Windows users, act NOW

by Volker Weber

Stop reading. And run this command now:

regsvr32 /u %windir%\system32\shimgvw.dll

This command will unregister a broken DLL responsible for rendering graphics. There are now hundreds of websites exploiting a vulnerability in this graphics rendering engine. This is not a theoretical threat. The exploit is in the wild and spreading fast.

You can reverse the temporary fix by registering the DLL once it has been fixed by Microsoft. Just issue the same command without the /u.

Update: Lotus Notes seems to call the DLL even if it has been unregistered. The only workaround to that would be to rename it.

Update: As Ken reports, there is a better solution now. Steve Gibson recommends installing Ilfak Guilfanov's Temporary WMF Patch. After you have successfully installed it, you can re-register the DLL that we unregistered above:

regsvr32 %windir%\system32\shimgvw.dll

Sven linked to an early version of the same fix.

Ilfak has also written a program that checks whether your system is safe or not.

Update: It's not a bug. It's a feature.

Comments

thanks. dll uninstalled on my machine and have passed the word to friends and family.

Joe Litton, 2005-12-30

Be warned though that this will break the "Filmstrip" view in Windows Explorer and for folders generally, in addition to removing the plain open function.

For the time being it is definitely the more secure way to run a Windows system.

Highlights the trouble with shared libraries/DLLs in general. If one of the many that make up a modern system has a vulnerability, the system may be compromisable in oh so many ways.
However, current unsafe practices in setting up and running Windows systems certainly exacerbate the problem.

Martin Forisch, 2005-12-30

Done.

But a little but important detail I found on the F-Secure blog:

"What the workaround does not stop against is if you open an exploited file in MSPAINT (aka Paintbrush)."

Regards,
michel

michel merz, 2005-12-30

regsvr32.exe is not available on my iBook ;-)

According to heise.de Lotus Notes uses this lib even if the DLL has been unregistered.
Is there a way to save Notes users?

Wolfgang Schmidetzki, 2005-12-30

Wolfgang, is this a trick question? Removing or renaming the DLL after unregistering should stop even Notes from using it ...

Stefan Rubner, 2005-12-31

Thanks for the advisory Volker. I just posted the information on my Website as well :-)

Alper Iseri, 2005-12-31

And now there is a patch, but not from MS...

http://handlers.sans.org/tliston/wmffix_hexblog11.exe

Sven Semel, 2006-01-01

Oh boy, and you would install a binary from an unknown source that patches Windows - just like that?

Why not keep the broken DLL unregistered and tucked away until Microsoft fixes it? Previewing images is hardly mission critical.

Volker Weber, 2006-01-01

Nope, I would not without further checking. But if you have some users around who use programs that need this DLL, unregistering is only a quick hack to minimise the risk, and it depends on how long you can bear the complaints of the users because the usual program is not working.

And waiting for Microsoft to fix it? Hmm, this could take a long time compared to the risk.

Apart from that, the source is not totally unknown; just have a look at what Tom Liston writes on sans.org about this issue: http://isc.sans.org/diary.php

Sven Semel, 2006-01-01

Well, you provided a link to the binary only. That is why I wrote "without further checking".

Volker Weber, 2006-01-01

O.k., you are right... didn't get this, seems to be some aftereffect from tonight ;-)

Sven Semel, 2006-01-01

Steve Gibson of Gibson Research Corporation recommends that all Windows users use Ilfak's Temporary WMF Patch to protect themselves from this vulnerability.

Steve's website has a page describing his research of this patch utility here.

From that page:

This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once Windows has been officially updated and repaired.
To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.


Steve Gibson also talks about this patch in the most recent Security Now podcast. The podcast site does not yet list the most recent episode, but it is available in the RSS feed. You can subscribe to the podcast here: http://www.grc.com/securitynow.htm

Ken Porter, 2006-01-02

Incidentally, WinXP will automatically replace this file if you attempt to rename it. It replaces it from the hidden "Dllcache" directory under the System32 directory. You need to rename it in the dllcache first, then rename it in the system32 dir. WinXP will then tell you that the file is missing, and will prompt you for your WinXP CD. Just cancel and tell it you want to keep the "bad" file.

Rocky Oliver, 2006-01-02
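The post's two commands (unregister with /u, re-register without it) and Rocky's note about the Dllcache copy fit naturally into one script. What follows is an added example, not code from the original post or from any commenter. It assumes an administrator cmd.exe on Windows 2000/XP and the default %windir%\system32 paths named on the page; the `.disabled` suffix and the `disable`/`restore` arguments are my own choices, as is the fixed file name shimgvw.dll taken from the post.

```batch
@echo off
rem Added example (not from the original post or comments).
rem Disables the shimgvw.dll WMF preview path the way the post and the
rem comments describe, and reverses it later. Assumes an administrator
rem cmd.exe and the default %windir%\system32 layout named on the page.
rem Usage:  wmf-workaround.cmd disable   |   wmf-workaround.cmd restore

setlocal
set "DLL=%windir%\system32\shimgvw.dll"
set "CACHE=%windir%\system32\dllcache\shimgvw.dll"

if /i "%~1"=="disable" goto :disable
if /i "%~1"=="restore" goto :restore
echo usage: %~nx0 disable ^| restore
exit /b 2

:disable
rem Step 1: unregister the COM server so Explorer and the image viewer stop
rem loading it. This alone is the post's one-line command (/s = silent).
regsvr32 /s /u "%DLL%" || (echo unregister failed & exit /b 1)

rem Step 2: Windows File Protection silently puts a renamed system32 file
rem back from the hidden dllcache folder, so rename the cached copy FIRST
rem (the ordering Rocky's comment describes).
if exist "%CACHE%" ren "%CACHE%" shimgvw.dll.disabled

rem Step 3: now rename the live copy. Renaming, not just unregistering,
rem also stops programs such as Lotus Notes that load the DLL directly.
ren "%DLL%" shimgvw.dll.disabled || (echo rename failed & exit /b 1)
echo shimgvw.dll unregistered and renamed. If WFP asks for the CD, cancel.
exit /b 0

:restore
rem Reverse the steps once a fixed DLL has shipped: put both copies back
rem under their real names, then register again (same command without /u).
if exist "%CACHE%.disabled" ren "%CACHE%.disabled" shimgvw.dll
if exist "%DLL%.disabled" ren "%DLL%.disabled" shimgvw.dll
regsvr32 /s "%DLL%" || (echo re-register failed & exit /b 1)
echo shimgvw.dll restored and registered.
exit /b 0
```

Two caveats that the comments above already spell out: renaming the DLL removes Explorer's thumbnail and filmstrip views and the plain "open" preview for images, and it only closes the most common path by which a metafile gets parsed. Programs that render WMF files through other code, Paint being the example quoted from F-Secure, are not covered, which is why the later comments point at Ilfak's patch instead.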

Here is an InfoWorld article about Microsoft's response to the 3rd party WMF patches:

http://www.infoworld.com/article/06/01/03/HNmssayswait_1.html

The article talks specifically about the patch provided by Ilfak Guilfanov, which I talked about in my post above, and how his patch has won the support of many security researchers like F-Secure Corp.

Ken Porter, 2006-01-04

How exactly would one explain this vulnerability in this graphics rendering engine to a non computer literate person?

joe djamasi, 2006-01-04

I think you'd simply say "Buy A Mac" to them.

Seriously, in a corporate environment we can make sure that everyone's AV updates are protecting them, but I've been getting so many questions from people about their home machines, that this is now my answer, especially if they have kids.

Jon Johnston, 2006-01-04

Joe, let me make an attempt to describe "the WMF vulnerability to a non computer literate person" here.

Ken Porter, 2006-01-07

After some months of distress over why I couldn't view thumbnails or open images anymore, today I remembered I had activated this safeguard and found the antidote. Thanks for keeping the archive...

Matthias Ernst, 2006-05-01
