Windows users should install an unofficial security patch now, without waiting for Microsoft to make its move, advised security researchers at The SANS Institute's Internet Storm Center (ISC).
Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an e-mail message entitled "happy new year," bearing a malicious attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense and F-Secure said Sunday. Even though the file is labelled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.
While some workarounds are being suggested on the Web, Dunham is validating only this one for disabling Windows Metafile handling: click the Start button on the taskbar, click Run, type "regsvr32 /u shimgvw.dll", and click OK when the confirmation dialog appears.
A Windows system may be compromised through several methods including:
Opening a specially crafted WMF file. Note that a malicious WMF file may masquerade as a JPEG or other type of image file.
Visiting a specially crafted web site.
Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software.
Viewing a folder that contains a malicious WMF file with Windows Explorer.
Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:
Execute arbitrary code
Cause a denial-of-service condition
Take complete control of a vulnerable system
Disable or reset the file association for Windows Metafiles
Disabling or remapping Windows Metafile files to open a program other than the default Windows Picture and Fax Viewer may prevent exploitation via some attack vectors. Microsoft has suggested taking the following steps to disable shimgvw.dll in Microsoft Security Advisory (912840):
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Systems Affected

Vendor                  Status       Date Updated
Google                  Vulnerable   30-Dec-2005
Lotus Software          Unknown      30-Dec-2005
Microsoft Corporation   Vulnerable   29-Dec-2005
Mozilla, Inc.           Unknown      28-Dec-2005
Dunham characterizes the threat as "significant," while Secunia rates it "extremely critical." Symantec labels it as a "level two" threat, on a scale in which "level four" is the most critical.
Secunia lists the vulnerable operating systems as Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Windows XP Home Edition, and Windows XP Professional.
Ilfak Guilfanov (see GREEN box below) produced a highly effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, Server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, Server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor on all of their systems.
Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x users.
Originally posted by 12m8keall2c
By "unregistering" the windowsmetafile file type (regsvr32 /u shimgvw.dll) you basically lose the "thumbnail" viewing of files. At least that's all I've noticed since doing so 3 - 4 days ago.
Security Focus Discussion
The thumbnail view in Windows Explorer will parse the graphics files in a folder, even if the file is never explicitly opened. This is enough to trigger the exploit.
Even more frightening is that you don't have to use the thumbnail view for a thumbnail to be generated. Under some circumstances, just single-clicking on the file will cause it to be parsed.
However, as SO has noted, simply unregistering the file type is not a complete fix. An actual WindowsMetaFile will be executed, regardless of extension/file-type, by several components within the Windows operating system.
Fix site: Ilfak Guilfanov
Technical details: this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll's Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows to display WMF files normally while still blocking the exploit.
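Two points in the thread matter for anyone scanning mail or file shares: Windows identifies a WMF by its content rather than its extension (the "HappyNewYear.jpg" attachment), and the dangerous ingredient is a META_ESCAPE record carrying SETABORTPROC (0x09), which Ilfak's hotfix blocks without breaking normal rendering. The scanner below, an added example written for this thread and not code from ATS, iDefense, Microsoft or Ilfak Guilfanov, walks the WMF record structure the same way a viewer would and flags any SETABORTPROC escape regardless of file name. It assumes the public WMF layout (optional 22-byte placeable header, 18-byte standard header, records of DWORD size-in-words plus WORD function); the sample files it builds are constructed test inputs, not captured malware.

```python
import struct

# WMF record functions and escape sub-function from the published format.
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103   # harmless record used to pad the constructed sample
SETABORTPROC = 0x0009      # the Escape() sub-function the hotfix rejects
PLACEABLE_MAGIC = 0x9AC6CDD7  # DWORD at offset 0 of a "placeable" (Aldus) WMF


def find_wmf_header(data):
    """Return the offset of the standard METAHEADER, or None if data is not a WMF.
    Identification is by content only; the file extension is never consulted."""
    off = 0
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable header
    if len(data) < off + 18:
        return None
    mtype, hdrsize, version = struct.unpack_from('<HHH', data, off)
    if mtype not in (1, 2) or hdrsize != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def scan_wmf(data):
    """Walk the record list. Returns None if not a WMF, otherwise a list of
    (record_offset, escape_byte_count) for every SETABORTPROC escape found."""
    hdr = find_wmf_header(data)
    if hdr is None:
        return None
    findings = []
    pos = hdr + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, pos)
        # A record is at least 3 words; a smaller size would loop forever.
        if func == META_EOF or size_words < 3:
            break
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func, esc_len = struct.unpack_from('<HH', data, pos + 6)
            if esc_func == SETABORTPROC:
                findings.append((pos, esc_len))
        pos += size_words * 2
    return findings


def _record(func, params=b''):
    """Pack one WMF record: DWORD size in words, WORD function, padded params."""
    if len(params) % 2:
        params += b'\x00'
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_sample_wmf(with_abortproc):
    """Constructed test input: a tiny standard WMF, optionally containing one
    SETABORTPROC escape record with four zero bytes of escape data."""
    records = [_record(META_SETMAPMODE, struct.pack('<H', 8))]
    if with_abortproc:
        escdata = b'\x00' * 4
        records.append(_record(META_ESCAPE,
                               struct.pack('<HH', SETABORTPROC, len(escdata)) + escdata))
    records.append(_record(META_EOF))
    body = b''.join(records)
    maxrec_words = max(len(r) // 2 for r in records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, maxrec_words, 0)
    return header + body


def wrap_placeable(wmf):
    """Constructed placeable header (magic, handle, bbox, dpi, reserved, checksum)
    prepended to a standard WMF, to show the scanner handles both layouts."""
    return struct.pack('<IHhhhhHIH', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + wmf


if __name__ == '__main__':
    # Constructed inputs: a JPEG-looking blob, a clean WMF, a WMF with the escape.
    for name, blob in [('fake.jpg (jpeg bytes)', b'\xff\xd8\xff\xe0' + b'\x00' * 20),
                       ('clean.wmf', build_sample_wmf(False)),
                       ('HappyNewYear.jpg (really WMF)', build_sample_wmf(True)),
                       ('placeable.wmf', wrap_placeable(build_sample_wmf(True)))]:
        print(name, '->', scan_wmf(blob))
```

A result of `None` means the bytes are not a metafile at all; an empty list is a WMF with no SETABORTPROC escape; anything else is the pattern the hotfix exists to block and is worth quarantining whatever the attachment is called. SETABORTPROC only has meaning while printing, so a metafile that arrives by e-mail or sits in a folder has no legitimate reason to carry it, which is also why suppressing it does not affect on-screen display.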