Papa6 Posted December 30, 2005 Share Posted December 30, 2005 *** PLEASE READ THIS CAREFULLY**** I've come across some info about an exploit in windowsXP.You will have to unregister your windows picture/fax viewer. see the details below on microsofts way to fix this exploit until MS can come up with a permanent fix; Microsoft has issued a Security Advisory (912840) concerning the recent WMF vulnerability exploit. Microsoft also confirmed the REGSVR32 workaround as a viable solution to protect your PC until they have had time to fully research the vulnerability and issue a patch. The following is a quote from the Microsoft Security Advisory. Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) 1. Click Start, click Run, type " regsvr32 -u %windir%/system32/shimgvw.dll" (without the quotation marks), and then click OK. 2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%/system32/shimgvw.dll†(without the quotation marks). The above information was taken from www.neowin.net Quote Link to comment Share on other sites More sharing options...
WhiteKnight77 Posted December 30, 2005 Share Posted December 30, 2005 Moved to proper forum. Quote Link to comment Share on other sites More sharing options...
Papa6 Posted December 30, 2005 Author Share Posted December 30, 2005 Thanx Quote Link to comment Share on other sites More sharing options...
Colin Posted December 30, 2005 Share Posted December 30, 2005 This is more info on this exploit. Exploits are spreading rapidly that take advantage of a vulnerability in Microsoft's Graphics Rendering Engine. The exploits typically use specially crafted metafiles (.wmf) to run arbitrary code on vulnerable systems. Complicating matters is the fact that Internet Explorer users need only visit a site with a malicious metafile to become infected. Infection might also occur by simply clicking on an infected file while using Windows Explorer. The vulnerability was first made known December 27 in an anonymous post to the Bugtraq mailing list where someone allegedly came across the vulnerability on a Web site. Secunia quickly posted an advisory about the problem, labeling the vulnerability as extremely critical. Microsoft confirmed that the problem affects Windows 98, Windows Millennium Edition (ME), Windows 2000, Windows XP, Windows Server 2003 -- each with the latest service packs and patches installed. Microsoft has not released a patch to correct the problem, however the company will undoubtedly produce one in the near future. The company did however release an advisory, " Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution ," which explains the problem in some amount of detail. The article offers a simple workaround that can protect systems until a patch is available. The workaround involves unregistering a DLL where the impact of doing so is that the Windows Picture and Fax Viewer will not starting, thus protecting a system from exploits. In a DOS command Window, enter the following command: regsvr32 -u %windir%\system32\shimgvw.dll Later when a patch becomes available you can re-register the DLL with the following command: regsvr32 %windir%\system32\shimgvw.dll The number of exploits is sure to arise while Microsoft works to produce a patch. Simple filtering based on the .WMF file extension doesn't work as a method of protection. At least one person reported that even if an infected .WMF file is renamed to have a different extension (such as BMP, DIB, EMF, GIF, ICO, JPG, JPEG, JPE, JFIF, PNG, RLE, TIF, or TIFF) an affected system will still parse the file and launch an exploit -- unless the DLL mentioned above is unregistered. According to Microsoft an alternative method of protection on Windows XP systems is to use Data Execution Prevention (DEP). Microsoft's article, "How to Configure Memory Protection in Windows XP SP2," describes how to enable the protection. Security vendors moved fast to integrate protection into their products. One company, Websense claims that they are tracking thousands of sites that are currently distributing exploits. Example screen capture images on the company's Web site show that at least two exploits change a user's desktop background image to an alert stating that the computer has been infected with spyware. A prompt then tries to coax the person into entering credit card information in order to obtain a method of removing the alleged spyware. The company also posted a video that shows a machine becoming infected. F-Secure warned that systems might become infected through other methods. For example, infection could occur by using a text-based Web browser or tools such as WGET and CURL, which are designed to download Web content from a DOS command shell. Infection through those methods might occur if other tools, such as file indexing engines, are active on the desktop. Some search tools, such as Google Desktop, index files in realtime, which means that when an infected file is downloaded then Google Desktop will immediately index the file, thereby launching any exploit code contained in the infected file. Your best defense in any case is to unregister the DLL or enable DEP, as recommended by Microsoft. All info here is Microsoft. Thanks Papa6 for finding this its a nasty exploit. Colin Quote Link to comment Share on other sites More sharing options...
Papa6 Posted December 30, 2005 Author Share Posted December 30, 2005 Yeah i performed this fix as soon as I read it. Some people just can't play nice with others... Quote Link to comment Share on other sites More sharing options...
halo_jones Posted December 30, 2005 Share Posted December 30, 2005 Security vendors moved fast to integrate protection into their products. One company, Websense claims that they are tracking thousands of sites that are currently distributing exploits. Example screen capture images on the company's Web site show that at least two exploits change a user's desktop background image to an alert stating that the computer has been infected with spyware. A prompt then tries to coax the person into entering credit card information in order to obtain a method of removing the alleged spyware. The company also posted a video that shows a machine becoming infected. F-Secure warned that systems might become infected through other methods. For example, infection could occur by using a text-based Web browser or tools such as WGET and CURL, which are designed to download Web content from a DOS command shell. Infection through those methods might occur if other tools, such as file indexing engines, are active on the desktop. Some search tools, such as Google Desktop, index files in realtime, which means that when an infected file is downloaded then Google Desktop will immediately index the file, thereby launching any exploit code contained in the infected file. Your best defense in any case is to unregister the DLL or enable DEP, as recommended by Microsoft. Colin ← YUp its a nasty one all right i got it googling random images the other day...was hellish to get rid of as the "spy sherif" auto installed GRRRRRRL...it was only the trackback option in XP that let me get AVG on it hackers Quote Link to comment Share on other sites More sharing options...
WytchDokta Posted December 30, 2005 Share Posted December 30, 2005 In a DOS command Window, enter the following command: regsvr32 -u %windir%\system32\shimgvw.dll Later when a patch becomes available you can re-register the DLL with the following command: regsvr32 %windir%\system32\shimgvw.dll How would I go about opening a DOS command window? Quote Link to comment Share on other sites More sharing options...
Dannik Posted December 30, 2005 Share Posted December 30, 2005 How would I go about opening a DOS command window?← To be a zealot for a moment, it's not a DOS window, it's a command line window. Start -> Run -> "cmd" (no quotes) should open a black and white command line shell box. Quote Link to comment Share on other sites More sharing options...
WytchDokta Posted December 30, 2005 Share Posted December 30, 2005 Thanks for that. Now it's successfully been unregistered. I wasn't infected in the first place, I just wanted to take precautinary measures to ensure I don't become infected. Quote Link to comment Share on other sites More sharing options...
CR6 Posted December 30, 2005 Share Posted December 30, 2005 Source link: http://www.microsoft.com/technet/security/...ory/912840.mspx Articles: http://news.yahoo.com/s/zd/20051229/tc_zd/168243 http://blogs.washingtonpost.com/securityfi...e_on_the_c.html Looks like this works too 1. Click on the Start button on the taskbar. 2. Click on Run... 3. Type "regsvr32 /u shimgvw.dll" to disable. 4. Click ok when the change dialog appears. Quote Link to comment Share on other sites More sharing options...
Papa6 Posted December 31, 2005 Author Share Posted December 31, 2005 I did mine by going to "start/run" and then typing the syntax as shown above, but either way do it for your own piece of mind Quote Link to comment Share on other sites More sharing options...
Colin Posted January 2, 2006 Share Posted January 2, 2006 Temp Fix This is an Exe and does the same as above. Colin Quote Link to comment Share on other sites More sharing options...
Colin Posted January 3, 2006 Share Posted January 3, 2006 Microsoft will have a patch fix for this by the 10th Jan. Quote Link to comment Share on other sites More sharing options...
CR6 Posted January 3, 2006 Share Posted January 3, 2006 Microsoft will have a patch fix for this by the 10th Jan. ← Good news. I was hoping they'd have a patch soon (they usually release patches on the second Tues of the month). With little warning of this exploit, the M$ folks must be working lots of overtime to test and deploy this patch with such a short turnaround time. Unfortunately next week might still be a little late as there's malicious code popping up - first worm on MSN Messenger: http://news.com.com/Windows+flaw+spawns+do...ml?tag=nefd.top Interesting fix that won't disable your thumbnails: http://www.f-secure.com/weblog/archives/ar...5.html#00000756 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.