The Windows Metafile vulnerability—also called the Metafile Image Code Execution and abbreviated MICE—is a security vulnerability in the way some versions of the Microsoft Windows operating system handled images in the Windows Metafile format. It permits arbitrary code to be executed on affected computers without the permission of their users. It was discovered on December 27, 2006, and the first reports of affected computers were announced within 24 hours. Microsoft released a high-priority update to eliminate this vulnerability via Windows Update on January 5, 2007. Attacks using this vulnerability are known as WMF exploits.
The vulnerability was located in gdi32.dll and existed in all versions of Microsoft Windows from Windows 3.0 to Windows Server 2003 R2. However, attack vectors only exist in NT-based versions of Windows (Windows NT, Windows 2000, Windows XP and Windows Server 2003).
Exploits taking advantage of the vulnerability on Windows NT-based systems facilitated the propagation of various types of malware, typically through drive-by downloads.
Due to its extreme impact, this bug won the 2007 Pwnie Award for "Mass 0wnage" and "Breaking the Internet".
Affected systems
All versions of the Microsoft Windows operating system support the Windows Metafile graphics standard. All versions from Windows 3.0 to Windows Server 2003 R2 contain this security flaw.
However, Windows NT 4.0 and Windows XP, unless patched, are more vulnerable than earlier versions because their default installation enables Windows Metafile code execution, the source of the vulnerability.
Later versions of Windows do not have this vulnerability.
According to computer security expert Steve Gibson, Windows NT 4 is vulnerable to known exploits if image preview is enabled. Windows operating systems that do not have image preview enabled or that have hardware-based Data Execution Prevention (DEP) active for all applications should not be susceptible to this exploit.
Operating systems other than Windows (e.g., macOS, Unix, Linux, etc.) are not directly affected. However, a non-Windows system could become vulnerable if it runs software to view Windows WMF files. This could include software that incorporates or clones Windows' native Graphics Device Interface (GDI) dynamic-link library (DLL), or that runs Windows or Windows programs through an emulator or compatibility layer. A Unix-like system that uses Wine to emulate Windows, for example, could be exploited.
Gibson wrote the program MouseTrap, which his company distributes as freeware, to detect the Windows Metafile vulnerability in systems running Windows and Windows emulators.
The vulnerability
According to assessments by F-Secure, the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling.
According to Secunia, "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted SETABORTPROC 'Escape' records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails." According to the Windows 3.1 SDK documentation, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered. However, the obsoleted escape code was retained for compatibility with 16-bit programs written for (or at least backwards compatible with) Windows 3.0. This change happened at approximately the same time as Microsoft was creating the 32-bit reimplementation of GDI for Windows NT, and it is likely that the vulnerability was introduced during this effort.
The 'Escape' mechanism in question allows applications (not metafiles) to access output device features not yet abstracted by GDI, such as hardware-accelerated Bézier curves, encapsulated PostScript support, etc. This is done by passing an opcode, a size and a pointer to some data to the call, which will usually just pass it on to the driver. Because most Escape calls produce actual graphics, the general escape mechanism was allowed in metafiles, with little thought originally given to the possibility of using it for things like SETABORTPROC. Modern, non-vulnerable metafile interpreters now check the opcode against a blacklist or whitelist, while keeping the full set of opcodes available to regular code that calls the GDI escape functions directly (because such code is already running with the same privileges as any code it could make GDI call, there is no security risk in that case).
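The opcode check described above is the core of a defensive metafile filter. The following Python script is an added example, not code from the article, from Microsoft, or from any metafile interpreter: it walks the records of a WMF byte string using the public [MS-WMF] record layout (a 32-bit record size in 16-bit words, a 16-bit record function, META_ESCAPE = 0x0626 whose parameters begin with a 16-bit escape function and a 16-bit byte count, SETABORTPROC = 9) and applies a whitelist policy to every escape record it finds. The allowlist contents, the verdict strings and the sample files are constructed for this demonstration and are not from the page.

```python
"""Scan a Windows Metafile for escape records that a safe interpreter rejects.

Added example: not code from the article, from Microsoft, or from any
metafile interpreter. Record layout follows the public [MS-WMF] format:
each record is a 32-bit size in 16-bit words, a 16-bit function code, then
parameters; META_ESCAPE (0x0626) parameters start with a 16-bit escape
function and a 16-bit byte count. SETABORTPROC is escape function 9.
"""
import struct
from typing import Iterable, List, Optional, Tuple

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable (Aldus) header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009

# Escape functions this example's policy lets a metafile use. The set is a
# constructed allowlist for the demonstration; real interpreters pick their own.
ESCAPE_ALLOWLIST = {
    0x0001,  # NEWFRAME
    0x000F,  # MFCOMMENT
}

Finding = Tuple[int, Optional[int], str]   # (record offset, escape code, verdict)


def parse_records(data: bytes) -> Iterable[Tuple[int, int, bytes]]:
    """Yield (offset, function, params) for every record up to META_EOF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    if struct.unpack_from("<H", data, off + 2)[0] != 9:   # mtHeaderSize in words
        raise ValueError("unexpected WMF header size")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"malformed record at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("missing META_EOF record")


def scan(data: bytes, allowlist=frozenset(ESCAPE_ALLOWLIST)) -> List[Finding]:
    """Apply the allowlist policy to every escape record in the file."""
    findings: List[Finding] = []
    for off, func, params in parse_records(data):
        if func != META_ESCAPE:
            continue                               # ordinary drawing record
        if len(params) < 4:
            findings.append((off, None, "blocked: malformed escape record"))
            continue
        escape_code, byte_count = struct.unpack_from("<HH", params, 0)
        if escape_code == SETABORTPROC:
            verdict = "blocked: SETABORTPROC escape in a metafile"
        elif escape_code not in allowlist:
            verdict = "blocked: escape not on allowlist"
        elif byte_count > len(params) - 4:
            verdict = "blocked: escape byte count exceeds record"
        else:
            verdict = "allowed"
        findings.append((off, escape_code, verdict))
    return findings


def is_safe(data: bytes) -> bool:
    """True when every escape record in the file passes the policy."""
    return all(verdict == "allowed" for _, _, verdict in scan(data))


# --- constructed sample files for the demonstration ------------------------

def build_record(func: int, params: bytes) -> bytes:
    """Encode one WMF record; params must have even length."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: List[bytes]) -> bytes:
    """Wrap records in a standard 18-byte WMF header plus META_EOF."""
    body = b"".join(records) + build_record(META_EOF, b"")
    max_words = max(len(r) for r in records + [build_record(META_EOF, b"")]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_words, 0)
    return header + body


PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0)

BENIGN_WMF = build_wmf([
    build_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    build_record(META_ESCAPE, struct.pack("<HH", 0x0001, 0)),       # NEWFRAME
])
FLAGGED_WMF = build_wmf([
    build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("flagged", FLAGGED_WMF)):
        print(name, "safe" if is_safe(sample) else "unsafe", scan(sample))
```

The policy is deliberately an allowlist rather than a blocklist of SETABORTPROC alone: a metafile has no legitimate reason to install callbacks or touch printer state, so anything outside the small set a renderer needs is rejected, and the per-record byte count is checked against the record length so a truncated escape cannot read past its own record.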
It is worth noting that 16-bit Windows (except the rarely used Real mode of Windows 3.0) was immune to the vulnerability because the pointer specified in the metafile can only point to data within the metafile, and 16-bit Windows always had full no-execute-data enforcement mandated by the segmented architecture of 16-bit protected mode. Windows NT for CPU architectures other than 32-bit x86 (such as MIPS, PowerPC, Alpha, Itanium and x86_64) required return-oriented programming to exploit, because those architectures had the no-execute functionality missing from older x86 processors.
The vulnerability is in the Common Vulnerabilities and Exposures database, US-CERT reference VU#181038 and Microsoft Knowledge Base Article 912840. It was first observed in the wild by researchers at Sunbelt Software on December 28, 2005, and announced publicly by the company's president Alex Eckelberry.
Propagation and infection
Computers can be affected via the spread of infected e-mails which carry the hacked WMF file as an attachment. Infection may also result from:
* Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows from 1996 through Windows 10, does this.
* Previewing an infected file in Windows Explorer.
* Viewing an infected image file using some vulnerable image-viewing programs.
* Previewing or opening infected emails in older versions of Microsoft Outlook and Outlook Express.
* Indexing a hard disk containing an infected file with Google Desktop.
* Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.
Other methods may also be used to propagate infection. Because the problem is within the operating system, using non-Microsoft browsers such as Firefox or Opera does not provide complete protection. Users are typically prompted to download and view a malicious file, infecting the computer. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.
According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.
McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by December 31, 2005.
Official patch
Microsoft released an official patch to address the problem on January 5, 2006. This patch may be applied in lieu of other corrective measures.
The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. Windows NT 4 and other older operating systems did not receive a patch as they were no longer supported by Microsoft by then.
Steve Gibson stated in his Security Now! podcast No. 20 that his company, Gibson Research Corporation, would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated in a later Security Now! podcast, No. 23, that Windows 9x and ME are not vulnerable and do not need patching. Windows 9x/ME users can run his MouseTrap utility to see this for themselves.
A free downloadable patch for Windows NT has been provided by Paolo Monti from Future Time, the Italian distributor of Eset's NOD32 anti-virus system. The patch works on older operating systems, but it is supplied without warranty.
There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to ask before installing automatically downloaded updates. This causes an automatic reboot, which can cause loss of data if the user has a program open with unsaved changes.
Other corrective measures
These measures are of historical interest only on systems updated on or after January 5, 2006.
Workaround
As a workaround before a patch was available, on December 28, 2005, Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll (which can be done by executing the command regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt), which invokes previewing of image files and is exploited by most of these attacks. The DLL can be re-registered after patching by running regsvr32.exe shimgvw.dll. This workaround blocks a common attack vector but does not eliminate the vulnerability.
Third-party patch
A third-party patch was released by Ilfak Guilfanov on December 31, 2005, to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of the SANS Institute Internet Storm Center and F-Secure. Because of the large amount of publicity, including being indirectly slashdotted, Guilfanov's website received more visitors than it could cope with and was suspended on January 3, 2006; the patch was still available for download from a number of mirrors, including the Internet Storm Center website.
Guilfanov's website went back online on January 4 in a much-reduced state. No longer providing the patch on-site due to bandwidth issues, the homepage provided a list of mirrors where a user could download the patch and the associated vulnerability-checker, and the MD5 checksum for the file, so that it could be checked that a downloaded file was probably genuine.
After Microsoft released its patch, Guilfanov withdrew his.
Risk reduction techniques
Microsoft says its patch removes the flawed functionality in GDI32 that allowed the WMF vulnerability. For computers running an unpatched version of Windows, a defence in depth approach was recommended, to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:
*Make hardware-enforced Data Execution Prevention effective for all applications.
*Set the default WMF application to be one not susceptible to infection, such as Notepad.
*Do not use Internet Explorer, or at least turn off downloads by setting the default security settings to high.
*Keep all anti-virus software up-to-date. Consider frequent manual updates.
*Block all WMF files on the network perimeter by file-header filtering.
*Use user accounts that are configured with only the user rights that are required.
*Disable image loading in Internet Explorer and all other browsers.
*Disable image loading in Outlook Express.
*Disable hyperlinks in MSN Messenger.
*Disable the Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
*Disable Desktop Search applications such as Google Desktop or Windows Desktop Search until the problem is corrected.
According to a SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer ''may'' offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening the maliciously crafted Windows Metafile, and does not protect against the vulnerability being exploited, as these browsers still open the metafile if it is masquerading as another format. It is better to entirely disable image loading in any browser used.
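Both the perimeter file-header filtering above and the masquerading caveat come down to recognising a WMF by its bytes rather than by its extension. The following detector is an added example, not code from this article or from any vendor it cites: it parses the standard WMF header and record stream and reports Escape records whose sub-function is SETABORTPROC, the escape named in the advisories. The record constants follow the published WMF format; the sample files are constructed inline and carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # key of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # RecordFunction of an Escape record
SETABORTPROC = 0x0009       # Escape sub-function named in the WMF advisories
META_EOF = 0x0000

def _body_offset(data: bytes) -> int:
    """Where the standard 18-byte header starts (22 if a placeable header leads)."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22
    return 0

def is_wmf(data: bytes) -> bool:
    """Recognise a WMF by its header bytes alone, whatever the file extension says."""
    off = _body_offset(data)
    if len(data) < off + 18:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, off)
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def find_setabortproc(data: bytes) -> list:
    """Byte offsets of every Escape record whose sub-function is SETABORTPROC."""
    hits = []
    if not is_wmf(data):
        return hits
    off = _body_offset(data) + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:   # end of stream or corrupt record
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2                    # RecordSize counts 16-bit words
    return hits

def _record(func: int, params: bytes) -> bytes:
    """Build one record; params must be an even number of bytes."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

# Constructed samples, not real files: 18-byte header (size fields left 0),
# one benign META_SETMAPMODE record, optionally an Escape(SETABORTPROC)
# record with four zero bytes of escape data, then META_EOF.
HEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
BENIGN = _record(0x0103, struct.pack("<H", 8))
SUSPECT = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
SAMPLE_OK = HEADER + BENIGN + _record(META_EOF, b"")
SAMPLE_BAD = HEADER + BENIGN + SUSPECT + _record(META_EOF, b"")
```

Run `find_setabortproc` over the bytes of any file crossing the perimeter; a non-empty result on something presented as a .jpg or .gif is exactly the masquerading case described above.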
Accusations
In 2006 Steve Gibson suggested that the peculiar nature of the 'bug' was an indication that the vulnerability was actually a backdoor intentionally engineered into the system.
The accusation became an assertion and spread through the internet as a rumor after the technology news website Slashdot picked up Gibson's speculation. The rumor was widely debunked (Otto Helweg for Mark Russinovich's Blog, January 18, 200, "Inside the WMF Backdoor"), and Thomas Greene, writing in ''The Register'', attributed Gibson's mistake to "his lack of security experience" and called him a "popinjay expert".
Notes
# Security Watch: Iniquitous Images Imperil the Internet! Larry Seltzer, PC Magazine.
# A Description of the Image Preview Feature in Windows Millennium Edition. Microsoft.
# Microsoft clarifies DEP issue.
# to run WMF files.
# Linux/BSD still exposed to WMF exploit through WINE. ZDNet.
# F-Secure.
# by McAfee.
# Microsoft Security Advisory (912840) - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. Microsoft official advisory on the vulnerability.
# Unofficial patch by Ilfak Guilfanov.
# Trustworthy Computing. SANS Institute Internet Storm Center.
# F-Secure.
# Trustworthy Computing. Slashdot, linking to SANS Institute Internet Storm Center's article titled Trustworthy Computing (see above).
# .MSI installer file for WMF flaw available. SANS Institute Internet Storm Center.
# How to Configure Memory Protection in Windows XP SP2. Software-enforced Data Execution Prevention (DEP) feature in Microsoft Windows XP SP 2.
# How to improve browsing performance in Internet Explorer (KB153790). Microsoft.
# Images are blocked when you open an e-mail message in Outlook Express on a Windows XP Service Pack 2-based computer (KB843018). Microsoft.
# http://www.nod32.ch/en/download/tools.php Unofficial WMF patch by Paolo Monti distributed by ESET.
# http://blogs.securiteam.com/index.php/archives/210 Unofficial Windows 98SE patch by Tom Walsh.
External links
*Wikinews: Microsoft Windows metafiles are a vector for computer viruses
*Metafile Image Code Execution
*Microsoft Security Bulletin for novice Home Users
*Microsoft Security Bulletin MS08-021
*Microsoft Security Bulletin MS06-001
*WMF FAQ – SANS Institute Internet Storm Center
*– Washington Post
*Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution – Secunia advisory
*Summary of status as of 1 January
*Looking at the WMF issue, how did it get there? – Microsoft Security Response Center Blog
*New exploit released for the WMF vulnerability – SANS Institute Internet Storm Center
*– F-Secure
*Lotus Notes Vulnerable to WMF 0-Day Exploit – SANS Institute Internet Storm Center
*– Ilfak Guilfanov
*– Metasploit Project
*Microsoft Developer Network pages for Escape and SetAbortProc
*Mark Russinovich's Technical Commentary on the Backdoor Controversy