- The PC Doctor's blog - http://www.pcdoctor-guide.com/wordpress -

Indexing and the WMF exploit (plus some extra information)

It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as Google Desktop) can, if they come across an infected WMF file, open the file and trigger the exploit.  As such, SANS and F-Secure now recommend disabling (or removing) all such indexing programs.

Also, I need to point out that if you unregister the shimgvw.dll file (Start > Run, type "regsvr32 /u shimgvw.dll" without the quotes, click OK and then OK again) you are still at risk from infected WMF files if you open them in applications such as Microsoft Paint.  I have no precise details of which image editors are affected, so it might be a good idea to avoid working with image files that aren't yours for a while.

(By the way, you can undo the unregistering of shimgvw.dll by typing "regsvr32 shimgvw.dll" in the Run dialog box and clicking OK and then OK again.)

This vulnerability exists in all main versions of Windows - Windows ME, Windows 2000, Windows XP and Windows 2003.

There's also a fix for the problem - this is from F-Secure:

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.

Ilfak recommends that you uninstall this fix and use the official patch from Microsoft as soon as it is available.
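Both points above, the indexing programs that trip over infected files and Ilfak's patch that blocks the SETABORT escape, come down to one thing inside the WMF file: a META_ESCAPE record whose escape number is SETABORTPROC. A defender who cannot yet apply Microsoft's patch can at least scan files for that record before an indexer or an image editor gets to them. The following scanner is an added example written for this post; it is not code from the blog, from F-Secure or from Ilfak's patch. It uses the public WMF record layout (DWORD record size in words, WORD function number, then parameters; META_ESCAPE is 0x0626 and SETABORTPROC is escape number 9) and builds its own sample files in memory, with no payload, so it runs offline:

```python
"""Scan WMF data for META_ESCAPE records that carry the SETABORTPROC escape.

Added example (not from the blog post, F-Secure or Ilfak's patch). Record
layout and constants follow the public WMF format; the sample files are
constructed here and contain nothing beyond the bare record structure.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 9             # the escape number the exploit abuses
QUERYESCSUPPORT = 8          # a harmless escape, used only for the benign sample


def parse_records(data: bytes):
    """Yield (offset, function, params) for every record in a WMF byte string.

    Raises ValueError on anything that is not well-formed WMF, so the caller
    can treat structural damage as a finding in its own right.
    """
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            raise ValueError("file ends before META_EOF")
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data: bytes) -> dict:
    """Return {'setabortproc': [record offsets], 'errors': [messages]} for one file."""
    result = {"setabortproc": [], "errors": []}
    try:
        for off, func, params in parse_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                escape_no, _byte_count = struct.unpack_from("<HH", params)
                if escape_no == SETABORTPROC:
                    result["setabortproc"].append(off)
    except ValueError as exc:
        result["errors"].append(str(exc))
    return result


# --- constructed samples: record skeletons only, no escape data ----------
def record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: DWORD size in words, WORD function, then params."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Wrap records in a minimal 18-byte WMF header, optionally a placeable header too."""
    records = list(records) + [record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    prefix = b""
    if placeable:
        # key, handle, bbox (left, top, right, bottom), inch, reserved, checksum (not verified)
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                    record(META_ESCAPE, struct.pack("<HH", QUERYESCSUPPORT, 0))])
SUSPICIOUS = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)),
                        record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
SUSPICIOUS_PLACEABLE = build_wmf([record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))],
                                 placeable=True)
TRUNCATED = SUSPICIOUS[:-4]   # loses the META_EOF record

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("suspicious_placeable", SUSPICIOUS_PLACEABLE), ("truncated", TRUNCATED)]:
        print(name, scan_wmf(blob))
```

Two design choices matter for a scanner like this: it keeps walking records even when the file is damaged, so a SETABORTPROC escape followed by a truncated tail is still reported alongside the error, and it flags the escape regardless of the file extension, since the exploit works whenever the data is treated as WMF, not only when it is named .wmf.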