Workaround, Protections Emerge for WMF Exploit

Updated: Anti-malware products deploy detection signatures as exploits multiply, and a registry-based workaround has been developed.

Anti-virus and intrusion protection firms are reacting quickly to a new zero-day exploit for Windows, and a workaround has been devised by an independent researcher.

According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four.

By the same token, many products, such as ClamAV and Trend Micro, had no protection. The situation is very fluid, so by the time you read this, more protection and more exploits will likely be available.

Many other companies are still in the process of implementing protection and have deployed it only for some of the available exploits.

And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.

First, you can unregister the specific DLL that implements the vulnerable code from the system using a command line program. To disable the DLL click Start, then Run, then enter the following command:

regsvr32 /u shimgvw.dll
To re-enable the same DLL, click Start, then Run, then enter the following command:
regsvr32 shimgvw.dll

The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.

Editors Note: This story has been modified to remove a registry modification which had been reported effective against the vulnerability. Subsequent testing shows that it is not effective against the vulnerability.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.