Skip to main content

How-to Protect your PC against WMF exploit

A recently discovered IE .WMF Exploit in Microsoft Windows can be used to infect a PC with spyware and currently there is no official patch available for the flaw. This is a so-called "0-day vulnerability" because exploits for the vulnerability appeared before any updates or patches were available.

Windows WMF Metafile Vulnerability HotFix
It is advisable to turn off automatic downloads of internet images in email messages. Microsoft recommends switching off the Windows Picture and Fax Viewer in Windows XP.

Since Microsoft has not released an official patch, the best workaround is to disable all actions associated with WMF extension.

Goto MyComputer -> Tools -> FolderOptions ->FileType Now select WMF (Windows Meta File) filetype and click Delete.

To un-register the Windows Picture and Fax Viewer (Shimgvw.dll) : on the Start menu, choose Run, type
regsvr32 -u %windir%\system32\shimgvw.dll
Visiting an infected webpage with Internet Explorer on a fully-patched XP Service Pack 2 computer causes immediate infection. Earlier Firefox users are vulnerable but they are first prompted to display the WMF image. If a filesystem indexing service (such as Google Desktop) is installed, users of Firefox and even text-based browsers can become infected.

Numerous websites are already taking advantage of the flaw to sneak into computers and install spyware. The spyware tries to trick people into handing over their credit card details as well as installing software to send thousands of spam e-mails

This flaw is due to an error in the rendering of Windows Metafile (WMF) image formats by "Windows Picture and Fax Viewer" (shimgvw.dll), which could be exploited by attackers to remotely take complete control of an affected system by convincing a user to view a malicious WMF file, or visit a specially crafted Web page that is designed to automatically exploit this vulnerability through Internet Explorer.

Computers running Windows XP, ME, 2000 and Windows Microsoft Windows Server 2003 are possibly affected by this flaw. Oreilly has already posted the code and detailed procedure for exploiting the Windows XP/2003 Picture and Fax Viewer Metafile Overflow Vulnerability.

Unfortunately, Microsoft hasn’t released an Official patch for WMF exploit yet. Until Microsoft acts, take advantage of a temporary hotfix made available by Steve Gibson, a security expert based in Irvine, California. When the official Microsoft hotfix becomes available,use Windows' Control Panel's "Add/Remove Programs" to remove his hotfix.

This WMF unofficial patch safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.

Update: Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically. Microsoft Security Advisory (912840)

Source: 1 | 2 | 3 | 4 | 5 | 6