Scott's Weblog The weblog of an IT pro specializing in virtualization, networking, open source, and cloud computing

Windows Metafile Flaw Already Being Exploited

Two separate reports (this article from eWeek and this article from ComputerWorld) have surfaced today regarding a “zero-day” exploit of a vulnerability in Windows’ handling of WMF (Windows Metafile) images. According to the reports, simply viewing a WMF file (such as one served from a web site) can infect your computer. Sunbelt Software’s blog offers more details on the vulnerability, and there is more information from SecurityFocus as well.

According to the reports, this newly discovered WMF vulnerability allows crackers to run the code of their choice on the affected system(s). So far, the exploits seen have been limited to installing spyware, adware, and keyloggers, but there is little doubt in anyone’s mind that the attacks will grow much worse very quickly. The vulnerability can be exploited in a variety of ways: visiting a hostile web site (using Internet Explorer, Opera, or Firefox), opening an affected WMF file in Windows Picture and Fax Viewer, or previewing an affected file in Windows Explorer. It’s important to note that this vulnerability affects even fully patched systems with every available update installed.

Apparently, the only workaround is to uninstall Windows from your computer and immediately install Linux. OK, just kidding. Seriously, though, the only known workaround at this time is to unregister the affected DLL using this command:

regsvr32 /u shimgvw.dll

Click OK when prompted. This unregisters the affected DLL and eliminates the vulnerability; however, this may also affect the viewing and previewing of many other types of images.
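To make the workaround above auditable across more than one machine, here is an added PowerShell example (not part of the original post) that runs the same regsvr32 command silently, then verifies the result by checking whether any COM class in HKCR\CLSID still names shimgvw.dll as its in-process server, and shows how to re-register the DLL once a patch is available. It assumes a 32-bit Windows XP/2003-era system where shimgvw.dll lives in %SystemRoot%\System32, an administrative prompt, and that PowerShell is installed; the function and variable names are my own.

```powershell
# Added example: apply and verify the shimgvw.dll unregistration workaround.
# Assumes 32-bit Windows with the DLL under System32 and an elevated prompt.
$dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'

function Get-ShimgvwRegistrations {
    # Walk every CLSID and report the ones whose InprocServer32 default value
    # points at shimgvw.dll. No results means the viewer is no longer registered.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $srv) {
                $val = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
                if ($val -and $val -match 'shimgvw\.dll') {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $val }
                }
            }
        }
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # regsvr32 is a GUI-subsystem program, so wait for it explicitly and
    # return its exit code (0 = success). /s suppresses the OK dialog.
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $Arguments -Wait -PassThru
    return $p.ExitCode
}

Write-Host 'CLSIDs referencing shimgvw.dll before the workaround:'
Get-ShimgvwRegistrations | Format-Table -AutoSize

# Unregister (the post's command, plus /s so no dialog appears).
$rc = Invoke-Regsvr32 -Arguments @('/u', '/s', "`"$dll`"")
if ($rc -ne 0) { Write-Warning "regsvr32 /u returned exit code $rc" }

$remaining = @(Get-ShimgvwRegistrations)
if ($remaining.Count -eq 0) {
    Write-Host 'OK: no CLSID still references shimgvw.dll'
} else {
    Write-Warning 'shimgvw.dll is still registered:'
    $remaining | Format-Table -AutoSize
}

# To undo the workaround after patching, re-register the DLL:
#   Invoke-Regsvr32 -Arguments @('/s', "`"$dll`"")
```

The registry check matters because a successful-looking regsvr32 run on the wrong path (for example a copy of the DLL elsewhere) leaves the real registration in place; listing the CLSIDs that point at the file is a direct test of what the workaround is supposed to change, and the same function doubles as a quick inventory check before deciding whether to re-register.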

It’s still early in the discovery process, so I fully anticipate that more workarounds and more information will emerge as the security researchers continue their work.
