Anti-Virus Protection for WMF Flaw Still Inconsistent

By Larry Seltzer  |  Posted 2005-12-31

Updated: Many products provide complete protection against current WMF exploits, but others are less successful; Microsoft's workaround works, but has limits.

Days after the revelation of a flaw in Windows handling of WMF graphics files, dozens of exploits are being spread from thousands of adware sites. But good protection is available. At the same time, further testing confirms that a workaround issued by third parties and endorsed by Microsoft Corp. is effective in most regards, and in the most important circumstances, but not in all. Also, the workaround has side effects that could prove troublesome. AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:
  • Alwil Software (Avast)
  • Softwin (BitDefender)
  • ClamAV
  • F-Secure Inc.
  • Fortinet Inc.
  • McAfee Inc.
  • ESET (Nod32)
  • Panda Software
  • Sophos Plc
  • Symantec Corp.
  • Trend Micro Inc.
  • VirusBuster
These products detected fewer variants:
  • 62 — eTrust-VET
  • 62 — QuickHeal
  • 61 — AntiVir
  • 61 — Dr Web
  • 61 — Kaspersky
  • 60 — AVG
  • 19 — Command
  • 19 — F-Prot
  • 11 — Ewido
  •  7 — eSafe
  •  7 — eTrust-INO
  •  6 — Ikarus
  •  6 — VBA32
  •  0 — Norman
The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit rather than looking for specific patterns for specific exploits. The latter technique leaves users vulnerable to threats that the vendor has not yet identified and protected against. Mikko Hypponen of F-Secure, when asked about the matter, said, "Heuristic detection rocks."

After some concern was expressed about the efficacy of the workaround proposed by third parties and endorsed by Microsoft, it appears that it is basically effective at preventing exploitation in the most common circumstances, but not in all. The registry fix discussed in a previous article does not work effectively, however, and users who have been relying on it will need to switch to other measures.

The effective fix de-registers a system DLL relied on by the Windows Picture and Fax Viewer program. To effect the change, click Start, then Run, then enter the following command:
    regsvr32 /u %windir%\system32\shimgvw.dll
To re-enable the same DLL, click Start, then Run, then enter the following command:
    regsvr32 %windir%\system32\shimgvw.dll
This fix prevents exploitation when a WMF file is loaded from Windows Explorer or Internet Explorer. Enterprises looking for a more manageable solution may want to investigate using an Active Directory Software Restriction Policy to set a path restriction, blocking all execution of the shimgvw.dll file. Some sources are recommending this, although nobody will admit to actually having tested it with the WMF vulnerability.
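The article credits the better detection rates to heuristics that recognise the exploit's technique rather than byte patterns of individual samples. As an added illustration, written for this page and not part of the article, AV-Test's work or any vendor's engine, the following Python walks the record structure of a WMF file and flags META_ESCAPE records whose escape sub-function is SETABORTPROC, the structural feature the WMF exploits of this period relied on. The article itself does not name that record type; the record and escape codes come from the public Windows Metafile format, and the sample files are constructed inline with zero-byte filler rather than any payload. A structural check of this kind is a triage signal, not a verdict: the rare legitimate metafile that uses the same escape will also be flagged, and a truncated or malformed file is reported separately so it can be examined rather than silently passed.

```python
import struct

# WMF constants from the public Windows Metafile format (not stated in the article).
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape sub-function the 2005 WMF exploits relied on


def wmf_records(data: bytes):
    """Yield (offset, function, params) per record; raise ValueError on malformed input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                         # skip the 22-byte placeable header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    if struct.unpack_from("<H", data, off + 2)[0] != 9:   # HeaderSize is in 16-bit words
        raise ValueError("unexpected METAHEADER size")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:               # a record is at least Size (DWORD) + Function (WORD)
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of data")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no EOF record before end of data")


def scan_wmf(data: bytes) -> dict:
    """Structural (heuristic) check: report SETABORTPROC escapes and parse errors."""
    result = {"records": 0, "escape_records": 0, "setabortproc": [], "error": None}
    try:
        for off, func, params in wmf_records(data):
            result["records"] += 1
            if func == META_ESCAPE:
                result["escape_records"] += 1
                # params layout: EscapeFunction (WORD), ByteCount (WORD), EscapeData
                if len(params) >= 2 and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                    result["setabortproc"].append(off)
    except ValueError as exc:
        result["error"] = str(exc)
    result["suspicious"] = bool(result["setabortproc"])
    return result


# --- constructed sample files for this example (filler bytes only, no payload) ---

def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\0"                  # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size in words, 0 objects, MaxRecord, 0
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def _placeable(wmf: bytes) -> bytes:
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word                 # checksum is the XOR of the preceding 10 words
    return head + struct.pack("<H", checksum) + wmf


BENIGN_WMF = _wmf([
    _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    _record(META_EOF),
])

SUSPICIOUS_WMF = _wmf([
    _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\0" * 16),  # inert filler
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("placeable", _placeable(SUSPICIOUS_WMF)), ("truncated", SUSPICIOUS_WMF[:40])]:
        print(name, scan_wmf(blob))
```

Run against a directory of cached browser content or a mail quarantine, `scan_wmf` gives a per-file list of record offsets to inspect; the point of the design is that it never depends on the bytes of any particular sample, which is what the article means by detecting the technique rather than the exploit.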

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publications.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
