The family of Windows Operating systems supports a wide variety of services, networking methods and technologies. Many of these components are implemented as Service Control Programs (SCP) under the control of Service Control Manager (SCM), which runs as Services.exe. Vulnerabilities in these services that implement these Operating System functionalities are one of the most common avenues for exploitation. Remotely exploitable buffer overflow vulnerabilities continue to be the number one issue that affects Windows services. Several of the core system services provide remote interfaces to client components through Remote Procedure Calls (RPC). They are mostly exposed through named pipe endpoints accessible through the Common Internet File System (CIFS) protocol, well known TCP/UDP ports and in certain cases ephemeral TCP/UDP ports.

Windows also contains several services which implement network interfaces based on a variety of other protocols, including several Internet standards such as SMTP, NNTP etc. Many of these services can be exploited via anonymous sessions (i.e., sessions with null username and password) to execute arbitrary code with ―SYSTEM‖ privileges.

Earlier versions of the operating system, especially Windows NT and Windows 2000, enabled many of these services by default for better out of the box experience. These non essential services increase the exploit surface significantly. The critical vulnerabilities were reported in the following
Windows Services within the past year:

MSDTC and COM+ Service Print Spooler Service Plug and Play Service Server Message Block Service Exchange SMTP Service Message Queuing Service License Logging Service WINS Service NNTP Service NetDDE Service Task Scheduler Exploit code is available for most of these vulnerabilities and has been seen in the wild. Zotob worm and its variants exploited the buffer overflow in Plug and Play service.

Operating Systems Affected Windows NT Workstation and Server, Windows 2000 Workstation and Server, Windows XP Home and Professional, and Windows 2003 are all potentially vulnerable.


The Windows Metafile vulnerability is a security vulnerability in Microsoft Windows NT-based operating systems (i.e., all recent versions of Windows) which has been used in a variety of exploits since late December 2005. The vulnerability was first discussed in the computer security community around 26 and December 27, 2005, with the first reports of affected computers subsequently announced within 24 hours. A high-priority update to eliminate this vulnerability was made available via Windows Update on January 5, 2006 (see announcement). No patches are needed for Windows 95, Windows 98, or Windows Millennium Edition, as they are unaffected by this vulnerability. The vulnerability, located in gdi32.dll, arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users. The vulnerability therefore facilitates the propagation of various types of malware, typically through drive-by downloads.


Windows Metafiles are extensively supported by all versions of the Microsoft Windows operating system. All versions from Windows 3.0 to the latest Windows Server 2003 R2 contain this securit flaw. However, versions from Windows XP onwards are more severely affected than earlier versions, since they have a handler and reader for the WMF file in their default installation.

According to Steve Gibson’s M.I.C.E. analysis, Windows NT 4 may be affected by known exploits if it has an Image Preview Feature enabled Computers not susceptible to known exploits of the flaw (but potentially susceptible to future versions or as-yet undiscovered exploits) include those running other versions of Windows, without Image Previewing enabled, or those with hardware-based Data Execution Prevention (DEP) effective for all applications. Machines running non-Windows operating systems (e.g. Mac OS, Linux, etc.) are not directly affected. A scenario in which such computers might become vulnerable would be where a third-party program or library, designed to view WMF files on a non-Windows system, used the native Windows GDI DLL or a clone which copied the design flaw leading to this bug, e.g. through a Windows emulator or compatibility layer. Steve Gibson stated that the vulnerability could be exploited in Wine, and has provided a tool called Mousetrap to detect this on all Windows and Windows emulator systems.


According to assessments by F-Secure the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens. The original purpose of this was mainly to handle the cancellation of print jobs during spooling. According to Secunia, ―The vulnerability is caused due to an error in the handling of Windows Metafile files ( ̳.wmf‘) containing specially crafted SETABORTPROC  ̳Escape‘ records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails.‖

According to the Windows 3.1 SDK docs, the SETABORTPROC escape was obsoleted and replaced by the function of the same name in Windows 3.1, long before the WMF vulnerability was discovered. However the obsolete escape code was retained for compatibility with 16 bit programs written for (or at least backwards compatible with) Windows 3.0. This change happened at approximately the same time as Microsoft was creating the 32 bit reimplementation of GDI for Windows NT, and it is likely that the vulnerability occurred during this effort.

The ‘Escape’ mechanism in question allows applications (not metafiles) to access output device features not yet abstracted by GDI, such as hardware accelerated Bezier curves, encapsulated postscript support etc. This is done by passing an opcode, a size and a pointer to some data to the call, which will usually just pass it on to the driver. Because most Escape calls produce actual graphics, the general escape mechanism is allowed in metafiles with little thought originally given to the possibility of using it for things like SETABORTPROC, modern non-vulnerable metafile interpreters now checks the opcode against a blacklist or white list, while keeping the full set of opcodes available to regular code that calls the GDI escape functions directly (because such code is already running in the same way as the code it could make GDI call, there is no security risk in that case).

It is worth noting that 16 bit Windows (except the rarely used Real mode of Windows 3.0) was immune to the vulnerability because the pointer specified in the metafile can only point to data within the metafile, and 16 bit Windows always had a full no-execute-data enforcement mandated by Intel’s design of the 80286 protected mode architecture. This immunity also applies to Windows 95/98/Me because those operating systems used the original 16 bit GDI code. Windows NT for CPU architectures other than 32 bit x86 (such as MIPS, PowerPC, Alpha, Itanium and x86_64) had similar immunity because those architectures had the no-execute functionality missing from the 386, 486, Pentium and early (32 bit) Xeon and Athlon CPUs.


Computers can be affected via the spread of infected e-mails which carry the hacked WMF file as an attachment. Infection may also result from:

  • Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996, does this.
  • Previewing an infected file in Windows Explorer.
  • Viewing an infected image file using some vulnerable image-viewing programs.
  • Previewing or opening infected emails in older versions of Microsoft Outlook and Outlook Express.
  • Indexing a hard disk containing an infected file with Google Desktop.
  • Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.

Other methods may also be used to propagate infection. Because the problem is within the operating system, using non-Microsoft browsers such as Firefox or Opera does not provide complete protection. Users are typically prompted to download and view a malicious file, infecting the computer. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.

According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor Trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads. McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.


Microsoft released an official patch (available here) to address the problem on 5 January 2006. This patch may be applied in lieu of other corrective measures.

The official patch is available for Windows 2000, Windows XP and Microsoft Windows Server 2003. Windows NT 4 and other older operating systems will not receive a patch as they are no longer supported by Microsoft. Steve Gibson stated here, in his Security Now! podcast #20, that his company Gibson Research Corporation would make a patch available for Windows 9x systems if Microsoft did not. After further research, Steve Gibson stated here, in the more recent Security Now! podcast#23, that Windows 9x and ME are not vulnerable and do not need patching. Windows 9x/ME users can run his Mouse Trap utility to see this for themselves. A free downloadable patch for Windows NT has been provided by Paolo Monti from Future Time, the Italian distributor of Eset’s NOD32 anti-virus system. The patch works on older operating systems, but it is supplied without warranty. There have been reports of the official patch being automatically installed even when Windows Automatic Update is configured to ask before installing automatically-downloaded updates. This causes an automatic reboot, which can cause loss of data if the user has a program open with unsaved changes.


A third party patch was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll. This unofficial patch received much publicity due to the unavailability of an official one from Microsoft, receiving the recommendation of SANS Institute Internet Storm Center and F-Secure. Because of the large amount of publicity, including being indirectly slashdotted Guilfanov’s website received more visitors than it could cope with, and was suspended on 3 January 2006; the patch was still available for download from a number of mirrors including the Internet Storm Center website

Guilfanov’s website went back online on 4 January in a much-reduced state. No longer providing the patch on-site due to bandwidth issues, the homepage provided a list of mirrors where a user could download the patch and the associated vulnerability-checker, and the MD5 checksum for the file, so that it could be checked that a downloaded files was probably genuine. After Microsoft released its patch, Guilfanov withdrew his.


As a workaround before a patch was available, on 28 December 2005 Microsoft advised Windows users to unregister the dynamic-link library file shimgvw.dll (which can be done by executing the command regsvr32.exe /u shimgvw.dll from the Run menu or the command prompt) which invokes previewing of image files and is exploited by most of these attacks. The DLL can be re-registered after patching by running regsvr32.exe shimgvw.dll. This workaround blocks a common attack vector but does not eliminate the vulnerability.


Microsoft says its patch removes the flawed functionality in gdi32 that allowed the WMF vulnerability. For computers running an unpatched version of Windows, a defense in depth approach is recommended, to mitigate the risk of infection. Various sources have recommended mitigation efforts that include:

  • Making use of hardware-enforced Data Execution Prevention effective for all applications.
  • Set the default WMF application to be one not susceptible to infection, such as Notepad.
  • Do not use Internet Explorer, or at least turn off downloads by setting the default security settings to high.
  • Keep all anti-virus software up-to-date. Consider frequent manual updates.
  • Block all WMF files on the network perimeter by file-header filtering.
  • Making use of user‘s accounts that are configured with only the user rights that are required.
  • Disable image loading in Internet Explorer and all other browsers.
  • Disable image loading in Outlook Express
  • Disable hyperlinks in MSN Messenger. .
  • Disable the Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
  • Disable Desktop Search applications such as Google Desktop or Windows Desktop Search until the problem is corrected.

According to this SANS Institute Internet Storm Center article, using a web browser other than Internet Explorer may offer additional protection against this vulnerability. Depending on settings, these browsers may ask the user before opening an image with the .wmf extension, but this only reduces the chance of opening the maliciously crafted Windows Metafile, and does not protect against the vulnerability being exploited as these browsers still open the metafile if it is masquerading as another format. It is better to entirely disable image loading in any browser used.


For any query or issue, feel free to discuss on