IMPORTANT Windows Metafile Exploit Info

**Azeke** · 03 January 2006, 11:31 Tuesday

Thanks for the update Kevin, I have notified my company of this possible vulnerability.

Peace and blessings,

Azeke

**George Bellefontaine** · 03 January 2006, 12:03 Tuesday

Any way of telling if a given graphic is a WMF file ? Unregistering the Shimgvw.dll sounds like the easiest route to go, but does that mean you won't see graphics ?

**Kevin P** · 03 January 2006, 12:06 Tuesday

WMF files normally have a .wmf suffix, but filtering on the suffix isn't sufficient since someone could rename it to a number of different suffixes such as .bmp or .gif and still trigger the exploit.

In Windows XP and 2003, the Windows Picture and Fax Viewer is used to view certain image types by default, when you click on them in Explorer, etc. Unregistering Shimgvw.dll disables this. You could associate another viewer with wmf files, but if it uses the same vulnerable code you could still get infected.

The best bet, beyond unregistering the dll, is to apply Ilfak Guilfanov's patch, until MS releases an official fix. This patch will allow images to still be viewed, while disabling the feature that allows the vulnerability to be exploited.

**Clive** · 03 January 2006, 14:00 Tuesday

Thanks Kevin,. We were already notified of the .WMF infection on our conputer a couple of days ago. I was successful in unregistering shimgvw today but I'm getting an DNS Error Msg cannot open the page.......... can you help?

**Kevin P** · 03 January 2006, 14:34 Tuesday

The site appears to be down right now. It was working earlier today when I posted the link. Try again in a little while.

**Chris D** · 03 January 2006, 22:04 Tuesday

This was on the radio news tonight here in the Seattle/Tacoma area. (home of MS) They said it could take a week to release a patch.

**Kevin P** · 03 January 2006, 22:10 Tuesday

I posted a new URL to read about and download the hotfix: http://castlecops.com/f212-Hexblog.html

Also: http://www.grc.com/sn/notes-020.htm

Apparently the original account got suspended due to bandwidth usage.

**Kevin P** · 05 January 2006, 21:56 Thursday

Official Microsoft patch is now available: MS06-001

This site has a good summary of the exploit:

http://www.pauldotcom.com/2006/01/wmf_vulnerability_exploits_jus.html

**Chris D** · 06 January 2006, 01:59 Friday

Just installed and restarted both of my computers...

**George Bellefontaine** · 06 January 2006, 12:27 Friday

Thanks for the Microsoft link, Kevin.

IMPORTANT Windows Metafile Exploit Info