Windows Metafile Backdoor?

Security Issue - Windows Metafile (WMF) VULNERABILITY

A serious new remotely exploitable vulnerability has been discovered in Microsoft Windows' image processing code.
UNTIL THIS IS REPAIRED BY MICROSOFT, ANY ATTEMPT TO DISPLAY A MALICIOUS IMAGE IN WINDOWS COULD INSTALL MALICIOUS SOFTWARE INTO THE COMPUTER.
This is a so-called "0-day vulnerability" because exploits for the vulnerability appeared before any updates or patches were available.
All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable, and a large and rapidly growing number of malicious exploits (57 at last count) are already circulating in the wild. They are being actively used to install malware and Trojans on users' machines. Viruses and worms are expected to appear shortly.
Although NOT a complete solution, Microsoft has recommended temporarily disabling the automatic display of some images by the operating system and web browser. This can be done, as detailed below, by "unregistering" the "SHIMGVW.DLL" Windows DLL. THIS IS NOT A COMPLETE SOLUTION, but it significantly lowers the risk of this vulnerability being exploited while web surfing.
Do not open any "WMF" — Windows Metafiles — you receive by e-mail, and reports are that other file types may also be dangerous.
Anti-virus companies have responded to this, so update your anti-virus signature files for updated protection.

You should IMMEDIATELY disable Windows' use of this vulnerable DLL until patches from Microsoft are available.

Note that this WILL temporarily disable the "Thumbnail" view in Windows Explorer and the Windows Picture and Fax Viewer. This is by design, since these viewers are no longer safe to use until a patched version of the DLL has been released by Microsoft and installed.

To immediately disable the vulnerable Windows component:
  1. Log on as a user with full administrative rights.
  2. Click the Windows "Start" button and select "Run..."
  3. Enter the following string into the "Open" field:

    regsvr32 -u shimgvw.dll
    (You can copy/paste from this page using Ctrl-C/Ctrl-V)
  4. Click "OK" to unregister the vulnerable DLL.
    If all goes well, you will receive a confirmation prompt, and the vulnerable DLL is no longer registered (remember that this is only a partial mitigation, as noted above). No need to reboot, but you might want to just to be sure that any currently loaded instance is flushed out.

To eventually re-enable the "SHIMGVW.DLL" component:
  1. Log on as a user with full administrative rights.
  2. Click the Windows "Start" button and select "Run..."
  3. Enter the following string into the "Open" field:
    regsvr32 shimgvw.dll
    (You can copy/paste from this page using Ctrl-C/Ctrl-V) Same as the command above, but without the "-u" (unregister) switch.
  4. Click "OK" to re-register the (hopefully) non-vulnerable DLL.
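The two procedures above apply and revert the workaround but give you no way to confirm the state of the DLL afterwards. The following PowerShell script is an added example (not part of the original advisory or of Microsoft's guidance): it audits the registry for COM classes still served by shimgvw.dll, and can apply or revert the unregistration and verify the result. It assumes an elevated PowerShell prompt on a 32-bit Windows install with regsvr32.exe on the PATH; on 64-bit hosts the SysWOW64 copy of the DLL and its Wow6432Node registrations would need the same treatment.

```powershell
# Added example: audit, apply and revert the shimgvw.dll workaround.
# Assumes: elevated prompt, 32-bit Windows, regsvr32.exe on PATH.

function Get-ShimgvwRegistrations {
    # Every registered in-process COM class has HKCR\CLSID\{guid}\InprocServer32,
    # whose default value names the hosting DLL. Return the ones naming shimgvw.dll.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'shimgvw\.dll') {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $srv.'(default)' }
            }
        }
}

function Set-ShimgvwWorkaround {
    param([Parameter(Mandatory)][ValidateSet('Apply', 'Revert')][string]$Action)

    $dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'
    if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }

    # Apply = regsvr32 /u (unregister), Revert = regsvr32 (re-register);
    # /s suppresses the confirmation dialog so the script can run unattended.
    $argList = if ($Action -eq 'Apply') { @('/s', '/u', $dll) } else { @('/s', $dll) }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 exited with code $($proc.ExitCode)" }

    # Verify by re-auditing the registry rather than trusting the exit code alone.
    $left = @(Get-ShimgvwRegistrations)
    if ($Action -eq 'Apply' -and $left.Count -gt 0) {
        throw "shimgvw.dll is still registered for: $($left.Clsid -join ', ')"
    }
    if ($Action -eq 'Revert' -and $left.Count -eq 0) {
        throw 'shimgvw.dll did not re-register; check the regsvr32 output'
    }
    return $left
}

# Usage:
#   Get-ShimgvwRegistrations              # audit only: lists CLSIDs served by shimgvw.dll
#   Set-ShimgvwWorkaround -Action Apply   # unregister and confirm no CLSIDs remain
#   Set-ShimgvwWorkaround -Action Revert  # re-register once a patched DLL is installed
```

An empty result from Get-ShimgvwRegistrations after applying the workaround is the check that the manual procedure above never shows you.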
Additional reading and information:
http://www.f-secure.com/weblog/archives/archive-122005.html#00000754
http://secunia.com/advisories/18255/
http://vil.mcafeesecurity.com/vil/content/v_137760.htm
http://www.securityfocus.com/bid/16074/info
http://sunbeltblog.blogspot.com/2005/12/new-exploit-blows-by-fully-patched.html
http://redxii.blogspot.com/2005/12/vulnerabilities-in-graphics-rendering.html
http://www.microsoft.com/technet/security/advisory/912840.mspx