Windows users, act NOW

by Volker Weber

Stop reading. And run this command now:

regsvr32 /u %windir%\system32\shimgvw.dll

This command will unregister a broken DLL responsible for rendering graphics. There are now hundreds of websites exploiting a vulnerability in this graphics rendering engine. This is not a theoretical threat. The exploit is in the wild and spreading fast.

You can reverse the temporary fix by registering the DLL once it has been fixed by Microsoft. Just issue the same command without the /u.

Update: Lotus Notes seems to call the DLL even if it has been unregistered. The only workaround to that would be to rename it.

Update: As Ken reports, there is a better solution now. Steve Gibson recommends to install Ilfak Guilfanov's Temporary WMF Patch. After you have successfully installed it, you can register the DLL that we unregistered above:

regsvr32 %windir%\system32\shimgvw.dll

Sven linked to an early version of the same fix.

Ilfak has also written a program that checks whether your system is safe or not.

Update: It's not a bug. It's a feature.

Comments

thanks. dll uninstalled on my machine and have passed the word to friends and family.

Joe Litton, 2005-12-30

Be warned though that this will break the "Filmstrip" View in Windows Explorer and for for Folders generally, in addition to removing the plain open function.

For the time beeing it is definitely the more secury way to run a Windows system.

Hilights the trouble with shared libraries/dlls in general. If one of the many that make up a modern system has a vulnerability, the system may be compromizable in oh so many ways.
However current unsave practizes in setting up and running Windows Systems certainly excerbate the problem.

Martin Forisch, 2005-12-30

done..

but a little but important detail i found on the f-secure-blog:

"What the workaround does not stop against is if you open an exploited file in MSPAINT (aka Paintbrush)."

gruss
michel

michel merz, 2005-12-30

regsvr32.exe is not avaliable on my iBook ;-)

According to heise.de Lotus Notes uses this lib even if the dll has been unregistered.
Is there a way to safe notes users?

Wolfgang Schmidetzki, 2005-12-30

Wolfgang, is this a trick question? Removing or renaming the DLL after unregistering should stop even Notes from using it ...

Stefan Rubner, 2005-12-31

Thanks for the advisory Volker. I just posted the information on my Website as well :-)

Alper Iseri, 2005-12-31

And now there is a patch, but not from MS...

http://handlers.sans.org/tliston/wmffix_hexblog11.exe

Sven Semel, 2006-01-01

Oh boy, and you would install a binary from an unknown source that patches Windows - just like that?

Why not keep the broken DLL unregistered and tugged away until Microsoft fixes it? Previewing images is hardly mission critical.

Volker Weber, 2006-01-01

Nope I would not without further checking. But if you have some users around which uses programms that need this dll, unregistering is only a quick hack to minimise the risk and depends how long you could bear the complaints of the users as the usual program is not working.

And waiting that Microsoft fixes it? Hmm, this could take a long time compared to the risk.

Apart from that, the source is not totally unknown and just have a look what Tom Liston writes on the sans.org about this issue: http://isc.sans.org/diary.php

Sven Semel, 2006-01-01

Well, you provided a link to the binary only. That is why I wrote "without further checking".

Volker Weber, 2006-01-01

o.k. you are right...didn't get this seems to be some afterefect from tonight ;-)

Sven Semel, 2006-01-01

Steve Gibson of Gibson Research Corporation recommends that all Windows users use the Ilfak's Temporary WMF Patch to protect themselves from this vulnerability.

Steve's website has a page describing his research of this patch utility here.

From that page:

This safely and "dynamically patches" the vulnerable function in Windows to neuter it and, after rebooting, renders any Windows 2000, XP, 64-bit XP and 2003 systems completely invulnerable to exploitation of the Windows Metafile vulnerability.
Please Note: Unlike the "DLL unregister" recommendation offered by Microsoft (see RED box below) Ilfak's patch completely eliminates the vulnerability. Therefore, until Microsoft is able to update and repair their vulnerable GDI32.DLL, this is what you should use. You do NOT need to unregister the DLL as described in the RED box below.
You SHOULD REMOVE THIS PATCH to restore full functionality to Windows Metafile processing once WIndows has been officially updated and repaired.
To Remove: Simply open the Windows Control Panel "Add/Remove Programs", where you will find the "Windows WMF Metafile Vulnerability HotFix" listed. Remove it, then reboot.


Steve Gibson also talks about this patch in the most recent Security Now podcast. The podcast site does not yet list the most recent episode, but it is available in the RRS feed. You can subscribe to the Podcast here: http://www.grc.com/securitynow.htm

Ken Porter, 2006-01-02

Incidentally, WinXP will automatically replace this file if you attempt to rename it. It replaces it from the hidden "Dllcache" directory under the System32 directory. You need to rename it in the dllcache first, then rename it in the system32 dir. WinXP will then tell you that the file is missing, and will prompt you for your WinXP CD. Just cancel and tell it you want to keep the "bad" file.

Rocky Oliver, 2006-01-02

Here is an InfoWorld article about Microsoft's response to the 3rd party WMF patches:

http://www.infoworld.com/article/06/01/03/HNmssayswait_1.html

The article talks specifically about the patch provided by Iifak Guilfanov, which I talked about in my post above, and how his patch has won support of many security researchers like F-Secure Corp.

Ken Porter, 2006-01-04

how exactly would one explain this vulnerability in this graphics rendering engine to a non computer literate person?

joe djamasi, 2006-01-04

I think you'd simply say "Buy A Mac" to them.

Seriously, in a corporate environment we can make sure that everyone's AV updates are protecting them, but I've been getting so many questions from people about their home machines, that this is now my answer, especially if they have kids.

Jon Johnston, 2006-01-04

Joe, let me make an attempt to describe "the WMF vulnerability to a non computer literate person" here.

Ken Porter, 2006-01-07

After some months of distress why I couldn't view thumbnails nor open images anymore, today I remembered I had activated this safeguard and found the antidote. Thanks for keeping the archive...

Matthias Ernst, 2006-05-01

Recent comments

Stefanie Wörtche on Vorteil Magenta :: Wenn die Telekom alles richtig macht at 09:24
Jochen Kattoll on Software Support for the Microsoft Surface Pro X at 16:42
Gaerttner Harald on Urbandoo :: Jetzt reservieren at 16:26
Nina Wittich on Klopapier gibt's :: Nur anderswo at 15:30
Markus philippi on Klopapier gibt's :: Nur anderswo at 15:01
Volker Weber on Vorteil Magenta :: Wenn die Telekom alles richtig macht at 14:49
Manfred Wiktorin on Urbandoo :: Jetzt reservieren at 14:45
Sven Bühler on Vorteil Magenta :: Wenn die Telekom alles richtig macht at 12:48
Jens Nullmeyer on Vorteil Magenta :: Wenn die Telekom alles richtig macht at 12:46
Marc Poppo on Klopapier gibt's :: Nur anderswo at 12:45
Armin Auth on Klopapier gibt's :: Nur anderswo at 12:39
Thilo-Alexander Ginkel on Vorteil Magenta :: Wenn die Telekom alles richtig macht at 12:38
Ben Uris on Klopapier gibt's :: Nur anderswo at 08:50
Thomas Mendorf on Klopapier gibt's :: Nur anderswo at 22:53
Volker Weber on Software Support for the Microsoft Surface Pro X at 22:00
Mariano Kamp on Logitech Zubehör für das Homeoffice at 21:58
Nina Wittich on Klopapier gibt's :: Nur anderswo at 21:26
Amy Blumenfield on Jitsi Meet Desktop Clients at 19:09
Jochen Schug on Logitech Zubehör für das Homeoffice at 18:43
Hermann Behrens on Klopapier gibt's :: Nur anderswo at 16:01
Friedrich Holstein on Klopapier gibt's :: Nur anderswo at 14:56
Mariano Kamp on Logitech Zubehör für das Homeoffice at 14:33
Jochen Kattoll on Software Support for the Microsoft Surface Pro X at 14:03
Volker Weber on Jitsi Meet Desktop Clients at 13:40
Uwe Papenfuss on Klopapier gibt's :: Nur anderswo at 13:19

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 16:09

visitors.gif

Paypal vowe