BleepingComputer.com: Windows WMF 0-day Exploit

Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.

The security update will be available at 2:00 pm PT as MS06-001.

Published: 2006-01-05,
Last Updated: 2006-01-05 22:49:16 UTC by Marcus Sachs

Many of you already know this if you receive advance notification from Microsoft. For everybody else, see their announcement about an early release of the WMF patch. The patch and details about it are available here. If you have installed any of the earlier patches or workarounds, here is our recommendation for updating:

1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. Uninstall the unofficial patch, by using Add/Remove Programs on single systems. If you used msi to install the patch on multiple machines you can uninstall it with this:

msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn

5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):

regsvr32 %windir%\system32\shimgvw.dll

6. Reboot one more time just for good measure

We tested the patch, and it does block the attack just like the unofficial patch does.

If you experience any problems with the official patch, check support.microsoft.com and call the toll-free number listed for free assistance. Microsoft will not support the unofficial patch. As an alternative to the sequence shown above, you may want to uninstall the unofficial patch first. But make sure you keep shimgvw.dll unregistered until the official patch is applied. Either sequence works in our testing. Removing the unofficial patch later provides an extra layer of protection.

You can use our test image at http://sipr . net/test . wmf as a test to make sure you are not vulnerable. The test image will start the calculator if you are vulnerable.

I'd like to take this opportunity to thank all of our incident handlers for the endless hours of analysis over the past week. Also, many thanks to the hundreds of readers who sent in analysis and observations. Finally, thanks to the response team at Microsoft for issuing the patch today. We all appreciate the extra internal effort it took to do this out of cycle.

Marcus H. Sachs
Director, SANS Internet Storm Center