UPDATE: 

Houston, we have an unofficial hotfix!   Install Ilfak Guilfanov’s patch.  Link here.  You will need to remember to uninstall it after Microsoft releases its patch.  Frequently Asked Questions here. Caveat — this is an unofficial, unsupported fix. However, it has been broadly tested by many in the Internet community and we recommend it as a temporary solution.

Many AV engines are doing a great job of keeping on top of this thing.  Between this simple hotfix and keeping your AV signatures up to date, you should be just fine. 

Need AV but on a budget?  My recommendations for free security tools is here

The rest of the blog posting (below) has additional workarounds but with these two fixes in place, it’s largely irrelevant.

—————

For this WMF exploit: Until Microsoft patches this thing or your AV provider has updated defs, here are some workarounds.   

Basic, easy fixes

Unregister SHIMGVW.DLL. 

This is your best workaround for the time being (realizing that nothing is perfect).    As CERT says, “Remapping handling of Windows Metafiles to open a program other than the default Windows Picture and Fax Viewer (SHIMGVW.DLL) may prevent exploitation via some current attack vectors. However, this may still allow the underlying vulnerability to be exploited via other known attack vectors.” 

There’s also this caveat.

At any rate, here’s how you do it:

From the command prompt, type REGSVR32 /U SHIMGVW.DLL.  A reboot is recommended.  (It works post reboot as well.  It is a permanent workaround).

You can also do this by going to Start, Run and then pasting in the above command.

This effectively disables your ability to view images using the Windows picture and fax viewer via IE. 

However, it is not the most elegant fix.  You’re probably going to have all kinds of problems viewing images.

But, no biggie: Once the exploit is patched, you can simply type “REGSVR32 SHIMGVW.DLL” to bring back the functionality.

And, it is a preventative measure. If you are already infected, it will not help.

Works for IE, should work fine for Firefox users as well. 

Change file associations for WMF files. 

Note that if a WMF file was spoofed to look like it was a different type of file (like GIF), this fix wouldn’t do anything.  So it’s a pretty weak workaround. At any rate, here it is:

    a)  Go to My documents, Tools, Folder Options, File Types.
    b)  Change WMF Image to notepad and select Always Open with this.

Your WMF files will open in Notepad.  I really don’t recommend bothering with this solution. Ugly and not as effective as unregistering SHIMGVW.DLL. 

Run IESPYAD. 

IESpyad is a free tool that puts block lists into IE’s restricted sites zone.  It’s managed by Eric Howes, who works as a consultant for Sunbelt.  We regularly update him with the latest URLs.  Click here. GravatarAlso, see Eric’s comments here.

If you don’t have AV in place, get it.  If you have it, update it.

If you’re on a budget, see my article, Security on the Cheap.

Additional fixes for the more advanced user:

Add Snort rules to the free Sunbelt Kerio Personal Firewall.

This is probably way too technical for most, but you can add Snort rules to the free Sunbelt Kerio Personal Firewall to block this exploit.  Link here. It looks hard, but it’s actually not that difficult and it is pretty effective.

Use hardware-enforced DEP.

Again, way too technical for most, but enabling hardware-enforced DEP may help (but it may not always work for this exploit). It’s free, so no harm in doing it.  Software-enforced DEP is useless, so don’t bother.

Administrators: Filter graphic files at the perimeter.

If you’re an administrator, filter common file extensions at the perimeter, like BMP, DIB, EMF, etc. See SANS here.  Just blocking WMF files is not a full solution, as Windows goes by the header info for the file, not the extension (so one could rename a WMF file to GIF and it would still go through if you weren’t blocking GIF images).

 

Alex Eckelberry
(Hat tip to Jon and Sunbelt researchers Lior Kimchi and Adam Thomas)