Information Security Office
Security Alert: Windows - Critical "WMF" Vulnerability and Zero-Day Exploit
4 Jan 2006
Update
5 Jan 2006
Microsoft has released an official patch for this vulnerability.
The alert for this patch release is available here.
With the new patch, the workaround described in this alert is no longer
necessary.
If you have already applied the workaround described below, you should
undo it after your machine has
been updated with the new patch.
Summary
On Dec 28, 2005 a remote exploit for a previously unknown vulnerability
in Microsoft Windows was reported on several security mailing
lists. The vulnerability affects all current versions of Windows,
and it has been confirmed that exploits are circulating.
An official patch for the vulnerability is expected from Microsoft on
January 10. However, because of the immediate threat, the vendor
has recommended that a workaround be deployed in the meantime for
Windows XP and 2003 systems.
The workaround may cause some graphic elements of Windows and its
applications to render improperly, but it is not expected to cause any
damage. When an official patch is available, removing the
workaround should restore proper functioning.
What to Do
The administrators of Stanford's central patch management system BigFix
are being encouraged to deploy the workaround as soon as they can
determine that it will not interfere with operations in their areas.
Please be sure to
reboot your machine when prompted to do so by your BigFix
administrator.
If you are the system administrator of a Windows XP or 2003 machine
that does not have BigFix installed, see below for instructions on how
to apply the workaround manually. This alert will be updated if
special removal procedures are necessary after Microsoft releases their
official patch.
If you are an end user without BigFix and without administrative
privileges, the best advice currently available boils down to "be
careful". The most likely avenues of attack are through malicious
web pages, e-mail, instant messaging, and file-sharing. We
recommend you try to keep these activities to the minimum necessary
until Microsoft's patch becomes available through Windows Update.
Manual Remediation
The Microsoft-recommended workaround can be applied manually to Windows
XP and Windows 2003 systems. The procedure requires that you be
logged in with administrative privileges.
- Click Start, click Run, type:
  regsvr32 -u %windir%\system32\shimgvw.dll
  and then click OK.
- A dialog box appears to confirm that the un-registration process has
  succeeded. Click OK to close the dialog box.
- Reboot the computer.
To undo the workaround, the procedure is almost the same; just remove
the "-u".
- Click Start, click Run, type:
  regsvr32 %windir%\system32\shimgvw.dll
  and then click OK.
- A dialog box appears to confirm that the registration process has
  succeeded. Click OK to close the dialog box.
The "Unofficial Patch"
Independent researcher Ilfak Guilfanov has created a patch that
addresses this vulnerability in Windows 2000, XP, and 2003. This
patch is not supported or endorsed by Microsoft. It has been
vetted by the SANS Internet Storm Center,
and we have had several reports that it installs with no ill effects.
Since it is not supported by Microsoft, we have no way of knowing how
it may interfere with the upcoming official patch. System
administrators who elect to install this patch should be aware that it
is unsupported and may need to be removed when official updates become
available.
The patch installer is available from SANS here: WMFHotfix-1.1.14.msi.
Its MD5 hash is 0dd56dac6b932ee7abf2d65ec34c5bec and its SHA1
hash is 62a323595a2989eba3eef3151b488ecb012e8b61.
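One way to check a downloaded copy of the installer against both digests published above before running it. This is an added example, not part of the original alert or of the patch itself; the script name verify_hotfix.py and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import sys

# Digests published in this alert for WMFHotfix-1.1.14.msi.
PUBLISHED = {
    "md5": "0dd56dac6b932ee7abf2d65ec34c5bec",
    "sha1": "62a323595a2989eba3eef3151b488ecb012e8b61",
}


def file_digests(path, algorithms, chunk_size=1 << 16):
    """Read the file once, in chunks, and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_installer(path, expected=PUBLISHED):
    """Return (ok, mismatches); ok is True only if every digest matches."""
    actual = file_digests(path, expected)
    mismatches = {
        name: actual[name]
        for name, want in expected.items()
        if not hmac.compare_digest(actual[name], want.strip().lower())
    }
    return (not mismatches, mismatches)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: verify_hotfix.py <path to WMFHotfix-1.1.14.msi>")
    ok, bad = verify_installer(sys.argv[1])
    for name, got in bad.items():
        print(f"{name} mismatch: got {got}, expected {PUBLISHED[name]}")
    print("OK: digests match the alert" if ok else "FAILED: do not install this file")
    sys.exit(0 if ok else 1)
```

The script exits non-zero if either the MD5 or the SHA1 digest differs, so it can gate an installation step in a deployment script.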
Additional Information
The Information Security Office would like to
thank the Windows Systems Team in ITS for their assistance in producing
this alert.
Last modified Wednesday, 08-Feb-2006 11:46:37 PST
© 2006, Stanford University. All rights reserved.