Indexing and the WMF exploit (plus some extra information)



December 31st, 2005

It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as [tag]Google Desktop[/tag]) can trigger the exploit if they come across an infected [tag]WMF[/tag] file: the indexer parses the image to build its index, and that alone is enough to run the embedded code. You don't have to open the file yourself. As such, SANS and F-Secure now recommend disabling (or removing) all such indexing programs.

Also, I need to point out that if you unregister the [tag]shimgvw.dll[/tag] file (Start > Run, type "regsvr32 /u shimgvw.dll" without the quotes, click OK, then OK again on the confirmation) you are still at risk from infected WMF files if you open them in other applications such as Microsoft Paint. Unregistering shimgvw.dll only disables the Windows Picture and Fax Viewer; the flaw itself is in the way GDI plays back the metafile, so any program that renders WMF files through GDI is still exposed. I have no precise details of which image editors are affected, so it might be a good idea to avoid working with image files that aren't yours for a while.

(By the way, you can undo the unregistering later by typing "regsvr32 shimgvw.dll" in the Run dialog box and clicking OK followed by OK.)

This vulnerability exists in all the main versions of [tag]Windows[/tag]: Windows ME, Windows 2000, Windows XP and Windows Server 2003.

There's also an unofficial fix for the problem while we wait for Microsoft's patch - this from F-Secure:

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in [tag]GDI32.DLL[/tag], revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But [tag]Ilfak Guilfanov[/tag] isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.
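The indexing problem above and F-Secure's description of the root cause point at the same thing: the dangerous content is one specific record inside the file, a META_ESCAPE record carrying the SETABORTPROC escape, which GDI turns into an abort-procedure callback pointing into the file's own bytes. A file can therefore be checked for that record without ever rendering it, which is exactly what an indexer or a mail gateway should do instead of handing it to GDI. The Python script below is an added example, not code from the original post and not part of Ilfak's or F-Secure's fix; it walks the WMF record list by hand using only the record layout from the WMF specification and flags SETABORTPROC escapes. The WMF samples it scans are constructed inline (the escape payload is inert filler, not shellcode), and the function and constant names are this example's own assumptions.

```python
import struct

# Record layout from the WMF specification (MS-WMF). Constant and function
# names below are this example's own, not from the original post or any fix.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
STANDARD_HEADER_LEN = 18       # fixed WMF header: 9 WORDs
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape that installs an AbortProc callback


def iter_records(data: bytes):
    """Yield (offset, record_function, params) for each WMF record.

    Sizes are in 16-bit words. The walk stops, rather than guessing, on a
    record whose declared size is too small or runs past the end of the data.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                 # skip the placeable header if present
    if len(data) < off + STANDARD_HEADER_LEN:
        return
    off += STANDARD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break                # malformed or truncated record: stop here
        yield off, func, data[off + 6:off + size]
        off += size
        if func == META_EOF:
            break


def scan_wmf(data: bytes) -> dict:
    """Summarise escape records without rendering the image.

    'setabortproc' is True when a META_ESCAPE/SETABORTPROC record is present,
    the record the exploit relies on: GDI sets the abort procedure pointer to
    the escape data inside the file, so the file's own bytes get executed.
    """
    result = {"records": 0, "escapes": [], "setabortproc": False}
    for off, func, params in iter_records(data):
        result["records"] += 1
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            result["escapes"].append((off, esc_func, byte_count))
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
    return result


# --- builders for the constructed samples below ---------------------------

def make_record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: DWORD size in words, WORD function, params."""
    if len(params) % 2:
        params += b"\x00"        # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Wrap records in a standard (non-placeable) WMF header plus META_EOF."""
    records = list(records) + [make_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack(
        "<HHHIHIH",
        2,                                       # Type: metafile on disk
        STANDARD_HEADER_LEN // 2,                # HeaderSize in words
        0x0300,                                  # Version
        (STANDARD_HEADER_LEN + len(body)) // 2,  # Size in words
        0,                                       # NumberOfObjects
        max(len(r) for r in records) // 2,       # MaxRecord in words
        0,                                       # NumberOfMembers (unused)
    )
    return header + body


# Constructed samples (not real-world files). The SETABORTPROC payload is
# inert 'A' bytes so the sample carries no executable content.
BENIGN_WMF = build_wmf([make_record(META_SETMAPMODE, struct.pack("<H", 1))])
SUSPECT_WMF = build_wmf([
    make_record(META_SETMAPMODE, struct.pack("<H", 1)),
    make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16),
])
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 0, 0, 96, 0, 0)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF),
                       ("suspect", SUSPECT_WMF),
                       ("placeable+suspect", PLACEABLE_HEADER + SUSPECT_WMF)):
        print(name, scan_wmf(blob))
```

The scan never calls into GDI, so a hit cannot trigger the flaw it is looking for. The parser stops at the first record whose declared size runs past the end of the data rather than trusting it, because a metafile that lies about its record sizes is a red flag in its own right; and a thumbnail or image file has no business carrying any META_ESCAPE at all, so a stricter policy would quarantine every escape record, not only SETABORTPROC.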

This entry was posted on Saturday, December 31st, 2005 at 12:47 and is filed under In the News, Stay Secure.

One Response to “Indexing and the WMF exploit (plus some extra information)”

  1. Spyware Informer Says:

    WMF Vulnerability Checker Ready for Download

    For those of you who don't want to have to use the workaround for the WMF Exploit, our friends over at HexBlog have a great new fix. Ilfak Guilfanov made the only legitimate patch for the WMF exploit. I highly recommend you apply this patch. It doesn...