RE: WMF Exploit

["Derick Anderson" <danderson () vikus com>]

> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes () owh com] 
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne () yahoo com
> Cc: bugtraq () securityfocus com
> Subject: RE: WMF Exploit
>
> CERT now has posted Vulnerability Note VU#181038, "Microsoft 
> Windows may be vulnerable to buffer overflow via specially 
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides 
> additional details about the exploit and its effects. Very 
> few workarounds have been proposed other than blocking at the 
> perimeter and possibly remapping the .wmf extension to some 
> application other than the vulnerable Windows Picture and Fax 
> Viewer (SHIMGVU.DLL).
>
> Bill...

F-Secure
(http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulliten they linked to):

----

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above
steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

----

It's highly dumbed down but suitable for bulk distribution to the
average user =). Additionally F-Secure mentions sites related to the
attack, blocking them is an interim solution.

Derick Anderson