Full Version: How To Protect Yourself From The Windows Metafile Vulnerability
Grinler

How to protect yourself from the Windows Metafile Vulnerability



Note: Microsoft has released their WMF vulnerability update today, January 5th. Please make sure to read the instructions here.



Table of Contents
  1. What is the WMF Vulnerability
  2. Protection Methods
  3. How to tell if your computer is vulnerable
  4. Steps to take before installing the Microsoft Patch
  5. Downloads and MD5
  6. References
  7. WMF patch installation instructions
  8. WMF patch removal instructions
  9. Using shimgvw.bat to unregister shimgvw.dll
  10. Using shimgvw.bat to register shimgvw.dll
  11. Manual instructions for unregistering shimgvw.dll
  12. Manual instructions for registering shimgvw.dll




What is the WMF Vulnerability

A recent vulnerability has been found in the Windows MetaFile image type. A specifically crafted Windows MetaFile can be used to run code on your computer that will allow the exploiter to install programs or change settings on your computer. One known application that can be exploited is the Windows Picture and Fax Viewer (SHIMGVW.DLL) or other Windows applications that can handle Windows MetaFiles. If you visit a web site that contains one of these types of image files or open one of these image files, then your computer will be exploited as per the instructions in the MetaFile. As of now, there is no patch for this exploit, while there is a steadily increasing amount of sites that are using this exploit.


Protection Methods


There are currently two methods of reducing your chances of getting infected with this exploit. We recommend that you use both methods to add extra protection until an official Microsoft patch is released. Once the Microsoft patch is released you can uninstall

The first method is to install an unofficial patch created by Ilfak Guilfanov. This patch has been extensively tested and has been found to block the WMF exploit. It does this by patching the Escape() function in the gdi32.dll file so that it ignores the SETABORTPROC parameter that the exploit uses. This patch actually patches the vulnerable function, so that you do not need to disable any image viewer programs if that is your wish. Instructions for installing this patch can be found below.

The second method is to unregister the shimgvw.dll file so that Windows Picture and Fax Viewer does not open these files when you visit a web site that contains this type of image. To do that you need to unregister the DLL using the instructions below. I have created a simple script that will unregister or register this .DLL in the event that you do not feel comfortable running these commands on your own.

Once you unregister this DLL, the Windows Picture and Fax Viewer will no longer work. To enable it you will be able to run the script again to register the DLL so that the program works once again. I advise that you only do this when Microsoft releases the official patch. Please note, that unregistering the DLL does not fix the vulnerability. It only decreases your chance of getting exploited.

Steps to take before installing the Microsoft Update

Now that Microsoft has released their WMF vulnerability update there are some steps that need to be taken before you install it so that your computer is back to normal operation. The first step is to uninstall the unofficial hotfix. Instructions on how to do this can be found here:

HotFix uninstallation instructions

After that has been completed you should register the Shimgvw.dll file. Instructions on how to do this can be found here:

Register Shimgvw.dll with script

Register Shimgvw.dll manually

Once this has been completed, reboot your computer and visit http://www.windowsupdate.com and install the update.


How to tell if you're vulnerable


Not only has Ilfak Guilfanov released a patch for this vulnerability, but he has also released a tool to check to see if you are vulnerable. To check to see if your computer is vulnerable download the WMF Vulnerability Checker and run the program. When the program starts, simply press the OK button and it will tell you whether or not you are vulnerable.

The WMF Vulnerability Checker will check to see if the Escape() function ignores the SETABORTPROC parameter. If it does ignore this parameter, it will state that you are not vulnerable, otherwise it will state that you are. If you are vulnerable, then you need to install the patch described above. Please note, that only unregistering the shimgvw.dll will still show you as vulnerable with the checker. In order to be seen as not vulnerable, you need to install the patch.


Downloads


Both fixes are for use on Windows XP, 2000, and 2003. If you are using Windows ME, then you should follow the manual instructions given below. Windows 95 and 98 users do not have the shimgvw.dll file.


MD5

File                       MD5 Sum
Shimgvw.bat                96827b1ecf18066b11922260838f451a
wmffix_hexblog14.exe       15f0a36ea33f39c1bcf5a98e51d4f4f6
WMF Vulnerability Checker  ba65e1954070074ea634308f2bab0f6a



References


http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038
http://www.hexblog.com






Method 1 - Install the WMF Patch
  1. Download wmffix_hexblog14.exe and save it to your desktop.

  2. Double-click on the wmffix_hexblog14.exe icon found on your desktop.

  3. Press the Next button.

  4. Read the license agreement, and if you agree, select I accept the agreement, and press the Next button.

  5. Change the directory where you would like it installed, or if the default directory is fine, press the Next button.

  6. Now review that everything is how you would like it installed, and press the Install button.

  7. When it prompts if you would like to reboot, select Yes, restart the computer now and press the Finish button.

  8. Your computer will now be patched so that WMF files can't exploit your computer.


When the official Microsoft patch is released you can uninstall this program by doing the following:
  1. Click on the Start button.

  2. Click on the Control Panel link.

  3. Double-click on Add or Remove Programs.

  4. Click on the entry labeled Windows WMF Metafile Vulnerability HotFix to select it.

  5. Click on the Remove button.

  6. When it asks if you would like to remove the HotFix press the Yes button.

  7. Reboot the computer if it asks.

  8. The hotfix should now be removed from the computer.


Method 2 - Unregister shimgvw.dll

Unregister shimgvw.dll instructions (This will disable the use of Windows Picture and Fax Viewer and help protect you):
  1. Download shimgvw.zip and save it to your desktop.

  2. Extract shimgvw.zip to your desktop.

  3. You should now have the file shimgvw.bat on your desktop.

  4. Double-click on shimgvw.bat.

  5. At the menu press the number 1 to unregister the DLL. When the DLL is unregistered you will see a notification appear that states DllUnregisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

    If you get a message after you pick your choice that states that This MS-DOS program has terminated, you can simply press the OK button and then close the DOS window by clicking on the X.

  6. The script will close and you have now disabled the Windows Picture and Fax Viewer.


Register shimgvw.dll instructions (This will enable the use of Windows Picture and Fax Viewer once the Microsoft patch is released):
  1. Download shimgvw.zip and save it to your desktop.

  2. Extract shimgvw.zip to your desktop.

  3. You should now have the file shimgvw.bat on your desktop.

  4. Double-click on shimgvw.bat.

  5. At the menu press the number 2 to register the DLL. When the DLL is registered you will see a notification appear that states DllRegisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

    If you get a message after you pick your choice that states that This MS-DOS program has terminated, you can simply press the OK button and then close the DOS window by clicking on the X.

  6. The script will close and you have now enabled the Windows Picture and Fax Viewer.


To manually unregister the DLL you would do the following (This will disable the use of Windows Picture and Fax Viewer and help protect you):
  1. Click on the Start button and then the Run field.

  2. In the run field type %WinDir%\System32\regsvr32.exe -u shimgvw.dll and press the OK button. (In Windows ME, substitute System32 with System)

    When the DLL is unregistered you will see a notification appear that states DllUnregisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

  3. You have now disabled the Windows Picture and Fax Viewer.


To manually register the DLL you would do the following (This will enable the use of Windows Picture and Fax Viewer once the Microsoft patch is released):
  1. Click on the Start button and then the Run field.

  2. In the run field type %WinDir%\System32\regsvr32.exe shimgvw.dll and press the OK button. (In Windows ME, substitute System32 with System)

    When the DLL is registered you will see a notification appear that states DllRegisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

  3. You have now enabled the Windows Picture and Fax Viewer.


 

This is a self-help guide. Use at your own risk.


If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
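As an added example (not part of this guide and not code from Ilfak Guilfanov's patch or checker), the following Python scanner walks the record list of a WMF file and flags any META_ESCAPE record that requests SETABORTPROC, the escape sub-function the guide's patch makes Escape() ignore; a mail gateway or file scanner can apply the same check to quarantine such images before any viewer opens them. The record layout is standard WMF; the two sample files are constructed inline and are not real-world captures.

```python
import struct

# WMF record functions and the escape sub-code the guide's patch targets
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626          # record type that calls GDI Escape()
SETABORTPROC = 9              # Escape() sub-function the exploit relies on
PLACEABLE_KEY = 0x9AC6CDD7    # optional 22-byte "placeable" header magic
HEADER_LEN = 18               # standard WMF header is 9 words


def scan_wmf(data: bytes):
    """Return [(offset, escape_code)] for every META_ESCAPE record.
    Stops at META_EOF; raises on a record size that is impossible or overruns."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + HEADER_LEN or struct.unpack_from("<H", data, off + 2)[0] != 9:
        raise ValueError("not a WMF file (bad or truncated header)")
    off += HEADER_LEN
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError(f"malformed record at offset {off}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and size_words >= 4:
            hits.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        off = end
    return hits


def uses_setabortproc(data: bytes) -> bool:
    """True if any Escape() record in the file requests SETABORTPROC."""
    return any(code == SETABORTPROC for _, code in scan_wmf(data))


# --- constructed sample files (not real-world captures) -------------------
def _record(func, *params):
    body = struct.pack("<%dH" % len(params), *params)
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body


def build_wmf(records):
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    # Type=1 (disk), HeaderSize=9 words, Version 3.0, file size in words, 0 objects
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (HEADER_LEN + len(body)) // 2, 0, max_words, 0) + body


BENIGN = build_wmf([_record(META_SETMAPMODE, 8), _record(META_EOF)])
SUSPECT = build_wmf([_record(META_SETMAPMODE, 8), _record(META_ESCAPE, SETABORTPROC, 0), _record(META_EOF)])
```

Unregistering shimgvw.dll, as the guide notes, does not remove the vulnerable code path; a check like this one catches the file itself regardless of which application would have rendered it.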
boopme
Thanks Grin and especially for the script, as it makes life easier. Good man and good work!
Happy New Year to you all
Pete
Grinler
This prevention guide has been updated to also incorporate the use of an unofficial patch for this vulnerability and how to check if your computer is vulnerable.
Grinler
This guide has been updated to include local mirrored copies of the files.
Invision Power Board © 2001-2008 Invision Power Services, Inc.