Workaround, Protections Emerge for WMF Exploit

By Larry Seltzer  |  Posted 2005-12-31 Print this article Print

Updated: Anti-malware products deploy detection signatures as exploits multiply, and a registry-based workaround has been developed.

Anti-virus and intrusion protection firms are reacting quickly to a new zero-day exploit for Windows, and a workaround has been devised by an independent researcher.

According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four.

By the same token, many products, such as ClamAV and Trend Micro, had no protection. The situation is very fluid, so by the time you read this, more protection and more exploits will likely be available.

Many other companies are still in the process of implementing protection and have deployed it only for some of the available exploits.

And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.

First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:
    regsvr32 /u shimgvw.dll
To re-enable the same DLL, click Start, then Run, then enter the following command:
    regsvr32 shimgvw.dll

The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.

Editors Note: This story has been modified to remove a registry modification which had been reported effective against the vulnerability. Subsequent testing shows that it is not effective against the vulnerability. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel