The recent SANS ISC post about the WMF vulnerability has completely annihilated this argument. I have criticized SANS in the past, but I cannot fault their handling of the ongoing fiasco. I've never seen anything like this plea by Tom Liston before:
Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.
Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
The unofficial patch Tom references was written by Ilfak Guilfanov and described here. What is this? It's a patch created by a non-Microsoft developer, acting more rapidly than Microsoft itself. Sure, you can argue that Microsoft is working now to develop a patch that will hopefully address deeper problems, perhaps serious problems. Nevertheless, SANS has reverse engineered the unoffical patch to ensure its validity, wrote a FAQ about the vulnerability, and is now hosting a .msi to ease patch installation. This is unprecedented.
Where is Microsoft on this issue? They published their initial advisory on 28 Dec and updated it 30 Dec. Nothing they've done has helped resolve the issue. Meanwhile, the Metasploit project has released a module to generate malicious WMF files. This puts exploit creation in the hands of the lowest common denomintaor.
F-Secure reports the WMF issue is truly "a feature, not a bug," due to Microsoft's design of the WMF format. In fact, F-secure says
"'The WMF vulnerability' probably affects more computers than any other security vulnerability, ever."
Everyone who paid good money to Microsoft to fulfill its duty as a commercial vendor selling closed, proprietary software is still waiting for an official patch. Meanwhile, users are owned by exploit spam and targeted WMF email attacks. Remember this example the next time your management refuses to allow running open source software because "no one is responsible for problems."
When private third parties like SANS and Ilfak Guilfanov have to step up to the plate to save the world, the argument for exclusively running closed, proprietary software with a poor security record is weak indeed.
Note: I do not mean to unduly criticize Microsoft employees. I know several of them who are really sharp. At the end of the day, however, Microsoft as a corporation is AWOL on the WMF issue.
Update: SANS has temporarily pulled their .msi. However, I just installed the original .exe on a Windows XP SP2 system without incident. I also unregistered the shimgvw.dll library. Ilfak Guilfanov's patch creates this directory on the host:
Volume in drive C has no label.
Volume Serial Number is 30EF-BD7B
Directory of C:\Program Files\WindowsMetafileFix>
01/02/2006 08:52 AM DIR .
01/02/2006 08:52 AM DIR ..
01/01/2006 12:38 PM 155 compile.bat
01/01/2006 03:54 PM 1,141 Readme.txt
01/02/2006 08:52 AM 3,537 unins000.dat
01/02/2006 08:52 AM 673,546 unins000.exe
01/01/2006 03:41 PM 7,022 wmfhotfix.cpp
5 File(s) 685,401 bytes
2 Dir(s) 3,207,041,024 bytes free
C:\Program Files\WindowsMetafileFix>type Readme.txt
MS WINDOWS METAFILE VULNERABILITY HOTFIX v1.3
PLEASE READ THE FOLLOWING CAREFULLY!
This is a temporary fix for the MS Windows
Metafile file vulnerability:
It has been tested on Windows 2000, Windows XP,
and Windows XP Professional 64bit.
Please use it at your own risk and switch
to the official patch from Microsoft as soon
as it is be available.
THIS FIX IS PROVIDED 'AS IS' WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF FITNESS
FOR A PURPOSE, OR THE WARRANTY OF NON-INFRINGEMENT.
IN NO EVENT SHALL ILFAK GUILFANOV BE LIABLE TO YOU
OR ANY THIRD PARTIES FOR ANY SPECIAL, PUNITIVE,
INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES
OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER OR NOT HE HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES, AND ON ANY THEORY OF
LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE
OF THIS SOFTWARE.
Copyright 2006 by Ilfak Guilfanov, email@example.com
As you can see, you can inspect the .cpp file and compile it yourself if you do not want to run the compiled wmffix_hexblog13.exe.