dans.blog: WMF Hotfix for nasty Windows vulnerability

This isn't exactly breaking news, but there's a very nasty bug in Windows 2000, XP and 2003 that has just recently been revealed being called the "WMF vulnerability." The bug has to do with a vulnerable function in GDI32.DLL library that can allow a malicious hacker/web site to install a virus/spyware on your computer.

What makes this bug extremely dangerous is any program that views images (such as Internet Explorer, Firefox, etc) is vulnerable.

Microsoft is claiming that there will not be an "official" patch for this bug until next week. However, this thing is nasty enough that everyone running Windows 2000, XP or 2003 should take some kind of action now.

There are currently two workarounds for this bug. The official Microsoft stance is to unregister the shimgvw.dll. While this should protect you while surfing the web, it's doesn't prevent every application from being protected. This solution is better than nothing, but not as good as the next solution. To unregister the DLL, do the following:

Click on the "Start" button.
Click on the "Run" option.
Type: regsvr32 /u shimgvw.dll
Press [ENTER].

NOTE:
Unregistering this DLL will cause you to lose some functionality in Windows such as previewing thumbnails.

The solution I went with is to use a 3rd party application written by Ilfak Guilfanov. The application resides in memory to protect you from the WMF vulnerability and doesn't change any files in your operating system. Also, Windows should function as normal, with the exception being that anything that tries to take advantage of the vulnerability will have it's processed halted.

The nice thing about this, is when Microsoft does finally release a patch you can just uninstall the application.

The hotfix for the WMF vulnerability can be downloaded from any the following URLs:

The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

MSI repackages can be downloaded here:

http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5: a5108c0fa866101d79bb8006617641ee)
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

The WMF vulnerability checker can be downloaded from the following URLs:

The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

Ilfak has also put together a brief FAQ.

Categories: JavaScript, Potpourri, SQL, Technology, HTML/ColdFusion, Flex/Flash, Java, Source Code

1 Comments

Rick Osborne
Jan 4, 2006 @ 2:46 PM

For anyone who doubts that this is serious ... I was tooling around on the web yesterday, going through the usual blogs and news, when I saw an IFrame ad start to load then hang as my AVG antivirus caught it and quarantined it. I didn't think to check where the IFrame source was pointing to, as I was too stunned that (a) Adblock hadn't caught the IFrame to begin with, and (b) there really are exploits in the wild for this. I consider myself lucky for having some good AV-fu, but I pity those whose definitions are out of date or whose AV isn't thorough enough to catch it.

Comments for this entry have been disabled.