Workaround, Protections Emerge for WMF Exploit


Written by Larry Seltzer
Dec 31, 2005

Anti-virus and intrusion protection firms are reacting quickly to a new zero-day exploit for Windows, and a workaround has been devised by an independent researcher.

According to AV-Test, an anti-virus research firm, numerous anti-virus firms were detecting some of the four exploits for the vulnerability that they had at that point. AntiVir, Avast!, BitDefender, Ewido, F-Secure, Fortinet, Ikarus, Kaspersky, McAfee and NOD32 detected all four.

By the same token, many products, such as ClamAV and Trend Micro, had no protection. The situation is very fluid, so by the time you read this, more protection and more exploits will likely be available.

Many other companies are still in the process of implementing protection and have deployed it only for some of the available exploits.

And a workaround has been posted by Jerome Athias to the Full-Disclosure security mailing list. The workaround disables WMF parsing in two different ways.

First, you can unregister the specific DLL that implements the vulnerable code from the system using a command-line program. To disable the DLL, click Start, then Run, then enter the following command:

regsvr32 /u shimgvw.dll

To re-enable the same DLL, click Start, then Run, then enter the following command:

regsvr32 shimgvw.dll

The workaround has been confirmed by iDEFENSE as effective in preventing the current versions of the exploit, with a caveat. Previous vulnerabilities in the parsing of WMF files have led to additional vulnerabilities in EMF files, a later version of the metafile format. iDEFENSE warns that this workaround may not be effective against such future attacks.

Athias warns that if you unregister shimgvw.dll, Windows Explorer will not display thumbnails anymore. So the registry operation is a much better way.

Editor's Note: This story has been modified to remove a registry modification which had been reported effective against the vulnerability. Subsequent testing shows that it is not effective against the vulnerability.

Check out eWEEK.com for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
