SANS Internet Storm Center WMF workarounds and patches PowerPoint Presentation
Presentation Transcript

  1. SANS Internet Storm Center WMF workarounds and patches

  2. Outline
     • How does WMF work?
     • How does the exploit work?
     • What does the Microsoft recommendation do?
     • What does the unofficial patch do?

  3. About the Internet Storm Center
     • Cooperative incident response community
     • Volunteer operated (about 40 ISC handlers)
     • Vendor neutral
     • Operating the largest worldwide sensor network
     • Depending on input from readers and volunteers donating a large part of their holiday weekend

  4. WMF: how it works [diagram: Application → shimgvw.dll → GDI32.DLL, with the WMF file as the input]

  5. WMF: how it works
     • A WMF file finds its way onto a Windows machine
     • The application opening the file calls shimgvw.dll
     • Which in turn calls GDI32.DLL to do the actual work

  6. WMF: exploit [diagram: Application → shimgvw.dll → GDI32.DLL Escape(), with the arrow from Escape() leading back into the exploit data inside the WMF file]

  7. WMF: exploit
     • A WMF exploit is an image with a potentially huge payload of exploit code
     • The application will open the file and call shimgvw.dll
     • Which will call GDI32.DLL
     • But the function calls in the image data will cause the Escape() of GDI32.DLL to jump back to the data (now code) in the image itself
     • From there on it depends on the payload what will happen next …
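The slides describe the exploit chain in prose only. As an added example (not part of the ISC deck), the following Python walks the records of a WMF file and reports every record that would reach GDI32's Escape(), which is the kind of check a defender can run over mail attachments or web proxy captures for triage. The record type number (META_ESCAPE = 0x0626) and the SETABORTPROC sub-function number (9) come from the WMF format, not from the slides; the sample file bytes are constructed here and carry no payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix
META_EOF = 0x0000
META_SETMAPMODE = 0x0103       # an ordinary, harmless record type for the sample
META_ESCAPE = 0x0626           # record type that is dispatched to GDI32's Escape()
SETABORTPROC = 9               # Escape sub-function that registers a callback

def wmf_records(data):
    """Yield (offset, function, params) per record; stop at EOF or the first malformed record."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                 # skip the placeable header
    off += 18                                    # standard 18-byte WMF header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2                 # rdSize is counted in 16-bit words
        if rec_len < 6 or off + rec_len > len(data):
            break                                # oversized/truncated rdSize: never read past the end
        yield off, func, data[off + 6:off + rec_len]
        if func == META_EOF:
            break
        off += rec_len

def escape_records(data):
    """Return (offset, escape_subfunction, byte_count) for every Escape record."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            sub, count = struct.unpack_from("<HH", params, 0)
            hits.append((off, sub, count))
    return hits

def has_setabortproc(data):
    """True if any Escape record uses the SETABORTPROC sub-function."""
    return any(sub == SETABORTPROC for _, sub, _ in escape_records(data))

# Constructed 42-byte sample (not a real exploit): header, one SetMapMode
# record, one Escape/SETABORTPROC record with an empty body, then EOF.
SAMPLE = (
    struct.pack("<HHHIHIH", 1, 9, 0x0300, 21, 0, 5, 0)      # 18-byte header
    + struct.pack("<IHH", 4, META_SETMAPMODE, 8)            # 8-byte ordinary record
    + struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0) # 10-byte Escape record
    + struct.pack("<IH", 3, META_EOF)                       # 6-byte EOF record
)

if __name__ == "__main__":
    print(escape_records(SAMPLE))       # [(26, 9, 0)]
    print(has_setabortproc(SAMPLE))     # True
```

A file with no Escape records at all is by far the common case for legitimate WMF images, so any hit is worth a closer look; a SETABORTPROC hit is a strong signal.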

  8. WMF: Microsoft unregister [diagram: the chain Application → shimgvw.dll → GDI32.DLL Escape(), with shimgvw.dll crossed out; caption: "Who's gonna call?"]

  9. WMF: Microsoft's solution
     • Microsoft advised to unregister shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL
     • This will work for all applications that follow this path, but:
       • Nothing prevents direct calls to GDI32.DLL from being made by other applications
       • Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life
       • The library might be registered again by other software
     • Aside from the unregistration, Microsoft also recommends:
       • user awareness, not surfing to "bad" places and all other sorts of generic solutions that are not relevant to this problem
       • keeping anti-virus signatures up to date, but our tests show that many anti-virus products trigger on the payload if they trigger at all, and the payload of the successful massive attack will be new

  10. WMF: how it works: unofficial patch [diagram: Application → shimgvw.dll → GDI32.DLL Escape(), with the UNOFFICIAL PATCH placed in front of Escape() so the exploit data in the WMF file no longer reaches it]

  11. WMF: how it works: unofficial patch
     • The unofficial patch protects the in-memory copy of GDI32.DLL by preventing access to the vulnerable Escape() function
     • This patch was made by Ilfak Guilfanov
     • Unofficial patches generally are indeed a bad idea, but:
       • This patch was reviewed and vetted by Tom Liston, handler at the Internet Storm Center
       • There is no other proper solution till Microsoft fixes things
     • The bad guys now know the deadline: they have 1 week to come up with the über-payload to infect millions
       • Do you want to be among the casualties?
       • Or do you want to be prepared to the best of your abilities?