Thursday, December 29, 2005

"WMF Day 2"

F-Secure : News from the Lab

"Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038

Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type 'regsvr32 -u %windir%\system32\shimgvw.dll' (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

..."


I'm sure you've all heard about the WMF vulnerability and the active exploitation of it by now (I hope). This is one of those scary ones...

I think the worst thing is that there are so many infection vectors... Switching away from IE won't really help, as this problem is in a base OS component. Some researchers even believe that you can be infected just by having the WMF/infected file indexed by a desktop search tool (like Google Desktop).

I unregistered Shimgvw.dll yesterday and so far haven't had any major problems. Minor problems include image thumbnails not being created/viewed in Windows Explorer... But I can live without those until this is patched.
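If you want to roll the same workaround out to more than one box and actually confirm it took, here is a script I put together as an added example (it is not from the Microsoft or F-Secure bulletins). It runs the regsvr32 step from the bulletin, then checks the registry to verify that no COM class still points at shimgvw.dll; it assumes an elevated PowerShell session on a 32-bit Windows XP/2003 machine, and the -Undo switch is my own addition for re-registering the DLL after the patch ships.

```powershell
# Added example, not code from the bulletins quoted above.
# Applies (or, with -Undo, reverses) the shimgvw.dll workaround and then
# verifies the result by scanning HKCR\CLSID\*\InProcServer32 for the DLL.
# Assumes an elevated session on 32-bit Windows XP/2003.
param(
    [switch]$Undo   # re-register the DLL once Microsoft's patch is installed
)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }

# /s makes regsvr32 silent; the exit code reports whether
# DllUnregisterServer (or DllRegisterServer with -Undo) succeeded.
$rsArgs = if ($Undo) { @('/s', $dll) } else { @('/s', '/u', $dll) }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $rsArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 exited with code $($proc.ExitCode)"
}

# Verification: list every CLSID whose in-process server is shimgvw.dll.
# After un-registering this should be empty; after -Undo it should not be.
$stillRegistered = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srv = Get-ItemProperty -Path "$($_.PSPath)\InProcServer32" -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'shimgvw\.dll') { $_.PSChildName }
    }

if ($Undo) {
    if ($stillRegistered) { "Re-registered under: $($stillRegistered -join ', ')" }
    else { Write-Warning 'regsvr32 reported success, but no CLSID references shimgvw.dll' }
} else {
    if ($stillRegistered) { Write-Warning "Still registered under: $($stillRegistered -join ', ')" }
    else { 'Workaround in place: no CLSID references shimgvw.dll' }
}
```

The registry scan is the part worth keeping even if you apply the workaround by hand: a non-zero regsvr32 exit code or a leftover CLSID entry means the viewer can still be loaded for an image file.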

Keep your eyes open for a quick patch from MS and keep your anti-virus very up to date...
