WMF exploit

Microsoft has yet to produce a patch for this exploit, but here you can find some information and a provisional patch.

Things can get ugly here in Ireland where a lot of businesses are back from holidays starting tomorrow morning. Hope an official update will be made available quickly.

Source: ISC

  • What can I do to protect myself?
  1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
  2. You can unregister the related DLL.
  3. Virus checkers provide some protection.

To unregister the DLL:

  • Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Our current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch.
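
An added example (not part of the ISC text or of the unofficial patch) that scripts both recommended steps in PowerShell: it compares the downloaded patch against the MD5 quoted above before anything is run, then unregisters shimgvw.dll without the confirmation dialog. The installer path is a placeholder you supply, and the function and parameter names are hypothetical.

```powershell
# Added example: function names and parameters are assumptions, not from the ISC post.
param(
    # Path to the downloaded unofficial patch installer (placeholder: point it at your download).
    [Parameter(Mandatory)] [string] $InstallerPath,
    # MD5 published by ISC for v1.3 of the reviewed patch, as quoted on this page.
    [string] $ExpectedMd5 = '14d8c937d97572deb9cb07297a87e62a'
)

function Test-InstallerHash {
    param([string] $Path, [string] $Expected)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    # Get-FileHash returns upper-case hex, so compare case-insensitively.
    return [string]::Equals($actual, $Expected.Trim(), [StringComparison]::OrdinalIgnoreCase)
}

function Unregister-Shimgvw {
    $dll = Join-Path $env:windir 'system32\shimgvw.dll'
    if (-not (Test-Path -LiteralPath $dll)) { throw "DLL not found: $dll" }
    # /u unregisters; /s suppresses the dialog box so the step can run unattended.
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
    return $p.ExitCode   # 0 means regsvr32 reported success
}

# Step 1: refuse to continue if the download does not match the published hash.
if (-not (Test-InstallerHash -Path $InstallerPath -Expected $ExpectedMd5)) {
    Write-Error 'MD5 mismatch: do not run this installer.'
    exit 1
}
Write-Output 'Installer MD5 matches the published value.'

# Step 2: unregister the DLL and surface a failure instead of assuming success.
$code = Unregister-Shimgvw
if ($code -ne 0) {
    Write-Error "regsvr32 failed with exit code $code (try an elevated prompt)."
    exit 2
}
Write-Output 'shimgvw.dll unregistered.'
```

An MD5 match only shows the file is the one the hash was published for; the PGP signature mentioned above is the stronger check of where it came from.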

    1 Comment

    • Why not enable DEP for all programs and services? That ought to mitigate the problem.

      Unregistering shimgvw.dll won't help for WMF-aware applications since the underlying problem is gdi32.

      This would be a non-issue if MS wouldn't have the default account as an Administrator or if every blog/article would advise users to start using a restricted user account for daily work!
