Agam's Gecko
Tuesday, January 03, 2006

f you are running any version of Windows operating system, act fast to protect yourself against this latest security exploit. Microsoft has no patch available as yet, but there are some interim measures that should be used while MS gets its act together.

The exploit uses a vulnerability in "Windows Meta File" format image files, which can execute upon viewing in your browser or email program. These files normally end with the ".wmf" extension, but could also be carrying ".jpg" or ".bmp" extensions -- and be just as dangerous. Here's another good reason to be using the Firefox browser. Internet Explorer will execute the file automatically, while Firefox asks what you want to do with it. When I tried a test page containing one of these, Firefox popped up a dialog, and McAfee Anti-Virus caught it going into the cache. If one of these bad .wmf files exists on your machine, note that if you have the Google Desktop Search installed, the mere indexing of the file will set it off.

The first thing is to unregister the MS Picture and Fax viewer, by going to "Start" / "Run" and type:
regsvr32 -u %windir%\system32\shimgvw.dll
When MS provides a fix at some point, you can re-register this program with:
regsvr32 %windir%\system32\shimgvw.dll
A Windows ME machine I looked at this morning had the dll located in "system" directory, rather than "system32".

Next, apply the "unofficial fix" available here. This patch seems not able to install on Win98 or Win ME systems. The author has also written a small checker program which determines whether your system is at risk. This patch can be easily uninstalled once MS releases an official one.

Read more on this at the Internet Storm Center, on the F-Secure weblog and at the US Computer Emergency Readiness Team.

Powered by Blogger

blogspot counter