The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – Updated WMF FAQ

I tried out the unofficial patch on my home machine without any problems. We will see if I can get approval to deploy this at my company; I don’t see any other choice.


Handler’s Diary January 1st 2006

Published: 2006-01-03
Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3)
[A few users offered translations of this FAQ into various languages. Obviously, we cannot check the translations for accuracy, nor can we update them, so use them at your own risk: Deutsch and Deutsch (pdf), Catalan, Español, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in progress)]

  • Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. The code executes as soon as the image is viewed; in most cases you don’t have to click anything. Even images already stored on your system may trigger the exploit if they are indexed by some indexing software. Viewing a directory in Explorer with ‘Icon size’ images will trigger the exploit as well.
  • Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection, given that these are images and are thus considered ‘safe’.
  • What versions of Windows are affected?
All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix and BSD are not affected. Note: If you’re still running Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
  • What can I do to protect myself?
  1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
  2. You can unregister the related DLL.
  3. Virus checkers provide some protection.

To unregister the DLL:

  • Click Start, click Run, type regsvr32 -u %windir%\system32\shimgvw.dll and then click OK.
  • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

    Our current “best practice” recommendation is to both unregister the DLL and to use the unofficial patch.

    • How does the unofficial patch work?
    The wmfhotfix.dll is injected into any process loading user32.dll. The DLL then patches (in memory) gdi32.dll’s Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow Windows programs to display WMF files normally while still blocking the exploit. The version of the patch located here has been carefully checked against the source code provided as well as tested against all known versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
    • Will unregistering the DLL (without using the unofficial patch) protect me?
    It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering shimgvw.dll isn’t always successful. The .dll can be re-registered by malicious processes or other installations, and there may be cases where re-registering the .dll on a running system that has already had an exploit run against it allows the exploit to succeed. In
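The two answers above describe the mechanism from the defender’s side: the exploit rides on a WMF META_ESCAPE record whose escape function is SETABORTPROC (9), and the unofficial patch blocks exactly that call inside gdi32.dll. The scanner below, an added example that is not part of the ISC FAQ or of this blog, shows what “virus checkers provide some protection” means in practice: it walks the WMF record stream and flags every escape record carrying SETABORTPROC. The header and record layouts follow the published WMF format (optional 22-byte placeable header, 18-byte META_HEADER, records of RecordSize WORDs each); the sample files are constructed inline and carry filler bytes rather than any real payload.

```python
"""Flag WMF files that contain a META_ESCAPE / SETABORTPROC record.

Added example (not ISC or blog code). Layouts follow the WMF format:
  optional placeable header (22 bytes, key 0x9AC6CDD7), then
  META_HEADER (18 bytes), then records of <RecordSize:DWORD><Function:WORD>.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the Escape() sub-function the exploit relies on


def scan_wmf(data: bytes) -> list:
    """Return one finding per META_ESCAPE record whose EscapeFunction is
    SETABORTPROC. Raises ValueError if the data is not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("too short for a META_HEADER")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or header_words != 9:   # 1 = memory, 2 = disk
        raise ValueError("not a WMF META_HEADER")
    off += 18

    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            # Decide on the escape function alone, not on RecordSize/ByteCount,
            # so odd or inconsistent size fields cannot hide the record.
            if esc_func == SETABORTPROC:
                findings.append({"offset": off,
                                 "record_words": size_words,
                                 "byte_count": byte_count})
        if size_words < 3:
            break   # RecordSize must cover its own 3 WORDs; malformed, stop
        off += size_words * 2
    return findings


def _record(func: int, payload: bytes = b"") -> bytes:
    """One WMF record; RecordSize counts WORDs including the 6-byte prefix."""
    assert len(payload) % 2 == 0
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload


def build_wmf(records: list) -> bytes:
    """Wrap records in a minimal non-placeable META_HEADER plus META_EOF."""
    eof = _record(META_EOF)
    body = b"".join(records) + eof
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) for r in records + [eof]) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16,
                         0, max_words, 0)
    return header + body


# Constructed samples (not real malware): a benign map-mode record, and the
# same file with a SETABORTPROC escape record whose data is just filler.
_mapmode = _record(META_SETMAPMODE, struct.pack("<H", 8))   # MM_ANISOTROPIC
_escape = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8)
BENIGN_WMF = build_wmf([_mapmode])
SUSPECT_WMF = build_wmf([_mapmode, _escape])
PLACEABLE_SUSPECT_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0,
                                    0, 0, 100, 100, 96, 0, 0) + SUSPECT_WMF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable suspect", PLACEABLE_SUSPECT_WMF)):
        print(name, scan_wmf(blob))
```

Note the caveat this scanner shares with the signature-based checkers the FAQ mentions: it only finds the record inside files that are recognisably WMF, whereas the rendering code triggers on content, not on file extension. That is why the in-memory patch, which refuses the SETABORTPROC call regardless of where the image came from, is the stronger control.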

    January 3, 2006 - Posted by | Antivirus News, Security News
