Wednesday, January 04, 2006

UPDATED: Major Windows Vulnerability (with unofficial patch)

Update 1/5/05: Microsoft has released the official patch for this flaw early. It is available from Windows/Microsoft Update. If you installed the unofficial patch and/or unregistered the DLL, reverse those steps before installing the official patch: the unofficial patch can be uninstalled from Add/Remove Programs (listed under W), and the DLL can be re-registered by running the same regsvr32 command as before without the -u.

As many of you may know, a major flaw was found in the Windows OS a few weeks ago involving *.WMF files. It can be exploited just by visiting a website, without having to click anything there, and there is also an IM worm that exploits it. It bypasses most antivirus and firewall software. There is a quick registry hack to disable *.WMF files and thus work around the flaw, as well as an unsupported patch (article linked in title, patch linked below). Microsoft plans to release an official patch on Patch Tuesday, January 10th (next Tuesday), but that's a long way off at the rate this is spreading.

Breakdown: You can't trust your AV and firewall software to block this, and it is a huge vulnerability. A week is a long time with something like this, and the unofficial patch has been tested and analyzed. Doing both, unregistering the DLL and installing the patch, gives you the most protection, and you rarely need to view *.WMF images anyway.

FAQ: http://handlers.dshield.org/jullrich/wmffaq.html
Command to unregister the *.WMF handler DLL (type it in Start > Run...): regsvr32 -u %windir%\system32\shimgvw.dll
Patch Link: http://handlers.sans.org/tliston/wmffix_hexblog14.exe
