Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?
No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example Microsoft Word documents, our advice is to accept files only from trusted source would apply to any such attempts.
If I block .wmf files by extension, can this protect me against attempts to exploit this vulnerability?
No. Because the Graphics Rendering Engine determines file type by means other than just looking at the file extensions, it is possible for WMF files with changed extensions to still be rendered in a way that could exploit the vulnerability.
Does the workaround in this advisory protect me from attempts to exploit this vulnerability through WMF files with changed extensions?
Yes. Microsoft has tested and can confirm the workaround in this advisory help protect against WMF files with changed extensions.
It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?
We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.
Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?
No, these are different and separate issues.
Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?
While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.
Will my anti-virus software protect me from exploitation of this vulnerability?
As of the latest update to this advisory the following members of the Virus Information Alliance have indicated that their anti-virus software provides protection from exploitation of Windows Metafile (WMF) files using the vulnerability discussed in this advisory.
• Symantec
• Computer Associates
• McAfee
• F-Secure Corporation
• Panda Software International
• Eset Software
In addition Microsoft is providing heuristic protection against exploitation of this vulnerability through Windows Metafile (WMF) files in our new Windows OneCare Live Beta.
As currently known attacks can change, the level of protection offered by anti-virus vendors at any time may vary. Customers are advised to contact their preferred anti-virus vendor with any questions they may have or to confirm additional information regarding their vendor’s method of protection against exploitation of this vulnerability.
When this security advisory was issued, had Microsoft received any reports that this vulnerability was being exploited?
Yes. When the security advisory was released, Microsoft had received information that this vulnerability was being actively exploited.
Top of section
Suggested Actions
• Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Note The following steps require Administrative privileges. It is recommended that the machine be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround. However, the recommendation is to restart the machine.
To un-register Shimgvw.dll, follow these steps:
1.
Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2.
A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
• Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.
• Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses." International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.
• All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
• Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
• For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
• Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Top of section
Resources:
• You can provide feedback by completing the form by visiting the following Web site.
• Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
• International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
• The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
• December 28, 2005: Advisory published
• December 29, 2005: Advisory updated. FAQ section updated.
• December 30, 2005: Advisory updated. FAQ section updated.
