
Microsoft Windows OS (XP/NT/Vista/Windows 7/8/9/10) Forum

"Extremely Critical" Secunia Advisory
Extremely Critical Windows WMF Handling Arbitrary Code Execution

 11:15 am on Dec 28, 2005 (gmt 0)

http://secunia.com/advisories/18255/ [secunia.com]



 12:09 pm on Dec 28, 2005 (gmt 0)

Very odd description.....

As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.



 10:21 pm on Dec 28, 2005 (gmt 0)

My reading says that it is a 'Windows' OS flaw and that IE with security set lower than 'high' will auto open/run a wmf file. As other browsers are (unlikely?) set to autorun an encountered wmf they are not mentioned.

So: set IE security to 'highest' and be inconvenienced all over the web or run an alternate browser and never open a wmf unless you are absolutely totally certain that it is not infected.

And wait for a Windows fix.
Shall we start a pool on when a quick and dirty fix is available?
When a comprehensive fix is available?


 9:23 am on Dec 29, 2005 (gmt 0)

As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.


Mentions Firefox but nothing about Opera is mentioned yet.


 6:16 pm on Dec 29, 2005 (gmt 0)

Microsoft have a workaround: [microsoft.com...]

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

The flaw is in Shimgvw.dll which is a system component. Therefore, lots of products are vulnerable (including Google Desktop). It is reported to be extremely easy to infect your PC. You don't even need to open the WMF file - just having it on your system may well trigger Shimgvw.dll loading up if it does any file operation on the WMF file at all.

In a corporate environment, it could potentially spread very quickly through network shares.

It's not just a browser thing. Hopefully, most of us have safe enough browsing habits to ensure that we don't get hit.. but it CAN be spread through email too. Since WMF files can be embedded in many types of email message, you don't need to click on an attachment.. simply viewing the mail will infect the PC, and that includes viewing it in a preview screen. In other words, there's the potential for this to spread in a virus with little or no user intervention.

Because the exploit code is now available for this, you can expect to see other variants. At the moment it seems to be web based, but I can't imagine it'll be long until someone does something else with it.

I should imagine that it's theoretically possible to infect a Windows-based web server by using this exploit too.

Here's a couple of useful resources:
[isc.sans.org...] is a great place to look for any emerging threats. (Including vulnerabilities in web applications)
You can download a little toolbar icon called ISCalert (see [isc.sans.org...]) which will check the current ISC alert status for you and flash if something really important happens.

Also [f-secure.com...] is a good place to check regularly. At the moment it lists the "infected" websites with the trojan, so if you want you can block access to the sites at your firewall.


 7:11 pm on Dec 29, 2005 (gmt 0)

Mentions Firefox but nothing about Opera is mentioned yet.

Can't find it now, but earlier today I saw an article that specifically mentioned Opera as being vulnerable to this one.



 7:30 pm on Dec 29, 2005 (gmt 0)

I've done the regsvr32 -u %windir%\system32\shimgvw.dll thing but can't see that actually mentioned in the Microsoft site link [microsoft.com...] . Seems that if the instructions were there before, they've gone now...hope this doesn't mean it doesn't solve the problem.

Apparently if you use Opera or Firefox you'll get a prompt before the browser opens the file (according to the bottom 28th December entry at the [f-secure.com...] already mentioned).


 8:36 pm on Dec 29, 2005 (gmt 0)

You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

I had to hunt around for it the first time too!


 10:38 pm on Dec 29, 2005 (gmt 0)

Oh man, with the workaround in you can't even see thumbnails, ouch!


 12:03 am on Dec 30, 2005 (gmt 0)

There's a tool named Microsoft® Windows AntiSpyware (Beta). Does it work against this threat?


 12:34 am on Dec 30, 2005 (gmt 0)

You can watch it spread here:



 4:21 pm on Dec 30, 2005 (gmt 0)

Most vendors' anti-virus products can detect the current range of exploits - but that doesn't mean that there won't be new versions out that AV software won't be able to detect. Most likely, AV and anti-spyware apps will detect some of the stuff downloaded AFTER your machine becomes infected.

Personally, I believe that anti-spyware and anti-virus apps should be your LAST line of defence. If you've got a proper patching regime, a good firewall and email filtering and steer clear of vulnerable products such as Internet Explorer, then normally you would be OK. The problem with this flaw is that there are so many ways to exploit it, so the usual precautions are not enough.

Until MS come out with a patch, it's gonna be a struggle to keep this one out.


 4:41 pm on Dec 30, 2005 (gmt 0)

I just had a quick look at registry stuff (mime types, etc.) and it looks to me that .BMP, .ICO, .GIF, and .JPG files might also be affected (under XP - haven't checked other versions).

If I am correct, you would not even have to visit a website to get infected - if the favicon of a website were downloaded and rendered (e.g. by opening a bookmarks menu) then that would be sufficient - it's scary stuff! This might mean that IE is actually more secure than Firefox (since IE doesn't bother downloading icons very often) - now that really would be ironic if true.
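An added example, not part of any post in this thread: a content-based check that a mail or proxy filter could use to flag files that carry a WMF header under another image extension, which is the case the post above worries about. The function names and the sample bytes are constructed for illustration; the header layout (optional 22-byte placeable prefix, then an 18-byte metafile header) is the standard WMF one.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional "placeable" prefix
PLACEABLE_LEN = 22           # size of that prefix in bytes
META_HEADER_LEN = 18         # size of the standard metafile header


def looks_like_wmf(data: bytes) -> bool:
    """True if data begins with a WMF header, with or without the prefix."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = PLACEABLE_LEN
    if len(data) < offset + META_HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data, offset)
    # Type 1 = memory metafile, 2 = disk metafile; the header is always
    # 9 words long; version is 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def flag_disguised(files: dict) -> list:
    """Names whose content is WMF but whose extension is not .wmf."""
    return sorted(name for name, data in files.items()
                  if looks_like_wmf(data) and not name.lower().endswith(".wmf"))


def constructed_samples() -> dict:
    """Constructed, harmless sample files: header plus end-of-file record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    eof_record = struct.pack("<IH", 3, 0)
    bare = header + eof_record
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                         1440, 0, 0)  # checksum left as 0, not verified here
    return {
        "logo.wmf": bare,                            # honest extension
        "photo.jpg": bare,                           # WMF content, .jpg name
        "favicon.ico": prefix + bare,                # placeable WMF, .ico name
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
        "real.gif": b"GIF89a" + b"\x00" * 20,
        "short.bmp": b"\x01\x00\x09",                # truncated, too short
    }


if __name__ == "__main__":
    print(flag_disguised(constructed_samples()))
```

A filter built on this would quarantine the flagged names in addition to blocking the .wmf extension itself.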



 6:25 pm on Dec 30, 2005 (gmt 0)

Firefox shouldn't be inherently vulnerable to this exploit. It uses its own cross-platform image rendering library, which does not support WMF files. Obviously, you can use Fx to download a corrupted file, which might infect your machine if you haven't taken appropriate precautions, but Firefox won't trigger the payload.

Of course, if you're running as an unprivileged user, this exploit would have a much harder time getting a foothold on your machine. Sadly that's not too common -- hands up all those who're logged in as an Administrator as you read this...


 11:29 pm on Dec 30, 2005 (gmt 0)

You need to drill down and click Suggested Actions -> Workarounds -> Unregister etc etc and it's there.

Thanks Dynamoo - I'd clicked on just the plus by "suggested actions" previously but had missed the further plus by "workarounds". They don't make things easy to find do they.


 6:01 pm on Jan 1, 2006 (gmt 0)

I would suggest re alerting yourself to the situation here.
Hot fixes and registry disabling...


Happy and safe computing

edited for the below info...

Three easy steps to the process to protect yourself.
1. Setup a restore point (XP users)...
Click "Start" ---> "Programs" ---> "Accessories" ---> "System Tools" ---> "System Restore"
follow the instructions.
2. Click "Start" ---> "Run" then in the box cut and paste the following which will disable part one
of the ability of the virus to be executed/spreading:

regsvr32 -u %windir%\system32\shimgvw.dll

This disables the file shimgvw.dll but if you read extensively the link above for SANS (Internet Storm Center) many programs and windows will re-enable the file, and the bad guys will for sure.

3. Download and run the patch from here:
Windows WMF Metafile Vulnerablity HotFix1.1

[edited by: bill at 2:48 am (utc) on Jan. 2, 2006]
[edit reason] de-linked HotFix URL [/edit]


 3:02 am on Jan 4, 2006 (gmt 0)

Secunia has offered the name EXTREMELY CRITICAL and so this means that all browsers are affected as with all Windows versions
On Firefox, it will ask you before choosing to show a .wmf file, Microsoft AntiSpyware Beta will help to prevent this but will by no means stop it, it must be fully up-to-date and I must remind you that all antivirus companies have tracked articles but none have done anything, there is an unofficial one (supposed to be great but the one below is great too). out from a guy but I don't know where to go for it.
Microsoft are just as worried about it as we are.
If you are running from a system with the word windows in it, be careful
Favicons or Icons in a web site are ONLY .Ico files and have not been confirmed to affect/infect your computer
I feel this is my duty to inform you that if you have WINDOWS you are Affected but if you are stupid you are Infected.
I am new here but wise to the net, set your IE explorer to high security and take heed of whatever Firefox says to you.
Microsoft are issuing a patch next week providing that tests go well and if they don't, that's our problem and I am sure that this patch will be installed on Vista (longhorn).
Some articles are just read ups and reports whilst others explain, but for you and me the last is the most important











P.S. Some are small, yet useless articles, the last is the most important as it is an unofficial workaround.
I never used code 'cause it never works for me so Copy&Paste into your browser and from what I experienced, none are infected :)


 2:54 pm on Jan 4, 2006 (gmt 0)

Linux and Mac users are laughing.


 12:48 am on Jan 6, 2006 (gmt 0)

MS has released their patches [microsoft.com] for this problem (select the proper version for your operating system).



 1:08 am on Jan 6, 2006 (gmt 0)

Not all versions of doze are vulnerable ..my XP had the file "shimgvw.dll" ( dealt with ) ..my 98II ( which is the only doze box allowed to talk to the outside doesn't have the affected .dll anyway ) ..the other 98II's didn't either

( interesting that although MS think they shipped the 98 series with this defect /hole ..they refuse to support their products in this series ..they weren't sold with "may contain unsafe and crappily done code" on the box )

again regmon and worm watchers will save you lots of grief ..as will running "out of date doze" to access the net.

the now two running ubuntu let me laugh with the others


 9:26 am on Jan 6, 2006 (gmt 0)

OK, I've installed the official patch from Microsoft this morning. Do I now have to uninstall the unofficial patch I downloaded from Steve Gibson's site (wmffix_hexblog14.exe), or is it OK to leave it as it is?


 12:30 pm on Jan 6, 2006 (gmt 0)

>>Oh man, with the workaround in you can't even see thumbnails, ouch!

I'd like them back too.

I know this will reinstall the XP viewer dll: regsvr32 -i %windir%\system32\shimgvw.dll

...but does this compromise the system?


 1:55 pm on Jan 6, 2006 (gmt 0)

The proper sequence would seem to be to remove the unofficial patch, then re-register shimgvw.dll, then install the official patch. In other words, reverse the installation order of the unofficial patch, and then add the official one.

You won't get your thumbnails back until shimgvw.dll is re-registered, and the unofficial patch had some confirmed negative effects on spooling to some printers on some systems.



 3:17 pm on Jan 6, 2006 (gmt 0)

I'm sure the website I saw said it was safe to keep the unofficial patch installed while I ran the official update.

I never lost use of thumbnails or the windows viewer. I assume that only happens with the manual registry edit, not the .exe file.

Well I'm glad MS have released the patch early anyway. It seems crazy having an official release day (Tuesdays) for updates when Mozilla etc release a patch as soon as they can. (Often within 24 hours.) Although I understand the need for much wider testing by MS.
