Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Thursday, December 29, 2005

Zero-Day WMF Exploit

Just when you think threats to your personal computer can’t get much worse, another one pops up.
This one could be launched by simply viewing an image with the Windows Metafile file type (.WMF) because of a flaw in a file that comes with Windows XP and Windows Server 2003.  A previously discovered flaw in which malicious code could be introduced by viewing a (.JPG) image has been fixed and is available from Microsoft.  You would have thought Microsoft would have checked other image file types when they released a fix to the JPG exploit but I’m sure they were in a hurry.

At this point, there’s no patch available from Microsoft but I have a couple recommendations.

Change the default viewer for .WMF files. 

Open Explorer with (Win Key + E)
Go to the Tools menu and select Folder Options.
Click on the File Type tab.
Scroll down until you find “WMF Image”.
The default setting will be “Windows Picture and Fax Viewer”.
Change your “Opens with” to a non-Microsoft program.

Unfortunately, this won’t help if the .WMF exists in a web page you’re viewing but it can if the file arrives as an attached file in your Email.  If you’re really concerned you can take a more drastic steps.

Unregister shimgvw.dll

Click on the Start Button and select “Run”
Type in “regsvr32 /u shimgvw.dll” and click OK
This may seem like a drastic step and it will prevent thumbnails and some images from being displayed.
To restore the process, type “regsvr32 shimgvw.dll”  without the /u.
Once Microsoft provides a patch for the shimgvw.dll file you can re-register the file.

Nobody agrees yet on how serious this flaw is but as more of the bad guys take advantage of it the sooner we’ll need that patch from Microsoft.  Meanwhile, as always I recommend having WinPatrol monitoring your system. While WinPatrol won’t prevent the attack, it will alert you to any changes and allow you to remove the possible infections it tries to install.



Share on Facebook


Post a Comment

<< Home