog.com. You will have to download from one of the better-connected mirrors, as poor Ilfak has already had to move hosts once. I guess he's a victim of his own popularity. 🙁
- DataRescue is the home of the IDA Pro product that Ilfak has helped develop. Their site also contains a link to the WMF vulnerability information.
- Information on enabling hardware-enforced DEP is available from Microsoft (for Windows XP SP2, though the process for Windows Server 2003 SP1 will be similar). DEP should be configured to protect all programs for maximum protection. Hardware-enforced DEP does not protect applications (like Windows Picture & Fax Viewer) by default.
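A defender-side check for the record Ilfak describes, added here as an example and not code from the interview, the hotfix or IDA Pro: it walks the WMF record stream and reports any escape record that installs an abort procedure (in the real format this is the META_ESCAPE record, 0x0626, carrying escape function SETABORTPROC, 9), which is the 'if something wrong happens, do the following' command discussed above. The sample files are constructed inline; no payload is involved, only the record structure.

```python
import struct

# Record and escape codes are real values from the WMF format; the sample files
# built below are constructed for this example, not taken from the interview or the hotfix.
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009       # escape that registers a callback to run on a printing error

def iter_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("file too short for a WMF header")
    hdr_words = struct.unpack_from("<H", data, off + 2)[0]  # header size in 16-bit words
    if hdr_words != 9:
        raise ValueError(f"unexpected header size {hdr_words} words")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size in words, function code
        if size_words < 3 or off + size_words * 2 > len(data):
            raise ValueError(f"malformed record size at offset {off}")
        yield off, func, data[off + 6:off + size_words * 2]
        if func == META_EOF:
            return
        off += size_words * 2
    raise ValueError("file ends without META_EOF")

def find_abortproc_escapes(data):
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def build_record(func, params=b""):
    """Pack one record; params must be word-aligned because the size field counts 16-bit words."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records):
    """Wrap constructed records in a standard (non-placeable) header and append META_EOF."""
    body = b"".join(records) + build_record(META_EOF)
    max_words = max(len(r) for r in records + [build_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body

if __name__ == "__main__":
    sample = build_wmf([build_record(0x0201, b"\x00\x00\xff\x00"),  # META_SETBKCOLOR, benign
                        build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
    print(find_abortproc_escapes(sample))  # [28]
```

A scanner like this only flags the record that Ilfak's hotfix neutralises in gdi32.dll; it is a triage aid for mail gateways or web proxies, not a replacement for the patch or DEP.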