RE: WMF Exploit Dec 29 2005 05:57PM
Derick Anderson (danderson vikus com)


> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes (at) owh (dot) com [email concealed]]
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne (at) yahoo (dot) com [email concealed]
> Cc: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: RE: WMF Exploit
>
> CERT now has posted Vulnerability Note VU#181038, "Microsoft
> Windows may be vulnerable to buffer overflow via specially
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides
> additional details about the exploit and its effects. Very
> few workarounds have been proposed other than blocking at the
> perimeter and possibly remapping the .wmf extension to some
> application other than the vulnerable Windows Picture and Fax
> Viewer (SHIMGVU.DLL).
>
> Bill...

F-Secure
(http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulliten they linked to):

----

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above
steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

----

It's highly dumbed down but suitable for bulk distribution to the
average user =). Additionally F-Secure mentions sites related to the
attack, blocking them is an interim solution.

Derick Anderson

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus