Windows WMF Vulnerability — Heads up!
January 2, 2006
Update — Microsoft has released an official patch; you can go here to read more details, including how to uninstall the unofficial patch and re-register the DLL the instructions below had you unregister.
There has been a lot of talk in the last week about the new WMF vulnerability in Windows. Unfortunately, if you’ve been living on a desert island — or just taking a little time away from the computer celebrating the holidays — chances are that you may not have heard of it.
In brief, there is a newly discovered and un-patched vulnerability (what is called a “zero day” vulnerability) in Windows that can allow a seemingly innocent image to execute code on your computer.
Let me put this in a bit more blunt terms — imagine loading a web page (even a perfectly innocuous-looking web page that you visit often) and an image — perhaps even a single-pixel white dot on a white background — causes your computer to load up lots of spyware, spawn ads all over the place, capture your information when you type in passwords or credit card information, send out spam without you knowing it, damage your data, and infect other computers in your local network.
Now imagine that you’re not imagining.
This flaw exists, and new exploits doing some or all of the above are multiplying like cockroaches on the ‘net. Other vulnerabilities in web servers, ad servers, etc. could cause you to get infected with this on web sites you never would expect to (your bank, a favorite news site, etc.). You could also get infected from an instant message, an e-mail, etc.
This flaw affects Windows XP, Windows 2000 & 2003, and probably all other versions.
There is currently no patch from Microsoft.
Due to the many ways this infection can be (and is being) distributed, antivirus vendors are in a steep tail chase and have not been able to catch up with it so far. Ultimately, a patch from Microsoft will probably solve this, but there is none yet.
Experts are getting very concerned, and are afraid that when many people return to work tomorrow after being away from their machines for a week or more, all hell is going to break loose.
In short, this is an ugly one.
Who is vulnerable?
Anyone running Windows.
If you haven’t explicitly performed one or more of the stopgap steps shown below, you are at risk of being a victim.
Running Windows Update and having a good anti-virus and anti-spyware program is not enough to protect you at this time (although an anti-virus might help, it may not stop newly emerging variants).
If you are running Windows 95/98/ME — there isn’t even a stopgap, and will probably not ever be a patch from Microsoft as these are no longer supported versions. It’s time to upgrade.
What do I need to do?
The Internet Storm Center has a FAQ for this vulnerability with more information and steps you can take. You should go read it.
If you won’t do that, here are their core recommendations:
- Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
- You can unregister the related DLL.
To unregister the DLL:
- Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
- A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
- Virus checkers provide some protection.
Our current “best practice” recommendation is to both unregister the DLL and to use the unofficial patch.
As always, you do this kind of thing at your own risk.
On the other hand, the risk of NOT doing these things appears very high right now — how good is your most recent backup?
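For readers who would rather script the two stopgaps than click through Start > Run, here is an added PowerShell helper; it is not from the original post, the ISC diary, or Ilfak Guilfanov’s patch. It unregisters shimgvw.dll silently (and can re-register it later, once the official patch is on), and it checks a downloaded copy of the unofficial patch against the MD5 quoted in the ISC recommendation before you run the installer. The download path and file name are assumptions, and Get-FileHash assumes PowerShell 4.0 or later.

```powershell
# Added example (not code from the original post, the ISC diary, or the patch author).
# Implements the two stopgaps described above and verifies the unofficial patch download.
# The patch file name/location below is an assumption; adjust it to wherever you saved it.

$ShimgvwDll = Join-Path $env:windir 'system32\shimgvw.dll'

function Set-ShimgvwRegistration {
    # Without -Register: unregisters the DLL (the stopgap).
    # With -Register: re-registers it after the official Microsoft patch is installed.
    param([switch]$Register)

    if (-not (Test-Path $ShimgvwDll)) {
        Write-Warning "Not found: $ShimgvwDll"
        return $false
    }

    $argList = @('/s')                 # /s = silent, no confirmation dialog box
    if (-not $Register) { $argList += '/u' }   # /u = unregister
    $argList += $ShimgvwDll

    # regsvr32 writes to HKLM, so this must run from an elevated (administrator) prompt.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    return ($proc.ExitCode -eq 0)
}

function Test-PatchHash {
    # Compares the downloaded file's MD5 with the value ISC published for v1.3 of the
    # unofficial patch. Only run the installer if this returns $true.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedMd5 = '14d8c937d97572deb9cb07297a87e62a'
    )
    if (-not (Test-Path $Path)) { return $false }
    $actual = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    return ($actual.ToLowerInvariant() -eq $ExpectedMd5.ToLowerInvariant())
}

# --- usage ---
if (Set-ShimgvwRegistration) {
    'shimgvw.dll unregistered'
} else {
    'unregister failed (are you running as administrator?)'
}

$patch = Join-Path $env:USERPROFILE 'Downloads\wmffix_unofficial.exe'   # assumed file name
if (Test-PatchHash -Path $patch) {
    'MD5 matches the published value; you can run the installer'
} else {
    'MD5 mismatch or file not found; do not run it'
}

# Later, after installing the official Microsoft patch and uninstalling the unofficial one:
# Set-ShimgvwRegistration -Register
```

The MD5 check only tells you the file is the same one ISC reviewed; it does not make the patch itself any safer, and the PGP signature mentioned in the recommendation is the stronger check if you have the ISC key. Run the script from an elevated prompt, since regsvr32 will silently fail to change the registration otherwise.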
Update — Microsoft has released an official patch; you can go here to read more details, including how to uninstall the unofficial patch and re-register the DLL the instructions above had you unregister.