Wednesday, December 28, 2005

WMF File Exploits

The WMF file exploits are in the wild. For those who don't know what they are, a metafile is a collection of structures that store a picture in a device-independent format (according to Microsoft). Security professionals have been hearing rumors of the vulnerabilities in these metafiles for probably the last month, but now the vulnerability is in the wild.

What can it do to your computer? See this link to open a Windows Movie about what happens to your computer. From what I understand, the only real way to eradicate this intrusion is to rebuild your machine.

The SANS Institute has moved their infocon level to yellow, indicating an increased vulnerability level on the internet. See the daily diary for more information.

One workaround being passed around the internet is as follows:
According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.

There still may be metafiles not associated with this dll, so YMMV.
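
The same workaround in script form, for applying or reverting it on more than one machine. This is an added example, not part of the original post or the iDefense text; `Set-WmfWorkaround` is a hypothetical helper name, and it assumes PowerShell in an elevated session with shimgvw.dll in System32.

```powershell
# Added example: scripted form of the regsvr32 workaround described above.
# Set-WmfWorkaround is a hypothetical helper name, not a built-in cmdlet.
function Set-WmfWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Mode
    )

    # Assumption: the DLL and regsvr32.exe live in %SystemRoot%\System32.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $regsvr32 = Join-Path $system32 'regsvr32.exe'
    $dll      = Join-Path $system32 'shimgvw.dll'

    if (-not (Test-Path -LiteralPath $dll)) {
        throw "shimgvw.dll not found at $dll; nothing to register or unregister."
    }

    # /s suppresses the confirmation dialog from step 4; /u unregisters the DLL.
    $arguments = @('/s')
    if ($Mode -eq 'Disable') { $arguments += '/u' }
    $arguments += "`"$dll`""

    if ($PSCmdlet.ShouldProcess($dll, "regsvr32 $($arguments -join ' ')")) {
        $proc = Start-Process -FilePath $regsvr32 -ArgumentList $arguments `
                              -Wait -PassThru -WindowStyle Hidden
        if ($proc.ExitCode -ne 0) {
            throw "regsvr32 exited with code $($proc.ExitCode); check that the session is elevated."
        }
        # Return a record that can be collected when run across several machines.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Dll      = $dll
            Mode     = $Mode
            ExitCode = $proc.ExitCode
        }
    }
}

# Apply the workaround; run with -Mode Enable once the vendor patch is installed.
Set-WmfWorkaround -Mode Disable
```

Adding `-WhatIf` to the call shows the regsvr32 command line without changing the registration.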

Update - 2200 ET - Microsoft has confirmed much of this information with the following advisory:

