Tuesday, January 03, 2006

The Windows Meta File (WMF) exploit

The Windows Meta File vulnerability, a problem that seems to be particularly bad in Windows XP, will not have an official patch from Microsoft until next week. There is an unofficial patch available from the SANS Internet Storm Center, which I would recommend only for organizations that can install and uninstall patches on user desktops in an automated manner, since the unofficial patch will have to be uninstalled before the official patch is installed. For ordinary users, downloading patches from unofficial sources in response to an announcement of a vulnerability like this is an extremely bad habit. It is a habit that is likely to be exploited in the future to get people to install malicious software, so it should be discouraged.

An alternative remedy is to unregister the vulnerable DLL, shimgvw.dll, until the official patch is out next week. This remedy will prevent the Windows Picture and Fax Viewer from being started when you click on an image that is associated with that application.
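One way to script that remedy, as an added example that is not part of the original post: a batch file for cmd.exe that unregisters shimgvw.dll as the interim mitigation and, when run with the `restore` argument, registers it again after the official patch has been applied. The DLL path under `%windir%\system32` is assumed (the default location on Windows XP), and the script has to run under an account that can write to the registry, which on XP normally means an administrator.

```batch
@echo off
rem Added example, not the original post's code: toggle registration of the
rem Windows Picture and Fax Viewer DLL (shimgvw.dll) as an interim WMF mitigation.
rem Assumption: the DLL lives at %windir%\system32\shimgvw.dll.
setlocal
set DLL=%windir%\system32\shimgvw.dll

if not exist "%DLL%" (
    echo shimgvw.dll not found at "%DLL%", nothing to do.
    exit /b 1
)

if /i "%~1"=="restore" goto :restore

rem Interim mitigation: unregister the COM server so Explorer, mail and IM clients
rem no longer hand image files (WMF included) to Windows Picture and Fax Viewer.
rem /u = unregister, /s = silent (no message box). regsvr32 returns non-zero on failure.
regsvr32 /u /s "%DLL%"
if errorlevel 1 (
    echo Failed to unregister "%DLL%".
    exit /b 1
)
echo Unregistered "%DLL%". Run "%~nx0 restore" after installing the official patch.
exit /b 0

:restore
rem Once the official patch is installed, register the DLL again so the viewer works.
regsvr32 /s "%DLL%"
if errorlevel 1 (
    echo Failed to re-register "%DLL%".
    exit /b 1
)
echo Re-registered "%DLL%".
exit /b 0
```

Run it once with no arguments to apply the mitigation and once with `restore` after the official patch is in; because the change is only a COM registration, it can be rolled back without touching any system files, which is the advantage it has over an unofficial binary patch for users who cannot manage patch installation and removal centrally.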

The WMF vulnerability is currently being exploited through the web, email, and instant messaging, but so far it looks like the main use has been to install spyware and adware on vulnerable machines. It could, however, just as easily be used to install bots or other more seriously damaging malware.
