Windows WMF Metafile Vulnerability HotFix

This week a new vulnerability was found in Windows:

http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it.

The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:

http://www.hexblog.com/security/files/wmffix_hexblog14.exe

It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Technical details: this is a DLL which gets injected into all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
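As an added example (not the hotfix's own code), here is a small Python scanner that walks the records of a WMF file and flags META_ESCAPE records carrying the SETABORTPROC escape, i.e. the escape the in-memory patch refuses; the record layout constants are those of the public WMF format, and the two sample files are constructed inline for the demo.

```python
"""
Scan a Windows Metafile (WMF) for META_ESCAPE records carrying the
SETABORTPROC escape (the escape that the hotfix described above refuses
in its in-memory patch of gdi32!Escape).  Added example for triaging
files in quarantine; it is not the hotfix's code.  Layout constants
follow the public WMF format; the sample files below are constructed.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626         # RecordFunction of an escape record
META_EOF = 0x0000
SETABORTPROC = 0x0009        # escape function abused by the WMF exploits
META_SETMAPMODE = 0x0103     # harmless record used in the constructed samples


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Stops, rather than raising, on a malformed size field: a truncated or
    corrupt record is itself worth flagging, and a scanner must not crash
    on attacker-controlled input.  A None function marks that condition.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    if header_words != 9:                          # META_HEADER is always 9 words
        yield off, None, data[off:]
        return
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                      # Size field counts 16-bit words
        if size < 6 or off + size > len(data):     # corrupt/truncated record
            yield off, None, data[off:]
            return
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(off)
    return hits


def scan_report(data):
    """Summarise a file: record count, SETABORTPROC hits, and whether parsing hit corruption."""
    n = 0
    corrupt = False
    for _, func, _ in iter_records(data):
        if func is None:
            corrupt = True
        else:
            n += 1
    return {"records": n, "setabortproc_at": find_setabortproc(data), "corrupt": corrupt}


def build_record(func, params=b""):
    """Encode one WMF record: Size (words, u32) + RecordFunction (u16) + params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Wrap records in a standard 18-byte META_HEADER (no placeable header)."""
    eof = build_record(META_EOF)
    body = b"".join(records) + eof
    total_words = (18 + len(body)) // 2
    max_record = max(len(r) for r in records + [eof]) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


# Constructed samples: a harmless file, and one carrying a SETABORTPROC escape
# record with an empty (all-zero) payload, which is enough to exercise the check.
CLEAN_WMF = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8))])
FLAGGED_WMF = build_wmf([
    build_record(META_SETMAPMODE, struct.pack("<H", 8)),
    build_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),
])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_WMF), ("flagged", FLAGGED_WMF)):
        print(name, scan_report(blob))
```

A truncated or corrupt file is reported with "corrupt": True rather than raising, which is the behaviour you want when the scanner runs over quarantined input.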

I can imagine situations in which this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability HotFix". I'd like to know what programs are crippled by the fix, please tell me.

I recommend that you uninstall this fix and use the official patch from Microsoft as soon as it is available.

The fix can be applied in automatic mode using the following command line:

wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

These switches do not suppress dialog boxes about installation errors.
The /LOG="file" switch can be added to the command line to create a log file.

The usual software disclaimer applies...

File: wmffix_hexblog14.exe (the source code is included)

UPD: more error checking
UPD: Version 1.1 with Win2000 support
UPD: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
UPD: Version 1.3: added support for Windows 2000 SP4
UPD: added information about silent mode
UPD: comments are turned off. A discussion forum is available here.
UPD: Version 1.4: completely silent mode, suitable for use in the scripts (see this entry for more details)

There is no need to reinstall anything!
Old hotfixes are perfectly ok.

TrackBack

Listed below are links to weblogs that reference Windows WMF Metafile Vulnerability HotFix:

» Attention: WMF exploit under Windows! (Update) from Hexagon Business Weblog
For a few days there has been a hole in Windows that exploits a bug in the library SHIMGVW.DLL to inject malicious code into the system via WMF images. Apparently thousands of websites are already using this exploit and it is reall... [Read More]

» Indexing and the WMF exploit (plus some extra information) from The PC Doctor
It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as Google Desktop) can, if they come across an infected WMF file, run the file and trigger the exploit.  As such, SANS  and F-Secur... [Read More]

» More on the IE WMF 0-day exploit: Attacks via popups - First worm via MSN - Unofficial patch from Marcelo.ar
It is worth noting, once again, that successful exploitation of this serious vulnerability in the processing of WMF image files will depend largely on the browser used by the attacked user: it is enough to visit a sit [Read More]

» Microsoft's WMF screen door still open but small patch available from Zero Day Security
Earlier this week Microsoft announced a Zero-Day buffer overflow vulnerability in its Windows Metafile (WMF) graphics format affecting all versions of Windows. Here it is days later and there's still no resolution. Unfortunately, F-Secure is reporting t... [Read More]

» Ilfak's hotfix for the Windows WMF vulnerability from DIY directory
There is currently no patch from Microsoft to fix the WMF vulnerability problem, but Ilfak Guilfanov made and published a hotfix on his blog. [...] [Read More]

» WMF Exploit Firsthand from Extemporaneous Mumblings
[Read More]

» Windows WMF Metafile Vulnerability HotFix from SecNews
Source: Hex blog - By Ilfak Guilfanov
This week a new vulnerability was found in Windows:
http://www.microsoft.com/technet/security/advisory/912840.mspx
Browsing the web was ... [Read More]

» IMPORTANT: Windows WMF Metafile Vulnerability HotFix from Ask Jack
From Ilfak Guilfanov's HexBlog: "Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly... [Read More]

» IMPORTANT: Major security hole in Windows WMF from Guardian Unlimited: Technology
Your Windows PC can now be infected with the nastiest malware imaginable just by viewing an image, or just by (say) Google Desktop or Lotus Notes or some other software accessing the image without you even seeing it. Using a... [Read More]

» Windows Metafile Vulnerability: Update 1 from Just a Bump in the Beltway
There have been a few developments since I published the first advisory post about this vulnerability, on December 28, 2005: 0-day Windows Metafile image file vulnerability currently being exploited in the wild. Some of these are good. Most of them... [Read More]

» Newest WMF Exploit Patch Saves the Day from CastleCops
Interim WMF Exploit Savior We've all been following the dramatic story of the whole wmf exploit and how it is easily spoofed into other image types. The last day of 2005 the wmf exploit exploded into other various venues such as instant messages, ema... [Read More]

» Well it was only a matter of time. from blog.ncircle.com
The WMF worm has arrived. We heard about it here first on Dec 27th. The title of this article just about sums it up "WMF 0-day: Exploit spreads, defenses few" Talk about an equal opportunity vulnerability. You are screwed using... [Read More]

» Unofficial patch for the WMF vulnerability recommended by SANS ISC and F-Secure from marcelo
After carefully reviewing the unofficial patch created by Ilfak Guilfanov (which I pointed to at the end of yesterday's post), the SANS Internet Storm Center recommends installing it, since the patch does what it promises... [Read More]

» WMF Exploit fix. from Jim Gall's Blog
If you’re running Windows 2000/XP/2003/x64, I really recommend installing the following patch, and use it until Microsoft releases an official fix (if ever). Click here for details/download ... [Read More]

» Windows WMF Metafile Vulnerability fix from reverse engineer from cubicgarden.com...
meta-technorati-tags=worm, microsoft, malicious, exploits, patch Well, is this a good way to start 2006, Microsoft? A very serious exploit was found in Windows during last week, and this time it's a 0day exploit, which means there's no patch availabl... [Read More]

» Unofficial WMF Vulnerability patch Has Been Released from Lawrence Abrams
An unofficial patch for the WMF vulnerability patch has been released. This program will patch in memory the Escape() routine of GDI32.dll so that it will not accept the SETABORT escape sequence that is being used to exploit this vulnerability. ... [Read More]

» Pulling Microsoft's chestnuts out of the fire from un lugar en el mundo...
...detect vulnerable systems (almost all Windows versions, as I have already said) and an unofficial patch that effectively fixes the vulnerability and for which the source co... [Read More]

» Download and install this if you don't want to get rooted by the WMF exploits from Aaron Tiensivu's Blog
http://www.hexblog.com/2005/12/wmf_vuln.html I've seen and heard about too many infections that this can not wait until the January Patch Tuesday. [Read More]

» Changes between the current version and version 1 are highlighted. from grinの勝手気ままに戯言メモ
Although it is unofficial, a patch for the WMF vulnerability has been relea... by SUNS [Read More]

» The number of those recommending the WMF temporary patch is growing from Networksecurity.fi Weblog - Juha-Matti Laurio
The domestic CERT-FI has also joined those recommending the temporary fix for the Windows Metafile vulnerability written by Ilfak Guilfanov. F-Secure's weblog was the first to report and link to the availability of the code, on Saturday afternoon. Internet St... [Read More]

» oh the stupidity of CYA from ydns' blog
wow, look, no one using linux is affected by this...huh... [Read More]

» New Windows Exploit... Patch At Your Own Risk from Technicalities
I should have posted on this earlier today, I've been pretty lazy about it though. It seems (let's have a huge surprised look on our faces now) that there is yet another Windows Exploit making the rounds. Unfortunately, this is... [Read More]

» Hex blog: Windows WMF Metafile Vulnerability HotFix from Groovy Links
http://dev.upian.com/hotlinks/archives/2006/01/02/#item49602 [Read More]

» WMF Patch from Geek Matters
I mentioned the WMF vulnerability in Windows recently. Microsoft has not yet released a fix, which leaves you all out to dry. This guy has put together a temporary fix that actually works like a rootkit (while a hacking tool and part of Sony’s D... [Read More]

» Public Service Announcement from Classical Values
There's a new computer virus threat described as "huge": ....the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which requir... [Read More]

» [Virus appears] Additional information on the Windows vulnerability [We're doomed] from 2ちゃんねる旅行記
ITPro: A new image file exploiting the Windows vulnerability has appeared, and it may also arrive by e-mail. The e-mail subject is "Happy New Year" and the attached file is named "HappyNewYear.jpg". This file [Read More]

» WMF vulnerability from Dominic White's .tHE pRODUCT
I have been desperately trying to avoid blogging, but this is just hectic. A vulnerability (a feature not a bug) in WMF files allows code to be embedded and executed upon viewing the file. The libraries for handling WMF files are pretty universal across [Read More]

» WMF problem in Windows from strelitzia.net | developments
Millions of lines of code and yet another bug has been found. And exploited. And temporarily fixed. This time it is a nasty one, where WMF-images are executing code, which was introduced a long time ago and still exists in current Windows versions. I... [Read More]

» A new critical flaw in Microsoft systems - controversy over the publication of a fix from Greyhats - Blog sur la sécurité et l'informatique en général
It appears, according to F-Secure, that the problem is not a bug but a feature of Microsoft's format, which was designed in the early 80s. It is indeed possible to include code directly in images, which might have seemed... [Read More]

» The WMF vulnerability in Windows from Fruitbox - inte bara en fruktskål
A serious security problem has been discovered and some effort has been spent on solving it. However, Microsoft has not done so, and it may take a long time. They have produced something they call a solution, but it is not a complete solution at all. Ilfak G... [Read More]

» Friendly reminder: beware of WMF trojans during the Spring Festival holiday from daishuo
The Spring Festival is almost here; everyone be careful of WMF trojans when going online over the holiday. This kind of trojan has already started to spread. For information on WMF trojans, see the following articles: MS06-001 released early to fix the WMF 0day vulnerability; Exploit.WMF.SetAbortProc; WMF 0-day vulnerability... [Read More]

Comments

Thank you for this, though a ready-made MSI package would be nice for us who would like to spread this through group policies or clear documentation what exactly this installs so I could make one myself.

Ok, I'll see how to prepare an MSI package (never tried before).

As about the installer, it does the following:

- extracts and tries to use wmfhotfix.dll on the target system
- if it fails, it informs the user and quits
- otherwise it copies wmfhotfix.dll to the system directory and creates/updates this registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
- the installer also creates the WindowsMetafileFix directory in the "Program files" and copies there the source code of the dll. These files are not required for the dll to work.

The most difficult thing is to update the registry key because we can not simply overwrite it but have to preserve its contents. I had to program it manually since InnoSetup does not support this type of update (or did I miss it? It is a great setup, I like it a lot!)

Does this hotfix also work on Windows 2003 Server?

I could not try it (I don't have Windows2003 here) but most likely it will work.

Please try it - if a compatibility issue arises, it will quit without modifying anything in the system.

I just made an MSI file that does the things listed above. It installed and uninstalled cleanly on my test machine XP Pro SP2. I'm still just wondering about some metadata on the package before putting it for download (publisher, product url etc).

You are fast! I just read Microsoft's article how to create MSI packages and was wondering about a clean machine...

You can put my name and hexblog.com in package + plus your name to reflect the fact that you repackaged it.

One more thing: I updated the wmfhotfix.dll. The previous version could silently fail at VirtualProtect() - well, in theory.

The MSI repackaging can be downloaded at your own risk at:

http://users.utu.fi/vpjsuu/wmfhotfix/

Will this work on XP Pro SP1? This is the OS that it is really needed for as I have read of several good workarounds for XP SP2. Plus, how about a fix for all of us who have other older computers running 98SE?

I haven't tried it on XP SP1, please try.

As about 98SE, sorry, it is out of my reach...

VS: thanks for the msi package!

Hi,
WMFfix tells me that the fix is not compatible with my system.
I'm running WinXP Prof.
Any idea?

Oh, I have XP SP1 only, looks like it doesn't like the fix :(

Patch appears to work on Win2003 Server.

Nice, but what exactly is happening? Are you simply patching gdi32.dll? If so, what about hex-editing gdi32.dll and changing the call name SETABORT to something else? I'd like to see some tech stuff such as hex data, since this one is only for XP; hex-editing is possible on any system.

Thank you, one and all, for sharing your knowledge and efforts on this issue.

I got hit by a wmf-borne Desktop Hijacker and had to wade through my registry with a machete and half-a-dozen virus cleaners (including F-secure) in order to dig it all out and get back in shape. (I was using rage and frustration as weapons where you guys were using skills and education. =:-o)

The following day, I read about this wmf thing, and then you guys came up with the antidote almost as soon as I had digested the information.

Thank you tons. The Dark Side cannot win while there are people like you working for the Powers of Good. You guys ARE the Force! Thanks again.

Seems to be working fine on the five XP SP2 PCs I've installed it on. Spent 5 hours trying to remove the adware/spyware garbage loaded on the one I didn't get to before it got infected. Misery... Thanks for the patch/workaround!

Can someone post a patched DLL that will work on XP without the SP ? Thanks.

It would be GREAT to have this also working on Windows 2000. Is there anything I can do to help widen the patch's application range?

VS and ilfak, you guys have been a tremendous help in this. I want to thank you profusely for your quick response to these issues. I'm a network admin who was previously facing the daunting task of rolling out this or the unregister dll "fix" on a couple hundred PCs, so this really saved my skin. Do either or both of you have a paypal account so I can throw a coupla bucks your way? Thanks again.

Mele wrote:
Will this work on XP Pro SP1? This is the OS that it is really needed for as I have read of several good workarounds for XP SP2.

What workarounds have you heard of for sp2? All I have seen is the very familiar shimgvw.dll disable. This has been shown to be fair at best. What else is there that is so good?

wmffix.exe fails on my machine with the following error:

"Sorry, this fix is not compatible with your system"

However, ilfak's MSI re-package of same installs w/o complaint. I have no idea why this is so.

I have MS Windows XP Pro, Version 2002, Service Pack 2, v.2055

Same here; XP without SP and the re-packed MSI installs, and apparently is working.

We are currently working on the version for W2K.

It is quite possible that the W2K version will work on other systems too.

For the moment, if the wmffix.exe installer says that the fix can not be applied to your system, please do not try MSI.

P.S. Do not try to install the hotfix twice, it will fail.

Update: Windows2000 version is available. Most likely it will handle vanilla XP and XP SP1 too. If not, please tell!

Tried the updated hotfix on my Win 2K Pro + sp4 but it refused to install, claiming my system isn't compatible.

Art

Just an FYI, you have probably seen this already but here it is:

Yahoo antispyware detects the patch as follows (and gives a pop up window on reboot that says the file must be uninstalled from the command prompt):
12/31/2005-17:55:18,29756979,1553861216,Detected,CWS,ppclean pest,453075759,Key "hkey_local_machine \software\microsoft\windows nt\currentversion\windows" Value "appinit_dlls" Data "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1559331216,Quarantined,CWS,ppclean pest,453075759,Key "hkey_local_machine \software\microsoft\windows nt\currentversion\windows" Value "appinit_dlls",-1
12/31/2005-17:55:19,29756979,1559331216,Permanently deleted,CWS,ppclean pest,453075759,Not Applicable,-1
12/31/2005-17:55:19,29756979,1559331216,Detected,CWS,ppclean pest,453075759,File "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1560271216,Quarantined,CWS,ppclean pest,453075759,File "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1562301216,Detected,CWS,ppclean pest,453075759,File "c:\windows\system32\drivers\etc\hosts",-1
12/31/2005-17:55:19,29756979,1563081216,Quarantined,CWS,ppclean pest,453075759,File "c:\windows\system32\drivers\etc\hosts",-1

Art,

What version info do you have for Win2K's GDI32.DLL file in your \WINNT\System32 directory?

I've successfully applied Ilfak's current v1.1 release both on a very old SP4, GDI32.DLL dated 6/19/2003 with a version of [5.0.2195.6660] and also a much more recent edition dated 10/6/2005 with a version of [5.0.2195.7069].

What do you have?

XP Home SP2 updated. file installed. Haven't tested it. However I've lost recognition of my CD drive with default XP burning app. Files are not burnable and RWs are not erasable. Drive has disappeared from right click "send to" menu, and message says drive is unavailable. Files are still burnable however with Nero 6.6 and CD Burner XPPro 3.0

That's *REALLY* bizarre. I've studied Ilfak's code, and there's just no way to explain that sort of interaction.

Could you try removing the patch (and rebooting) and see whether it restores things? Ilfak's code is NOT modifying anything permanently, all of its patching is in RAM only, so there's no way it could "persist" after being removed.

Won't work for my win2k sp4 either... gdi32.dll is dated April 2005.

... And you had NOT previously installed the MSI or any other version of Ilfak's patch?

Hi,

What are the limitations of this fix? Can I still see the photos using my picture viewer?

Please help.

Thanks.

someone commented at dslreports that this tool is not reliable anymore, is it true?

[quote]TEST it, TRY it, you will see that the best protection CURRENTLY is to use the OS to un-register it, because the current TOOLS created by I might add, by very respected people, are being PULLED apart as we speak.

Secondly, since we KNOW Microsoft is NOT Sony, do you think that if Microsoft THOUGHT that HOOKING SETABORT would truly be a WORKABLE temp fix, that they would NOT have released it?

Remember PLEASE, that these tools that are being created as temp fixes are using HOOKS to provide that, and HOOKS can be just as EASILY removed as they can be created, which is what is being DONE now.

However, it is MUCH more complicated to re-register a .dll than it is to REMOVE a hook since the NOW non-existent .dll is not around to even ALLOW the code to execute in the first place.[/quote]

I describe the way Ilfak's patch works here: http://www.GRC.com/groups/securitynow:423

There are no limitations to this solution, other than it kills a "probably never needed" error-handling function of Windows metafile processing.

Since it is subtly patching the core Windows GDI32.DLL on the fly, whenever it's loaded into a process space, you SHOULD remember to remove this after Microsoft has updated Windows to repair the GDI32.DLL. But until then it simply and cleanly cures the problem without any known side effects.

Thank you Steve. The explanation is very technical, I hardly understand any of it.

Sorry about that.

Essentially it means that Ilfak's "patch" is automatically loaded into a program's memory space whenever a program like Windows Explorer or Internet Explorer is loaded by the operating system and starts to run.

At the moment that Ilfak's patch is loaded, it immediately seeks out and locates the specific function that we now know is "broken" in the current Windows GDI32.DLL program library file. When it finds it, it "patches" the defective code in memory so that it does nothing if any malicious image file attempts to abuse the file's defect. In that way we are all protected from the danger in this defective Windows file until Microsoft fixes it "officially".

It's a very nice, elegant and clever solution to tide us over until Microsoft fixes it permanently.

Hi Steve. Based on my layman reading of your explanation, am I correct in interpreting you as stating that Ilfak's patch works by:

(1) searching for specific gdi32.dll code in Windows versions 2000 and above,

(2) and when it does find the code in that file, it patches that portion of the file, whereby the fix is some sort of "intervention mechanism" against the ESCAPE function?

(3) Does this mean that it is the ESCAPE function that is specifically being exploited by the WMF malware?

As for the portion of the quoted comment: "However, it is MUCH more complicated to re-register a .dll than it is to REMOVE a hook since the NOW non-existent .dll is not around to even ALLOW the code to execute in the first place."

My understanding is that the .dll, even if it is being unregistered, is not being wiped from the hard disk, so what's to prevent a malware from re-registering it just as easily as removing a patch of gdi32.dll?

Oops. I took too long to type my questions. Thanks for your responses (emphasis on the plural), Steve.

Steve, picking up on wmfsucks' earlier comment about countermeasures for Ilfak's patch, this poster claims to have already seen exploit code variants which defeat it:

http://www.dslreports.com/speak/print/default;15142923
http://www.dslreports.com/speak/print/default;15143094
http://www.dslreports.com/speak/print/default;15143172
http://www.dslreports.com/speak/print/default;15142958
http://www.dslreports.com/speak/print/default;15143054

If true, then should your current advice (at http://www.grc.com/sn/notes-020.htm ) not to bother with unregistering the DLL be changed to do both (i.e. to unregister and rename the DLL, and apply Ilfak's patch)?

It seems that my MSI repackaging does less checking about the target system. This might mean that if Ilfak's package won't install and the MSI package will, the MSI might not work either and may create a false sense of security.

Regarding that posting on DSLReports: You can safely ignore it. I'm sure that the poster had good intentions, but his logic is flawed. It presumes that something has already penetrated the user's system in order to remove Ilfak's patching hook. But if something has penetrated the user's system well enough to do that, then the penetration has already occurred. Ilfak's temporary patch simply prevents the WMF exploits from being able to gain a foothold in the first place.

Any way to run the patch silently?

Thanks!

Installed it on Win x64 without problems. Not going to try and find injected WMFs though ;-) Thanks!

ravi: Yes, you will still be able to see all image files using the picture viewer. Even if you try to open a malicious WMF file, the picture viewer will clearly inform you that the file can not be rendered. You will not be infected by the worms exploiting this vulnerability.

In response to Steve Gibson's inquiry about the date and version of my gdi32.dll file on Win 2K Pro sp4 in the \system32 folder:

4/8/2005 version 5.0.2195.7011

Katom,

To run the setup in the silent mode, try this:

wmffix_hexblog12.exe /VERYSILENT /SUPPRESSMSGBOXES

Is there a good way to know if a system has already been hit by the WMF exploit? (Other than the obvious adware/spyware pop-ups or other strange behavior.) Like checking a file version or something that would have been modified by the WMF exploit?

After the wmffix is installed, would it still be prudent to unregister the shimgvw.dll to be 100% safe?

Also, is there an easy way to deploy this wmffix via Windows login script? If so, could someone please give some details, thanks.

Sorry for the quick 2nd posting, but I was wondering if there is a way to 'test' that the wmffix is actually working as intended?

Is there some non-malicious WMF file that you could post to allow people to check if the wmffix is installed and working?

baze68,

It is rather difficult to detect if the system was hit by a WMF exploit. The problem is that the exploit code could do anything including hiding itself, installing a rootkit, or any other software on the system. There will be no trace of the exploit itself in the system logs but the system will be compromised.

The fix renders your system invulnerable against WMF worms. I did not unregister the shimgvw.dll on my system (well, I did it for the research stage but re-enabled it afterwards) but if you want to be on the safe side, unregister it - in theory this will make your system less vulnerable but also less usable at the same time.

I like your idea of having a method to check if your system is vulnerable against WMF exploit!

I found that many graphics viewers use the GDI32 library to play Windows metafiles, so it is not good just to unregister shimgvw.dll.

Ilfak, thanks so much for this. Can you please post the MD5 sum for the current version of the patch?

Is it possible for you to create a patch for Win9x (ME)?

Those of us with no money for a new OS would appreciate it!

Does this patch install correctly if the user is not an Administrator on the local system, i.e. User/Power User?

With this installer, what is the command line to uninstall once the MS fix is out? I am going to run the install process in an AD script (runs with admin rights as users don't have install rights) and then would like to later remove it.

Ilfak: First of all, great job on getting this fix out. You're saving a lot of us many hours of unpaid overtime over the coming days and weeks.

I am working on a new MSI file to deploy this now. Is it possible that you could provide me the source to the InnoSetup installer you made? I'm sure I can translate that into something that can be compiled into an MSI with the WiX toolkit.

I will publish the WiX source to my installer once I've gotten it done, along with instructions on how to re-compile it with WiX (so that nobody has to download an untrusted MSI file from me and people can rebuild it from scratch if the WMFFIX patch is updated).

Per the request above for a simple logon script:
REM skip machines that already carry the marker file
IF EXIST c:\wmf_fixed.log GOTO DONE
\\yourserver\softlocation\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
REM drop the marker so the installer is not run again at the next logon
copy \\yourserver\softlocation\wmf_fixed.log c:\wmf_fixed.log

:DONE

After I posted about losing the CD burning app, my whole system crashed. Because of that it has taken me awhile to get back here. As far as I can tell, the fix WASN'T the cause of the problem but rather the issue was unrelated. I've since loaded the file onto a fresh install, and the system is running fine.

Does the wmffix install have an option to create a log file to verify/confirm that a 'silent' install, i.e. login script, completed successfully?

Kudos to Ilfak for the patch!!! I too would like to verify the errorlevel upon install (perhaps sending it to a server log file for review) so that we don't have a false sense of security. We could institute a software restriction policy for the dll on 2003 AD or could unregister the dll via a startup and logon script (to ensure it is not re-enabled), but would like to avoid this due to the loss of functionality.

Hi,

what about Windows 9x?
No patch possible??

Thanks in advance, a lot of people still have a computer running Win 98/Me.

Is XP64 vulnerable? If so, does the patch work?

Can anyone try this: locate gdi32.dll, open it with a hex editor, find 'SetAbortProc', change it into something else (same length), write back the changed file to gdi32mod.dll, back up your gdi32.dll and replace your gdi32.dll with the mod one in dllcache and system32. (Mikko, if you read this please test this one.)

Why don't you post the source code so people don't have to reverse engineer this to check it does what you say it does?

Hey Ilfak, just installed the 1.3 fix and seems to work great. I had a couple of ideas.

The main GUI window still says 1.2, which is very minor. Also, I think a command-line uninstall switch would be a cool thing to have. If there is already one, I missed it. Thanks for the patch.

-Todd

Hi, happy new year.... not...

Anyone been testing this on Windows 2000/2003 terminal servers ?

Please share info if anyone has tested...

Any Windows server administrators in this audience...have you, or are you going to apply this wmffix to your Windows 2000/2003 servers? Just curious how many Windows administrators have or are planning on actually deploying this patch to their production desktops and/or servers?

Thanks for this patch Ilfak...has Microsoft called yet to ask if they can use your patch code?!? (Are those guys in Redmond asleep at the wheel or what?!?)

I'm a contracted Windows server admin working with several Customers who have a mix of NT 4.0 and AD domains, and client computers running Windows 2000 and Windows XP Professional. I've got about 1,200 client PCs and 20 servers in my largest client site w/ an AD domain that I need to deploy this patch onto.

I'm trying to get an MSI package built using the WiX tools now, because I really would prefer not to deploy this with a script (e.g. I don't want to uninstall it with a script later; I want to back it off w/ MSI).

V. Suuronen (poster above) gave me his MSI, and it compares to what I'm doing. I've got more details on my blog, but essentially I've got the skeleton MSI built now, but I'm going to have to write some custom actions to finish it up. I'll post updates to what I've gotten done to my blog.

Let's assume that Microsoft patches this thing ;) If ilfak's fix is installed, and 'Auto Update' is enabled, is it likely that machines will break after the Microsoft patch gets put on automatically (without first removing this fix)?

I realize it depends on what Microsoft does to patch this, but just a little worried about the systems that have auto update enabled.

Hi Ilfak,

Just a quick note of sincere appreciation for your dedication, expertise and availability for so rapidly producing a fix for this exploit (on a new year's eve no less) while the 60,000+ MS workforce could only come up with a very partial workaround so far. And the same goes for all those who participated in fine tuning the code for this fix (Steve Gibson comes to mind...).

A great and highly commendable job.

Does the fix require the restart to actually be effective or is it live as soon as it's installed?

I would install it on a few servers, but they cannot be restarted until "Patch Tuesday..."

Also, I saw the new v1.3 added support for "Win2K SP4", but I installed v1.1 on a "Win2K SP4" machine and it went OK... v1.3 says it does not need to be installed twice on that machine now...

Hi Per,

I'll answer for Ilfak since I'm very familiar with the operation of his code.

First, machines do NOT need to be restarted for the patch to start taking effect. However, any already running programs that might attempt to render an image would not be protected. So the rule is, once Ilfak's "patcher" is installed, any processes that are subsequently started will have their own instances of GDI32.DLL patched, but previously running instances would not be patched. Therefore, the restart is just a clean way of assuring that all possible instances of GDI32.DLL running will have been dynamically patched.

Also, if the v1.1 patch installed on your system, then it found a version of GDI32.DLL that it understood and you should be okay. What Ilfak has been doing since v1.0 is (mostly) adding additional recognition signatures for the function entrypoints which vary a bit from one GDI32.DLL version to another.
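The point Steve makes above, that only processes started after the installer ran carry the patched GDI32.DLL, can be checked from an administrative PowerShell prompt before deciding whether a server really needs its reboot. The script below is an added example, not code from the original post or from the hotfix itself: it lists every running process that has loaded user32.dll (the ones the injected DLL targets, per the post) and reports whether the fix DLL is present in it. The file name of the injected DLL is not given on this page, so `$FixDll` is an assumption and must be replaced with the name found in the installer's extracted files.

```powershell
# Added example (not part of the original post): find processes that were
# started before the hotfix was installed and therefore still run an
# unpatched GDI32.DLL.
# ASSUMPTION: $FixDll is the file name of the injected DLL. The post does not
# name it; take the real name from the files the installer drops.
param(
    [string]$FixDll = 'wmffix.dll'   # hypothetical default, see above
)

function Get-HotfixCoverage {
    param([string]$DllName)
    $rows = @()
    foreach ($p in Get-Process) {
        try {
            $mods  = $p.Modules | ForEach-Object { $_.ModuleName }
            $start = $p.StartTime
        } catch {
            # Access denied (another user's process, a protected process) or a
            # 32/64-bit mismatch: we cannot look inside, so report it as unknown
            # rather than silently claiming it is patched.
            $rows += [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName
                                        Status = 'unknown'; Started = $null }
            continue
        }
        # Only processes that load user32.dll receive the injected DLL at all;
        # -contains compares case-insensitively, so 'USER32.dll' matches too.
        if ($mods -notcontains 'user32.dll') { continue }
        $status = if ($mods -contains $DllName) { 'patched' } else { 'UNPATCHED' }
        $rows += [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName
                                    Status = $status; Started = $start }
    }
    $rows
}

# Show only what still needs attention, oldest process first.
Get-HotfixCoverage -DllName $FixDll |
    Where-Object { $_.Status -ne 'patched' } |
    Sort-Object Started |
    Format-Table Id, Name, Status, Started -AutoSize
```

Run it elevated; otherwise most service processes show up as "unknown". An empty table after a fresh logon means every inspectable GUI-capable process already carries the patch; a long list of old "UNPATCHED" services is the case where the reboot Steve describes is the only clean option.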

Hello all,

Kaspersky has provided a patch for that trouble. Do you think it is useful to use Ilfak's patch after KAV's ?

Does anybody know the difference between the two?

Thank you all and happy new year :)

Lim.

Limerick,
Which 'patch' from Kaspersky are you referring to? If it is just a virus def update then yes, you should still use Ilfak's patch. The reason is that the antivirus software companies need to come out with new updates for each variation of this WMF exploit. As of the last check I think there were over 70 different variations. This patch prevents ANY of these from being run.

I was just trying to create a program that hooks the Escape function in Windows 98. Now I'm not exactly sure what to do with it. How can I get it tested and see if it works?

Is there a way I can automatically install this patch? I would like to put it in the logon script, have it silently install and force the machine reboot afterwards. Of course, the second time the patch runs, and if it's installed, it would silently exit.

Frank
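One way to do what Frank asks for, as an added example that is not part of the original post or of the hotfix package: a logon script that checks the Add/Remove Programs entry the post names ("Windows WMF Metafile Vulnerability HotFix"), installs silently with the switches the post documents only if the entry is missing, and reboots once so that already-running processes are covered as well. The share path for the installer and the log file location are assumptions; the script also assumes the installer registers its entry under the usual HKLM Uninstall key, which is where Add/Remove Programs reads from.

```powershell
# Added example (not part of the original post): one-shot silent install of
# the hotfix from a logon script, with reboot, and a silent exit on every
# later run.
$Installer   = '\\fileserver\hotfix\wmffix_hexblog14.exe'   # ASSUMED path
$LogFile     = "$env:TEMP\wmffix-install.log"               # ASSUMED location
$DisplayName = 'Windows WMF Metafile Vulnerability HotFix'  # name given in the post

function Test-HotfixInstalled {
    param([string]$Name)
    # Add/Remove Programs entries live under the Uninstall key. Check the
    # native view and the WOW6432Node view so XP x64 / 2003 x64 are handled
    # when a 32-bit installer registered itself there.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $hit = Get-ChildItem $k |
               Get-ItemProperty -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -eq $Name }
        if ($hit) { return $true }
    }
    return $false
}

if (Test-HotfixInstalled -Name $DisplayName) {
    exit 0      # already installed: second and later logons exit quietly
}

if (-not (Test-Path $Installer)) {
    Write-Error "Installer not found at $Installer"
    exit 1
}

# /VERYSILENT and /SUPPRESSMSGBOXES are the switches from the post; they do
# not suppress installation-error dialogs, so the /LOG file is where to look
# if a machine stalls.
$proc = Start-Process -FilePath $Installer `
        -ArgumentList '/VERYSILENT', '/SUPPRESSMSGBOXES', "/LOG=`"$LogFile`"" `
        -Wait -PassThru

if ($proc.ExitCode -ne 0) {
    Write-Error "Hotfix installer exited with $($proc.ExitCode); see $LogFile"
    exit $proc.ExitCode
}

# Processes started before the install keep an unpatched GDI32.DLL, so reboot
# once to make the fix effective everywhere.
Restart-Computer -Force
```

Because the check runs first, a machine where the installer aborted with an error dialog will simply try again at the next logon, which is usually what you want; if you would rather have it give up, write a marker file next to the log on failure and test for it at the top.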

This is odd, well I did an odd thing. For some reason I only located the dll in win32.... so I unloaded it, ran the installer, restarted and realised here that there are 2 more. I unloaded the other 2 dlls. Uninstalled the hexblog. Restarted and now when I try to run hexblog I get "Sorry this fix is not compatible with your computer" :?

Lim ...

Kaspersky's update is for detection of WMF exploits of the vulnerability, but it does nothing to actually eliminate the vulnerability. Ilfak's dynamic patching solution actively "suppresses" the vulnerability, thus also preventing new exploits that Kaspersky's scanning might not catch. So, yes, doing BOTH makes lots of sense.

hp550c : here is KAV's patch : http://www.kaspersky.com/technews?id=176836515

Thank you Steve for your advice. I'll do so.
But do you know exactly what KAV's patch is supposed to do ?

Lim.

Thank you for the patch, very impressive how fast this came about. I had friends and family downloading the Ubuntu Live CD to use until MS came out with a patch. I only had 2 people decide to ditch their Windows completely because of this, but now I can let them know that if they want to go back to using their Windows computer, they can feel a little more secure using this fix. Thank you a bunch.

What does this patch actually do, EXACTLY??

Would the following steps reduce the probability of downloading an infected file or having an infected file be triggered by automatic indexing? Even if they work, they are just band-aids, but might reduce the attack surface:

1. Turn off images in Internet Explorer [Tools > Internet Options > Advanced > Multimedia > Show Pictures (uncheck)]

2. Disable indexing by Windows [drive by drive right click > Properties > Allow indexing service to index this disk (uncheck)] or alternatively disable the indexing service via Services menu
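The two interim settings in that list can be applied and reverted from PowerShell rather than clicked through on every machine. The block below is an added example, not code from the original post: it sets the Internet Options "Show Pictures" switch for the current user and stops and disables the Indexing Service. The registry value name and the service name are my assumptions about where those two dialog settings are stored, not facts from the post; both functions take a boolean so the same script undoes the change once the official patch is in.

```powershell
# Added example (not part of the original post): script the two band-aid
# settings from the list above, with a switch to restore them afterwards.
# ASSUMPTIONS: the Advanced > Multimedia > "Show Pictures" checkbox maps to
# the per-user value 'Display Inline Images' (yes/no), and the Windows
# 2000/XP/2003 Indexing Service is the service named 'cisvc'.

function Set-IEShowPictures {
    param([bool]$Enabled)
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $value = if ($Enabled) { 'yes' } else { 'no' }
    Set-ItemProperty -Path $key -Name 'Display Inline Images' -Value $value
    # Takes effect for browser windows opened after this point.
}

function Set-IndexingService {
    param([bool]$Enabled)
    $svc = Get-Service -Name cisvc -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Indexing Service (cisvc) is not installed on this machine'
        return
    }
    if ($Enabled) {
        Set-Service -Name cisvc -StartupType Automatic
        Start-Service -Name cisvc
    } else {
        # Stop it now and keep it from coming back at the next boot; this is
        # the "disable the indexing service via Services" alternative in step 2.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name cisvc -Force }
        Set-Service -Name cisvc -StartupType Disabled
    }
}

# Apply the band-aids:
Set-IEShowPictures  -Enabled $false
Set-IndexingService -Enabled $false

# Revert later with:
#   Set-IEShowPictures  -Enabled $true
#   Set-IndexingService -Enabled $true
```

Keep in mind what the poster already says: these only narrow two delivery paths (inline images in IE, background indexing). Any other program that renders the file through GDI32 is untouched, which is why the hotfix, not these settings, is the actual mitigation.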

Lim,
To me it sounds like that Kaspersky patch is just making it so that the software actively scans .wmf files in real time, rather than during a scheduled scan. The problem with that is that the WMF exploit can actually be disguised as other file types (most commonly .jpg files).

As Steve mentioned, your best bet is to update Kaspersky AND use this patch.

I have been experiencing problems installing the WMF HotFix. I ran v1.2, but it did not install (no icon under Programs). I removed 1.2 and then ran v1.3. When it booted up, it showed v1.2 (again) and was still not shown in Programs. Any suggestions would be appreciated.

Jack
jhrobbins@hotmail.com

There is no icon in the programs - this is perfectly normal, the fix does not require any user intervention after the installation.

As for the version number mess - sorry, this is my mistake, I forgot to change it.

I'm having problems with this patch..

I installed v1.3 earlier today and then tried to uninstall it again (for checking). Now, after rebooting, I was trying to install it again.

Everything seems ok, but after another reboot the changes seem to be undone because your WMF exploit checker says i'm vulnerable again?!

Don't know how to secure my system now... Patch is still installed but it says it's vulnerable...

Seems like your program unregisters the patch after every reboot?! ...

What can I do now? Tried uninstall/install a few times now...

Thanks for any help!
Alex

Thanks for the fix. It seems to disable Western Digital Retrospect backup software.

Thanks for telling! We will try to gather more information about these cases and hopefully will find a solution. Meanwhile please uninstall the fix.

Hey Ilfak,

Do you have a paypal account? I would like to send you a small token of appreciation for what you did.

Warmest,

Daniel