Adam Fields (weblog)


12/30/2005

Nasty MS Web Image Exploit

Filed under: — adam @ 10:01 am

There’s an exploit of the Windows code used to render WMF files (Windows Metafile, an image format). There are multiple reports of sites in the wild exploiting this to drop trojans.

http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

***All versions of IE are vulnerable to automatic infection.***
Earlier versions of Firefox (1.04) and all versions of Opera are still vulnerable, but they prompt you first. Firefox 1.5 is not vulnerable. Some email and IM programs may also be vulnerable, either because they preview images or because clicking a link opens it in a vulnerable browser or a vulnerable desktop program (Windows Picture and Fax Viewer).

Obviously, the best workaround for this is not to be using Windows.

If you can, disable all access to WMF files at the network level.
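Blocking WMF at a gateway means recognising the format by its bytes rather than by its file extension. As an added example that is not from the original post, this Python checker parses the WMF header (the optional placeable header followed by the METAHEADER) and walks the record list, so a WMF served under another extension is still caught while a real JPEG named .wmf is not; the sample byte strings are constructed, not captured exploit files.

```python
import struct
from typing import Optional

# Constants taken from the WMF format (constructed here, not from the post): the
# little-endian magic of the optional "placeable" header and fixed header sizes.
PLACEABLE_MAGIC = 0x9AC6CDD7      # on disk: D7 CD C6 9A
PLACEABLE_HEADER_LEN = 22         # key, handle, bounding box, inch, reserved, checksum
META_HEADER_LEN = 18              # METAHEADER is 9 WORDs
META_EOF = 0x0000                 # RecordFunction of the terminating record

def parse_wmf(data: bytes) -> Optional[dict]:
    """Return header facts if data is structurally a WMF, else None."""
    offset, placeable = 0, False
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        if len(data) < PLACEABLE_HEADER_LEN:
            return None
        offset, placeable = PLACEABLE_HEADER_LEN, True
    if len(data) < offset + META_HEADER_LEN:
        return None
    mtype, hdr_size, version, _size, _objs, _maxrec, _members = struct.unpack_from(
        "<HHHIHIH", data, offset)
    # METAHEADER sanity: Type 1 (memory) or 2 (disk), HeaderSize 9, Version 0x100/0x300.
    if mtype not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None
    # Walk the records: each starts with RecordSize (DWORD, in WORDs) + RecordFunction.
    pos, records, saw_eof = offset + META_HEADER_LEN, 0, False
    while pos + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, pos)
        if rec_words < 3:             # a record cannot be shorter than its own header
            return None
        records += 1
        if func == META_EOF:
            saw_eof = True
            break
        pos += rec_words * 2
    return {"placeable": placeable, "version": version, "records": records, "eof": saw_eof}

def filter_decision(filename: str, data: bytes) -> str:
    """Decide on content; the extension is only used to explain the decision."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if parse_wmf(data) is None:
        return "allow"
    return "block (WMF)" if ext == "wmf" else f"block (WMF content under .{ext} extension)"

# Constructed samples (not captured exploit files): a minimal disk WMF holding only a
# META_EOF record, the same file behind a placeable header, and a JPEG-like blob.
MIN_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, META_EOF)
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + MIN_WMF
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 40
```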

A temporary workaround (although it’s apparently still possible to get infected if you open a malicious file in mspaint):

A Microsoft spokesperson said the company is investigating, though there is no official word from them yet. A couple of security firms, including Verisign’s iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

1. Click on the Start button on the taskbar.
2. Click on Run…
3. Type “regsvr32 /u shimgvw.dll” to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven’t had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command “regsvr32 shimgvw.dll” in step three above.

This is a good time to point out that VMware now has a free player that you can use to run pre-built machines, and also a “safe web browsing” machine that you can download that comes pre-configured with Firefox 1.5 running on Ubuntu. If you have enough memory, this is not a bad thing to do for general web browsing.

http://www.vmware.com/download/player/
http://www.vmware.com/vmtn/vm/browserapp.html

