Microsoft Confirms WMF Vulnerability, Plans for Patch

Discussion in 'News and Article Comments' started by syngod, Dec 29, 2005.

  1. syngod

    syngod Moderator

    Likes Received:
    15
    Trophy Points:
    18
    Microsoft and CERT.ORG have issued bulletins on the Windows Metafile vulnerability:
    http://www.microsoft.com/technet/security/advisory/912840.mspx
    http://www.kb.cert.org/vuls/id/181038

    Microsoft's bulletin confirms that this vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003.

    They also list the REGSVR32 workaround. It's a good idea to use this while waiting for a patch. To quote Microsoft's bulletin:

    Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

    1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
    (without the quotation marks), and then click OK.

    2. A dialog box appears to confirm that the un-registration process has succeeded.
    Click OK to close the dialog box.

    Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
    when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

    To undo this change, re-register Shimgvw.dll by following the above steps.
    Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

    This workaround is better than just trying to filter files with a WMF extension. There are methods where files with other image extensions (such as BMP, GIF, PNG, JPG, JPEG, JPE, JFIF, DIB, RLE, EMF, TIF, TIFF or ICO) could be used to exploit a vulnerable machine.

    We got several questions on our note on Google Desktop yesterday. Bottom line is that if an image file with the exploit ends up to your hard drive, Google Desktop will try to index it and will execute the exploit in the process. There are several ways such a file could end up to the local drive. And this indexing-will-execute problem might happen with other desktop search engines too.

    And finally, you might want to start to filter these domains at your corporate firewalls too. Do not visit them.

    toolbarbiz[dot]biz
    toolbarsite[dot]biz
    toolbartraff[dot]biz
    toolbarurl[dot]biz
    buytoolbar[dot]biz
    buytraff[dot]biz
    iframebiz[dot]biz
    iframecash[dot]biz
    iframesite[dot]biz
    iframetraff[dot]biz
    iframeurl[dot]biz

    So far, we've only seen this exploit being used to install spyware or fake antispyware / antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon.

    Source: F-Secure
     

Share This Page