Windows users, act NOW

by Volker Weber

Stop reading. And run this command now:

regsvr32 /u %windir%\system32\shimgvw.dll

This command will unregister a broken DLL responsible for rendering graphics. There are now hundreds of websites exploiting a vulnerability in this graphics rendering engine. This is not a theoretical threat. The exploit is in the wild and spreading fast.

You can reverse the temporary fix by registering the DLL once it has been fixed by Microsoft. Just issue the same command without the /u.

Update: Lotus Notes seems to call the DLL even if it has been unregistered. The only workaround to that would be to rename it.

Update: As Ken reports, there is a better solution now. Steve Gibson recommends to install Ilfak Guilfanov's Temporary WMF Patch. After you have successfully installed it, you can register the DLL that we unregistered above:

regsvr32 %windir%\system32\shimgvw.dll

Sven linked to an early version of the same fix.

Ilfak has also written a program that checks whether your system is safe or not.

Update: It's not a bug. It's a feature.

Comments

thanks. dll uninstalled on my machine and have passed the word to friends and family.

Joe Litton, 2005-12-30

Be warned though that this will break the "Filmstrip" View in Windows Explorer and for for Folders generally, in addition to removing the plain open function.

For the time beeing it is definitely the more secury way to run a Windows system.

Hilights the trouble with shared libraries/dlls in general. If one of the many that make up a modern system has a vulnerability, the system may be compromizable in oh so many ways.
However current unsave practizes in setting up and running Windows Systems certainly excerbate the problem.

Martin Forisch, 2005-12-30

done..

but a little but important detail i found on the f-secure-blog:

"What the workaround does not stop against is if you open an exploited file in MSPAINT (aka Paintbrush)."

gruss
michel

michel merz, 2005-12-30

regsvr32.exe is not avaliable on my iBook ;-)

According to heise.de Lotus Notes uses this lib even if the dll has been unregistered.
Is there a way to safe notes users?

Wolfgang Schmidetzki, 2005-12-30

Wolfgang, is this a trick question? Removing or renaming the DLL after unregistering should stop even Notes from using it ...

Stefan Rubner, 2005-12-31

Thanks for the advisory Volker. I just posted the information on my Website as well :-)

Alper Iseri, 2005-12-31

And now there is a patch, but not from MS...

http://handlers.sans.org/tliston/wmffix_hexblog11.exe

Sven Semel, 2006-01-01

Oh boy, and you would install a binary from an unknown source that patches Windows - just like that?

Why not keep the broken DLL unregistered and tugged away until Microsoft fixes it? Previewing images is hardly mission critical.

Volker Weber, 2006-01-01

Nope I would not without further checking. But if you have some users around which uses programms that need this dll, unregistering is only a quick hack to minimise the risk and depends how long you could bear the complaints of the users as the usual program is not working.

And waiting that Microsoft fixes it? Hmm, this could take a long time compared to the risk.

Apart from that, the source is not totally unknown and just have a look what Tom Liston writes on the sans.org about this issue: http://isc.sans.org/diary.php

Sven Semel, 2006-01-01

Well, you provided a link to the binary only. That is why I wrote "without further checking".

Volker Weber, 2006-01-01

o.k. you are right...didn't get this seems to be some afterefect from tonight ;-)

Sven Semel, 2006-01-01

Steve Gibson of Gibson Research Corporation recommends that all Windows users use the Ilfak's Temporary WMF Patch to protect themselves from this vulnerability.

Steve's website has a page describing his research of this patch utility here.

From that page:

This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once WIndows has been officially updated and repaired.
To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.


Steve Gibson also talks about this patch in the most recent Security Now podcast. The podcast site does not yet list the most recent episode, but it is available in the RRS feed. You can subscribe to the Podcast here: http://www.grc.com/securitynow.htm

Ken Porter, 2006-01-02

Incidentally, WinXP will automatically replace this file if you attempt to rename it. It replaces it from the hidden "Dllcache" directory under the System32 directory. You need to rename it in the dllcache first, then rename it in the system32 dir. WinXP will then tell you that the file is missing, and will prompt you for your WinXP CD. Just cancel and tell it you want to keep the "bad" file.

Rocky Oliver, 2006-01-02

Here is an InfoWorld article about Microsoft's response to the 3rd party WMF patches:

http://www.infoworld.com/article/06/01/03/HNmssayswait_1.html

The article talks specifically about the patch provided by Iifak Guilfanov, which I talked about in my post above, and how his patch has won support of many security researchers like F-Secure Corp.

Ken Porter, 2006-01-04

how exactly would one explain this vulnerability in this graphics rendering engine to a non computer literate person?

joe djamasi, 2006-01-04

I think you'd simply say "Buy A Mac" to them.

Seriously, in a corporate environment we can make sure that everyone's AV updates are protecting them, but I've been getting so many questions from people about their home machines, that this is now my answer, especially if they have kids.

Jon Johnston, 2006-01-04

Joe, let me make an attempt to describe "the WMF vulnerability to a non computer literate person" here.

Ken Porter, 2006-01-07

After some months of distress why I couldn't view thumbnails nor open images anymore, today I remembered I had activated this safeguard and found the antidote. Thanks for keeping the archive...

Matthias Ernst, 2006-05-01

Recent comments

Martin Funk on The Neighbor’s Window :: Oscar Winning Short Film at 00:00
Sven Bühler on I am not ready for a foldable phone at 22:03
Andreas Imnitzer on The Neighbor’s Window :: Oscar Winning Short Film at 21:48
Roland Dressler on I am not ready for a foldable phone at 15:02
Daniel Seiler on I am not ready for a foldable phone at 13:51
Roland Dressler on I am not ready for a foldable phone at 12:55
Hubert Stettner on I am not ready for a foldable phone at 10:51
Matthias Welling on Tools and Weapons #nowreading at 09:05
Ingo Harpel on You may secretly be a Bing user at 20:01
Amy Blumenfield on Tools and Weapons #nowreading at 19:44
Horia Stanescu on You are famous on Botnet at 12:33
Volker Weber on You are famous on Botnet at 20:17
Dr. Kurt Glasner on You are famous on Botnet at 17:29
Mathias Ziolo on You are famous on Botnet at 14:12
Stephan Herz on You may secretly be a Bing user at 13:45
Volker Weber on Man stelle sich vor, es ist MWC, und keiner geht hin at 20:19
Andy Mell on Man stelle sich vor, es ist MWC, und keiner geht hin at 19:53
Volker Weber on You may secretly be a Bing user at 19:09
René Fischer on You may secretly be a Bing user at 19:02
Roland Dressler on Man stelle sich vor, es ist MWC, und keiner geht hin at 13:00
Tobias Müller on Man stelle sich vor, es ist MWC, und keiner geht hin at 09:22
Karl Heindel on Man stelle sich vor, es ist MWC, und keiner geht hin at 09:58
Bernhard Kockoth on Man stelle sich vor, es ist MWC, und keiner geht hin at 09:18
Jochen Kattoll on Surface Pro X vs Surface Pro 7 vs iPad Pro vs iPad at 16:56
Andreas Eldrich on Man stelle sich vor, es ist MWC, und keiner geht hin at 13:46

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 05:02

visitors.gif

Paypal vowe