STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

January 4, 2006

Critical "WMF" Vulnerability and Zero-Day Exploit

January 5, 2006 Update

Microsoft has released an official patch for this vulnerability (security bulletin MS06-001), ahead of the January 10 date originally announced. A separate alert covers the patch release. With the new patch, the workaround described in this alert is no longer necessary.

If you have already applied the workaround described below, you should undo it after your machine has been updated with the new patch.

Summary

On December 28, 2005, a remote exploit for a previously unknown vulnerability in Microsoft Windows was reported on several security mailing lists. The flaw is in the way the Windows graphics rendering engine (gdi32.dll) processes Windows Metafile (WMF) images: a metafile may contain an Escape record with the SETABORTPROC sub-function, and Windows will run code supplied in that record, so merely rendering a crafted image is enough to execute attacker-supplied code with the privileges of the user viewing it. The vulnerability affects all current versions of Windows, and it has been confirmed that exploits are circulating.

An official patch for the vulnerability is expected from Microsoft on January 10. However, because of the immediate threat, the vendor has recommended that a workaround be deployed in the meantime for Windows XP and 2003 systems.

The workaround unregisters the Windows Picture and Fax Viewer library (shimgvw.dll), which is the component Windows Explorer, Internet Explorer and Outlook use to render and preview images. It may cause some graphic elements of Windows and its applications to render improperly, but it is not expected to cause any damage. Note that it does not change the vulnerable code in gdi32.dll itself: applications that render WMF images through their own code paths remain exposed, so the workaround reduces the most common attack avenues rather than closing the hole. When an official patch is available, removing the workaround should restore proper functioning.

What to Do

The administrators of Stanford's central patch management system, BigFix, are being encouraged to deploy the workaround as soon as they can determine that it will not interfere with operations in their areas.

Please be sure to reboot your machine when prompted to do so by your BigFix administrator.

If you are the system administrator of a Windows XP or 2003 machine that does not have BigFix installed, see below for instructions on how to apply the workaround manually. This alert will be updated if special removal procedures are necessary after Microsoft releases their official patch.

If you are an end user without BigFix and without administrative privileges, the best advice currently available boils down to "be careful". The most likely avenues of attack are through malicious web pages, e-mail, instant messaging, and file-sharing. Windows identifies a WMF image by its content rather than by its file name, so a crafted file can arrive under any extension (.jpg, .gif and so on), and it can be triggered by viewing a web page or HTML message that embeds it, or simply by opening a folder that contains it in Windows Explorer with previews or thumbnails enabled. We recommend you try to keep these activities to the minimum necessary until Microsoft's patch becomes available through Windows Update.
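For administrators who want to screen incoming files (for example on a mail gateway or a shared folder) while waiting for the patch, the following scanner is an added example written for this edit; it is not code from the original alert, from Microsoft, or from any of the researchers named on this page. It walks the WMF record stream and flags the META_ESCAPE record carrying the SETABORTPROC sub-function (code 9) that the circulating exploit relies on, identifying WMF files by content rather than by extension because the exploit files were commonly renamed to .jpg. The three sample files at the bottom are constructed inline for demonstration: the "malicious" one has the record shape of a trigger but contains only filler bytes where an exploit would carry its payload.

```python
"""Content-based scanner for the WMF SETABORTPROC escape record (added example)."""
import struct

# Constants from the WMF (Windows Metafile) format as documented by Microsoft.
PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
PLACEABLE_LEN = 22
METAHEADER_LEN = 18            # standard METAHEADER: mtType, mtHeaderSize, mtVersion,
                               # mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 9           # escape sub-function abused by the exploit


def metafile_body_offset(data):
    """Return the byte offset of the first metafile record, or None if the bytes
    do not look like a WMF. The check is by content only; the file name is ignored."""
    pos = 0
    if len(data) >= PLACEABLE_LEN and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_MAGIC:
        pos = PLACEABLE_LEN
    if len(data) < pos + METAHEADER_LEN:
        return None
    mt_type, header_words, _version = struct.unpack_from('<HHH', data, pos)
    if mt_type not in (1, 2) or header_words != 9:   # 1 = memory, 2 = disk metafile
        return None
    return pos + METAHEADER_LEN


def scan_wmf(data):
    """Return a list of (offset, reason) findings. An empty list means either a clean
    WMF or not a WMF at all; use metafile_body_offset() to tell the two apart."""
    findings = []
    pos = metafile_body_offset(data)
    if pos is None:
        return findings
    while pos + 6 <= len(data):
        # Each record: rdSize (DWORD, in 16-bit words, counting these 6 bytes),
        # rdFunction (WORD), then the parameters.
        rd_size, rd_func = struct.unpack_from('<IH', data, pos)
        if rd_func == META_EOF:
            break
        if rd_size < 3:
            # Smaller than the record header itself: a naive parser would loop forever here.
            findings.append((pos, 'malformed record size %d words' % rd_size))
            break
        if rd_func == META_ESCAPE and pos + 8 <= len(data):
            escape = struct.unpack_from('<H', data, pos + 6)[0]   # first parameter: escape number
            if escape == ESC_SETABORTPROC:
                findings.append((pos, 'META_ESCAPE with SETABORTPROC (code 9)'))
        pos += rd_size * 2
    return findings


def scan_file(path):
    """Scan one file from disk; the extension plays no part in the decision."""
    with open(path, 'rb') as f:
        return scan_wmf(f.read())


def _wmf(records, max_record_words):
    """Prepend a standard METAHEADER to a record stream (helper for the constructed samples)."""
    total_words = (METAHEADER_LEN + len(records)) // 2
    return struct.pack('<HHHIHIH', 1, 9, 0x0300, total_words, 0, max_record_words, 0) + records


EOF_RECORD = struct.pack('<IH', 3, META_EOF)

# Constructed benign sample: one META_SETMAPMODE record (0x0103, MM_ANISOTROPIC) then EOF.
BENIGN_WMF = _wmf(struct.pack('<IHH', 4, 0x0103, 8) + EOF_RECORD, 4)

# Constructed trigger-shaped sample: placeable header, then an ESCAPE/SETABORTPROC record
# whose data is filler (NOT an exploit payload), then EOF. rdSize = 3 header words
# + 2 parameter words + 4 words of data = 9 words.
_filler = b'\x90' * 8
_escape_record = struct.pack('<IHHH', 9, META_ESCAPE, ESC_SETABORTPROC, len(_filler)) + _filler
_placeable = struct.pack('<IHhhhhHI', PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
_checksum = 0
for _w in struct.unpack('<10H', _placeable):   # checksum is the XOR of the first ten WORDs
    _checksum ^= _w
MALICIOUS_WMF = _placeable + struct.pack('<H', _checksum) + _wmf(_escape_record + EOF_RECORD, 9)

# Constructed malformed sample: rdSize of 0, the kind of value used to stall naive parsers.
MALFORMED_WMF = _wmf(struct.pack('<IHH', 0, 0x0103, 8) + EOF_RECORD, 0)


if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_WMF), ('malicious', MALICIOUS_WMF), ('malformed', MALFORMED_WMF)):
        print(name, scan_wmf(blob))
```

The scanner deliberately treats a record size below three words as a finding rather than skipping it: a zero-length record is a cheap way for an attacker to make a length-driven parser spin or bail out before it reaches the escape record, and a file that is malformed in that way has no business being rendered anyway. Because GDI recognizes a metafile by its header, not by its extension, the same function should be run over every attachment and download regardless of name.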

Manual Remediation

The Microsoft-recommended workaround can be applied manually to Windows XP and Windows 2003 systems. The procedure requires that you be logged in with administrative privileges.

  1. Click Start, click Run, type: regsvr32 -u %windir%\system32\shimgvw.dll and then click OK.
  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
  3. Reboot the computer.

To undo the workaround, the procedure is almost the same; just remove the "-u".

  1. Click Start, click Run, type: regsvr32 %windir%\system32\shimgvw.dll and then click OK.
  2. A dialog box appears to confirm that the registration process has succeeded. Click OK to close the dialog box.

The "Unofficial Patch"

Independent researcher Ilfak Guilfanov has created a patch that addresses this vulnerability in Windows 2000, XP, and 2003. This patch is not supported or endorsed by Microsoft. It has been vetted by the SANS Internet Storm Center, and we have had several reports that it installs with no ill effects.

Since it is not supported by Microsoft, we have no way of knowing how it may interfere with the upcoming official patch. System administrators who elect to install this patch should be aware that it is unsupported and may need to be removed when official updates become available.

The patch installer is available from SANS as WMFHotfix-1.1.14.msi. Its MD5 hash is 0dd56dac6b932ee7abf2d65ec34c5bec and its SHA1 hash is 62a323595a2989eba3eef3151b488ecb012e8b61. Compute both hashes on the downloaded file and confirm they match before running the installer; do not install a copy that fails either check, since a third-party patch for a vulnerability this widely exploited is an obvious target for trojaned copies.

Additional Information

The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.

Last modified Monday, 08-Oct-2007 04:34:18 PM