Cisco Security Agent and the Microsoft WMF Exploit
A critical vulnerability was announced on December 27, 2005 for the code used to view picture and fax files in multiple versions of Microsoft Windows operating systems. Microsoft has released a patch for Windows 2000/SP4, Windows XP, and Windows 2003. It is currently unclear whether earlier versions of Windows 2000 or Windows NT are vulnerable. The patch is available from Microsoft  at
Many exploits are circulating in the wild and targeting this vulnerability. An exploit creation utility is also circulating, allowing the exploit to mutate rapidly. Cisco Systems
® has obtained many exploit files, and has confirmed that the Cisco
® Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent are 220.127.116.117, 18.104.22.1689, and 22.214.171.124. All are effective in stopping the exploits seen to date.
The vulnerability is in a Windows API most frequently used by a utility shipped with Windows XP SP1 and SP2, and Windows 2003. The utility allows users to view picture and fax files. Malicious files with the extension .wmf that are viewed in Internet Explorer or other applications can execute arbitrary code with SYSTEM privilege. It is possible that malicious files without the .wmf extension could cause a vulnerable application to execute and be exploited due to the header information in the file. Many Trojan horse programs are using this to download and compromise systems. Applications known to be vulnerable include Internet Explorer, Windows Explorer, Outlook, Lotus Notes, and the Google Desktop Search (GDS) (if it indexes a file containing exploit code).
The CERT advisory  states that most e-mail clients are likely able to be exploitable in this way.
Once an exploit begins to execute code, it typically performs many malicious actions, including (but not limited to):
• Downloading malware files
• Installing software that automatically starts at boot time (RUN or RUNONCE Registry keys)
• Executing command shells such as CMD.EXE
• Capture keystrokes typed by the user
The specific types and sequences of malicious activity used will vary from exploit to exploit.
HOW CISCO SECURITY AGENT STOPS THE WORM
The Cisco Security Agent default policies contain at least five rules that stop the exploit and variants. The exact number of malicious activities that is stopped varies depending on the variant tested, but up to 60 behaviors were identified during testing at Cisco (using the XLP1.WMF variant). No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:
• Execution of a system function from a buffer, via a buffer overflow
• Execution of a downloaded executable
• The attacked service attempted to execute a command shell (CMD.EXE)
• An executable file (or files) was written to the %SYSTEM directory
• One of the downloaded executables attempted to capture keystrokes
• The application executed from the file tried to create RUN registry entries
This testing is shown in Figure 1.
Note that the exploit was tested at Cisco, with the agent in Test mode, which will cause the agent to alert (but not block) malicious behavior. This was done to observe all possible ways that the Cisco Security Agent default policies would stop the exploit. When the agent is in protect mode (the typical operational configuration), the first rule would kill the exploit-no subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions. Cisco tested with agents in Test mode to determine how deep the Cisco Security Agent defense in depth is for the exploits and variants. For the XLP1.WMF variant, this defense in depth is over 60 (Figure 1 contains only a partial screen capture due to the volume of data).
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for CSA agents to be effective. In short, this was a true test of "Day Zero" protection. This is similar to what we have seen with earlier exploits and worms-the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that the Cisco Security Agent has stopped via the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously impact organization's computing and network environments. The key to stopping these new attacks is the ability to stop the attack without requiring any changes to default configuration, and multiple rules in the default policies that provide a defense in depth.
Cisco observed two anomalous situations during testing. One was during testing on benign (non-malicious) proof-of-concept code. Since this limited itself to executing the calculator application (CALC.EXE), it did not trigger protective rules. This is by intent-the security policies are designed to block malicious activity, as opposed to interesting but harmless activity. The second situation occurred while testing a malicious exploit, where a three-minute delay was observed between execution of the exploit and generation of events by Cisco Security Agent. Cisco believes that the exploit was searching memory addresses during this interval, and had not yet executed malicious behavior. Once the exploit performed malicious activities, Cisco Security Agent blocked the activities as expected.
Figure 1. Cisco Security Agent Default Configuration Stops the WMF Exploit (XPL1.WMF variant). First 14 event captures (of 61 total). Tested on Cisco Security Agent 126.96.36.199