New Windows exploit, unpatched.

LiamC

Storage Is My Life
Joined
Feb 7, 2002
Messages
2,016
Location
Canberra
Le Inq said:
Fully patched Windows XP SP2 machines are vulnerable and there's no known fix as yet.

A number of trojans are being distributed using the vulnerability, related to Windows' image rendering.

Have a look, for example, at the F-Secure site, here, for more information.

The exploit uses vulnerabilities in WMF and (possibly) EMF files.

IE is automatically vulnerable, FF users have to do something stupid. Opera users are (apes) ignored. :) Sorry Tea.

http://www.theinquirer.net/?article=28590[/quote]
 

Groltz

My demeaning user rank is
Joined
Jan 15, 2002
Messages
1,295
Location
Pierce County, WA
Work-around found:

http://www.eweek.com/print_article2/0,1217,a=168161,00.asp

Either unregister a .dll or perform a registry tweak.

First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:

regsvr32 /u shimgvw.dll

To re-enable the same DLL, click Start, then Run, then enter the following command:

regsvr32 shimgvw.dll

The same effect may be obtained with a registry change. In the Regedit program go to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes
\SystemFileAssociations\image
\ShellEx\ContextMenuHandlers
\ShellImagePreview


Then delete the default value. To re-enable the feature, go to the same key and set the default value as a REG_SZ to "{e84fda7c-1d6a-45f6-b725-cb260c236066}". You may download .REG files that perform these tasks from Athias's message.

The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
How do I know if there are WMF and EMF files on my system?
 

LunarMist

I can't believe I'm a Fixture
Joined
Feb 1, 2003
Messages
17,497
Location
USA
D'OH! There are thousands of .wfm files under C:\Program Files\Common Files\Microsoft Shared\Clipart\autoshap and C:\Program Files\Common Files\Microsoft Shared\Clipart\cagcat50. Most of the files are dated ~1998. Should I delete them to be on the safe side or are the old .wmf files OK?
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,931
Location
USA
I don't think there is anything wrong with wmf files. You just need to be careful not to view new infected ones. :)

grc said:
Do not open any "WMF" — Windows Metafiles — you receive by eMail, and reports are that other file types may also be dangerous.
 
Top