Alexander’s Blog

January 3, 2006

SANS Posts a Patch for a WMF Exploit That Affects Windows

by @ 7:59 am. Filed under Security/Firewalls, Windows 2003, Windows XP

The SANS Internet Storm Center has put together a comprehensive FAQ about the recently announced WMF zero-day exploit that affects all Windows users. Windows XP (SP1 and SP2) and Windows 2003 are affected by the currently circulating exploits. Other versions may be affected to some extent. Mac OS X, Unix, and BSD are not affected.

The WMF vulnerability uses images (WMF images) to execute arbitrary code. The code executes when the image is merely viewed; in most cases, you don’t have to click anything. Even images stored on your system may trigger the exploit if they are indexed by some indexing software. Viewing a directory in Explorer with “Icon size” images will trigger the exploit as well. Microsoft announced that an official patch will not be available before January 10, 2006 (the next regular update cycle).

If you don’t want to wait for Microsoft’s patch, you can download SANS’s unofficial patch, which was developed by Ilfak Guilfanov, here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6). SANS recommends that you unregister the DLL used to invoke the Windows Picture and Fax Viewer component and apply this unofficial patch for maximum protection. You can unregister the DLL by going to Start, Run, and then typing regsvr32 -u %windir%\system32\shimgvw.dll. If you unregister the DLL, make sure that you re-register it and uninstall this “unofficial” patch before applying Microsoft’s official patch.
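The mitigation and rollback order described above, as a PowerShell script. This is an added example, not code from SANS, Microsoft, or the original post: the installer path is a hypothetical placeholder, the MD5 is the value quoted above, and Get-FileHash assumes PowerShell 4 or later.

```powershell
# Added example: check the unofficial patch against the MD5 quoted in the post,
# then unregister or re-register shimgvw.dll. Run from an elevated prompt.
$ExpectedMd5 = '15f0a36ea33f39c1bcf5a98e51d4f4f6'    # value quoted in the post (v1.4)
$Dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Test-PatchHash {
    param([Parameter(Mandatory)][string]$Path)       # hypothetical installer path
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    # Get-FileHash returns upper-case hex; string -eq is case-insensitive.
    return $actual -eq $ExpectedMd5
}

function Set-ViewerRegistration {
    param([Parameter(Mandatory)][ValidateSet('Unregister', 'Register')][string]$Action)
    $regArgs = @('/s')                               # silent: no dialog boxes
    if ($Action -eq 'Unregister') { $regArgs += '/u' }   # same as the post's -u
    $regArgs += "`"$Dll`""
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "regsvr32 $Action failed with exit code $($p.ExitCode)"
    }
}

# Mitigation: refuse to run an installer whose hash does not match.
$installer = 'C:\Temp\wmf-unofficial-patch.exe'      # hypothetical file name
if (-not (Test-PatchHash -Path $installer)) {
    throw 'MD5 mismatch: do not run this installer.'
}
Set-ViewerRegistration -Action Unregister
# ...install the unofficial patch here...

# Rollback, before applying Microsoft's official update:
#   1. uninstall the unofficial patch
#   2. Set-ViewerRegistration -Action Register
```

An MD5 match only shows that the download is the same file the hash was published for; MD5 is not collision-resistant, so the hash itself should come from a source you trust.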

Here’s Microsoft’s side of the story.

On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform. According to Microsoft’s press release, “…all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.”

The official patch will be downloadable on January 10, 2006 from Microsoft’s Download Center as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will receive the fix automatically.


Copyright ©2008 Zubair Alexander. All rights reserved.
