Tuesday, January 03, 2006

TOPIC: Users Urged to Protect Computers from WMF Exploits...
I don't normally include Windows-type posts on my blog, BUT this warning is vitally important to all Windows XP/2003 users.
"The threat posed by the flaw in Windows WMF files is increasing. Now hundreds of websites are using exploits for the flaw to install malicious software on people's Windows-based computers. What makes the WMF vulnerability particularly insidious is that it can infect computers when users merely visit sites or view a maliciously crafted image in the preview pane of older versions of Microsoft Outlook; machines can become infected without requiring the user to click on anything or open any files. Microsoft is investigating the issue and says it will issue a patch, but has not yet said when that patch will be available."
[Culled from SANS.org and edited by yours truly...]

Microsoft’s “Suggested Action” is:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1. Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Note: The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. The %windir% part refers to the directory in which Windows is installed (usually C:\WINDOWS or C:\WINNT).
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
Additional comments from the Sope-Bocks...
A.) Using an alternative browser like Opera or Firefox can offer some protection.
B.) One thing you can do *IF* you have a graphics editor (Paint Shop Pro, Photoshop, etc.) is change the way WMF files are handled. In WinXP, go to My Computer => Tools => Folder Options => File Types. Choose WMF and then click Change to choose another program for that file type. I chose psp.exe, which is the EXE for Paint Shop Pro. OK the decision and close out of My Computer. This workaround either opens WMF files in the program you chose or makes them fail to open at all, which is another way of not being exploited.
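As an added example (not from this post, SANS, or Microsoft's advisory), here is a PowerShell check that reports whether the two workarounds above are actually in place: it scans HKCR\CLSID for any InprocServer32 entry still pointing at shimgvw.dll, and shows which command currently opens .wmf files. It assumes PowerShell is installed on the XP/2003 machine and is run from an administrative session; the "wmffile"/rundll32 details are what the Picture and Fax Viewer normally uses and are not quoted from the post.

```powershell
# Verify the WMF workarounds on Windows XP / Server 2003 (added example; run as Administrator).
$dll = "$env:windir\system32\shimgvw.dll"

# 1. Is shimgvw.dll still registered as a COM in-process server?
#    regsvr32 -u removes its CLSID\InprocServer32 entries, so any hit means the
#    un-registration workaround is not applied (or was undone by re-registering).
$clsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$stillRegistered = Get-ChildItem $clsidRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $srvKey = "$($_.PSPath)\InprocServer32"
        if (Test-Path $srvKey) {
            $path = (Get-ItemProperty $srvKey -ErrorAction SilentlyContinue).'(default)'
            if ($path -and ($path -match 'shimgvw\.dll')) { $_.PSChildName }
        }
    }

if ($stillRegistered) {
    Write-Host "shimgvw.dll is still registered under CLSID(s): $($stillRegistered -join ', ')"
    Write-Host "Apply the workaround with:  regsvr32 -u $dll   (then restart)"
} else {
    Write-Host "shimgvw.dll is not registered; the Picture and Fax Viewer workaround is in place."
}

# 2. Which program is associated with .wmf files?
#    HKCR\.wmf's default value names a ProgID (normally "wmffile"); that ProgID's
#    shell\open\command is what actually runs when a .wmf file is opened.
$progId = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.wmf' -ErrorAction SilentlyContinue).'(default)'
if ($progId) {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmd = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
    Write-Host ".wmf ProgID:       $progId"
    Write-Host ".wmf open command: $cmd"
    # The Picture and Fax Viewer is launched via rundll32 loading shimgvw.dll.
    if ($cmd -match 'shimgvw\.dll') {
        Write-Host "WMF files still open through the Windows Picture and Fax Viewer."
    } else {
        Write-Host "WMF files are handed to another program (file-type workaround is in place)."
    }
} else {
    Write-Host "No .wmf file type is registered; WMF files will not open automatically."
}
```

Neither check proves the machine is patched; they only confirm the interim workarounds described in the post are applied until Microsoft's fix is installed.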