Tuesday, January 03, 2006

What you need to know about the Windows WMF flaw

From Microsoft Security Advisory #912840:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

Thanks to Brandon Paddock I heard about it before I got the e-mail.

Good news, but what do I do until January 10th? Well, I did some research and here is what I found.

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

I am and everything is green, so I am good, but what if I wasn't?

Computerworld advised doing one or all of the following:

Unregister the Windows shimgvw.dll file. The command regsvr32 -u %windir%\system32\shimgvw.dll at the command-line prompt should do this on an individual system. "This workaround is better than just trying to filter files with a WMF extension," according to security firm F-Secure Corp., since some malicious WMF files are being disguised with other file extensions.

Ilfak Guilfanov, "the main author of Interactive Disassembler Pro and ... arguably one of the best low-level Windows experts in the world," F-Secure says, has posted a temporary fix at hexblog.com. Security firm iDefense Inc. says it tested the patch and verified that it's effective and doesn't seem to include malicious code. But it notes that the patch "is still from an independent source and not the actual vendor, and should be treated as such." SANS Institute also says that it has "reverse engineered, reviewed and vetted" the fix. Guilfanov recommends uninstalling his workaround once Microsoft issues an official fix.

"Configure Internet Explorer to a HIGH security level," iDefense suggests in a listing of several protection strategies.

Block several IP addresses that have been associated with malicious activity in the past, according to Johannes Ullrich at SANS.

This is some really good advice. If you are a Windows user who also uses the Internet, it would be good to follow it. I hope this helps everyone, and I hope the fix comes out from Microsoft before the 10th.
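F-Secure's point above is that filtering on the .wmf extension is not enough, because the malicious files are being renamed. As an added example (not code from this post or from any of the sources it quotes), here is a small Python scanner that recognizes WMF content by its header regardless of extension; the sample files are constructed in memory, and the escape-record check draws on the published root-cause analyses of this flaw (a META_ESCAPE record carrying SETABORTPROC), a detail the post itself does not describe.

```python
import struct

# Aldus placeable metafile key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # key + handle + bbox + inch + reserved + checksum
STD_HEADER_LEN = 18         # standard METAHEADER
META_ESCAPE = 0x0626        # record function for escape records
SETABORTPROC = 0x0009       # escape sub-function abused by the WMF exploit

def is_wmf(data: bytes) -> bool:
    """Identify WMF content by its header bytes, not by its file name."""
    if data.startswith(PLACEABLE_MAGIC):
        return True
    if len(data) < STD_HEADER_LEN:
        return False
    ftype, hdr_size, version = struct.unpack_from("<HHH", data, 0)
    return ftype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)

def has_setabortproc(data: bytes) -> bool:
    """Walk the record list looking for META_ESCAPE + SETABORTPROC."""
    off = PLACEABLE_HEADER_LEN if data.startswith(PLACEABLE_MAGIC) else 0
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:          # malformed record; stop rather than loop
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                return True
        off += size_words * 2       # record size is counted in 16-bit words
    return False

def classify(name: str, data: bytes) -> str:
    """Defender-side verdict for one file: content wins over extension."""
    if not is_wmf(data):
        return "not-wmf"
    if has_setabortproc(data):
        return "suspicious"
    return "wmf" if name.lower().endswith(".wmf") else "wmf-disguised"

def wmf_header(size_words: int) -> bytes:
    # Standard header: disk metafile, 9-word header, version 3.0.
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, size_words, 0, 0, 0)

# Constructed sample files (no real malware): EOF record and an escape record.
EOF_REC = struct.pack("<IH", 3, 0x0000)
ESC_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
SAMPLES = {
    "holiday.jpg": PLACEABLE_MAGIC + b"\x00" * 18 + wmf_header(17) + ESC_REC + EOF_REC,
    "chart.jpg": wmf_header(12) + EOF_REC,
    "chart.wmf": wmf_header(12) + EOF_REC,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 30,
}
```

Running classify over each SAMPLES entry flags holiday.jpg as suspicious and chart.jpg as a disguised WMF, while the real JPEG is ignored.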

Please note, the WMF flaw affects the following software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1

Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003

Microsoft Windows Server 2003 for Itanium-based Systems

Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Note: Microsoft Windows Server 2003 Service Pack 1 and Microsoft Windows Server 2003 x64 Edition also refer to Microsoft Windows Server 2003 R2.