Exploits are spreading rapidly that take advantage of a vulnerability in Microsoft's Graphics Rendering Engine. The exploits typically use specially crafted metafiles (.wmf) to run arbitrary code on vulnerable systems. Complicating matters is the fact that Internet Explorer users need only visit a site with a malicious metafile to become infected. Infection might also occur by simply clicking on an infected file while using Windows Explorer.
The vulnerability was first made known December 27 in an anonymous post to the Bugtraq mailing list where someone allegedly came across the vulnerability on a Web site. Secunia quickly posted an advisory about the problem, labeling the vulnerability as extremely critical.
Microsoft confirmed that the problem affects Windows 98, Windows Millennium Edition (ME), Windows 2000, Windows XP, Windows Server 2003 -- each with the latest service packs and patches installed. Microsoft has not released a patch to correct the problem, however the company will undoubtedly produce one in the near future. The company did however release an advisory, " Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution ," which explains the problem in some amount of detail. The article offers a simple workaround that can protect systems until a patch is available. The workaround involves unregistering a DLL where the impact of doing so is that the Windows Picture and Fax Viewer will not starting, thus protecting a system from exploits. In a DOS command Window, enter the following command:
regsvr32 -u %windir%\system32\shimgvw.dll
Later when a patch becomes available you can re-register the DLL with the following command:
The number of exploits is sure to arise while Microsoft works to produce a patch. Simple filtering based on the .WMF file extension doesn't work as a method of protection. At least one person reported that even if an infected .WMF file is renamed to have a different extension (such as BMP, DIB, EMF, GIF, ICO, JPG, JPEG, JPE, JFIF, PNG, RLE, TIF, or TIFF) an affected system will still parse the file and launch an exploit -- unless the DLL mentioned above is unregistered.
According to Microsoft an alternative method of protection on Windows XP systems is to use Data Execution Prevention (DEP). Microsoft's article, "How to Configure Memory Protection in Windows XP SP2," describes how to enable the protection. But keep in mind that only hardware-based DEP will protect systems -- software-based DEP won't protect a system against exploits using this vulnerability.
Security vendors moved fast to integrate protection into their products. One company, Websense claims that they are tracking thousands of sites that are currently distributing exploits. Example screen capture images on the company's Web site show that at least two exploits change a user's desktop background image to an alert stating that the computer has been infected with spyware. A prompt then tries to coax the person into entering credit card information in order to obtain a method of removing the alleged spyware. The company also posted a video that shows a machine becoming infected.
F-Secure warned that systems might become infected through other methods. For example, infection could occur by using a text-based Web browser or tools such as WGET and CURL, which are designed to download Web content from a DOS command shell. Infection through those methods might occur if other tools, such as file indexing engines, are active on the desktop. Some search tools, such as Google Desktop, index files in realtime, which means that when an infected file is downloaded then Google Desktop will immediately index the file, thereby launching any exploit code contained in the infected file. Your best defense in any case is to unregister the DLL or enable DEP as recommended by Microsoft, if your CPU supports it.