In association with heise online

Internet Explorer - Demo: WMF vulnerability

The proprietary Windows Metafile Format (WMF) image format also allows program code to be embedded and executed. Due to a bug in the Windows libraries, this feature can be exploited, for instance to install backdoors or spyware using specially prepared WMF files. More than a thousand Web sites already exploit this vulnerability, including reputable sites that have been compromised by intruders. Under Internet Explorer, all it takes to get into trouble is opening a Web page that contains a manipulated WMF image. Infection can also occur through other browsers if the user confirms that the WMF file should be opened.

The WMF exploits are very infectious: merely opening such a file can infect the system with malware. Since under certain circumstances Windows recognizes the file type by its content rather than its extension, such exploits can also be disguised as JPG images. Once the file is stored on the hard disk, the preview image shown by Explorer may be enough to trigger the malicious routine. Background services that generate preview images, such as Google Desktop, can also trigger it. Emails with supposed JPG images are in circulation; they install a backdoor when the attachment is opened. A worm spreads such files via MSN Messenger.

Demo:
This demo exploits the WMF vulnerability to start the Windows calculator; it will not do any harm. Our tests have shown that it worked with Windows XP SP2 and all current patches, with Internet Explorer and Firefox. With Firefox, it is necessary to confirm the open action, which is proposed as the default setting. The demo is based on a published exploit from the Metasploit Project and has been adapted for The H Browsercheck accordingly.

If the demo works properly, the Windows calculator will open. If this does not happen, the demo has failed. The causes for failure are manifold, and failure does not by any means imply that you are not vulnerable. For example, blocking the transfer of WMF files is not enough since such files can be masked as JPG images. Antivirus software does not provide reliable protection either because new versions might not be recognized.
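The two points above, that Windows identifies a WMF by its content rather than its extension and that blocking `.wmf` downloads is therefore not enough, can be checked on the defender's side with a content sniffer. The following is an added example, not code from The H or from the Browsercheck; it uses the header layouts from the public WMF and JPEG format specifications, and all function names and sample bytes are constructed here.

```python
import struct

# Header constants from the public format specifications (not from the page).
PLACEABLE_WMF_KEY = 0x9AC6CDD7      # key of the Aldus "placeable" WMF header
JPEG_MAGIC = b"\xff\xd8\xff"        # SOI marker that every JPEG begins with


def sniff_image_type(data: bytes) -> str:
    """Classify content by header bytes only; the file name is deliberately ignored."""
    if data[:3] == JPEG_MAGIC:
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 18:
        # Standard METAHEADER: FileType 1 (memory) or 2 (disk), HeaderSize 9 words,
        # Version 0x0100 or 0x0300. This is what a content-based loader keys on.
        file_type, header_size, version = struct.unpack("<HHH", data[:6])
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the content is a metafile but the name claims something else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"wmf": "wmf", "jpg": "jpeg", "jpeg": "jpeg"}.get(ext, "unknown")
    return sniff_image_type(data) == "wmf" and claimed != "wmf"


# Constructed samples: a minimal 18-byte standard WMF header (disk metafile,
# 9-word header, version 3.0, no objects), a placeable WMF header and a JPEG prefix.
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 14


def scan(files):
    """Return the names of files whose content would be loaded as WMF despite their name."""
    return [name for name, data in files if is_disguised_wmf(name, data)]


if __name__ == "__main__":
    hits = scan([("holiday.jpg", SAMPLE_STANDARD_WMF),
                 ("logo.jpeg", SAMPLE_PLACEABLE_WMF),
                 ("real.jpg", SAMPLE_JPEG),
                 ("chart.wmf", SAMPLE_STANDARD_WMF)])
    print("disguised WMF files:", hits)   # prints ['holiday.jpg', 'logo.jpeg']
```

An extension-based filter passes the first two files; a content check like this one, run at the mail gateway or proxy, is what the page's warning calls for.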


You can request an email containing such a WMF file via The H Emailcheck.

Remedy:
Microsoft provides a patch for Windows XP, 2000 and Server 2003 in MS06-001 to solve this problem.
