Wednesday 4 January 2006

WMF security hole: take action!

Update: get the patch now from Microsoft Update. (Do not pass Go. Do not collect 200 pieces of silver.)

Late last year, Microsoft released advisory 912840 - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. Summary: there's a problem with displaying pictures that can give the bad guys the keys to your PC. Ouch.

Make sure your anti-virus and anti-spyware definitions are up-to-date!

While there is no patch yet, Microsoft suggests a workaround -- Start|Run and then type this:

regsvr32 -u %windir%\system32\shimgvw.dll

The vulnerability appears to be in gdi32.dll and can even be triggered if a full-text indexing engine such as Google Desktop scans a saved WMF (Windows Metafile).

Microsoft's official position is that there's no patch until Patch Tuesday, January 10. Its statement notes that:

Creating security updates that effectively fix vulnerabilities is an extensive process ... it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.

Note that security researcher Ilfak Guilfanov has released an unofficial patch, which has been approved by the Internet Storm Center and F-Secure, among others. Microsoft's official position on what it calls "third-party patches" amounts to:

It is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software.

Even Scobe seems to be toeing the party line.

However, as F-Secure points out:

Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

Be careful out there.

Tags: , , , .

No comments:

Post a Comment