Conscientious Risk Management and WMF


This past week there have been a lot of questions about the WMF vulnerability, what Microsoft is doing, and what the community should do to protect against it. For many reasons, Microsoft's response to the problem is best left to those who do this for a living. However, there is a lot of interest in the community for ways to protect against the problem until an official patch is available. Obviously, a patch is the best protection there is, but until there is one, and until we can get it applied, do we just watch our systems melt around us? I cannot speak for Microsoft and this blog post is a purely personal opinion piece, not a Microsoft statement. However, I think this is just another risk management problem.

Let's look for just a minute at the vulnerability itself. It exploits a little-known function in Windows Meta Files (WMF). Those files are used for, well, I don't know really. I think they are mostly used for clipart in Office. In any case, the exploit involves a file with special commands in it, which would be rendered by shimgvw.dll acting on behalf of the user. The exploit requires user interaction, such as surfing to a web site hosting an image that exploits the problem, viewing an e-mail with an embedded such image in an e-mail program that shows those images (Outlook 2003 does not do so automatically), or opening an image as a file attachment. Of course, the usual "security researchers" are publishing canned versions, metasploit versions, and all other manner of sample exploits to make it possible for even criminals who barely know how to use a computer to exploit this issue. Jesper's Blog : Conscientious Risk Management and WMF via Microsoft Windows Security: WMF Risk Management

Linked by shanmuga Monday, 2nd January 2006 10:32PM