Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

How To Beat Back The New Zero-Day Windows Bug

With a patch for the worsening zero-day Windows vulnerability perhaps weeks -- or more -- away, security companies and Microsoft on Thursday recommended workarounds and other ad hoc defenses.

Several firms, Microsoft included, told users to disable the Windows Picture and Fax Viewer, the application that Internet Explorer automatically launches to display WMF image files.
Microsoft's advisory instructed users to click the Start menu, choose Run, then enter "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quote marks), and click OK.
Doing so, however, breaks the viewer so that it won't display other associated image file formats, such as those with the .jpg extension, a popular format used by most digital cameras.

And it might not solve the problem. "Any application which automatically displays or renders WMF files is vulnerable," wrote Chris Carboni, an analyst with the Internet Storm Center, in a blog entry Thursday.

Another tactic, said some security vendors, is to block all WMF image files at the network perimeter. Symantec, for instance, listed that advice in its latest bulletin about the vulnerability. Unfortunately, hackers can simply rename a malicious WMF file with a different extension -- .gif or .jpg, for example -- to pass through an exploit. Windows parses WMF files based not on the extension it reads, but on the content of the file, making such blocking strategies ineffective.

On Wednesday, several security companies recommended that users and companies also block access to the sites known to be using the exploit. Sunbelt Software posted a list of some of the sites -- which included the most prominent, iFrameurl [dot] biz -- but with the exploit being used by an ever-increasing number of malicious and/or spyware sites, the technique will soon be impossible to implement manually.

"Yesterday only a few of the sites we monitor used this exploit," wrote Eric Sites, vice president of research at Sunbelt, "but now that number is exploding." (Another security vendor, San Diego-based Websense, said Thursday that "thousands of sites" were distributing exploit code from iFramecash [dot] biz.)

  • 1