I admit I’m getting rather tired of talking about this WMF exploit and hope to stop writing about it soon. But because we were the first security company to break the story, a lot of people have been coming to this blog and we feel we have a responsibility to keep people updated.
Last night I blogged about the fact that based on our tests hardware-enforced DEP seems to mitigate this WMF exploit. I was surprised no one had written about this before and felt that we had an obligation to share our tests results. I had already posted other workarounds but this was a new twist.
I did make the caveat that this was based on preliminary research. And now we find there is at least one differing opinion out there.
A little history: I first got curious about this a few days ago when Microsoft posted their Security Advisory 912840 on this exact exploit, where they said:
I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation.
I was baffled by Microsoft’s statement, which directly contradicted our own test results. And the word “mitigate”, which means to lessen the impact of something. Hey, you can’t mitigate this thing. It either happens or doesn’t.
I checked with one of our researchers and the answer back was that hardware-enforced DEP seemed to be doing the trick, but not software-enforced DEP. Yesterday, we ran tests which confirmed that this was the case on our test systems. A system that had hardware-enforced DEP (available on newer chipsets) was stopping the exploit. But software-enforced DEP was not doing the trick.
So we wrote about it, and an expert over at PC Doctor also confirmed that hardware-enforced DEP was doing the trick. PG over at VitalSecurity has also confirmed it works on his test system.
Obviously, we didn’t test it on thousands of machines, so it’s really preliminary research and that’s why I made that caveat in my blog.
Enter George Ou from ZDNET. On his test system, DEP didn’t stop the exploit, and he blogged about it. (Update: It ultimately did work for him, but he had to change his settings. More at his blog.)
Look, all I can say is that on our test systems, it worked. And others will confirm these results on their systems.
Security is like a pitched battle. Things are moving very quickly, information is coming in from all directions, confusion reigns as you get differing reports, and so you’re constantly trying to assess the best data. I’m sorry it’s not all perfect, but that’s the world of security software.
The best thing you can do to protect yourself from this exploit is a) keep your AV program updated and b) unregister shimgvw.dll (itself not a foolproof solution). You can also use our free Kerio firewall with added Snort rules to block it.
And ultimately, the best solution is for Microsoft to just fix this damn thing. At least then I can stop writing about it and go back to writing about my other favorite things.
Alex Eckelberry
IMPORTANT UPDATE: George Ou emailed me to tell me that he was ultimately able to make hardware-enforced DEP actually work on his system to stop the exploit, but he had to set DEP to “all programs and services”.
Here are some observations:
- Microsoft says that software-enforced DEP will “mitigate” this exploit. We have concluded that this is an incorrect statement.
- While we are able to stop the exploit using hardware-enforced DEP, and others have reported similar success, the fact that George Ou had to change his setting to make it work is of concern. Additionally, I have spoken with Dave Methvyn (a reputable authority) and he has had difficulties getting hardware-enforced DEP to work on his AMD 64.More details on that later.
CONCLUSION: Do not rely on any variant of DEP at all as a protection mechanism against this exploit.