WMF Vulnerability in Windows

A new vulnerability is making the rounds. It affects Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Service Pack 1, Microsoft Windows XP Service Pack 2, Microsoft Windows XP Professional x64 Edition, Microsoft Windows Server 2003, Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft Windows Server 2003 Service Pack 1, Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, Microsoft Windows Server 2003 x64 Edition, Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME).

Straight from the Microsoft Security center:

Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

I do this myself and need to quit it, as does everyone. Here are the situations in which it can affect you.

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.

In an E-mail based attack of the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.

Here is how Microsoft currently suggests you block this exploit. Note that this workaround only keeps the Windows Picture and Fax Viewer from automatically starting when an image is clicked; it does not patch the underlying flaw.

Note: The following steps require administrative privileges.

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
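The two manual steps above and their undo are easy to script for a fleet of machines. The following PowerShell script is an added example, not code from Microsoft or from this post: it applies or reverses the Shimgvw.dll workaround and checks the exit code that regsvr32 returns instead of relying on the confirmation dialog. It assumes an elevated (Administrator) session, that `regsvr32.exe` and `%windir%\system32\shimgvw.dll` exist, and uses regsvr32's `/s` switch to suppress the dialog so the script can run unattended; the parameter name `-Action` is this script's own choice.

```powershell
# Added example: apply or undo the Shimgvw.dll un-registration workaround
# for the WMF vulnerability and verify that regsvr32 reported success.
# Assumes an elevated session on an affected Windows version.
param(
    [ValidateSet('Apply', 'Undo')]
    [string]$Action = 'Apply'   # Apply = unregister, Undo = re-register
)

$dll      = Join-Path $env:windir 'system32\shimgvw.dll'
$regsvr32 = Join-Path $env:windir 'system32\regsvr32.exe'

if (-not (Test-Path $dll)) {
    Write-Error "Shimgvw.dll not found at $dll; nothing to (un)register."
    exit 2
}

# /s suppresses the dialog box; /u unregisters (equivalent to the -u in the
# manual step). Without /u the same call re-registers the DLL.
$regArgs = if ($Action -eq 'Apply') { @('/s', '/u', $dll) } else { @('/s', $dll) }

# regsvr32 returns 0 on success and a non-zero exit code on failure, which is
# the only signal we get once the dialog is suppressed.
$proc = Start-Process -FilePath $regsvr32 -ArgumentList $regArgs `
                      -Wait -PassThru -NoNewWindow

if ($proc.ExitCode -ne 0) {
    Write-Error "regsvr32 $($regArgs -join ' ') failed with exit code $($proc.ExitCode)."
    exit $proc.ExitCode
}

$verb = if ($Action -eq 'Apply') { 'unregistered' } else { 're-registered' }
Write-Output "$dll $verb (Windows Picture and Fax Viewer workaround: $Action)."
exit 0
```

Run it as `.\wmf-workaround.ps1 -Action Apply` to unregister and `-Action Undo` to restore the viewer once the patch is installed. As the post says, this only stops the Picture and Fax Viewer from handling the image; it is a stop-gap until the Microsoft update is applied, so keep a record of which machines have it applied so the undo step is not forgotten later.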

Click here for the article from Microsoft.