
Microsoft Confirms WMF Vulnerability, Plans for Patch

Shane Pitman on 29 December 2005 - 15:45 · 46 comments & 20179 views

Microsoft has issued Security Advisory 912840 concerning the recently disclosed WMF vulnerability and the exploits circulating for it. Microsoft also confirmed the REGSVR32 workaround as a viable way to protect your PC until it has fully researched the vulnerability and issued a patch. The following is a quote from the Microsoft Security Advisory.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
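As an added example (not code from the advisory or from the article), the following Windows PowerShell script applies the same workaround silently, confirms through the registry that no COM class still points at Shimgvw.dll, lists what else is wired to the .wmf extension, and reverses the change. It assumes an elevated PowerShell session; the function names are this example's own.

```powershell
# Added example, not from Microsoft Advisory 912840 or the article: apply, verify and
# undo the Shimgvw.dll un-registration workaround. Assumes an elevated session, since
# regsvr32 writes under HKLM\SOFTWARE\Classes.

$ShimgvwPath = Join-Path $env:windir 'system32\shimgvw.dll'

function Test-IsAdministrator {
    # A standard user cannot register or un-register the DLL (the registry writes fail).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShimgvwClsids {
    # Every COM class whose InprocServer32 default value names shimgvw.dll.
    # 'regsvr32 -u' calls the DLL's DllUnregisterServer, which is expected to remove them.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and ($server.'(default)' -match 'shimgvw\.dll')) {
                [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server.'(default)' }
            }
        }
}

function Get-WmfHandlers {
    # The .wmf extension key holds other handlers (one commenter found a third-party one);
    # un-registering Shimgvw.dll does not touch these, so list them for review.
    $key = 'Registry::HKEY_CLASSES_ROOT\.wmf'
    if (Test-Path $key) {
        Get-ItemProperty -Path $key | Select-Object '(default)', 'Content Type', 'PerceivedType'
        Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    }
}

function Invoke-ShimgvwWorkaround {
    param([switch]$Undo)   # -Undo re-registers the DLL, restoring Picture and Fax Viewer
    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }
    # /s suppresses the confirmation dialog the advisory describes; exit code 0 means success.
    $argList = @('/s')
    if (-not $Undo) { $argList += '/u' }
    $argList += "`"$ShimgvwPath`""
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        throw "regsvr32 failed with exit code $($proc.ExitCode)"
    }
    # Verify the result rather than trusting the exit code alone.
    $remaining = @(Get-ShimgvwClsids)
    if ($Undo) {
        "Re-registered: $($remaining.Count) CLSID(s) now point at shimgvw.dll"
    } else {
        "Un-registered: $($remaining.Count) CLSID(s) still point at shimgvw.dll (expect 0)"
    }
}

# Usage:
#   Invoke-ShimgvwWorkaround          # the advisory's Step 1, silently, with verification
#   Invoke-ShimgvwWorkaround -Undo    # the reversal described under "Impact of Workaround"
#   Get-WmfHandlers                   # what else is associated with .wmf on this machine
```

The verification step matters because the advisory's confirmation dialog only reports that DllUnregisterServer ran; checking HKCR\CLSID shows whether any class still resolves to the DLL. On 64-bit Windows the 32-bit copy under SysWOW64 has its own registration under WOW6432Node, which this script does not touch.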

Antivirus and security experts at F-Secure advise that this method is more secure than simply filtering WMF content, since the exploit can arrive in files carrying many other image extensions (.GIF, .BMP, .JPG, .TIF, etc.). F-Secure warns that to date they have only seen spyware and fake antispyware/antivirus installations delivered with this exploit, but that more serious infections may be coming soon.

View: F-Secure WMF Vulnerability Update
News source: Microsoft Security Advisory 912840





#1 Rytis on 29 Dec 2005 - 15:55
We're missing slashes in the command.

#2 TomAL on 29 Dec 2005 - 15:56
note: the command for unregistering should be "regsvr32 -u %windir%\system32\shimgvw.dll" (without quotes)... Similarly to re-register "regsvr32 %windir%\system32\shimgvw.dll"

edit: eh... the slashes didn't come out in my post, how does that work?

EDIT2: Wooaa the HTML parser really doesn't like slashes in here!

Last edited by TomAL on 29 Dec 2005 - 16:08
#3 kirk26 on 29 Dec 2005 - 15:59
You've been slashdotted.... :p
#4 briley on 29 Dec 2005 - 16:00
regsvr32 -u %windir%/system32/shimgvw.dll

Hopefully those slashes will show up...

Last edited by briley on 29 Dec 2005 - 16:06
#4.1 Frost_311 on 29 Dec 2005 - 16:01
I tried to post a correction but it didn't show up, that one worked; thanks briley
#4.2 TomAL on 29 Dec 2005 - 16:04
should be backslashes...see post above...
#4.3 briley on 29 Dec 2005 - 16:06
You're right TomAL, but the forward-slashes work just as well (or they did for me), and I wasn't sure how to get backslashes to show up ... good job
#4.4 TomAL on 29 Dec 2005 - 16:11
Fair enough... Seems like their system is having a few problems with backslashes! If I try and edit my post to get rid of the errors that are added there are 6 or 7 spaces for every 1!!!
#5 Sawyer12 on 29 Dec 2005 - 16:28
One of the symptoms is that all the icons on the desktop have blue lines round them right?
#5.1 Banzai on 29 Dec 2005 - 16:43
Blue lines? Hmm, not really. With the copy I've been looking at you lose use of the Task Manager, the wallpaper is changed to say you have been infected, and you'll get a cross down by the clock telling you that you have been infected.
#6 thenay on 29 Dec 2005 - 16:35
regsvr32 -u %windir%/system32/shimgvw.dll worked for me
thanks neowin
#7 Tungsten T on 29 Dec 2005 - 17:26
Just download IrfanView and use it as a replacement
#7.1 Jugalator on 30 Dec 2005 - 08:01
It doesn't help against the "put mouse pointer over corrupted file in the Explorer/Desktop and you'll still be infected". Windows will still load that code to retrieve special information about the picture. It also doesn't help against any other program on your computer making use of that DLL, such as Google Desktop. There's probably more too...
#8 Julius Caro on 29 Dec 2005 - 18:06
I can't believe that the real meaning of WMF is not even mentioned in the article.
For those who, like me, were wondering:
WMF = windows meta file
#9 Banzai on 29 Dec 2005 - 18:19
for anyone who is trying to remove the "virus" from an infected system look at my post here http://www.neowin.net/forum/index.php?showtopic=413457&st=60
#10 Stunna on 29 Dec 2005 - 19:15
Since it's the Windows meta file, does it have anything to do with the searching abilities?
And how are so many people getting the virus?
Isn't it just certain websites that spread it?
And can Windows 2003 Server users get this virus?
#10.1 Burl Pitman on 29 Dec 2005 - 19:33
Yes, Windows 2003 Server is vulnerable to this as well. According to Secunia all versions of Windows XP and Windows 2003 Server are vulnerable.

Edit: Ack, posted as my Dad rather than myself (this is Shane, I'm at my parents house).
#10.2 raskren on 29 Dec 2005 - 20:11
WMF is an image format that stores both vector and bitmap data in the same file. That's where the "meta" comes from. If you use IE and visit a site that contains an infected WMF image, you will get infected immediately. If you use Firefox or some other browser, you have to save the image and then open it.

Read the security advisory...mmmkay?!?!
#10.3 threedaysdwn on 29 Dec 2005 - 20:31
Has nothing to do with searching.

It's an image format, and I've always heard it was "Windows Media Format" or something like that - basically a Windows Media image file (as opposed to audio or video).
#10.4 em_te on 30 Dec 2005 - 03:04
Lol. Your dad uses Neowin?
#10.5 shanepitman on 30 Dec 2005 - 03:32
Yep, and he stalks my posts sometimes too, although I don't know if he's ever posted on one. I've seen him reading my posts before though. My Dad and I are pretty tight, always have been.
#11 Eric Gisin on 29 Dec 2005 - 21:23
Note that WMF will be displayed in email by Outlook (Express) too.

I did unregister the Microsoft DLL, but I still get WMF preview. Checking HKEY_CLASSES_ROOT\.wmf shows Nero Digital has also installed a handler. How do I get rid of that?
#11.1 ian on 02 Jan 2006 - 11:09
Try regsvr32 -u shimgvw.dll (instead of ...%windir%/system32/shimgvw.dll). It happened the same to me at work.
#12 dmaji1 on 30 Dec 2005 - 01:56
How do I re-enable Picture Viewer? I just copied and pasted that code into Run and it took it off. Is there a way I can enable it again?
#12.1 shanepitman on 30 Dec 2005 - 01:59
It's in the article.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%/system32/shimgvw.dll” (without the quotation marks).


#13 dragonfixed on 30 Dec 2005 - 04:10
If you unregister the DLL in the post you will lose all saving and viewing functions via Windows Explorer and Photoshop.
#14 hardgiant on 30 Dec 2005 - 04:39
Seems like a drastic step.....
#15 jivemastert on 30 Dec 2005 - 05:06
This would explain why when I went to a website last night, windows picture and fax viewer popped up and then windows told me it was closing the program because a dll could potentially do damage to my system. Guess I keep up on my updates? Or is this something different?
#15.1 andy89 on 30 Dec 2005 - 09:10
That's DEP doing good work.
#16 LazyGamer on 30 Dec 2005 - 06:45
Can anyone name off some replacement preview viewers till this stuff is fixed?
#17 dmaji1 on 30 Dec 2005 - 07:15
IrfanView, and thanks for the help before shanepitman, but I did a system restore before you could answer me. And it made my WindowBlinds 5 go all funny when I unregistered that DLL as well, like my transparency was all f*cked up and stuff. So I suggest anyone with WindowBlinds 5 does not unregister this DLL or you will have transparency problems.
#18 andy89 on 30 Dec 2005 - 09:15
Probably the best way to avoid this exploit if you don't want to unregister Picture and Fax Viewer is to block .wmf files and use an alternative web browser; also uninstall Google Desktop Search or stop it indexing .WMF files.

I can tell you now that you don't want to get this spyware/adware/malware crap that it puts on your system. I spent hours trying to remove it and ended up reinstalling Windows.
#19 madnuke on 30 Dec 2005 - 10:23
W00t DEP blocked it for me!
#20 Ely on 30 Dec 2005 - 14:47
DEP works if it's hardware based, but if it is software based it will NOT work for this vulnerability.
#21 CabiMan on 30 Dec 2005 - 15:47
Correct me if I'm wrong, but unregging the DLL also affects the background on desktop fonts. Sometimes only seen if the wallpaper is changed. Just spent ages trying all the usual things after changing the wallpaper and getting that awful background behind the fonts. Then re-regged the DLL, changed the wallpaper and all is well again.
#21.1 Sawyer12 on 30 Dec 2005 - 18:24
Hmmmmm, strange, that's what happened to me. Wonder if it was the same thing.
#21.2 RudyJ on 31 Dec 2005 - 04:42
It's a file association thing. After unregging the .dll I had the same problem until I associated all image files with XnView (which I use as my main image viewer), then I had to reset my wallpaper with it (select your wallpaper image and choose 'set as background') and all the funky lines around my desktop icons disappeared.
#22 Stunna on 30 Dec 2005 - 20:33
I think I'm just going to disconnect my PC from the internet
#23 DRAKE 360 on 30 Dec 2005 - 21:08
How do you reverse:
regsvr32 -u %windir%\system32\shimgvw.dll
#24 DRAKE 360 on 30 Dec 2005 - 21:11
nm, just have to remove the -u duh

regsvr32 %windir%\system32\shimgvw.dll
#25 Havin_it on 31 Dec 2005 - 21:51
Okay, small observation:

According to SANS Internet Storm Center, you need to actually delete/rename SHIMGVW.DLL to prevent it being re-registered by other programs. That's all very nice, but under Win XP we have the wondrous thing called Windows File Protection. In other words, as soon as I delete the DLL, it re-appears (similar to IEXPLORE.EXE if you've ever tried that one).

So, how do you get round that? I have spotted some pages referring to doing a regedit plus hex-editing another system DLL (SFC_OS.DLL) and have tried this approach, but it doesn't work for me. Can anyone explain a confirmed way to prevent the replacing of WFP-protected files?
#25.1 CNUTZ on 01 Jan 2006 - 13:58
#25.2 threedaysdwn on 03 Jan 2006 - 05:57
The issue isn't other apps re-registering it. The issue is that a malicious CMD script could do "regsvr32 SHIMGVW.DLL"

However, a malicious CMD script could do anything the user could do. So really I don't see that as a risk since running a CMD file requires user interaction.

If you run as a non-admin user, you won't be able to unregister or re-register the DLL. So once again, running non-admin makes you far more secure.
