When the going gets weird, the weird turn pro. - Hunter S. Thompson

02 January 2006

Patch Windows now to avoid WMF exploit

Update, January 6, 2006:

There is now an official patch from Microsoft to address the WMF vulnerability issue. This post explains how to get it.

Don't follow the directions below to "fix" your system; they have been rendered obsolete now that an official patch is available.

There's a very dangerous new security exploit that affects Microsoft Windows users. It involves a "hole" in Windows that allows code to be executed automatically when web-based images (Windows Metafiles - WMFs) are viewed.

Currently, there is no patch from Microsoft and no announced availability date for a patch.

An independent programmer has developed an unofficial patch, and the SANS Internet Storm Center advises all Windows users to both apply the patch and disable the part of the operating system that can be potentially exploited.

How to protect yourself, short version:
  1. Download the patch here.
  2. Run the executable patch to install it.
  3. Click Start, click Run, type
    regsvr32 -u %windir%\system32\shimgvw.dll
    and then click OK.

How to educate and protect yourself, somewhat longer version:

This FAQ file from SANS explains the vulnerability and how you can (temporarily) protect yourself. I advise you to read the whole thing, but if you don't have the patience for that, at least read these relevant excerpts and follow the directions therein.

Why is this issue so important?

The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don't have to click anything. Even images stored on your system may cause the exploit to be triggered if they are indexed by some indexing software. Viewing a directory in Explorer with 'Icon size' images will cause the exploit to be triggered as well.

Is it better to use Firefox or Internet Explorer?

Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered 'safe'.

What versions of Windows are affected?

All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.

What can I do to protect myself?

  1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
  2. You can unregister the related DLL.
  3. Virus checkers provide some protection.

To unregister the DLL:

  • Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.
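The "unregister the DLL" step appears twice above (the short version and the SANS excerpt) as a one-off command typed into the Run box. As an added example, not code from the original post, from SANS or from Ilfak Guilfanov's patch, here is a PowerShell script that goes a little further than the text: it reports whether the workaround is actually in place on a host (by looking for any CLSID whose InprocServer32 points at shimgvw.dll rather than hard-coding the viewer's CLSID), applies or reverts it with regsvr32, and checks whether Microsoft's official update is installed so the workaround can be undone afterwards. All function names are mine; the script assumes an elevated PowerShell session on Windows with shimgvw.dll in %windir%\System32, and the KB number used for the official-update check is my own assumption from Microsoft's bulletin, not something stated on this page, so verify it before relying on it.

```powershell
# Added example, not from the original post or the SANS FAQ: audit and toggle the
# "unregister shimgvw.dll" workaround described above on a Windows host.
# Assumptions: elevated PowerShell; regsvr32.exe and shimgvw.dll live in
# $env:windir\System32; the KB number below is assumed from Microsoft's bulletin
# for the official fix (not from the post) and must be verified there.

$ShimgvwPath = Join-Path $env:windir 'System32\shimgvw.dll'

function Get-ShimgvwRegistration {
    # Walk HKCR\CLSID and return every class whose InprocServer32 default value
    # points at shimgvw.dll. Scanning avoids hard-coding the viewer's CLSID; an
    # empty result means the DLL is not COM-registered (workaround applied).
    $hits = @()
    $clsids = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue
    foreach ($clsid in $clsids) {
        $inproc = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path -Path $inproc)) { continue }
        $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($server -and $server -match '(?i)shimgvw\.dll\s*$') {
            $hits += [pscustomobject]@{ CLSID = $clsid.PSChildName; Server = $server }
        }
    }
    return $hits
}

function Set-ShimgvwWorkaround {
    # $Enable = $true unregisters the DLL (the mitigation from the post);
    # $false re-registers it once the official update is installed.
    # /s suppresses regsvr32's confirmation dialog so this can run in a script.
    param([Parameter(Mandatory)][bool]$Enable)
    $argList = if ($Enable) { @('/u', '/s', $ShimgvwPath) } else { @('/s', $ShimgvwPath) }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return ($proc.ExitCode -eq 0)
}

function Test-OfficialWmfUpdate {
    # Assumed KB number for Microsoft's official fix; verify against the bulletin.
    param([string]$KbId = 'KB912919')
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# Report the current state so the operator can decide what to do, rather than
# blindly re-running the regsvr32 command from the post.
$registered = @(Get-ShimgvwRegistration)
if ($registered.Count -gt 0) {
    Write-Output "shimgvw.dll is registered under $($registered.Count) CLSID(s); workaround NOT applied."
    $registered | Format-Table -AutoSize
} else {
    Write-Output 'shimgvw.dll is not COM-registered; workaround is in place.'
}
if (Test-OfficialWmfUpdate) {
    Write-Output 'Official update present: revert with Set-ShimgvwWorkaround -Enable $false.'
} else {
    Write-Output 'Official update not found: apply with Set-ShimgvwWorkaround -Enable $true and keep it until the update is installed.'
}
```

Run the report first and only call Set-ShimgvwWorkaround -Enable $true on hosts that have not yet received the official update; unregistering shimgvw.dll also disables the Windows Picture and Fax Viewer and Explorer's image previews, which is why the post's January 6 update tells readers to stop using the manual workaround once the real patch is out, and why the script's reverse step exists.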