Thank God Microsoft lied. They told us they were waiting until 10 January, but it’s out now. Click here to get it.

The WMF exploits are coming too fast and they’re too darned all-encompassing. And yes, Mozilla/Firefoxers on Windows, you’re in the bullseye too, as is anything that calls GDI32.dll. Maybe you thought this was all about shimgvw.dll?

SANS on the WMF Exploit:

Microsoft advised to unregister the shimgvw.dll in order to break the chain that leads to the vulnerable Escape() in GDI32.DLL. This will work for all applications that follow this path, but nothing prevents direct calls to GDI32.DLL from being made by other applications. Some applications (e.g. Mozilla) rely on the functionality provided by shimgvw.dll to do things people use in daily life. The library might be registered again by other software.

— SANS Internet Storm Center, WMF workarounds and patches (pdf)

SANS reports that 10% of its audience has already seen the WMF exploits in the wild. Expect an all-out assault.

So you can fight over philosophy once you’re safe. To that end, we give you plenty of ammo at the foot of this article.

Note: AV-Test checked most anti-virus products for their ability to intercept 206 of the known WMF exploits. All passed, except Trend Micro. But new exploits are flying out so fast it’s highly improbable that a/v vendors can create and distribute virus signatures quickly enough.

The patch has been vetted by Microsoft as a Good Thing. If you installed a third party fix earlier, SANS says you need to:

  • Reboot to clear memory, then apply the Microsoft patch;
  • Reboot then un-install the 3rd party patch;
  • Re-register shimgvw.dll (if you previously unregistered it), and reboot.

It’s your choice. Patch now before anything bad happens… Or wait till you’re hit and you become just another idiot working all night… while you still have a job.

Email Battles Backgrounder: