Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help and Spyware Removal Computer Help Forums Windows Startup Programs Database Virus, Spyware, and Malware Removal Guides Computer Tutorials Uninstall Database File Database Computer Glossary Computer Resources
 

Welcome Guest ( Log In | Click here to Register a free account now! )



Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

> How to use the self-help guides

This forum contains self-help guides on removing common malware and viruses. These guides can be advanced so please use them at your own risk.

If after following the self-help guide, or you can not find an appropriate guide, then you can receive step-by-step instructions directly from one of our experts by following the instructions in this topic: Preparation Guide For Use Before Posting A Hijackthis Log

 
Reply to this topicStart new topic
> How To Protect Yourself From The Windows Metafile Vulnerability
Grinler
post Dec 29 2005, 04:34 PM
Post #1


Bleep Bleep!
******

Group: Admin
Posts: 31,597
Joined: 24-January 04
From: USA
Member No.: 3

How to protect yourself from the Windows Metafile Vulnerability



Note: Microsoft has released their WMF vulnerability update today, January 5th. Please make sure to read the instructions here.



Table of Contents
  1. What is the WMF Vulnerability
  2. Protection Methods
  3. How to tell if your computer is vulnerable
  4. Steps to take before installing the Microsoft Patch
  5. Downloads and MD5
  6. References
  7. WMF patch installation instructions
  8. WMF patch removal instructions
  9. Using shimgvw.bat to unregister shimgvw.dll
  10. Using shimgvw.bat to register shimgvw.dll
  11. Manual instructions for unregistering shimgvw.dll
  12. Manual instructions for registering shimgvw.dll




What is the WMF Vulnerability

A recent vulnerability has been found in the Windows MetaFile image type. A specifically crafted Windows MetaFile can be used to run code on your computer that will allow the exploiter to install programs or change settings on your computer. One known application that can be exploited is the Windows Picture and Fax Viewer (SHIMGVW.DLL) or other Windows applications that can handle Windows MetaFiles. If you visit a web site that contains one of these types of image files or open one of these image files, then your computer will be exploited as per the instructions in the MetaFile. As of now, there is no patch for this exploit, while there is a steadily increasing amount of sites that are using this exploit.


Protection Methods

There are currently two methods of reducing your chances of getting infected with this exploit. We recommend that you use both methods to add extra protection until an official Microsoft patch is released. Once the Microsoft patch is released you can uninstall

The first method is to install an unofficial patch created by Ilfak Guilfanov. This patch has been extensively tested and has been found to block the WMF exploit. It does this by patching the Escape() function in the gdi32.dll file so that it ignores that SETABORTPROC parameter that the exploit uses. This patch actually patches the vulnerable function, so that you do not need to disable any image viewer programs if that is your wish. Instructions for installing this patch can be found below.

The second method is to unregister the shimgvw.dll file so that Windows Picture and Fax Viewer does not open these files when you visit a web site that contains this type of image. To do that you need to unregister the DLL using the instructions below. I have created a simple script that will unregister or register this .DLL in the event that you do not feel comfortable running these commands on your own.

Once you unregister this DLL, the Windows Picture and Fax Viewer will no longer work. To enable it you will be able to run the script again to register the DLL so that the program works once again. I advise that you only do this when Microsoft releases the official patch. Please note, that unregistering the DLL does not fix the vulnerability. It only decreases your chance of getting exploited.

Steps to take before installing the Microsoft Update

Now that Microsoft has released their WMF vulnerability update there are some steps that need to be taken before you install it so that your computer is back to normal operation. The first step is to uninstall the unofficial hotfix. Instructions on how to do this can be found here:

HotFix uninstallation instructions

After that has been completed you should register the Shimgvw.dll file. Instructions on how to do this can be found here:

Register Shimgvw.dll with script

Register Shimgvw.dll manually

Once this has been completed, reboot your computer and visit http://www.windowsupdate.com and install the update.


How to tell if your vulnerable

Not only has Ilfak Guilfanov released a patch for this vulnerability, but he has also released a tool to check to see if you are vulnerable. To check to see if your computer is vulnerable download the WMF Vulnerability Checker and run the program. When the program starts, simply press the OK button and it will will tell you whether or not you are vulnerable.

The WMF Vulnerability Checker will check to see if the Escape() function ignores the SETABORTPROC parameter. If it does ignore this parameter, it will state that you are not vulnerable, otherwise it will state that you are. If you are vulnerable, then you need to install the patch described above. Please note, that only unregistering the shimgvw.dll will still show you as vulnerable with the checker. In order to be seen as not vulnerable, you need to install the patch.


Downloads


Both fixes are for use on Windows XP, 2000, and 2003. If you are using Windows ME, then you should follow the manual instructions given below. Windows 95 and 98 users do not have the shimgvw.dll file.


MD5

File
MD5 Sum
Shimgvw.bat 96827b1ecf18066b11922260838f451a
wmffix_hexblog14.exe 15f0a36ea33f39c1bcf5a98e51d4f4f6
WMF Vulnerability Checker ba65e1954070074ea634308f2bab0f6a



References

http://www.microsoft.com/technet/security/advisory/912840.mspx
http://www.kb.cert.org/vuls/id/181038
http://www.hexblog.com



Method 1 - Install the WMF Patch
  1. Download wmffix_hexblog14.exe and save it to your desktop.

  2. Double-click on the wmffix_hexblog14.exe icon found on your desktop.

  3. Press the Next button.

  4. Read the license agreement, and if you agree, select I accept the agreement, and press the Next button.

  5. Change the directory where you would like it installed, or if the default directory is fine, press the Next button.

  6. Now review that everything is how you would like it installed, and press the Install button.

  7. When it prompts if you would like to reboot, select Yes, restart the computer now and press the Finish button.

  8. Your computer will now be patched so that WMF files cant exploit your computer.


When the official Microsoft patch is released you can uninstall this program by doing the following:
  1. Click on the Start button.

  2. Click on the Control Panel link.

  3. Double-click on Add or Remove Programs.

  4. Click on the entry labeled Windows WMF Metafile Vulnerability HotFix to select it.

  5. Click on the Remove button.

  6. When it asks if you would like to remove the HotFix press the Yes button.

  7. Reboot the computer if it asks.

  8. The hotfix should now be removed from the computer.


Method 2 - Unregister shimgvw.dll

Unregister shimgvw.dll instructions (This will disable the use of Windows Picture and Fax Viewer and help protect you):
  1. Download shimgvw.zip and save it to your desktop.

  2. Extract shimgvw.zip to your desktop.

  3. You should now have the file shimgvw.bat on your desktop.

  4. Double-click on shimgvw.bat.

  5. At the menu press the number 1 to unregister the DLL. When the DLL is unregistered you will see a notification appear that states DllUnregisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

    If you get a message after you pick your choice that states that This MS-DOS program has terminated, you can simply press the OK button and then close the DOS Windows by clicking on the X.

  6. The script will close and you have now disabled the Windows Picture and Fax Viewer.


Register shimgvw.dll instructions (This will enable the use of Windows Picture and Fax Viewer one the Microsoft patch is released):
  1. Download shimgvw.zip and save it to your desktop.

  2. Extract shimgvw.zip to your desktop.

  3. You should now have the file shimgvw.bat on your desktop.

  4. Double-click on shimgvw.bat.

  5. At the menu press the number 2 to unregister the DLL. When the DLL is unregistered you will see a notification appear that states DllRegisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

    If you get a message after you pick your choice that states that This MS-DOS program has terminated, you can simply press the OK button and then close the DOS Windows by clicking on the X.

  6. The script will close and you have now enabled the Windows Picture and Fax Viewer.


To manually unregister the DLL you would do the following (This will disable the use of Windows Picture and Fax Viewer and help protect you):
  1. Click on the Start button and then the Run field.

  2. In the run field type %WinDir%\System32\regsvr32.exe -u shimgvw.dll and press the OK button. (In Windows ME, substitute System32 with System)

    When the DLL is unregistered you will see a notification appear that states DllUnregisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

  3. You have now disabled the Windows Picture and Fax Viewer.


To manually register the DLL you would do the following (This will enable the use of Windows Picture and Fax Viewer one the Microsoft patch is released:
  1. Click on the Start button and then the Run field.

  2. In the run field type %WinDir%\System32\regsvr32.exe shimgvw.dll and press the OK button. (In Windows ME, substitute System32 with System)

    When the DLL is unregistered you will see a notification appear that states DllRegisterServer in C:\Windows\SystemFolder\shimgvw.dll succeeded.

  3. You have now enabled the Windows Picture and Fax Viewer.


 

This is a self-help guide. Use at your own risk.


If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

This post has been edited by Grinler: Jul 13 2006, 03:41 PM


--------------------
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Go to the top of the page
 
+Quote Post
boopme
post Dec 31 2005, 09:50 PM
Post #2


To INSANITY and BEYOND !!
******

Group: Moderator
Posts: 21,860
Joined: 10-September 04
From: NJ USA
Member No.: 2,608
Thanks Grin and especially for the script,as it makes life easier. Good man and good work!
Happy New Year to you all
Pete


--------------------
Can you spare some PC cycles to help FIND A CURE .. BC FOLDING TEAM Click me /info..
ThoughtVent a goodplace to discuss.<<>>>Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook
Go to the top of the page
 
+Quote Post
Grinler
post Jan 1 2006, 10:40 PM
Post #3


Bleep Bleep!
******

Group: Admin
Posts: 31,597
Joined: 24-January 04
From: USA
Member No.: 3
This prevention guide has been updated to also incoporate the use of an unofficial patch for this vulnerability and how to check if your computer is vulnerable.


--------------------
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Go to the top of the page
 
+Quote Post
Grinler
post Jan 4 2006, 10:48 AM
Post #4


Bleep Bleep!
******

Group: Admin
Posts: 31,597
Joined: 24-January 04
From: USA
Member No.: 3
This guide has been updated to include local mirrored copes of the files.


--------------------
Lawrence
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Go to the top of the page
 
+Quote Post
« Next Oldest · Spyware and Malware Removal Guides and Reading Room · Next Newest »
 

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version Time is now: 21st November 2009 - 01:29 AM


Advertise   |   About Us   |   Terms of Use   |   Privacy Policy   |   Contact Us   |   Site Map   |   Chat   |   Tutorials   |   Uninstall List
Discussion Forums   |   The Computer Glossary   |   Resources   |   RSS Feeds   |   Startups   |   The File Database   |   Virus Removal Guides

© 2003-2009 All Rights Reserved Bleeping Computer LLC.

Powered By IP.Board © 2009  IPS, Inc.