Wednesday, December 28, 2005

WMF Gator Alert!

Microsoft WMF Alligator Alert!.....Something bad is lurking in the internet waters! Beware!

So there I was, cruising the internet security sites I monitor during the day today, and I came across a warning on Alex Eckelberry's Sunbelt Blog. It described in pretty good detail the WMF exploit for Windows systems. Didn't Microsoft issue a recent patch for this? Well, yes, but this is slightly different and isn't covered in that patch. (New MS advisory information HERE.)

A jump over to SANS-ISC Storm Center confirmed they also were thinking it was going to be an issue. As the day developed, they bumped their threat status up to Yellow. That's never a good sign. A couple more security sites picked up the call and Dwight Silverman made a very good summary of the issue on the Chronicle's Tech Blog.

Later Alex posted an update that gave one, then two "temporary patches" as workarounds for the exploit, until it can be fixed. Quoting Alex:
1. Unregister SHIMGVW.DLL.

This is probably your best workaround for the time being.

From the command prompt, type REGSVR32 /U SHIMGVW.DLL. A reboot is recommended. (It works post reboot as well. It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE.

However, it is not the most elegant fix. YouĂ‚’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply do REGSVR32 SHIMGVW.DLL to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help. Works for IE, should work fine for Firefox users as well.

2. Change file associations for WMF files.

An equally ugly fix (but perhaps preferable) is to do the following:

1. Go to My documents, Tools, Folder Options, File Types.
2. Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad. Ugly, but it is a fix.
So why the Houston Zoo alligator picture? Well, because I still am dealing with alligator issues back from when I was taking high-school driver's ed one summer and the instructor had my car drive us out to an alligator farm nearabout Wallisville, Texas. We all had to get out of the car and go look at the 'gators behind the chicken wire fence. I can't belive we did that! Somewhere in there I think was a lesson about the dangers of driving being like a skinny high-school kid in a pit of alligators. I'm not really sure, but I still haven't forgotten that day's lesson. Don't remember much else from high-school. Anyway...I'm digressing. Sorry.

This exploit, and others like it (.MOVQuickTimee file exploit) are sitting all over the internet, just under the water. They are waiting for naive Gazelles (you and me) to come across them by accident or plan. When we dip our heads onto those pages, they jump up and catch you (your pc) and can really wreck your system and sometimes your personal identity or bank accounts.

What's the solution? Keep your system patched with updates (though that doesn't help right now with this one), be aware of what is going on (by reading Dwight's blog or other trusted security sites), and finally be very cautious on where you go on the web. The majority of sites Alex notes are from overseas. Click your links carefully. Even Firefox can't protect you from everything. You really need to use some common pc sense--and it doesn't hurt to keep a Crocodile Hunter nearby to keep an eye on you as well! (Sorry, Steve and Terri--I couldn't resist!)

Now the Sociologist in me is curious to see how this information spreads. It is a big deal to us in the IT security field. It is a kinda big deal to programmers and other "geeks". It should be a big deal to everyone with a (Windows) pc. So far, no "public" media reports/notices except for a few online newspapers. Is this going to be a ho-hum story for everyone but the sysadmins who have to fix all these bork'ed pcs (an our parents')? Will the mass media even care? Don't know. Time will tell. I'll be watching the blog-o-sphere and the mass media very carefully for the next couple of days on this story....

Free Fun Bonus Link

Ok, with all this scarey pc exploit talk, I just have to lighten up the mood. What do you do with an eighth of a ton bulk order of Silly Putty? I'm not sure either, but the Google gang is having fun finding out!

Please keep safe in the skies.

No comments: