Subject: RE: Any comments on WMF vulnerability in LN client?
I wasn’t able to reproduce this scenario when using the Notes internal viewer (attachment / view). I see one access to this dll (QUERY INFORMATION in Filemon) but the dll is never attached to nlnotes.exe.
“Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments”
As far as I know that’s not true; Notes has always had its own attachment viewer (third party, see http://www.verity.com/products/oem/keyview/index.html) and all I get when trying to view a faked wmv/jpg file is “unknown file format”…
I just don’t see that this dll has been loaded at all - and without LoadLibrary there will be no single call to this dll - therefore no hazards at all.
Please correct me if I’m wrong and tell me what I’m missing - and help me to reproduce this scenario where “view attachment” leads to usage of shimgvw.dll to view the attachment.
Unless I’m able to reproduce this I’ll stick with not believing it :)
The only circumstance in which I can detect shimgvw.dll being used is when I open a wmf file using Windows Picture and Fax Viewer. It is actually run by the Explorer process through rundll32.exe.
This would be the consequence if you use Notes to open a wmf attachment when the Windows Picture and Fax Viewer is the default application for the wmf extension. On my test machine the Notes Viewer, Paint Shop Pro and MS Paint did not appear to use the vulnerable dll when opening wmf files.
The only role I see Notes/Domino playing here is the one of delivery boy. I’ve checked my AntiVirus signature files are up to date (the norm) and that’s as far as I’m going. As I mentioned already, both McAfee and Symantec have released recent antivirus signature updates that counter known viruses that exploit the shimgvw.dll vulnerability.
Subject: RE: Any comments on WMF vulnerability in LN client?
Gustav, Everyone -
Do you intend taking any countermeasures to this? My instinct is to increase my perimeter filtering to block all images, at least over the holiday weekend while people look at this.
Subject: RE: Any comments on WMF vulnerability in LN client?
I’m blocking from now for the next few days until we have a clear statement/advice from IBM. It’s currently not absolutely clear if the Notes Client is involved. I hope that IBM will make a statement soon.
Subject: RE: Any comments on WMF vulnerability in LN client?
I’ve conducted some tests and it is pretty plain that the vulnerable dll is invoked when wmf attachments are opened from Notes (6.5.4) - this is more to do with the way Windows handles wmf format files rather than Notes, I think. Notes isn’t the vulnerability - it is simply a delivery mechanism, which is true for any email-propagated malware.
I’ve done a little more checking and it appears that recent antivirus updates from both McAfee and Symantec contain signatures for known exploits of the bug. Both company websites provide assessments of the threat as low. I’ve been round the servers and made sure they are up to date and also confirmed that we are scanning wmf, gif, jpg and other common image formats on the servers and at the desktop.
I haven’t filtered image formats at the SMTP perimeter but will check on Monday for more news to see whether I need to come to work or not. The most vulnerable access is the web connection - blocking all image formats will cause uproar if their web access is reduced to text only.
One of the other posters on this thread said their users are unlikely to click on image attachments from unknown sources. I wonder if he wants to trade users? Or at least training techniques - he must have a bigger explaining stick than we do.
Subject: RE: Any comments on WMF vulnerability in LN client?
This is John H. from NIST.org; I posted the original Notes vulnerability report. I have updated that report at http://www.nist.org/nist_plugins/content/content.php?content.25 to indicate that Lotus Notes code is probably not involved. The Sysinternals Filemon utility was falsely attributing nlnotes.exe as calling the shimgvw.dll file. Further testing using API monitors and debugging software indicates that it is probably the Windows XP browser causing this. When attaching or saving a file Notes uses Windows for the file dialog. On a Windows XP computer the browser will call the shimgvw.dll file to retrieve image information. If thumbnails are enabled it will generate thumbnails as well. Keep in mind that this activity is enough to trigger the WMF exploit (even if the image is a JPG), so Lotus Notes (and many other applications) can trigger the exploit in an infected image file. Of course users can still open an infected image attachment and trigger the exploit (same as any other email application).
Others have mentioned workarounds in the Notes.ini file for WMF images. This will not help, as WMFs renamed as JPG or GIF files will cause the same problem. SANS.org is highly recommending an unofficial hotfix. NIST.org has tested this hotfix and we’re also recommending it. It’s available on NIST.org at http://www.nist.org/news.php?extend.50. It’s going to be 7 days before Microsoft releases their fix. A LOT between now and then.
Subject: Thanks for posting. One follow up question
I ran the hotfix. Is there any way of checking that it worked or seeing if it has been run? (I guess the answer to the latter is that it shows up on the Add/Remove Programs list from the Control Panel, but how do I know whether it is protecting the machine?)
Subject: Any comments on WMF vulnerability in LN client?
It would make a lot of difference if it were clear that this executed even when the image was referenced in the MIME as an image, since then it would be impossible to stop if the mail was opened at all. Most people will not launch even a JPEG attachment from someone they don’t know, whereas an image that shows up when the message is opened is easy to execute even if you have Preview turned on. This sounds like an important thing to fix.
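As an added example, not code from any poster on this thread: a Python mail-gateway check that identifies a WMF by its header bytes rather than its name or MIME type, so a WMF renamed to .jpg or .gif (the NIST.org point above) is caught whether it arrives as an inline MIME image or as an attachment (the concern in the post just above). The sample message, its byte payloads and the function names are constructed here for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Header bytes that mark a Windows Metafile, independent of the extension
# or Content-Type it is labelled with.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"            # 0x9AC6CDD7, Aldus placeable header
STANDARD_WMF_HEADS = (b"\x01\x00\x09\x00",           # mtType 1 (memory), mtHeaderSize 9
                      b"\x02\x00\x09\x00")           # mtType 2 (disk),   mtHeaderSize 9
STANDARD_WMF_VERSIONS = (b"\x00\x01", b"\x00\x03")   # mtVersion 0x0100 / 0x0300

def is_wmf(data: bytes) -> bool:
    """True when the bytes start like a WMF, whatever the filename claims."""
    if data[:4] == PLACEABLE_WMF_MAGIC:
        return True
    return data[:4] in STANDARD_WMF_HEADS and data[4:6] in STANDARD_WMF_VERSIONS

def find_wmf_parts(raw_message: bytes):
    """Walk every leaf MIME part (inline images included) and report those
    whose decoded payload is really a WMF as (name, content-type, disposition)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undo base64 / quoted-printable
        if payload and is_wmf(payload):
            hits.append((part.get_filename() or "(inline)",
                         part.get_content_type(),
                         part.get_content_disposition() or "inline"))
    return hits

def build_sample() -> bytes:
    """Constructed test message: a placeable-WMF header labelled image/jpeg and
    referenced inline by cid, a standard-WMF header named pic.gif as an
    attachment, and a genuine JPEG attachment that must not be flagged."""
    fake_inline = PLACEABLE_WMF_MAGIC + bytes(18)
    fake_gif = b"\x01\x00\x09\x00\x00\x03" + bytes(16)
    real_jpeg = b"\xff\xd8\xff\xe0" + bytes(16)
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see picture")
    msg.add_related(fake_inline, maintype="image", subtype="jpeg", cid="<pic1>")
    msg.add_attachment(fake_gif, maintype="image", subtype="gif", filename="pic.gif")
    msg.add_attachment(real_jpeg, maintype="image", subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, ctype, disp in find_wmf_parts(build_sample()):
        print(f"WMF content in part {name!r} ({ctype}, {disp})")
```

A gateway that only matches on the .wmf extension, or a Notes.ini tweak keyed on the image type, misses both disguised parts; the content check above flags them and leaves the real JPEG alone.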