Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

The WMF exploit that has been in the news so much..

January 1st 2006 in Uncategorized

Update: MS will be releasing a patch for this problem on 10 January.


What a mess.  I’ve been sitting back waiting for information to solidify about what works, and what doesn’t work before posting.  First it was said that Software DEP (Data Execution Prevention) would work, and then it was said that it wouldn’t.  Same thing about hardware DEP.  First it was said that deregistering shimgvw.dll would make us safe, then it was discovered that it wouldn’t.


Very early on there was a Web forum that recommended replacing GDI32.DLL with a version supplied by a member of the forum.  But, to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection).  The changed file was also causing Windows Update to offer old security patches.  Frankly, it was a good idea, but too messy in practice.


IMHO the best information on the net about this problem is at the Internet Storm Centre:
http://isc.sans.org/diary.php?storyid=994
And here:
http://isc.sans.org/diary.php?date=2006-01-01


One thing I see missing is instructions on how to reregister the DLL, which can be done using this command:
regsvr32 %windir%\system32\shimgvw.dll


Deregistering shimgvw.dll will stop Windows Picture and Fax viewer from working.


Early in the ISC diary it mentions ‘indexing software’.  What is that? Things like Google Desktop or MSN Desktop, which open image files in the background as they index them.


The article says that Hardware DEP will protect you from the exploit depending on hardware.  I am not convinced of the safety/accuracy of this claim.  One thing the article does not mention is that you must make sure you enable the option to “Turn on DEP for all programs and services except those I select”.   If you have DEP available, you will find it at Control Panel, System, Advanced.  Click on the Performance Settings button then navigate to the Data Execution Prevention tab.  If you do not have Hardware DEP there will be a warning at the bottom of that tab. 
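The two mitigations discussed above (deregistering shimgvw.dll and switching DEP to “all programs and services”) are both easy to get half-right, so here is an added audit script that reports the actual state of each. This is not code from the original post or from Microsoft or ISC; it assumes a Windows host with PowerShell 3 or later and is run as an administrator. The function names are my own. Whether shimgvw.dll is registered is determined by scanning HKCR\CLSID for any COM class whose in-process server is that DLL, and the DEP policy comes from the Win32_OperatingSystem WMI class, where SupportPolicy 3 is the “OptOut” setting the post recommends.

```powershell
# Added example, not from the original post. Audits the two WMF mitigations
# the post discusses: shimgvw.dll registration and the system DEP policy.
# Assumes PowerShell 3+ and an elevated session.

function Get-ShimgvwRegistration {
    # Enumerate COM classes whose InprocServer32 points at shimgvw.dll.
    # An empty result means the DLL is deregistered (regsvr32 /u) or absent.
    $hits = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" `
                                       -Name '(default)' -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'shimgvw\.dll') {
                $hits += [pscustomobject]@{
                    Clsid  = $_.PSChildName
                    Server = $server.'(default)'
                }
            }
        }
    return $hits
}

function Get-DepStatus {
    # DataExecutionPrevention_SupportPolicy values (documented by Microsoft):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs only),
    # 3 = OptOut ("all programs and services except those I select").
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{
        0 = 'AlwaysOff'
        1 = 'AlwaysOn'
        2 = 'OptIn (essential Windows programs only)'
        3 = 'OptOut (all programs except those selected)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policyNames[$policy]
        CoversAllPrograms    = ($policy -in 1, 3)
    }
}

# Report both mitigations.
$reg = Get-ShimgvwRegistration
if ($reg.Count -eq 0) {
    Write-Output 'shimgvw.dll: not registered (Picture and Fax Viewer disabled)'
    Write-Output "  To re-register after patching: regsvr32 $env:windir\system32\shimgvw.dll"
} else {
    Write-Output 'shimgvw.dll: registered by the following CLSIDs'
    $reg | Format-Table -AutoSize
}

$dep = Get-DepStatus
Write-Output "Hardware DEP available : $($dep.HardwareDepAvailable)"
Write-Output "DEP policy             : $($dep.Policy)"
if (-not $dep.CoversAllPrograms) {
    Write-Output '  DEP is not applied to all programs; set OptOut (or AlwaysOn) as described above.'
}
```

On a current Windows build shimgvw.dll is no longer shipped, so the registration scan simply returns nothing; the DEP check remains meaningful, and the same WMI properties are what the Control Panel tab reads.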


The official Microsoft advisory can be found here:
http://www.microsoft.com/technet/security/advisory/912840.mspx


If somebody tells you to “dump IE and you’ll be safe”, hit them over the head with a cluestick.

