Re: WMF Windows security flaw - change your browser



I was forwarded an alert on this from a friend at Lawrence Berkeley Labs today. See

http://www.lbl.gov/cyber/vulnerabilities/wmf_vuln.html

They are recommending the following "unofficial" patch, which has been tested and approved by a number of security organizations
including CERT, be downloaded and installed on all their Windows computers until Microsoft comes out with something (expected next
Tuesday Jan 10):

http://www.lbl.gov/cyber/vulnerabilities/wmffix_hexblog14.exe

Not sure if this is the same patch described in the link below, but LBL wants their people to install this patch *instead of*
unregistering shimgvw.dll, which they believe to be ineffective.

Fred Thompson
ft at peoplepc dot com


"Jim Gilliland" <usemylastname@xxxxxxxxxxxx> wrote in message news:43ba779d$0$1665$c3e8da3@xxxxxxxxxxxxxxxxxxxx
> Mike Rivers wrote:
>> Jim Gilliland wrote:
>>
>>>Incidentally, I'm probably oversimplifying the mechanism in my
>>>description above, but that's the basic idea. And if I'm reading the
>>>situation correctly, the DLL that's causing all the trouble is actually
>>>obsolete. The functions that it provides are no longer the normal way
>>>to handle this - they only exist for backward compatibility.
>>
>> The Microsoft "temporary fix" is to unregister shimgvw.dll. Is that the
>> obsolete DLL?
>
> No, that's the DLL that is called by the application, but the actual problem code is located in a lower level DLL called GDI32.
> And I didn't mean to imply that the entire DLL was obsolete, just the particular function "Escape(SETABORTPROC)" that is causing
> all the trouble.
>
> Disabling the "shimgvw" DLL may solve the problem, but also removes some current Windows functionality. In addition, there is
> some concern that a "smart" virus may come along and re-register the DLL, then take advantage of its vulnerability. You could
> rename or delete the DLL, but Windows also has "file protection" - which will detect the missing file and replace it. So we
> really do need a fix from Microsoft to put this thing to bed.
>
> There is also some concern that there may be other routes within the myriad DLLs that make up Windows to allow a virus to exploit
> the Escape function of GDI32. The path through shimgvw.dll is the only one that has been discussed publicly, but it is certainly
> possible that there are other Windows functions that can also trigger the vulnerability. So unregistering shimgvw.dll isn't a
> surefire cure.
>
> Unregistering the DLL is certainly a smart move, though. You can also try using a temporary - and very unofficial, since it
> didn't come from Microsoft - patch that was referenced earlier in this thread. The patch simply adds a new DLL that intercepts
> the obsolete call and renders it harmless. The patch is described here:
>
> http://isc.sans.org/diary.php?rss&storyid=994
>
> The good thing about this patch is that it actually traps the specific function within GDI32. So even if some malicious coder
> discovers another path to reach it, this patch should protect you. But again, it's not official, and we really have no way of
> knowing how thoroughly it solves the problem - or if it really solves it at all!
>
>> According to the Microsoft note, this disables the
>> thumbnail view in Windows Explorer (not Internet Explorer - I wish they
>> hadn't named them the same) and the Windows Image and Fax viewer. I
>> don't know if I've ever used the Image and Fax Viewer, and I don't use
>> the thumbnail view in Explorer, so I guess I wouldn't miss it.
>>
>> But those sound like current functions and losing them might be
>> inconvenient or even traumatic for some. Perhaps there are two paths to
>> this view function, via shimgvw.dll and some other route.
>

