Jump to content
xisto Community
jedipi

Microsoft Confirms Wmf Vulnerability

Recommended Posts

Microsoft has issued a Security Advisory (912840) on 28 Dec.
It concerns the recent WMF vulnerability exploit.
Microsoft also gave a temp solution to protect your PC
until they issue a patch. It's a good idea to use this
before the patch comes out.

The following is a quote from the Microsoft Security Advisory.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with âregsvr32 %windir%\system32\shimgvw.dllâ (without the quotation marks).


P.S.
WMF is an image format that store both vector and bitmap data
in the same file. If you use IE and visit a site that contains an
infected WMF image, you will get infected immediately. However,
if you use Firefox or some other browser, you are safe.

Share this post


Link to post
Share on other sites

if you use Firefox or some other browser, you are safe.


This is a Windows vulnerability, not an IE vulnerability.
Unfortunately, the fact that you are using Firefox or Opera does not make you automatically pure-white and clean, if you do not take the necessary precautions as should be taken with any other case.

Do not open, download files from untrustful sources. Do not click on "OK" without giving a moment to think over. That's all you need.

Share this post


Link to post
Share on other sites

Actually a number of security experts including the famous Steve Gibson (creator of Shields-Up!) are saying that merely de-registering the shimgvw.dll file isn't quite enough especially for users of the older Win 9x / Win ME OS.

 

Another user, Ilfak Guilfanov has written a patch that effectively neutralises the threat in a safe and easy to use manner.

 

Details here

 

Another good thing is that in case, the patch doesn't work, one can easily uninstall it by going to the CONTROL PANEL > ADD / REMOVE PROGRAMS applet and picking the Windows WMF Metafile Vulnerability HotFix as the prog to uninstall.

 

Note that a reboot is required to render this patch effective !

Share this post


Link to post
Share on other sites

After a week, Microsoft has announced that it will
test the patch with plans to release it on Tuesday,
January 10th as a part of it's routine monthly security bulletins.

http://www.microsoft.com/err/technet/security/


SANS / The Internet Storm Center are releasing a patch
for this problem. You can download it here (msi).
anyway, this patch is un-official, and is not endorsed by Microsoft.
use it with your own risk.

Share this post


Link to post
Share on other sites

The official patch from Microsoft to combat and plug the hole in the shimgvw.dll exploit is here. It was released five days before the initially scheduled date of 10 JAN, the regular patch-Tuesday for MS products.

 

Link here

 

To all who have already installed the previously mentioned un-official patch, please uninstall it from the Control Panel Add / Remove Programs applet and proceed to install this official patch.

Share this post


Link to post
Share on other sites

this vulnerability is rated critical for Windows XP,
Windows 2000 and Windows Server 2003.
but non crical for Windows 98 and Me, therefore
Microsoft will notwon't release any patch for this.

anyway, someone has released a unofficial patch
for windows 98 and me. you can download it here.
https://www.eset.com/int/

Share this post


Link to post
Share on other sites

The software giant finished up testing on the official patch for the vulnerability in the Windows Meta File (WMF) format on Thursday and began releasing the fix though Windows Update and its download sites around 2 p.m. PST.
Microsoft released the patch as security professionals started to take the software giant to task for what they perceive as a slow response to a critical security issue. The flaw in the WMF format concerned many security experts over the holidays because the vulnerability can be exploited in Internet Explorer by serving up specially-crafted images from a malicious Web site. The Mozilla Corporation's Firefox browser does not immediately run code but reportedly asks permission to display the malicious images.

Microsoft originally announced on Tuesday that, while a patch had been created for the issue, it would not be released until January 10 so that it could be further tested.

"The development and testing teams have put forth a considerable effort to address this issue and respond to the strong customer sentiment that the release should be made available as soon as possible," the software giant said in a statement sent to SecurityFocus.

An unofficial patch for the problem had been released by software developer Ilfak Guilfanov and had encountered enormous demand after security experts vetted the patch and declared it a good solution. According to the SANS Institutes's Internet Storm Center, the patch released by Microsoft uses essentially the same tactic as Guilfanov's patch but whereas Microsoft could recompile the affected module with the fix, Guilfanov could not.

At least one report of network printing problems caused by the Guilfanov's patch surfaced on Wednesday.


Share this post


Link to post
Share on other sites

Just days after Microsoft patched the critical vulnerability in WMF,
another two new flaws that affect WMF were found by a hacker .

The hacker, âconcoruderâ, posted the new vulnerabilities to the
Bugtraq security mailing list on Monday. Those two new WMF
ulnerabilities are not as serious as the one patched last week.
They would crash any WMF-viewing software, such as Microsoft's
Internet Explorer. And they can be found in the following OS
* Windows XP SP2,
*Windows XP SP1
* Windows Server 2003 SP1
* Windows Server 2003
* Windows ME
* Windows 98se
* Windows 98
* Windows 2000 SP4

Source:
http://forums.xisto.com/no_longer_exists/

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.