Windows WMF Vulnerability — Heads up!

January 2, 2006

Update — Microsoft has released an official patch; you can go here to read more details, including how to uninstall the unofficial patch and re-register the DLL the instructions below had you unregister.

There has been a lot of talk in the last week about the new WMF vulnerability in Windows. Unfortunately, if you’ve been living on a desert island — or just taking a little time away from the computer celebrating the holidays — chances are that you may not have heard of it.

In brief, there is a newly discovered and un-patched vulnerability (what is called a “zero day” vulnerability) in Windows that can allow a seemingly innocent image to execute code on your computer.

Let me put this in a bit more blunt terms — imagine loading a web page (even a perfectly innocuous-looking web page that you visit often) and an image — perhaps even a single-pixel white dot on a white background — causes your computer to load up lots of spyware, spawn ads all over the place, capture your information when you type in passwords or credit card information, send out spam without you knowing it, damage your data, and infect other computers in your local network.

Now imagine that you’re not imagining.


This flaw exists, and new exploits doing some or all of the above are multiplying like cockroaches on the ‘net. Other vulnerabilities in web servers, ad servers, etc. could cause you to get infected with this on web sites you would never expect (your bank, a favorite news site, etc.). You could also get infected from an instant message, an e-mail, etc.

This flaw affects Windows XP, Windows 2000 & 2003, and probably all other versions.

There is currently no patch from Microsoft.

Due to the many ways this infection can be (and is being) distributed, antivirus vendors are in a steep tail chase and have not been able to catch up with it so far. Ultimately, a patch from Microsoft will probably solve this, but there is none yet.

Experts are getting very concerned, and are afraid that when many people return to work tomorrow after being away from their machines for a week or more, all hell is going to break loose.

In short, this is an ugly one.

Who is vulnerable?

Anyone running Windows.

If you haven’t explicitly performed one or more of the stopgap steps shown below, you are at risk of being a victim.

Running Windows Update and having a good anti-virus and anti-spyware program is not enough to protect you at this time (although an anti-virus might help, it may not stop newly emerging variants).

If you are running Windows 95/98/ME — there isn’t even a stopgap, and there will probably never be a patch from Microsoft, as these are no longer supported versions. It’s time to upgrade.

What do I need to do?

The Internet Storm Center has a FAQ for this vulnerability with more information and steps you can take. You should go read it.

If you won’t do that, here are their core recommendations:

  1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
  2. You can unregister the related DLL.
    To unregister the DLL:

    • Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
    • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
  3. Virus checkers provide some protection.

Our current “best practice” recommendation is to both unregister the DLL and to use the unofficial patch.
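Both stopgaps above benefit from a verification step the post does not include. The following PowerShell is an added example (not from this post or from the ISC): it checks whether shimgvw.dll is still COM-registered and whether a downloaded copy of the unofficial patch matches the v1.3 MD5 quoted above. It assumes PowerShell 4 or later (for Get-FileHash) and that the caller supplies the path to the downloaded patch.

```powershell
# MD5 of the reviewed v1.3 unofficial patch, as quoted in the ISC recommendations above.
$ExpectedPatchMd5 = '14d8c937d97572deb9cb07297a87e62a'

function Get-ShimgvwRegistrations {
    # regsvr32 registers COM classes under HKCR\CLSID\{guid}\InprocServer32.
    # Any InprocServer32 whose default value still names shimgvw.dll means the
    # DLL is still registered. Searching by file name avoids hard-coding a CLSID.
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $srv) {
            $dll = (Get-Item -Path $srv).GetValue('')
            if ($dll -and $dll -match 'shimgvw\.dll$') {
                [pscustomobject]@{ Clsid = $_.PSChildName; Dll = $dll }
            }
        }
    }
}

function Test-ShimgvwUnregistered {
    # $true when no CLSID points at shimgvw.dll any more, i.e. step 2 took effect.
    # After Microsoft's official patch, this should go back to $false once the
    # DLL is re-registered, so the same check verifies the undo.
    return -not (Get-ShimgvwRegistrations)
}

function Test-UnofficialPatchHash {
    param([Parameter(Mandatory)][string]$Path)
    # Compare the downloaded installer against the published MD5 before running it.
    # A mismatch means a different version or a tampered/corrupt download.
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Path     = $Path
        Expected = $ExpectedPatchMd5
        Actual   = $actual
        Match    = ($actual -eq $ExpectedPatchMd5)
    }
}

# Usage (run from an elevated PowerShell):
#   Get-ShimgvwRegistrations       # lists CLSIDs still pointing at shimgvw.dll
#   Test-ShimgvwUnregistered       # $false until step 2 above has been done
#   Test-UnofficialPatchHash 'C:\path\to\unofficial-patch.exe'   # placeholder path
# The unregister command itself is the one from step 2:
#   regsvr32 -u "$env:windir\system32\shimgvw.dll"
```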

As always, you do this kind of thing at your own risk.

On the other hand, the risk of NOT doing these things appears very high right now — how good is your most recent backup?

