> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes@xxxxxxx]
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne@xxxxxxxxx
> Cc: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: WMF Exploit
>
> CERT now has posted Vulnerability Note VU#181038, "Microsoft
> Windows may be vulnerable to buffer overflow via specially
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides
> additional details about the exploit and its effects. Very
> few workarounds have been proposed other than blocking at the
> perimeter and possibly remapping the .wmf extension to some
> application other than the vulnerable Windows Picture and Fax
> Viewer (SHIMGVU.DLL).
>
> Bill...

F-Secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulletin they linked to):

----
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type
   "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation
   marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
   succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started when users click on a link to an image type that is
associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above
steps. Replace the text in Step 1 with
"regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
----

It's highly dumbed down but suitable for bulk distribution to the
average user =).

Additionally, F-Secure mentions sites related to the attack; blocking
them is an interim solution.

Derick Anderson