Microsoft Windows Security Warning

  sjbell 16:57 28 Dec 2005

Just seen this over on the Secunia website (click here)

A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of corrupted Windows Metafile files (".wmf"). This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. selecting the file). This can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

Do not open or preview untrusted ".wmf" files and set security level to "High" in Microsoft Internet Explorer.

  sjbell 17:07 28 Dec 2005

'J B' has further details in his post (click here)

  sjbell 17:41 28 Dec 2005

More at about.com click here

  Number 7 18:52 28 Dec 2005

NOD32 has patched the exploit, and no doubt the other AV vendors have/will do the same.

Reference for NOD32 users: click here

  SG Atlantis® 19:34 28 Dec 2005

I have nero photosnap as my default image viewer.

so am I safe?

  Number 7 20:51 28 Dec 2005

No, you're not.

The exploit is in the operating system.

It doesn't matter which App you use.

  SG Atlantis® 20:58 28 Dec 2005

:( Following the above guidelines. Thanks sjbell for making us aware.

  PaulB2005 23:17 28 Dec 2005

No they haven't. It just detects the corrupted files and stops them. The OS is still vulnerable if NOD32 is removed.

  Number 7 23:52 28 Dec 2005

Windows XP is more vulnerable if SP2 is removed, never mind an AV.

A user's AV doesn't detect the "corrupted" files by the way, the AV detects the use of the particular exploit.

Your AV will probably detect the exploit as Trojan something or other- that's the way AV's deal with OS exploits.

  sjbell 08:58 29 Dec 2005


  J B 11:16 29 Dec 2005

This is a work-around that I found at click here. You can either read it here or go to the website to verify.

Update: One way to prevent this exploit from working is to disable the Windows Picture and Fax Viewer component. To do so, click Start, Run. In the Open box, type the following command:

regsvr32 /u shimgvw.dll

Press Enter to make the change.

This measure isn’t without side effects. Disabling this component eliminates the capability to view thumbnails of all image types (not just WMF files) in Windows Explorer folders, and it zaps the Preview command for images as well. You can work around these limitations by using a graphics viewing/editing program.

To re-enable the Windows Picture and Fax Viewer, issue this command:

regsvr32 shimgvw.dll

Hope this little copy and paste helps. J.B.
