!!! – Windows WMF exploit – Updated on 03/01/2006 @ 20:32

Alright, you should pay attention to this one, according to F-Secure (link), there’s now an unpatched exploit for the WMF (I think it stands for Windows Meta File – but I’m not sure).  And this time, all you have to do is visit a website to get infected.  According to the F-Secure page (link), some of the sites include:
• Crackz . ws <— All you crack-heads out there, beware!
• unionseek . com
• http://www.tfcco . com
• Iframeurl . biz
• beehappyy . biz
Since the exploit targets a common component used by applications to view WMF – shimgvw.dll – this time, all you have to do to get pwned is to simply visit a site containing the malicious WMF…  So urm… I guess the usual advice of "don’t download any un-trusted files" doesn’t apply here – and this is exactly why you (including me…) should be very careful with this, until a patch or workaround is available.
Is it me or does this have a familiar ring to a previous exploit (I can’t remember exactly which one – but there was definitely one that sounds similar to this one…).

Update (29/12/2005 @ 09:05):
Microsoft have now posted a link on their website suggesting some possible workarounds (link).  They are:
• Enabling DEP (Data Execution Prevention) for ALL programs and services.
• Un-registering shimgvw.dll.

Update (30/12/2005 @ 17:05):
Ok, forget about what I said about enabling DEP.  According to ZDNet (link), enabling DEP (be it software / hardware) won’t protect you against this exploit.  The only real solution for now is to un-register shimgvw.dll.
You can do that by simply running the following command in cmd:
regsvr32 /u shimgvw.dll
To re-register it, use the following command:
regsvr32 shimgvw.dll
The downside to this is that the Windows Picture and Fax Viewer will not work after un-registering the dll.
(More information on this is available on the Microsoft website (link) ).
However, it is important to point out that you can still get exploited if you open the image – and by that I don’t mean only files with a .wmf extension – it can have any extension.  Though I’m not sure whether you can still be exploited if Google Desktop Search is installed and indexing WMF.
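The point above (a WMF file is still a WMF file whatever extension it carries) is the reason a defender should identify these files by content, not by name. The following scanner is an added example written for this page, not code from the original post: it recognises the standard and Aldus placeable WMF headers and lists files whose content is WMF but whose extension is not .wmf. The sample files it scans are constructed inline and are not real malicious files.

```python
import struct
import tempfile
from pathlib import Path

# Aldus "placeable" WMF header starts with key 0x9AC6CDD7 (little-endian on disk)
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key(4) + handle(2) + bbox(8) + inch(2) + reserved(4) + checksum(2)
META_HEADER_LEN = 18        # standard WMF header: 9 words

def looks_like_wmf(data: bytes) -> bool:
    """True if `data` begins with a WMF header, whatever the file is called."""
    if data.startswith(PLACEABLE_KEY):
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < META_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 (words);
    # Version is 0x0100 or 0x0300.
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def find_disguised_wmf(root: Path) -> list[str]:
    """Names of files under `root` whose content is WMF but whose extension is not .wmf."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() != ".wmf":
            with path.open("rb") as fh:
                head = fh.read(PLACEABLE_HEADER_LEN + META_HEADER_LEN)
            if looks_like_wmf(head):
                hits.append(path.name)
    return sorted(hits)

# Constructed sample inputs (not files from the wild): a minimal standard WMF header,
# the same header behind a placeable header, and a JPEG start-of-image marker.
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 6, 0) + b"\x00" * 6
SAMPLE_PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * (PLACEABLE_HEADER_LEN - 4) + SAMPLE_STANDARD_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20

def scan_samples() -> list[str]:
    """Write the samples under misleading names into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "holiday.jpg").write_bytes(SAMPLE_STANDARD_WMF)   # WMF disguised as JPEG
        (root / "funny.gif").write_bytes(SAMPLE_PLACEABLE_WMF)    # placeable WMF disguised as GIF
        (root / "real.jpg").write_bytes(SAMPLE_JPEG)              # genuine JPEG header
        (root / "clip.wmf").write_bytes(SAMPLE_STANDARD_WMF)      # honest extension, not flagged
        return find_disguised_wmf(root)

if __name__ == "__main__":
    print(scan_samples())
```

Pointing `find_disguised_wmf` at a downloads or mail-attachment folder gives the same check on real files; only the first 40 bytes of each file are read.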

Update (31/12/2005 @ 17:52):
Apparently, there’s now a temporary fix for the WMF exploit according to F-Secure (link).  So urm… for those of you who are weeping because Windows Picture and Fax Viewer is not working anymore (and other things, perhaps?), this might be one worth checking out.
As for me?  Well, I’ll wait for the official fix… whenever that will come out…
(Come-on Microsoft, get the patch out!)

Update (31/12/2005 @ 19:49):
Ok, great… now there’s officially a worm taking advantage of the WMF exploit (link) – to make matters worse, it propagates on MSN Messenger as a download link.  So urm… if someone sends you anything (and by that I mean, not just pictures, but anything!), DON’T DOWNLOAD THEM unless you are 110% sure that it is from a trusted source and it is legitimate – ask the person that is sending the file before accepting it!

Update (02/01/2006 @ 00:29):
Alright, people, remember what I said about the patch that provides a temporary fix for the exploit (posted on 31/12/2005 @ 17:52)?  Well, now that I’ve heard (link) the patch is safe to apply, I have applied it (and suggest you do too) to keep your system safe until MS decides to release a patch sometime next decade (link)…
You can get the patch here:

Update (03/01/2006 @ 20:32):
lol, don’t you just love Microsoft when it comes to security (sarcastically speaking, of course!).  I mean, they are now saying (link) the patch for the WMF exploit will be out on 10th January – yes, that’s right, the 10th!
I was wondering, did MS host a big Christmas / New Year party or something in which all their researchers were involved, got drunk, and are only starting to recover today or something!?
In the meantime, if you are worried, you can apply a temporary patch (please see my previous update for the link).
