Archive for exploit

Wmf Vulnerability Checker

Not only has Ilfak Guilfanov released a patch for this vulnerability, he has also created a program that will tell you whether your computer is vulnerable. You can find information about this vulnerability checker here:

http://www.hexblog.com/2006/01/wmf_vulnera…ty_checker.html

For a concise guide on installing the patch, disabling Shimgvw.dll, and checking your system, you should read our WMF vulnerability guide here:

How to protect yourself from the Windows Metafile Vulnerability


Unofficial Wmf Vulnerability Patch Released

An unofficial patch for the WMF vulnerability has been released. This program patches the Escape() routine of GDI32.dll in memory so that it no longer accepts the SETABORT escape sequence that is being used to exploit this vulnerability.

You can get the patch here:

http://www.hexblog.com/security/files/wmffix_hexblog13.exe

This patch has been tested and works as advertised, and it is supported under Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003. Every Windows user should install this patch until Microsoft releases an official one.


Having Fun With Wmf Exploits

Well, the WMF exploit is definitely the hot topic right now. For the most part we are seeing only rogue sites (which tend to be .info or .biz sites) using WMF files to install fake antispyware apps and other spyware/adware. Today, though, there have been reports of an MSN Messenger worm in the Netherlands that uses this exploit. Be on the lookout for any MSN Messenger message telling you to visit a link to any image file.

Why do I say any? Because it’s possible to create a malformed WMF file that exploits your computer and simply change its extension to JPG or GIF. You think it’s a safe file, but in reality the OS reads the headers of the file, sees that it is really a WMF file, and exploits you all the same.
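The two posts above describe the problem from two angles: the SETABORT escape handled by the Escape() routine in GDI32.dll, and the fact that Windows identifies a WMF by its header rather than its extension. The detector below, added here as an example and not part of the original posts or of any BleepingComputer tool, applies the same two facts from the defender's side: it parses the WMF header and record list straight from the bytes, reports when a file named .jpg or .gif is really a metafile, and flags any Escape record that requests SETABORTPROC. Record layouts and constants follow the WMF file format; the sample files are constructed inline for the example and carry no payload.

```python
"""Content-based WMF detection: identify a Windows Metafile by its header,
whatever the file extension says, and flag Escape records that request
SETABORTPROC (escape function 9). Constants and layouts are from the WMF
format; the sample files at the bottom are constructed for this example."""
import struct
from dataclasses import dataclass, field

PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable-metafile key, on disk as D7 CD C6 9A
META_EOF      = 0x0000
META_ESCAPE   = 0x0626
SETABORTPROC  = 0x0009       # the escape function the January 2006 exploits request


@dataclass
class WmfReport:
    is_wmf: bool
    placeable: bool = False
    records: int = 0
    escapes: list = field(default_factory=list)   # escape function codes seen
    notes: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return SETABORTPROC in self.escapes


def inspect_wmf(data: bytes) -> WmfReport:
    """Parse header and record list from the bytes; the extension is never consulted."""
    off = 0
    placeable = len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY
    if placeable:
        off = 22                               # skip the 22-byte placeable header
    if len(data) < off + 18:
        return WmfReport(False)
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    # META_HEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words, Version 0x100/0x300
    if mtype not in (1, 2) or hsize != 9 or version not in (0x0100, 0x0300):
        return WmfReport(False)
    rep = WmfReport(True, placeable=placeable)
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)   # Size (words), Function
        if size_words < 3:                     # smaller than Size+Function is malformed
            rep.notes.append(f"malformed record size {size_words} at offset {pos}")
            break
        rep.records += 1
        if func == META_ESCAPE and pos + 8 <= len(data):
            rep.escapes.append(struct.unpack_from("<H", data, pos + 6)[0])  # EscapeFunction
        if func == META_EOF:
            break
        pos += size_words * 2
    else:
        rep.notes.append("no META_EOF record before end of data")
    return rep


def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """True when the name claims another type but the bytes are a metafile."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in ("wmf", "emf") and inspect_wmf(data).is_wmf


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a minimal disk WMF (optionally with placeable header) around records."""
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_rec = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_rec, 0)
    out = header + body
    if placeable:
        apm = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for word in struct.unpack("<10H", apm):   # checksum is the XOR of the first 10 words
            checksum ^= word
        out = apm + struct.pack("<H", checksum) + out
    return out


# Constructed samples: an ordinary metafile, and one carrying the flagged escape
# (no escape data) under a .jpg name, as the post describes.
REC_SETMAPMODE = struct.pack("<IHH", 4, 0x0103, 8)                      # MM_ANISOTROPIC
REC_EOF        = struct.pack("<IH", 3, META_EOF)
REC_ESC_ABORT  = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # ByteCount 0

BENIGN_WMF  = build_wmf([REC_SETMAPMODE, REC_EOF])
FLAGGED_JPG = build_wmf([REC_SETMAPMODE, REC_ESC_ABORT, REC_EOF], placeable=True)
REAL_JPG    = b"\xff\xd8\xff\xe0" + b"\0" * 40       # JPEG magic, constructed filler


def scan(samples: dict) -> dict:
    """Return {name: (really_wmf, disguised, suspicious)} for each sample."""
    out = {}
    for name, data in samples.items():
        r = inspect_wmf(data)
        out[name] = (r.is_wmf, is_disguised_wmf(name, data), r.suspicious)
    return out


if __name__ == "__main__":
    for name, verdict in scan({"chart.wmf": BENIGN_WMF, "photo.jpg": FLAGGED_JPG,
                               "real.jpg": REAL_JPG}).items():
        print(name, verdict)
```

Run against a download directory or a mail attachment quarantine, the `disguised` flag alone is the interesting signal, since a legitimate .jpg is never a metafile; the `suspicious` flag narrows that further to files that carry the escape the exploits depend on. Truncated or malformed files are reported in `notes` rather than raising, so a scanner loop over untrusted input does not stop on the first odd file.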

I spent a good chunk of yesterday, in between feeding the twins, playing around with various sites that have WMF exploits. I tested these sites with shimgvw.dll registered and unregistered. I also tested with Software DEP enabled, as I do not have the hardware necessary to use Hardware DEP.

What I found was:

Tests done while shimgvw.dll is registered

Visit a site that launches a WMF via an iframe or other method - The WMF file loads in the picture viewer; close the picture viewer and IE, and you are now infected or being infected.

Download the WMF and launch it - If you download the WMF and run it from a command prompt, it will infect you as well.

Open a folder that the WMF resides in - If you open the folder you get infected, as the OS tries to generate thumbnails and in doing so parses the WMF, which triggers the exploit.

Tests done while shimgvw.dll is unregistered

Visit a site that launches a WMF - Not infected; the image viewer did not open.

Download the WMF and launch it - Nothing happens

Open a folder that the WMF resides in - Nothing happens

3rd party software

Irfanview - Infects with or without shimgvw.dll being registered. Still need to test this with DEP.

When I tested with Software DEP on, my test computer was protected, but too many people have stated that they were still being infected. Because of this conflicting information, I still suggest that people unregister the DLL to help prevent getting infected by these files. It’s not a perfect solution, but it’s better than nothing.

Because unregistering/registering a DLL can be difficult for some people, I put together a script and a guide on how to unregister shimgvw.dll.

The guide on using the script and unregistering the DLL can be found here:

Windows Metafile Exploit Mitigation By Unregistering Shimgvw.dll

The script to unregister the DLL can be found here:

shimgvw.zip



© 2003-2008 All Rights Reserved Bleeping Computer LLC.