
F-Secure Issues Warning on XP SP2 WMF Vulnerability

Shane Pitman   on 29 December 2005 - 03:30 · 23 comments & 6272 views

Antivirus and security experts F-Secure have issued a warning to users of Microsoft Windows XP, including fully patched Service Pack 2 machines. The attack is delivered via WMF files carrying a zero-day exploit that F-Secure detects as W32/PFV-Exploit A, B, and C. According to F-Secure it is very easy to fall victim to this exploit, especially if you are using Internet Explorer: it's as simple as visiting an infected web site or viewing a folder containing infected files in Windows Explorer. F-Secure has informed Microsoft, and while a patch is expected to be issued quickly, they warn that Windows administrators and/or users may want to filter all WMF files until a patch is released.

News source: F-Secure
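As an added example (not F-Secure's or Microsoft's code, and not part of the original article), a Python helper that identifies WMF content by its header bytes rather than by file extension, so a filtering or quarantine job can catch the files F-Secure suggests blocking; the sample headers are constructed, and the directory passed to the scanner is whatever you choose.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable WMF signature
META_TYPES = (0x0001, 0x0002)     # MEMORYMETAFILE, DISKMETAFILE
META_VERSIONS = (0x0100, 0x0300)  # METAVERSION100, METAVERSION300

def _standard_header_ok(data, off=0):
    # META_HEADER: Type, HeaderSize (always 9 WORDs), Version.
    if len(data) < off + 6:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", data, off)
    return mtype in META_TYPES and hsize == 9 and version in META_VERSIONS

def _placeable_checksum_ok(data):
    # The 22-byte placeable header ends in a WORD that is the XOR of the ten WORDs before it.
    words = struct.unpack_from("<11H", data)
    xor = 0
    for w in words[:10]:
        xor ^= w
    return xor == words[10]

def classify_wmf(data):
    """Return 'standard', 'placeable', 'placeable (bad checksum)' or None for the leading bytes."""
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        # A wrong checksum is still reported: for filtering we want to over-flag, not under-flag.
        return "placeable" if _placeable_checksum_ok(data) else "placeable (bad checksum)"
    if _standard_header_ok(data):
        return "standard"
    return None

def scan_dir(root):
    """Walk a tree and list files whose leading bytes look like WMF, whatever their extension."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            label = classify_wmf(head)
            if label:
                hits.append((path, label))
    return hits

# Constructed sample headers (not real files): a standard WMF and a placeable WMF wrapping it.
SAMPLE_STANDARD = b"\x01\x00\x09\x00\x00\x03"
SAMPLE_PLACEABLE = b"\xd7\xcd\xc6\x9a\x00\x00\x00\x00\x00\x00\x64\x00\x64\x00\x60\x00\x00\x00\x00\x00\x71\x57" + SAMPLE_STANDARD
```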

#1 Ely on 29 Dec 2005 - 04:01
Finally this makes it in front page news on Neowin! This is a really really nasty exploit and its out in the open.
#2 Kurono on 29 Dec 2005 - 04:07
Hmm... Heard something similar today on a computer talk show... Didn't think much of it until I read this...
#3 Windam on 29 Dec 2005 - 04:57
what does this do?
#3.1 sizza on 29 Dec 2005 - 05:34
read news source
#4 SkyyPunk on 29 Dec 2005 - 05:36
lol what a coincidence...i went to a site earlier today that popped up a thing that was about to run a wmf file...i cancelled it before it ran though...tricky tricky
#5 pallavsuri on 29 Dec 2005 - 08:22
just switched over to firefox after a long time. last time it was at 0.9! 1.5 seems good!
#6 whitedragon on 29 Dec 2005 - 08:40
Open your Run dialogue and enter this: regsvr32 /u shimgvw.dll
that'll disable the WMF handler as a temporary fix.

#6.1 jwjw1 on 29 Dec 2005 - 09:10
Here's a good tutorial for adding the register/unregister dll to the 'right click'

http://www.codeproject.com/w2k/regdllxp.asp

neowin wants to add a space after the reg..but its all one word regdllxp.asp

Last edited by jwjw1 on 29 Dec 2005 - 09:18
#7 Fr0stbite1 on 29 Dec 2005 - 09:29
this has caused the worst spyware infection I have ever had on my pc

on visiting a website a cmd box pops up, runs the exploit and starts downloading more and more spyware

over 15 programs were downloaded, including fake spyware scanners, hard to remove everything, the machine now needs a format

#7.1 capeche on 29 Dec 2005 - 09:54
what site were you visiting?
#8 Croquant on 29 Dec 2005 - 11:17
See, this is why I don't use IE anymore. Too many undocumented vulnerabilities. Seems like every month we learn about another one.
#9 Jugalator on 29 Dec 2005 - 12:44
As F-Secure says on that blog, it's extremely easy to get infected by this until there's a patch out. Even downloading it with Firefox (or whatever way) and merely hovering your mouse on the file is enough, even if it's right on the desktop and not in an Explorer window.

I wouldn't recommend anyone to download these files on Windows machines at all, much less visit the known websites involved, because it's not a "regular" problem where you're busted only if you actively execute a file.
#10 Ely on 29 Dec 2005 - 12:50
This has been confirmed to momentarily fix the vulnerability while Microsoft puts out a patch:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled back by entering the command:

"regsvr32 shimgvw.dll"

Microsoft has put out a statement regarding this vulnerability but Neowin will not allow me to post the link for some reason.

Last edited by Ely on 29 Dec 2005 - 13:06
#11 tunafish on 29 Dec 2005 - 13:37
it seems sad that everyone is saying only IE is affected, well that's total FOD, as I got infected using firefox
#11.1 M2Ys4U on 29 Dec 2005 - 13:48
From what I've read you need to download the file in Firefox and open it on your machine to become infected, whilst you only need to open a page containing an embedded file in IE to do so.

Correct me if I'm wrong.
#11.2 DJ_Myth on 29 Dec 2005 - 13:57
M2Ys4U I think you are correct...
#11.3 theyarecomingforyou on 29 Dec 2005 - 14:00
It's a Windows flaw... using Firefox is irrelevant, though using it reduces the risk.
#12 tunafish on 29 Dec 2005 - 15:20
yes but firefox is set to download most files anyway...
as I got infected with it without downloading anything and I had it set on default ff settings
#12.1 mrk on 29 Dec 2005 - 18:07
most firefox users change the default settings
