So: set IE security to 'highest' and be inconvenienced all over the web or run an alternate browser and never open a wmf unless you are absolutely totally certain that is is not infected.
And wait for a Windows fix.
Shall we start a pool on when a quick and dirty fix is available?
When a comprehensive fix is available?
As described, I would expect the problem to affect all browsers including Opera and Firefox rather than be limited to IE as implied.
[kaspersky.com...]
Mentions Firefox but nothing about Opera is mentioned yet.
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
The flaw is in Shimgvw.dll which is a system component. Therefore, lots of products are vulnerable (including Google Desktop). It is reported to be extremely easy to infect your PC. You don't even need to open the WMF file - just having it on your system may well trigger Shimgvw.dll loading up if it does any file operation on the WMF file at all.
In a corporate environment, it could potentially spread very quickly through network shares.
It's not just a browser thing. Hopefully, most of us have safe enough browsing habits to ensure that we don't get hit, but it CAN be spread through email too. Since WMF files can be embedded in many types of email message, you don't need to click on an attachment; simply viewing the mail will infect the PC, and that includes viewing it in a preview screen. In other words, there's the potential for this to spread in a virus with little or no user intervention.
Because the exploit code is now available for this, you can expect to see other variants. At the moment it seems to be web based, but I can't imagine it'll be long until someone does something else with it.
I should imagine that it's theoretically possible to infect a Windows-based web server by using this exploit too.
Here's a couple of useful resources:
[isc.sans.org...] is a great place to look for any emerging threats. (Including vulnerabilities in web applications)
You can download a little toolbar icon called ISCalert (see [isc.sans.org...]) which will check the current ISC alert status for you and flash if something really important happens.
Also [f-secure.com...] is a good place to check regularly. At the moment it lists the "infected" websites with the trojan, so if you want you can block access to the sites at your firewall.
Apparently if you use Opera or Firefox you'll get a prompt before the browser opens the file (according to the bottom 28th december entry at the [f-secure.com...] already mentioned).
[pandasoftware.com...]
Personally, I believe that anti-spyware and anti-virus apps should be your LAST line of defence. If you've got a proper patching regime, a good firewall and email filtering and steer clear of vulnerable products such as Internet Explorer, then normally you would be OK. The problem with this flaw is that there are so many ways to exploit it, so the usual precautions are not enough.
Until MS come out with a patch, it's gonna be a struggle to keep this one out.
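The posts above make two points a mail or web filter has to deal with: the dangerous part is the WMF content, not the file name, and a filter that only looks at the extension will let an embedded or renamed metafile through. The following is an added example, not code from any poster in this thread, that recognises a WMF by its header bytes (the placeable key 0x9AC6CDD7, or a standard header with Type 1/2, HeaderSize 9 and Version 0x0100/0x0300) and flags attachments whose content says "WMF" whatever their name claims. The sample attachments at the bottom are constructed for the demonstration.

```python
import os
import struct

# Placeable (Aldus) metafile key, stored little-endian on disk: D7 CD C6 9A
PLACEABLE_KEY = struct.pack("<I", 0x9AC6CDD7)

# A standard WMF header is 18 bytes: Type, HeaderSize, Version, Size(4),
# NumberOfObjects, MaxRecord(4), NumberOfMembers.
STANDARD_HEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """True if the first bytes form a WMF header, regardless of file name."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < STANDARD_HEADER_LEN:
        return False
    file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # Type 1 = in-memory metafile, 2 = disk metafile; HeaderSize is always 9 words.
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_attachments(attachments):
    """attachments: {name: bytes}. Return names whose content is WMF even when
    the extension says otherwise (the case a name-based filter misses)."""
    flagged = []
    for name, blob in attachments.items():
        if looks_like_wmf(blob):
            flagged.append(name)
    return sorted(flagged)


def scan_tree(root):
    """Walk a directory and return paths whose leading bytes identify a WMF.
    Only the header is read, so the scan itself never renders the file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(STANDARD_HEADER_LEN + len(PLACEABLE_KEY))
            except OSError:
                continue
            if looks_like_wmf(head):
                hits.append(path)
    return sorted(hits)


# Constructed samples (not real files): a minimal disk WMF header, a placeable
# WMF, and a JPEG SOI marker with a misleading name.
SAMPLE_DISK_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * 18 + SAMPLE_DISK_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 20

SAMPLE_MAIL = {
    "holiday.jpg": SAMPLE_DISK_WMF,        # renamed metafile: extension lies
    "invoice.wmf": SAMPLE_PLACEABLE_WMF,   # honestly named metafile
    "photo.jpg": SAMPLE_JPEG,              # genuine JPEG, should pass
}

if __name__ == "__main__":
    print("flagged:", sniff_attachments(SAMPLE_MAIL))  # ['holiday.jpg', 'invoice.wmf']
```

The point of `sniff_attachments` is that `holiday.jpg` is flagged on content alone; a gateway rule keyed on `.wmf` would have delivered it. `scan_tree` is the same check applied to a share or a download folder, reading only the header so the scan does not itself hand the file to an image viewer.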
If I am correct, you would not even have to visit a website to get infected - if the favicon of a website were downloaded and rendered (e.g. by opening a bookmarks menu) then that would be sufficient - it's scary stuff! This might mean that IE is actually more secure than Firefox (since IE doesn't bother downloading icons very often) - now that really would be ironic if true.
Kaled.
Of course, if you're running as an unprivileged user, this exploit would have a much harder time getting a foothold on your machine. Sadly that's not too common -- hands up all those who're logged in as an Administrator as you read this...
[isc.sans.org...]
Happy and safe computing
edited for the below info...
Three easy steps to the process to protect yourself.
1. Setup a restore point (XP users)...
Click "Start" ---> "Programs" ---> "Accessories" ---> "System Tools" ---> "System Restore"
and follow the instructions.
2. Click "Start" ---> "Run", then in the box cut and paste the following, which will disable part one of the ability of the virus to be executed/spread:
regsvr32 -u %windir%\system32\shimgvw.dll
This disables the file shimgvw.dll but if you read extensively the link above for SANS (Internet Storm Center) many programs and windows will re-enable the file, and the bad guys will for sure.
3. Download and run the patch from here:
http://handlers.sans.org/tliston/wmffix_hexblog11.exe
Windows WMF Metafile Vulnerability HotFix 1.1
[edited by: bill at 2:48 am (utc) on Jan. 2, 2006]
[edit reason] de-linked HotFix URL [/edit]
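Step 2 above unregisters shimgvw.dll, and the SANS note the poster mentions warns that other programs (or Windows itself) can quietly re-register it. A practitioner wants a way to confirm the workaround is still in place rather than trusting that it was applied once. This is an added example, not code from the thread or from SANS: it walks HKCR\CLSID and reports any CLSID whose InprocServer32 default value still points at shimgvw.dll, which is what regsvr32 -u removes. The pure function `find_inproc_servers` is separated from the Windows-only registry walk so the matching logic can be exercised on constructed entries anywhere.

```python
import sys


def find_inproc_servers(entries, dll_name="shimgvw.dll"):
    """entries: iterable of (clsid, InprocServer32 default value) pairs.
    Return the CLSIDs whose in-proc server is dll_name (case-insensitive,
    tolerating quotes and %SystemRoot%-style prefixes)."""
    hits = []
    for clsid, path in entries:
        if not path:
            continue
        cleaned = path.strip().strip('"').lower()
        if cleaned.endswith(dll_name.lower()):
            hits.append(clsid)
    return hits


def read_clsid_inproc_entries():
    """Windows only: yield (clsid, InprocServer32 default) for every CLSID key.
    Keys without an InprocServer32 subkey are skipped."""
    import winreg  # standard library on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                # QueryValue returns the (default) value of the named subkey.
                path = winreg.QueryValue(root, clsid + "\\InprocServer32")
            except OSError:
                continue  # CLSID has no in-proc server registered
            yield clsid, path


def workaround_still_applied(entries):
    """True when nothing in the registry snapshot loads shimgvw.dll in-process."""
    return not find_inproc_servers(entries)


# Constructed registry snapshot for offline demonstration; the CLSIDs are
# placeholders, not the real ones used by the Picture and Fax Viewer.
CONSTRUCTED_SNAPSHOT = [
    ("{00000000-0000-0000-0000-000000000001}", r"%SystemRoot%\System32\shimgvw.dll"),
    ("{00000000-0000-0000-0000-000000000002}", r"C:\WINDOWS\system32\ole32.dll"),
    ("{00000000-0000-0000-0000-000000000003}", r'"C:\WINDOWS\System32\SHIMGVW.DLL"'),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = list(read_clsid_inproc_entries())
    else:
        snapshot = CONSTRUCTED_SNAPSHOT
    still_registered = find_inproc_servers(snapshot)
    if still_registered:
        print("shimgvw.dll is registered under:", still_registered)
    else:
        print("shimgvw.dll is not registered as an in-proc server")
```

Run it from a scheduled task and alert when the list is non-empty; once the vendor patch is installed the dll is meant to be registered again, so retire the check at that point rather than leaving it to cry wolf.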
Links
[news.com.com...]
[wired.com...]
[techdirt.com...]
[it.slashdot.org...]
[biz.yahoo.com...]
[gcn.com...]
[russianewswire.com...]
[allyourtech.com...]
THIS IS A MUST READ
P.S. Some are small, yet useless articles, the last is the most important as it is an unofficial workaround.
I never used code 'cause it never works for me, so copy & paste into your browser, and from what I experienced, none are infected :)
Jim
(Interesting that although MS think they shipped the 98 series with this defect/hole, they refuse to support their products in this series; they weren't sold with "may contain unsafe and crappily done code" on the box.)
again regmon and worm watchers will save you lots of grief ..as will running "out of date doze" to access the net.
the now two running ubuntu let me laugh with the others
You won't get your thumbnails back until shimgvw.dll is re-registered, and the unofficial patch had some confirmed negative effects on spooling to some printers on some systems.
Jim
I never lost use of thumbnails or the windows viewer. I assume that only happens with the manual registry edit, not the .exe file.
Well I'm glad MS have released the patch early anyway. It seems crazy having an official release day (Tuesdays) for updates when Mozilla etc release a patch as soon as they can. (Often within 24 hours.) Although I understand the need for much wider testing by MS.