Bugtraq mailing list archives
RE: WMF Exploit
From: "Derick Anderson" <danderson () vikus com>
Date: Thu, 29 Dec 2005 12:57:06 -0500
-----Original Message----- From: Hayes, Bill [mailto:Bill.Hayes () owh com] Sent: Wednesday, December 28, 2005 6:02 PM To: davidribyrne () yahoo com Cc: bugtraq () securityfocus com Subject: RE: WMF Exploit CERT now has posted Vulnerability Note VU#181038, "Microsoft Windows may be vulnerable to buffer overflow via specially crafted WMF file" (http://www.kb.cert.org/vuls/id/181038). The note provides additional details about the exploit and its effects. Very few workarounds have been proposed other than blocking at the perimeter and possibly remapping the .wmf extension to some application other than the vulnerable Windows Picture and Fax Viewer (SHIMGVU.DLL). Bill...
F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000752) mentioned a Microsoft workaround (which I actually did not see in the MS TechNet bulliten they linked to): ---- Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) 1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK. 2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks). ---- It's highly dumbed down but suitable for bulk distribution to the average user =). Additionally F-Secure mentions sites related to the attack, blocking them is an interim solution. Derick Anderson
Current thread:
- WMF Exploit davidribyrne (Dec 28)
- <Possible follow-ups>
- WMF Exploit davidribyrne (Dec 28)
- RE: WMF Exploit Hayes, Bill (Dec 29)
- RE: WMF Exploit Bill Busby (Dec 30)
- Re: WMF Exploit Paul Laudanski (Dec 30)
- RE: WMF Exploit Bill Busby (Dec 30)
- WMF exploit ninjapicook (Dec 29)
- RE: WMF Exploit Derick Anderson (Dec 30)