December 30, 2005

Are you WMF'd to death yet?

Wondering why you haven't seen any feedback from me on the most recent 0-day exploit on Windows, which takes advantage of a vulnerability in the graphics rendering engine? I took a vacation away from the computer for a few days to catch up on some technical reading, and come back to a plethora of information that pretty much sums up anything I would say. In a blog post in the next few days, I will post just WHAT I was reading, as its pretty interesting. I'm shaking my head as I absorb some of this new stuff.

Anyways, as a summary of the past few days where the world has been screaming that the sky is falling, here is the nitty gritty that matters (at least from my POV)

  • Before you do anything, go read the Microsoft Security Advisory (MSA 912840) on the matter.
  • According to guys over at Sunbelt, Microsoft may be incorrectly stating that software DEP will help mitigate against this threat. Seems that hardware DEP works, software DEP from Microsoft does not. No one has reported if some of the other software DEP agents defend against this attack or not.
  • Susan has a great post on how to filter out WMF attachments on Exchange.
  • Jesper has an excellent post on how to block certain extensions with ISA. Even when he goes on holidays he has time to play with ISA :)
  • The easiest fix (temporarily) is to unregister the vulnerable code, using "REGSVR32 /U SHIMGVW.DLL" (without the quotes of course) from Start->Run

I disagree with Susan that it is too drastic to unregister the DLL. It's quite trival a fix to signficantly mitigate against this threat without impacting the rest of the system. So you don't get pretty thumbnails. But you do prevent the exploit through this attack vector (I will point out it won't stop against someone opening an exploited WMF in MS Paint etc). And with the ability to push this out to all the desktops pretty quickly with a script... it takes no time to toggle it on/off. YMMV of course.

That's pretty much all you will hear from me on the WMF issue for now. You can read the other 1,000,000 blog posts about it for more information.

Posted by SilverStr at December 30, 2005 03:29 PM | TrackBack
Comments

I wonder how many people have sort of missed out on this, since it happened over the holidays. I've been OOO for a week, as have quite a few people at my office. I wonder if IT organizations have the horsepower to roll out the fix you describe due to short staffing.

This makes a pretty good case for hardware DEP, at least for now (I feel sure someone will find a way around it soon).

Posted by: Steve Dispensa at December 30, 2005 04:16 PM

Any ideas on how to unregister the DLL using group policy?
Thanks

Posted by: Peter at January 1, 2006 10:34 PM

Peter,

The quickest way to do it through GPO might be to add a startup script in the "Scripts" section of the Windows Settings for Computer Configuration of your policy. If you google for "GPO startup scripts" you should find enough information on how to set this up.

I haven't tried this method, but it would seem to be the fastest method. YMMV of course.

Posted by: Dana Epp at January 2, 2006 02:26 AM

I put together a short login script to that will unregister the DLL, and then install the unofficial patch that was released by hexblog.com, if you havn't already installed it.

If you'd just prefer to unregister the DLL, then you can delete the extra stuff in the script and use it as a login or GPO startup script.

Check it out; http://addicted-to-it.blogspot.com/2006/01/patching-script-to-deploy-unofficial.html

Posted by: Nick at January 3, 2006 06:11 AM