Windows WMF flaw: How to protect against attacks
There is no vendor-sanctioned fix yet for the Windows Metafile vulnerability
January 2, 2006 12:00 PM ETComputerworld -
With Microsoft promising a security update "upon completion of [an] investigation" of the WMF security flaw, there's currently no vendor-sanctioned fix for the Windows Metafile vulnerability (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").
However, there are ways to protect your system and network from potential attack.
"If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems," according to Microsoft. If not, there are several other defense strategies, including the following:
- Unregister the Windows shimgvw.dll file. The command regsvr32 -u %windir%\system32\shimgvw.dll at the command-line prompt should do this on an individual system. "This workaround is better than just trying to filter files with a WMF extension," according to security firm F-Secure Corp., since some malicious WMF files are being disguised with other file extensions.
- Ilfak Guilfanov, "the main author of Interactive Disassembler Pro and ... arguably one of the best low-level Windows experts in the world," F-Secure says, has posted a temporary fix at hexblog.com. Security firm iDefense Inc. says it tested the patch and verified that it's effective and doesn't seem to include malicious code. But it notes that the patch "is still from an independent source and not the actual vendor, and should be treated as such." SANS Institute also says that it has "reverse engineered, reviewed and vetted" the fix. Guilfanov recommends uninstalling his work-around once Microsoft issues an official fix.
- "Configure Internet Explorer to a HIGH security level," iDefense suggests in a listing of several protection strategies.
- Block several IP addresses that have been associated with malicious activity in the past, according to Johannes Ullrich at SANS. Details are posted on the SANS Internet Storm Center diary.
"WMF exploitation has rapidly become a major threat, especially as the work week resumes after a long holiday weekend," iDefense spokesman Ken Dunham said in an e-mail advisory. "The situation is rapidly escalating now with hundreds of hostile sites purported, dozens confirmed, and more from public and private data shared to date. ...Traditionally, any rapid exploitation on a widespread basis within seven days or less has led to a major meta-event."
The following resources provide more information on the WMF vulnerability:
- F-Secure's blog
- Hexblog
- Steve Gibson's explainer of the fix on Hexblog
- SANS Internet Storm Center diary
- Microsoft's initial security advisory
For additional Computerworld coverage, see
- "WMF flaw can't wait for Microsoft fix, researchers say"
- "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"
Read more about spam, malware and vulnerabilities in Computerworld's Spam, Malware and Vulnerabilities Knowledge Center.
Viruses
Additional Resources



White Papers & Webcasts
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Best Practices for Log Monitoring
Watch Now!
US Military Command Prevents Zero Day Attack with Application Whitelisting
Download this Whitepaper Today!
Data in Action: Making the Planet Smarter
Register Now
Employee Web Use and Misuse
Download this new White Paper today!
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Get More from Your IT Budget
Download this new white paper today!
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

