RE: WMF Exploit
> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes@xxxxxxx]
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne@xxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: WMF Exploit
>
> CERT now has posted Vulnerability Note VU#181038, "Microsoft
> Windows may be vulnerable to buffer overflow via specially
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides
> additional details about the exploit and its effects. Very
> few workarounds have been proposed other than blocking at the
> perimeter and possibly remapping the .wmf extension to some
> application other than the vulnerable Windows Picture and Fax
> Viewer (SHIMGVU.DLL).
>
> Bill...
F-Secure
(http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulliten they linked to):
----
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has
succeeded.
Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above
steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).
----
It's highly dumbed down but suitable for bulk distribution to the
average user =). Additionally F-Secure mentions sites related to the
attack, blocking them is an interim solution.
Derick Anderson