The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – Musings and More WMF Information – Urgent Updated Info

Looks like renaming the dll temporarily is the only option now.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary December 30th 2005

Musings and More WMF Information (NEW)

Published: 2005-12-30,
Last Updated: 2005-12-30 20:10:48 UTC by Scott Fendley (Version: 1)
Websense released some more information about their investigation in some website exploitation that involves IFRAMEs and WMF vulnerability. My fellow handler Lorna said recently, “IFrames are always suspect in my eyes.” In light of this information, I have to agree with her. Take a look at Websense Security Labs website for details of their investigation including a nice movie file showing the exploitation at work.As a side note, I am quite thankful that most university and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader send us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoiking it (shimgvw.dll) directly.
  3. you have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into docuements may not immediately trigger the exploit, they may once saved into their own file.

The readers goes on to note that whatever mitigation is offered in Microsoft’s advisory is not much more then a quick temporary bandaid. What we need is a patch and we need it quick.

Scott Fendley
Handler on Duty


December 30, 2005 - Posted by | Security News, Virus Removal Tools

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: