
XnView crashes with *.wmf-exploit-image

Posted: Tue Jan 03, 2006 3:18 am
by bloodflash
Testcase:
http://www.heise.de/security/dienste/br ... wmfexp.php

This URL loads a test image for the Windows WMF vulnerability from the German IT mag "c't".
This image forces XnView to crash immediately on my W2kSP4 system.

Posted: Tue Jan 03, 2006 6:25 pm
by Danny
Well, in this case, that's better than executing the embedded code at least.

Posted: Wed Jan 04, 2006 6:36 am
by Guest
But some users won't recognize the reason. And when a similar image is saved in the XnView standard-startup-folder such a user can't use XnView any more!

Posted: Wed Jan 04, 2006 8:44 am
by helmut
Danny wrote: "Well, in this case, that's better than executing the embedded code at least."
Does XnView crash before executing the code or after? (Maybe a dumb question, I'm not deep in the WMF exploit discussion).

Posted: Wed Jan 04, 2006 8:46 am
by ckit
None of you should be discussing this until Microsoft has released their patch on Tuesday 10th Jan.

Win2000 users:
From command line, type "regsvr32 -u c:\winnt\system32\shimgvw.dll"
and press Enter. Any other bugs will have to wait for now.

Posted: Wed Jan 04, 2006 10:27 am
by Guest

Code:

regsvr32 -u %windir%\system32\shimgvw.dll
Does not help. At least not on my W2K system. The German magazine c't has published a test for this exploit (which will run calc.exe) and calc.exe is executing when opening the test file with XnView (even after running the above line).

IrfanView simply complains about an invalid file format. I will switch to IrfanView until this has been solved :)

Posted: Wed Jan 04, 2006 11:06 am
by robc
It's obvious that it's no use unregistering the DLL in this case: doing that just disables standard opening and processing of a WMF file saved on a disk; if you've associated image files with other applications than Windows Picture and Fax Viewer, the result depends on that application's behavior. The flaw lies in gdi32.dll, which is at the core of the Windows graphics subsystem, so any and all apps using standard APIs for WMF processing (thumbnailing, indexing, opening etc.) may be vulnerable... not to speak of the fact that browsing to a page containing a malicious WMF may be enough to get hit, since of course the browser doesn't use that DLL to render WMFs.

Posted: Wed Jan 18, 2006 6:12 am
by Guest
How do you stop it? Firefox seems to open wmf for me in wmp. :( Could a pac file work, going to options>file types and removing anything that opens wmf?

Posted: Wed Jan 18, 2006 4:50 pm
by Drahken
You can use a PAC file to block any file with the .wmf extension, although that won't help if they rename the file to "worm.jpg" or "worm.png" or some such.

Go to about:config and search for "ask"; you should find 3 entries:
browser.helperApps.neverAsk.openFile
browser.helperApps.neverAsk.saveToDisk
browser.helperApps.alwaysAsk.force

Edit the openFile one and make certain to remove any wmf entries. Now add WMF to one of the other 2 (always ask is safer, but saveToDisk should be safe as well).
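
The PAC approach from the post above, as an added example that is not part of the original thread: a proxy auto-config script that refuses any URL whose path ends in .wmf. The black-hole proxy address and the helper names pathOf and isWmfUrl are assumptions made for illustration; as the post says, a file served under another extension still gets through.

```javascript
// Added example: PAC file that refuses URLs whose path ends in .wmf.
// BLACKHOLE is an assumed dead local proxy address; nothing listens there,
// so the browser's request fails instead of fetching the file.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Hypothetical helper: return the lower-cased, percent-decoded path of a
// URL, with the query string and fragment removed.
function pathOf(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*([^?#]*)/i.exec(url);
  var path = m ? m[1] : "";
  try {
    path = decodeURIComponent(path);   // catches "%2Ewmf" and "%77mf"
  } catch (e) {
    // malformed escape sequence: fall back to the raw path
  }
  return path.toLowerCase();
}

// Hypothetical helper: true when the last path segment has a .wmf
// extension. Trailing dots and spaces are ignored because Windows drops
// them from file names.
function isWmfUrl(url) {
  var last = pathOf(url).split("/").pop();
  return /\.wmf[. ]*$/.test(last);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isWmfUrl(url) ? BLACKHOLE : "DIRECT";
}
```

Current Chrome and Firefox pass PAC scripts only the scheme and host of https:// URLs, so the path test takes effect for http:// requests only.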