Serious Windows bug…fix it now, before the universities and high schools go online tomorrow

Edit to add: Wikipedia pulls tons of info together.

I’ve been following this exploit since it was first reported, but things are about to hit critical mass. The problem is this, there is a file type in windows that ends in the extension .wmf, but can also appear to be a gif, jpg, bmp, doc, etc. This file, which appears to be a graphics file, can also carry an executable payload, which means that if you view one of these images, an attacker can gain complete control of your system. This is really a pretty big deal, primarily because someone released the exploit code into the wild, before giving it to antivirus vendors.

Here’s a vulnerability scanner.

Here’s a hotfix patch from Ilfak Guilfanov. The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

I would almost never recommend a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn’t just anybody. He’s the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best deep code Windows experts in the world.

F-Secure’s info about this whole mess. Please block the sites they mention at your firewall. Also, ISC recommends blocking the following IP netblocks at your firewall/router:

InterCage Inc.: 69.50.160.0/19 (69.50.160.0 – 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 – 85.255.127.255)

Here’s what VirusList has to say about the exploit.

Here is the FAQ from the Internet Storm Center.

Microsoft has not released a patch (naturally), but they have an advisory that tells you how to unregister the related dll. Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors.

Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register Shimgvw.dll, follow these steps:

1.Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.

2.A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

However, tests suggest that this will not stop about half of the known 70 varients making the rounds of the web right now. Make sure you disable any desktop search applications, like google desktop. It can trigger the wmf code when it indexes a contaminated file.

I also unassociated the file type, and reassociated it with notepad. Let me know if you need help walking through that.

Although I almost never recommend that anyone do anything to their kernel, I still think that applying the “unofficial” patch until MS gets their act together is the best way to plug the hole. Just remember to uninstall the patch when MS finally comes up with one of their own. Here’s f-secure’s info on vetting the patch, and what the patch fixes.

For those of my friends in tech support…I recommend taking asprin with you to work for a couple of days…cause users are gonna be very confused and almost completely incapable of understanding how a web image just installed code on their boxes that almost nothing short of fdisk can fix.

Here’s more info and links from MeFi.

Comments are disabled for this post