Microsoft Security Advisory (912840): Vulnerability in Graphics
Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx
Welcome to the Microsoft Security Response Center Blog!
New Security Advisory for Possible Windows Vulnerability
http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
--
~PA Bear
Digg.com has an article on this, few of the posters have been bit by
this one.
http://digg.com/technology/New_exploit_blows_by_fully_patched_Windows_XP_systems
Shorter link http://tinyurl.com/cb3x9
I'm not vulnerable to this one <VBG> One of the first things I do
after a XP installation is disable the "Windows Picture and Fax
Viewer"
http://www.annoyances.org/exec/show/article03-201
--
Puzzle break.
http://219.101.39.52/~nanahiro/main.html
http://geekswithblogs.net/lorint
Tom
"Lorin Thwaits" <Lorin Thw...@discussions.microsoft.com> wrote in message
news:0D495E47-39D5-44B9...@microsoft.com...
Aaaahhh, I wonder if all those recent SpyTrooper, SpyAxe and Winfixer
outbreaks are using this method to get in? Would explain a lot.
Stephen
http://geekswithblogs.net/lorint
Is it? I don't see any workaround on
http://www.microsoft.com/technet/security/advisory/912840.mspx
SH
Tom
"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
news:%23PDxfWI...@tk2msftngp13.phx.gbl...
Tom
"Lorin Thwaits" <Lorin Thw...@discussions.microsoft.com> wrote in message
news:98B0BB9C-AAFB-4DD5...@microsoft.com...
Don't be too sure - the way I read it, this flaw affects any program that uses
the usual libraries to display WMF files.
Windows Picture and Fax Viewer is only the one that comes up by default if
you've installed no other image viewer, and you double-click on an image file.
If you have any program that displays WMF files, you are probably vulnerable.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | al...@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
No it is not. Those, in the strictest sense, do not prevent you getting
inadvertently infected. None of them do. A "workaround" would prevent you
getting infected. That is the normal meaning of the word "workaround".
Here is a workaround:
Run
regsvr32 /u shimgvw.dll
Stephen Howe
Microsoft has tested the following workaround. While this workaround will
not correct the underlying vulnerability, it will help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows
XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
Windows Server 2003 Service Pack 1
From the MS Advisory:
To un-register Shimgvw.dll, follow these steps:
1.
Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll" (without the quotation marks), and then click
OK.
2.
A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be
started when users click on a link to an image type that is associated with
the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll”
(without the quotation marks).
Tom
"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
news:umNfEnID...@TK2MSFTNGP09.phx.gbl...
Click on the plus sign beside Suggested Actions, then click on the plus sign
beside Workarounds. It is there.
Kerry
The advice to unregister shimgvw.dll is indeed in the originally-posted MS
article. However, in true MS fashion, it is hidden several layers deep. You
have to click on the + to expand "Suggested Actions," then click on the +
next to "Workarounds" and finally, click on the + next to "Un-register the
Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1;
Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1"
--
p
As an addendum. This exploit is being used right now. I just received a
customer's computer that was infected with Spy Sherriff by this method. The
exploit was in a spam email. Turn off the preview pane in OE (always a good
idea) and turn off the Windows picture and fax viewer until Microsoft has a
fix.
Kerry
Yeah, you're right. Sorry. I missed all those levels of +'s
Stephen Howe
There is in fact anecdotal evidence to suggest that this might indeed be the
case.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org
> As an addendum. This exploit is being used right now. I just received a
> customer's computer that was infected with Spy Sherriff by this method.
> The exploit was in a spam email. Turn off the preview pane in OE (always
> a good idea) and turn off the Windows picture and fax viewer until
> Microsoft has a fix.
Preview Pane should be OK if...
OE: Tools > Options > Read > Read all messages in Plain Text (check)
OE: Tools>Options>Security>Download images... (check)
See
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx
I received a sample. The following is a report.
Note that Microsoft's AV solution (is it really one?) doesn't recognize this as a threat.
AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
If this is a buffer overflow exploit, why then isn't DEP in XP SP2
shutting down the malicious code before it can run?
I would think that an image file would be marked as "data" in memory,
not as an executable image, although WMF might be different than say a
jpg or bmp, does anyone know for sure?
I keep my DEP setting on "Turn on DEP for all programs and services
except those I select"
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
"Microsoft Windows XP Service Pack 2 (SP2) helps protect your computer
against the insertion of malicious code into areas of computer memory
reserved for non-executable code by implementing a set of hardware and
software-enforced technologies called Data Execution Prevention (DEP).
Hardware-enforced DEP is a feature of certain processors that prevents
the execution of code in memory regions that are marked as data
storage. This feature is also known as No-Execute and Execution
Protection. Windows XP SP2 also includes software-enforced DEP that is
designed to reduce exploits of exception handling mechanisms in
Windows.
Unlike an antivirus program, hardware and software-enforced DEP
technologies are not designed to prevent harmful programs from being
installed on your computer. Instead, they monitor your installed
programs to help determine if they are using system memory safely. To
monitor your programs, hardware-enforced DEP tracks memory locations
declared as "non-executable". To help prevent malicious code, when
memory is declared "non-executable" and a program tries to execute code
from the memory, Windows will close that program. This occurs whether
the code is malicious or not."
Tom
"PA Bear" <PABe...@gmail.com> wrote in message
news:ePRDdkLD...@TK2MSFTNGP15.phx.gbl...
It certainly is. I watched it in action. One inadvertent web site visit, a
popup box where I observed "WMF" in title and it closed in 1/2 second, and
yup, mscornet.exe and a tmp file in the windows system32 directory. 1 second
later, ZoneAlarm kicked in asking whether I should allow an unknown program
to send packets over the Internet (denied).
Time to reboot in Safe mode and disinfect and kick in with that temp fix.
I have been here before.
Stephen Howe
McAfee VirusScan 8.0i and Entercept Buffer Overflow protection also stop
this threat.
"Tom [Pepper] Willett" <tomp...@mvps.invalid> wrote in message
news:%235p9FAN...@TK2MSFTNGP09.phx.gbl...
> > Here is a workaround:
> >
> > Run
> > regsvr32 /u shimgvw.dll
> >
> > Stephen Howe
>
> The advice to unregister shimgvw.dll is indeed in the originally-posted MS
> article. However, in true MS fashion, it is hidden several layers deep. You
> have to click on the + to expand "Suggested Actions," then click on the +
> next to "Workarounds"
I have to agree. I read those security articles religiously, and I missed
the workaround as well. Apparently I'm far from the only one that missed
this. This could be done better.
The FAQ section of
http://www.microsoft.com/technet/security/advisory/912840.mspx has been
updated.
Fully expand Suggested Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".
Additional Resources:
Protect Your PC
http://www.microsoft.com/athome/security/protect/
Microsoft Security Home Page
http://www.microsoft.com/security/default.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org
It is evident that the malware writers have known about this exploit for
some time.
Stephen Howe
Here is a good article about this.
http://www.updatexp.com/wmf-exploit.html
I guess I should get off my behind and install SP2
--
Mike Pawlak
What about Windows 2000 Professional SP4?
Running that at work and that has
07/12/1999 12:00 52,496 shimgvw.dll
Is the workaround useless for Windows 2000?
According to here
http://www.updatexp.com/wmf-exploit.html
ME & 2000 are vulnerable
Cheers
Stephen Howe
As of today, Microsoft now recognizes this.
Microsoft ?? 12.30.2005 Exploit:Win32/Wmfap
Additionally
VBA32 3.10.5 12.30.2005 Trojan-Downloader.Win32.Agent.acd
Interesting. Where'd you get this list?
Notan
Would this be equal to (or even better than) unregistering the fax/picture
viewer DLL?
I assume it would result in the user being prompted to specify a program to
open the file.
Thanks.
====
Mike
Probably from submitting a sample at
http://www.virustotal.com/flash/index_en.html
Stephen Howe
From what I understand this vulnerability can occur with the extension JPGs,
JPEGs, PNGs, GIFs, TIFFs
so, no, the original suggestion is no good.
Good thought.
Stephen Howe
If that's the case, then the recommended action from CERT of blocking access
to windows metafiles at the network perimeter is just as useless.
CERT: www.kb.cert.org/vuls/id/181038
====
Mike
Duh!
How to configure and use Automatic Updates in Windows XP:
http://support.microsoft.com/?kbid=306525
Top 10 Reasons to Install Windows XP Service Pack 2 (SP2)
http://www.microsoft.com/windowsxp/sp2/topten.mspx
Installing WinXP SP2
http://support.microsoft.com/default.aspx?scid=fh;ln;xpsp2getinstall
What to Know Before Downloading/Installing SP2
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org
<QP>
This advisory discusses the following software.
Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
</QP>
Source: http://www.microsoft.com/technet/security/advisory/912840.mspx
--
~PA Bear
Not removing it, but changing it to Notepad, is one of the suggestions made
here:
http://sunbeltblog.blogspot.com/2005/12/workaround-for-wmf-exploit.html
--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
|
| Probably from submitting a sample at
| http://www.virustotal.com/flash/index_en.html
|
| Stephen Howe
|
Yes and running Trend Sysclean and using the MS AV
web site;
http://safety.live.com/site/en-US/default.htm
> What about Windows 2000 Professional SP4?
> Running that at work and that has
> 07/12/1999 12:00 52,496 shimgvw.dll
> Is the workaround useless for Windows 2000?
So it would appear, since the article specifically states, "Un-register
the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service
Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server
2003 Service Pack 1." No mention of Windows 2000 or ME.
> According to here
> http://www.updatexp.com/wmf-exploit.html
> ME & 2000 are vulnerable
--
Gary L. Smith
Columbus, Ohio
In Windows XP, this program has been replaced by "Windows Picture and Fax
Viewer."
"Gary Smith" <bitb...@example.com> wrote in message
news:%23yEBcjZ...@TK2MSFTNGP14.phx.gbl...
| In some older versions of Windows (Windows 2000 and Windows ME) there was a
| little-known program called "Imaging" that was really a third-party program
| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
| and .PCX. This program could be installed from the Control Panel, Add
| Windows Components under Accessories, and was very handy for viewing scanned
| FAX documents.
|
| In Windows XP, this program has been replaced by "Windows Picture and Fax
| Viewer."
shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :-)
Tom
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eIU1pvZD...@TK2MSFTNGP10.phx.gbl...
--
| So are you saying that it's a different module with the same name, or the
| same module with different functions, or what? Your posts are related to
| the topic but don't appear to address it in any obvious way.
|
If your PC has shimgvw.dll registered with the MS GDI graphic renderer then your PC is
vulnerable.
That's it.
Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.
Bill
> | So are you saying that it's a different module with the same name, or the
> | same module with different functions, or what? Your posts are related to
> | the topic but don't appear to address it in any obvious way.
> |
> If your PC has shimgvw.dll registered with the MS GDI graphic renderer then your PC is
> vulnerable.
> That's it.
> Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.
Okay, I un-registered it. I don't have any real way of knowing whether
that makes me more secure, but I suspect that I'm not using it anyway.
Was just looking at the option of putting this into the logon script,
however I notice that it also breaks quite a bit of the Explorer
functionality in relation to other types of images, and it's the kind of
functionality that is heavily relied-on by the less computer-literate users.
This point might need to be carefully evaluated before rolling-out, to avoid
disruption.
> That might work in some cases, but if an infected WMF file was
> renamed as JPG, the file would go into the graphics renderer and
> there it would try to open as JPG, fail, then figure out it was a WMF
> file by the header info in the file, and run the WMF rendering code.
> Blammo.
Yes, that's pointed out on the page I cited below. As the page says "it's a
pretty weak workaround."
--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup
The Advisory as updated on 30 Dec-05 now states that Software DEP does *not*
block the exploit.
http://www.microsoft.com/technet/security/advisory/912840.mspx
<QP>
I have DEP enabled on my system, does this help mitigate the
vulnerability?
Software based DEP does not mitigate the vulnerability. However,
Hardware based DEP may work when enabled: please consult with your
hardware manufacturer for more information on how to enable this and
whether it can provide mitigation.
</QP>
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org
PA Bear wrote:
> In fact, there are various recent posts elsewhere stating that DEP blocked
> the exploit. YMMV.
>That might work in some cases, but if an infected WMF file was renamed as
>JPG, the file would go into the graphics renderer and there it would try to
>open as JPG, fail, then figure out it was a WMF file by the header info in
>the file, and run the WMF rendering code. Blammo.
A generic reason to KILL file interpretation based on hidden internal
information. The risks go beyond this particular WMF mess.
>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
Computerworld, SANS & F-Secure have written about it - not in that order
<g>. SANS states that they have vetted the code and provides links to it.
http://www.hexblog.com/2005/12/wmf_vuln.html
http://isc.sans.org/
http://www.f-secure.com/weblog/
====
Mike
~greg
"cquirke (MVP Windows shell/user)" <cquir...@nospam.mvps.org> wrote in message news:54kgr1hih7vq5t4qp...@4ax.com...
--
Terry, West Sussex, UK
Tom
"Terry Pinnell" <terrypi...@THESEdial.pipex.com> wrote in message
news:doqir1hq5nskt8tfd...@4ax.com...
Read carefully! Use of both the patch and the tester (before and after
installing the patch) is Highly Recommended until MS comes out with a
permanent fix.
--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/
"Mike U" <Mi...@discussions.microsoft.com> wrote in message
news:1F6C084C-EE51-4F56...@microsoft.com
Of course. That is a natural consequence.
What did you expect - unregistering a DLL would have _NO_ downside?
It is temporary - while we are all waiting for Microsoft to issue a patch
which should be any day now.
Stephen Howe
You are better off downloading Ilfak Guilfanov's patch which is 100%
effective after reboot (you can uninstall it in the normal manner from
Control Panel when the official patch turns up).
See here
http://www.hexblog.com/security/files/wmffix_hexblog13.exe
and see information here:
http://www.grc.com/sn/notes-020.htm
Best of all, once the patch is installed, you can re-register shimgvw.dll
Stephen Howe
Tom
"Stephen Howe" <sjhoweATdialDOTpipexDOTcom> wrote in message
news:O8fGox$DGHA...@TK2MSFTNGP15.phx.gbl...
>> One downside of using regsvr32 /u shimgvw.dll here seems to be that it
>> seems to prevent my viewing photos (JPGs) in Thumbnail mode. I have
>> re-instated it with
>> Run | regsvr32 shimgvw.dll and immediately got thumbnails back. Anyone
>> else able to confirm this please?
>
>You are better off downloading Ilfak Guilfanov's patch which is 100%
>effective after reboot (you can uninstall it in the normal manner from
>Control Panel when the official patch turns up).
I'd done that too.
>See here
>http://www.hexblog.com/security/files/wmffix_hexblog13.exe
>
>and see information here:
>http://www.grc.com/sn/notes-020.htm
>
>Best of all, once the patch is installed, you can re-register shimgvw.dll
That's what I did anyway (largely because I can't manage without
thumbnails). But it's unclear to me whether you are correct on this
point. In his follow-up, Tom appears to be recommending *both* steps
are necessary.
It installs a small dll "wmfhotfix.dll" in C:\WINDOWS\system32, which does
the work of maintaining the patched version of gdi32.dll in memory, and is
loaded via the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs
More details here
http://www.grc.com/groups/securitynow:423
Jon
"Jim Byrd" <jrb...@spamlessadelphia.net> wrote in message
news:e3GlqT9D...@TK2MSFTNGP14.phx.gbl...
>That's how it works, Terry.
It's also risk-significant, if the process of building or showing
thumbnails triggers the exploit, remembering that the OS is likely to
process WMF content within a ".JPG" file as WMF.
So I'd forego that functionality in the interests of risk management.
Having read what Tom read, I change my mind. Best keep both steps.
Stephen Howe
http://www.microsoft.com/technet/security/advisory/912840.mspx
From the updated site......
Microsoft has completed development of the security update for the
vulnerability. The security update is now being localized and tested to
ensure quality and application compatibility. Microsoft’s goal is to release
the update on Tuesday, January 10, 2006, as part of its monthly release of
security bulletins. This release is predicated on successful completion of
quality testing.
The update will be released worldwide simultaneously in 23 languages for all
affected versions of Windows once it passes a series of rigorous testing
procedures. It will be available on Microsoft’s Download Center, as well as
through Microsoft Update and Windows Update. Customers who use Windows’
Automatic Updates feature will be delivered the fix automatically.
Jon
"Jon" <Email_...@SomewhereOrOther.com> wrote in message
news:eK2CPCEE...@tk2msftngp13.phx.gbl...
MS should hire people who come up with exploits like this to work for
them...
--
Bob
http://www.kanyak.com
That used to be the "going wisdom" during the 80's and 90's,...then they
discovered that this was how companies end up with a workforce of "shady"
employees that they cannot trust.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
| "Opinicus" <gez...@spamcop.net> wrote in message
| news:11rljbj...@news.supernews.com...
>> MS should hire people who come up with exploits like this to work for
>> them...
|
| That used to be the "going wisdom" during the 80's and 90's,...then they
| discovered that this was how companies end up with a workforce of "shady"
| employees that they cannot trust.
|
Sounds like the CIA Today ! :-)
Actually that's how Bill Gates got his start according to at least one
biography.
http://ei.cs.vt.edu/~history/Gates.Mirick.html
Kerry
>
> You are better off downloading Ilfak Guilfanov's patch which is 100%
> effective after reboot (you can uninstall it in the normal manner from
> Control Panel when the official patch turns up).
>
> See here
> http://www.hexblog.com/security/files/wmffix_hexblog13.exe
>
> and see information here:
> http://www.grc.com/sn/notes-020.htm
>
> Best of all, once the patch is installed, you can re-register shimgvw.dll
>
> Stephen Howe
>
>
The hexblog site was never intended for so much traffic, and has been
overwhelmed and suspended. These are the big-name mirrors I've seen so far:
http://castlecops.com/a6436-Newest_WMF_Exploit_Patch_Saves_the_Day.html
(http://castlecops.com/t143213-Hexblog_WMF_FAQ.html)
http://www.grc.com/sn/notes-020.htm
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
(this is a direct link to the executable - there's nothing on his index
page)
http://sunbeltblog.blogspot.com/2006/01/alternate-download-for-unofficial.html
--
~ Rosanne
Don’t save my sneakemail address – when it gets spammed, it gets changed.
Not necessarily. The reason that removing wmf won't work, is because
Windows looks at the header information inside of the file--not the file
type. You would probably have to block all image files, or set up
traffic blocks based on the snort signatures from Bleeding Edge Snort.
(You can get these by checking http://isc.sans.org and going through
their daily diaries).
--
Patrick Dickey <pd1c...@removethis.msn.com>
http://www.pats-computer-solutions.com
Smile.. someone out there cares deeply for you.
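
Several posts in this thread make the point that Windows chooses the renderer from the header inside the file, not from the extension, so a filter has to look at content as well. As an added example (not code from any poster, Microsoft, or the tools mentioned here), this Python check reads the standard WMF header fields and flags metafile content under any extension; the function names and the sample bytes are constructed for illustration.

```python
import os
import struct
from pathlib import PurePath

PLACEABLE_MAGIC = 0x9AC6CDD7             # optional 22-byte "placeable" pre-header
PLACEABLE = struct.Struct("<IHhhhhHIH")  # key, handle, bounding box, units/inch, reserved, checksum
META_HEADER = struct.Struct("<HHHIHIH")  # 18-byte standard WMF header


def looks_like_wmf(data: bytes) -> bool:
    """True if `data` begins with a plausible WMF header, with or without
    the placeable pre-header. Only type, header length and version are
    checked: the size fields are ignored because a crafted file can lie."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        offset = PLACEABLE.size
    if len(data) < offset + META_HEADER.size:
        return False                      # too short to hold a metafile header
    file_type, header_words, version = struct.unpack_from("<HHH", data, offset)
    return (file_type in (1, 2)           # 1 = memory metafile, 2 = disk metafile
            and header_words == 9         # header length in 16-bit words
            and version in (0x0100, 0x0300))


def scan(files):
    """files: iterable of (name, leading_bytes). Returns one finding per file
    whose content is WMF; 'disguised' marks a non-.wmf extension."""
    findings = []
    for name, data in files:
        if looks_like_wmf(data):
            ext = PurePath(name).suffix.lower()
            findings.append({"name": name, "extension": ext,
                             "disguised": ext != ".wmf"})
    return findings


def scan_tree(root):
    """Walk a directory (e.g. a mail-attachment or download folder) and
    apply scan() to the first 64 bytes of every readable file."""
    heads = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    heads.append((path, fh.read(64)))
            except OSError:
                continue                  # unreadable file: skip, do not abort the scan
    return scan(heads)


def constructed_wmf(placeable=False):
    """Constructed sample: an empty metafile (header plus end-of-file record)."""
    body = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if placeable:
        # Checksum left as 0; this example does not validate it.
        body = PLACEABLE.pack(PLACEABLE_MAGIC, 0, 0, 0, 1000, 1000, 1440, 0, 0) + body
    return body


# Constructed sample inputs, not real attachments.
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
CONSTRUCTED_FILES = [
    ("drawing.wmf", constructed_wmf()),
    ("holiday.jpg", constructed_wmf(placeable=True)),  # WMF content, JPG name
    ("real.jpg", CONSTRUCTED_JPEG),
    ("short.gif", b"\x01\x00"),                        # truncated file
]

if __name__ == "__main__":
    for finding in scan(CONSTRUCTED_FILES):
        print(finding)
```

A hit with `disguised` set is the case the extension-based workarounds discussed above miss.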
Microsoft should repair the holes quicker. That's just my personal
opinion, based on a PC World article that I read. The "Gentleman's
Agreement" between security researchers and vendors is 60 days.
Microsoft takes anywhere from 10 days to 6 months, if not longer.
Makes you wonder why the last two exploits were "0-Day" exploits. I
would venture that people are getting pissed that Microsoft isn't
following the agreement, so they are forcing Microsoft to.
Again, it's my personal opinion based on an article that I read. I
could be wrong, and probably am.
GRRrr
"Trax" wrote:
> "PA Bear" <PABe...@gmail.com> wrote:
>
> |>X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
> |>Followup set to microsoft.public.security.
> |>
> |>Microsoft Security Advisory (912840): Vulnerability in Graphics
> |>Rendering Engine Could Allow Remote Code Execution
> |>http://www.microsoft.com/technet/security/advisory/912840.mspx
> |>
> |>Welcome to the Microsoft Security Response Center Blog!
> |>New Security Advisory for Possible Windows Vulnerability
> |>http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
>
> Digg.com has an article on this, few of the posters have been bit by
> this one.
> http://digg.com/technology/New_exploit_blows_by_fully_patched_Windows_XP_systems
> Shorter link http://tinyurl.com/cb3x9
>
> I'm not vulnerable to this one <VBG> One of the first things I do
> after a XP installation is disable the "Windows Picture and Fax
> Viewer"
> http://www.annoyances.org/exec/show/article03-201
>
>
> --
> Puzzle break.
> http://219.101.39.52/~nanahiro/main.html
>