Be Smart About WMF Remediation

Opinion: Look to the network perimeter for ways to block malicious files.

One way to remedy Microsoft Corp. Windows insecure handling of WMF graphics files is to go machine-by-machine and unregister the regsvr32 DLL that is at the root of the problem.

However, until an effective patch is released or anti-virus vendors release signature files that catch the growing number of malicious files resulting from this vulnerability, another way for IT managers to handle the problem is by using an IDS or firewall to block WMF files. Keep in mind that malicious WMF files are easily changed to evade perimeter protection systems. However, for those sites that are still using unchanged WMF files, perimeter systems may provide a minimal level of protection.

The reason is simple enough: Filtering malicious content at the edge of the network is more cost-effective than making changes to individual machines (or even using Group Policy to change large numbers of systems).

/zimages/7/28571.gifHow serious is the WMF vulnerability? Click here to read more.

Further, it seems likely that once a patch is available, it will be easier to apply the patch to systems and then open the network perimeter at the convenience of the organization.

Managing in a crisis—and IT managers should first take steps to understand if the WMF vulnerability is indeed a crisis for the organization—means taking steps to create the time for rational decisions.

Editors Note: This story was updated because new information as of Jan. 4 showed that malicious WMF files can evade many perimeter defenses.

Technical Director Cameron Sturdevant can be reached at

/zimages/7/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.