"Madame, bear in mind That princes govern all things--save the wind." -Victor Hugo, The Infanta's Rose

Saturday, January 07, 2006

Windows Metafile security alert

Here's important information for those who use the Windows operating system, myself included. A vulnerability has been discovered in the graphics rendering engine associated with Windows Metafile images, or files with a .wmf extension. It is possible for hackers to maliciously construct a .wmf file to execute arbitrary code without your knowledge when the file is viewed, either on a web page or as an e-mail attachment. Computer security professionals say there's no need to become unduly alarmed; this is not yet a common threat, and chances are relatively slim that any one particular computer will be compromised. From an article in PC World magazine:
"As far as we're concerned, the threat is being vastly overblown," says Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust. "It's not being massively exploited."

Just two months ago, Microsoft fixed three other problems with the way Windows processes WMF images, and those vulnerabilities were not widely used with any success, Cooper says. "We've had image rendering problems in the base operating system for a long time, and still nothing massive has happened."
Nevertheless, reports of attacks specific to this exploit are increasing, so in my opinion it's better to be safe than sorry; you just never know when someone will see a golden opportunity for mischief on a wider scale. Microsoft Corp. is rating this alert "critical" and advising anyone using Windows 2000, Windows 2003 Server, or Windows XP with Service Pack 1 or 2 installed to read security bulletin MS06-001. (Windows 98 or ME is not vulnerable.) The Redmonders had scheduled the release of an update to fix this problem for January 10th, but have pushed the date up in response to public demand. That patch (KB912919) is available now, and you can download and install it from the Microsoft link above. If for some reason you can't install the fix, the following simple registry tweak to disable the Windows Picture and Fax Viewer (shimgvw.dll) can be used as a workaround:

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note: The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.

To un-register shimgvw.dll, follow these steps:
1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change after the update has been applied, re-register shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).

For more information, visit any of these sites:

Windows Security Blog
Computer Associates
Windows IT Pro


Or, as someone never fails to point out at times like these, you could always just get a Mac.


Post a Comment

<< Home