[41875] in bugtraq
RE: WMF Exploit
daemon@ATHENA.MIT.EDU (Derick Anderson)
Fri Dec 30 14:25:06 2005
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Thu, 29 Dec 2005 12:57:06 -0500
Message-ID: <FAC4E024BF776842876169173CE2F01313B80D@mailbox.vikus.com>
From: "Derick Anderson" <danderson@vikus.com>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes@owh.com]
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne@yahoo.com
> Cc: bugtraq@securityfocus.com
> Subject: RE: WMF Exploit
>
> CERT now has posted Vulnerability Note VU#181038, "Microsoft
> Windows may be vulnerable to buffer overflow via specially
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides
> additional details about the exploit and its effects. Very
> few workarounds have been proposed other than blocking at the
> perimeter and possibly remapping the .wmf extension to some
> application other than the vulnerable Windows Picture and Fax
> Viewer (SHIMGVU.DLL).
>
> Bill...
F-Secure
(http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulliten they linked to):
----
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
1. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has
succeeded.
Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above
steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).
----
It's highly dumbed down but suitable for bulk distribution to the
average user =). Additionally F-Secure mentions sites related to the
attack, blocking them is an interim solution.
Derick Anderson
