Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

How to protect yourself against the Widows Metadata vulnerability

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » Archives » General Discussion (01/01/06 through 01/22/2007) Donate to DU
 
jim3775 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:00 AM
Original message
How to protect yourself against the Widows Metadata vulnerability
Edited on Thu Dec-29-05 10:01 AM by jim3775
There is a critical unpatched vulnerability in windows that can affect your computer by simply viewing a certain image file. There are already dozens of websites that are hosting an image file that can install trojans and fake anti-spyware software (software that tells you your computer can be un-infected by entering a credit card number). You are still vulnerable if you do not use internet explorer.

Here is how to deal with it and protect yourself:
(all steps are taken from the US computer readiness team and this microsoft bulletin )

1. Uninstall google desktop if you use it. It's automatic indexing will execute the infected image file.

These next steps will break the windows picture and fax viewer but it is the only way to protect yourself short of http filtering.

2.Click Start, click Run, type "regsvr32 -u %windir \system32\shimgvw.dll" (without the quotation marks), and then click OK.

3. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

4. As a replacement for the built in image viewer download irfanview a freeware image viewer.

Once Microsoft has issued a patch you can make the image and fax viewer work again by replaceing the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This is very important, please keep this kicked.
Printer Friendly | Permalink |  | Top
Richard D Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:24 AM
Response to Original message
1. Is Copernic Desktop Search OK?
Printer Friendly | Permalink |  | Top
 
SpiralHawk Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:32 AM
Response to Original message
2. As 2006 ends, I again rejoice that I am a Mac guy
Not out of gloating, mind you, just out of the realization that the care and feeding of a computer system involves so much time already -- the MS leaky Windows system appears a nightmare to me. So glad there are so many less scares and vulnerabilities in this part of the cyber-universe. May it continue into eternity.
Printer Friendly | Permalink |  | Top
 
A Simple Game Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:58 AM
Response to Reply #2
4. I always wanted to try a Mac, oh well,
at least my Windows XP computer knows what year it is.
Printer Friendly | Permalink |  | Top
 
timber84 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:41 AM
Response to Reply #2
13. My husband tells me this o a daily basis.
You Mac guys are an unique bunch!
Printer Friendly | Permalink |  | Top
 
Poiuyt Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:05 PM
Response to Reply #13
19. We're like Scientologists!
We're always trying to get people to convert

:)


Printer Friendly | Permalink |  | Top
 
AspenRose Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:11 PM
Response to Reply #2
21. AMEN!
I LOVE my Mac :loveya:

Once you go Mac, you never go back! ;-)
Printer Friendly | Permalink |  | Top
 
FlashHarry Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:57 PM
Response to Reply #21
23. No viruses, spyware, adware or malware.
Ever. Three years on my Mac, and still going strong. I'll never go back.
Printer Friendly | Permalink |  | Top
 
DS1 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 09:28 PM
Response to Reply #2
41. Figures that a Mac user would be a year off
:eyes:

:P
Printer Friendly | Permalink |  | Top
 
Poll_Blind Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:38 AM
Response to Original message
3. Seriously- _thank you_! n/t
PB
Printer Friendly | Permalink |  | Top
 
mike_c Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:18 AM
Response to Original message
5. hmmmm-- I got an error at step #2....
RegSvr32

LoadLibrary ("%windir") failed- The specified module could not be found.


Running WindowsXP Pro SP2 with all the latest patches. Any advice?
Printer Friendly | Permalink |  | Top
 
gogo69 Donating Member (25 posts) Send PM | Profile | Ignore Thu Dec-29-05 11:31 AM
Response to Reply #5
7. missing a '%'
The line...
"regsvr32 -u %windir \system32\shimgvw.dll"

should read...
"regsvr32 -u %windir%\system32\shimgvw.dll"

Note the missing percentage sign.


Printer Friendly | Permalink |  | Top
 
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:36 AM
Response to Reply #7
10. OK, I did not see that. I will try it. Thanks.
Printer Friendly | Permalink |  | Top
 
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:38 AM
Response to Reply #10
11. THANKS...........THAT WORKED!!!!!!!
Printer Friendly | Permalink |  | Top
 
jim3775 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 12:05 PM
Response to Reply #7
15. You're right, i missed that
It's too late to edit now.
Printer Friendly | Permalink |  | Top
 
newyawker99 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 03:57 PM
Response to Reply #7
29. Hi gogo69!!
Welcome to DU!! :toast:
Printer Friendly | Permalink |  | Top
 
gogo69 Donating Member (25 posts) Send PM | Profile | Ignore Fri Dec-30-05 04:46 PM
Response to Reply #29
44. Thx ...
I assume you're from NY by your name 'newyawker99'. I live just outside NYC.

I've been quietly reading posts since last years elections.
Printer Friendly | Permalink |  | Top
 
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:33 AM
Response to Reply #5
8. Self-delete
Edited on Thu Dec-29-05 11:40 AM by mom cat
Keeping the original message would add to the confusion. Problem solved.
Printer Friendly | Permalink |  | Top
 
leftofthedial Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:19 AM
Response to Original message
6. only one step is really needed
switch to a Mac
Printer Friendly | Permalink |  | Top
 
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:34 AM
Response to Reply #6
9. Give me the money and I will do it. Till then I am stuck with what I have.
Printer Friendly | Permalink |  | Top
 
Poiuyt Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 12:10 PM
Response to Reply #9
16. Seriously consider switching to Mac the next time you buy a computer
The Macintosh operating system is MUCH more secure than Windows
Printer Friendly | Permalink |  | Top
 
BlueEyedSon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:28 PM
Response to Reply #16
22. Switch to Linux. It's free.
Printer Friendly | Permalink |  | Top
 
Angry Girl Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 04:06 PM
Response to Reply #22
30. A lot of people don't have the time for a Unix learning curve
I mean, come on: Tell your grandma or the accountant who works down the street to switch to Linux and give them the installation CD. See what they do with it....

Noooo, don't put it THERE!!!!
Printer Friendly | Permalink |  | Top
 
BlueEyedSon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 08:00 PM
Response to Reply #30
35. So there is no learning curve going from PC to Mac?
Edited on Thu Dec-29-05 08:01 PM by BlueEyedSon
:wtf:
Printer Friendly | Permalink |  | Top
 
Angry Girl Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 09:19 PM
Response to Reply #35
38. No comparison to Unix, c'mon!
Edited on Thu Dec-29-05 09:20 PM by Angry Girl
And we're not talking tinkering with the internals, just installing, running apps, dialing up to the Internet, etc. Ask your Grandma and your supermarket checkout girl.
:argh:
Printer Friendly | Permalink |  | Top
 
BlueEyedSon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 10:34 PM
Response to Reply #38
42. that's all i do on my SuSe 9.2 and KDE desktop!
(after the install, that is!)
Printer Friendly | Permalink |  | Top
 
rpgamerd00d Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 11:39 AM
Response to Original message
12. I think the problem is with Image Viewer, not browsers, right?
I mean, just don't open images in Image Viewer.
Printer Friendly | Permalink |  | Top
 
mom cat Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 12:01 PM
Response to Original message
14. Eliminating Google desktop also gets rid of the "autofill" function.
Is there a safe alternative?
Printer Friendly | Permalink |  | Top
 
Deja Q Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 12:52 PM
Response to Original message
17. Even better: DON'T USE WINDOWS!
I am tired of these fuckheads who whine and complain about viruses and such, yet continue to keep all their eggs in one basket.

I wouldn't be cheering the hackers, but I can't pity these fools who insist on having their cake, eating it, and not getting indolent and obese from it too.
Printer Friendly | Permalink |  | Top
 
Caoimhe Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:04 PM
Response to Reply #17
18. I use Windows and always have
I don't want to sound as rude as your post, but here's my 2 cents. If you wish to buy us all Macs, go for it. Until then, butt out. This was a nice favor the OP did for all of us using IE. I ran the script and appreciate the advice. I use Windows for my job and home, it is what I know and know well. Everyone has their own likes and dislikes. I take the risk of having these security breaches, all of us do. No need for the snideness.
Printer Friendly | Permalink |  | Top
 
rpgamerd00d Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 01:07 PM
Response to Reply #17
20. Thats like saying dont drive Toyota Camrys because its the most stolen car
Duh. Then some other car would be the most stolen car.

If people stopped using Windows and all used MACs, then all viruses would be for MACs.

Sheesh. Some people don't think things through.
Printer Friendly | Permalink |  | Top
 
Touchdown Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 03:52 PM
Response to Reply #20
27. But those viruses wouldn't get to the macs.
...or at least nearly as often. There's more to the differences in OSes than just popularity.
Printer Friendly | Permalink |  | Top
 
Solon Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 03:52 PM
Response to Reply #20
28. That comparison would only be appropriate...
if the Camry's came without door or ignition locks. Sad but true. BSD based MacOS X is simply more secure, you can't run a root or superuser level access unless you put in a password(Same is by and large true for Linux). That reduces the amount of system-wide vulnerabilities available for virus writers and spyware producers, etc. This is assuming, of course, that you don't run your computer with the root account all the time, but then again, not locking the doors on a car also increases the chances of bad shit happening to it.
Printer Friendly | Permalink |  | Top
 
seabeyond Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 02:01 PM
Response to Original message
24. two nights ago my brother called me about this.
cause we got to the credit card # and they would fix. he is bring it over for husband to fix. i will give him this thread. thanks
Printer Friendly | Permalink |  | Top
 
SillyGoose Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 02:09 PM
Response to Original message
25. Thanks for this. I ran the script like you said.
I can still see pictures on the internet, though, and I didn't download the image viewer you recommended. Am I supposed to see pictures after I ran the script?

Please forgive me if my question sounds dumb, but I know hardly anything about the computer world.
Printer Friendly | Permalink |  | Top
 
quiet.american Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 03:41 PM
Response to Original message
26. Thank you! I've been dealing with this for about a week.
Finally, I ran Hijackthis about twelve times and that seemed to do some good. I also just ran your suggestion and hopefully this will do it.
Printer Friendly | Permalink |  | Top
 
Garbo 2004 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 06:36 PM
Response to Original message
31. These measures do not adequately protect against the variants in the wild.
Edited on Thu Dec-29-05 06:38 PM by Garbo 2004
People should be aware that this procedure is not a "fix."

Although unregistering the .dll is being widely recommended & also using a third-party graphic viewer such as Irfanview, folks should know that these measures in themselves do not provide them comprehensive protection against the Win Metafiles exploits that are out there.

A knowledgeable fellow on the subject of malware who now works at Kaspersky suggests over at the BBR Security forum that it's not an effective preventative measure against all versions of the exploit. He says, "Contrary to popular belief shimgvw.dll is not the vulnerable file." http://www.broadbandreports.com/forum/remark,15115819~d...

A CERT advisory appears to support his statement. Simply unregistering shimgvw.dll does not provide comprehensive protection from all variants. The trouble is, once a zero day exploit is out the bad guys analyze it and then produce variants to defeat initial protective measures. It appears an underlying vulnerability is now being exploited by variants that do not rely on the shimgvw.dll. From CERT:

Current public exploits use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).

It has also been reported that Google Desktop may be another potential attack vector and that various anti-virus software products cannot detect all known variants of exploits for this vulnerability. http://www.kb.cert.org/vuls/id/181038


The CERT advisory includes unregistering shimgvw.dll as a precaution since it may protect against some variants of malware. But folks should understand it's not a cure all at this time for Windows users. Additionally, use of another graphic viewer such as Irfanview does not afford adequate protection.

A blog at Kaspersky's Viruslist site presently indicates that use of hardware-based Data Execution Protection (for those that have it) can be effective, but NOT if another graphic viewer such as Irfanview is used since it apparently bypasses the DEP to display graphics. An excerpt:

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.

Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited. http://www.viruslist.com/en/weblog?weblogid=176771047
(And apparently variants are now out there which can still infect a system even if the user is running on a limited user account without Admin rights.)

For those who have hardware based DEP that might be something to look into. Not everyone with XP SP2 has the hardware that supports it, though. Don't know if the software DEP alone is sufficient in this matter. Those who only have the DEP software (without the relevant hardware) might have some limited protection by enabling DEP protection for all programs. MS article on DEP here: http://www.microsoft.com/technet/security/prodtech/wind...

Bottom line, be aware that unregistering the shimgvw.dll and using a third-party image viewer may provide some protection but variants are out that can defeat these measures. Check your antivirus program's website for information on what they cover as one imagines they're busting their humps to try and keep up with variants. Also fwiw I back up my AV with BOClean, an antitrojan program. BOClean covers a lot of malware but not a substitute for an AV. I'm not affiliated with any product, so check out whatever AV/AT software you do have to see how they're doing with this latest malware.

And for those Windows users who are adventurous in their internet use and occasionally visit the "dark side" of the net one might want to consider holding off for a bit. One needn't necessaarily deliberately download something, according to what I've read, to get infected. And viewing email in text rather than html is also recommended.
Printer Friendly | Permalink |  | Top
 
jim3775 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 06:55 PM
Response to Reply #31
33. I know that's why I said "protect yourself" not "fix"
I would recommend instead of using BO clean using an anti-virus product with good heuristics (NOD32, bitdefender). A good heuristics engine is better than any pattern matching. Processguard is another good piece of software and proxomitron; a powerful http filter (with an updated filter set) is another must for those concerned with security (although the learning curve would be too much for non-nerds).
Printer Friendly | Permalink |  | Top
 
Garbo 2004 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 07:51 PM
Response to Reply #33
34. Great. My concern is just that some folks may think the hack itself grants
Edited on Thu Dec-29-05 08:07 PM by Garbo 2004
them immunity when the problem is more complex and the hack alone isn't effective against the rapidly increasing variants in the wild. This exploit is a real bastard. Hard to easily tell average Win users how to adequately protect their systems when there is no totally effective "fix" available. (Shush, you Mac & Linux users. ;) ) And the variants keep on coming.

As you note an AV with good heuristics is recommended. I've used NOD with BOClean as an AT for years. Suits me. But most folks just have an AV and I think Symantec still has the largest market share and name recognition. Which is why I often recommend using BOClean in addition to an AV to catch things an AV may miss. As I noted above, BOClean is NOT a substitute for an AV.

Processguard of course is another application that folks should consider looking into. Its developers have been in the biz for years and know their stuff. They put TDS out to pasture to focus on the Processguard approach, as I recall.

And Proxo!! :) I've been a devoted user of The Mighty Proxomitron (LOL) for years and simply wouldn't/couldn't surf without it. There are filter config sets that are user friendly and help people over the learning curve, and that's helped many folks get into Proxo. At the BBR thread KyeU posted a filter that may help Proxo users. http://www.broadbandreports.com/forum/remark,15115819~d... . I make no claims for it myself, but I popped it in just in case. ;)
Printer Friendly | Permalink |  | Top
 
Garbo 2004 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 09:26 PM
Response to Reply #34
40. I wondered about the filter and & it appears KyeU's revised Proxo filters
yet again to address an oversight. I post this link just in case anyone out there is a Proxo user. http://www.broadbandreports.com/forum/remark,15115819~d...
Printer Friendly | Permalink |  | Top
 
gulfcoastliberal Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 08:06 PM
Response to Reply #33
37. Does AVG anti-virus have a good heuristics engine?
I use the pro version, the license goes through 2007.
Printer Friendly | Permalink |  | Top
 
earthboundmisfit Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 06:46 PM
Response to Original message
32. I had to unregister the .dll from command prompt
Edited on Thu Dec-29-05 07:05 PM by earthboundmisfit
I kept getting errors with regsvr32 Run from Start on my XP Pro machine, so I unregistered the .dll from the command prompt (known as DOS prompt to some of us), thusly:

C:>Windows\System32\regsvr32 /u shimgvw.dll

This worked fine.

Plus I have been a fan of Infranview for a long time - it's the best free image viewer out there, in my book at least - has lots of features too for editing etc...

Printer Friendly | Permalink |  | Top
 
PetraPooh Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 08:03 PM
Response to Original message
36. Will this work? Firefox + Adblocker set to block *.wmf
In other words I have adblock set to disallow any WMF formats till this is all cleared up? I haven't noticed any difference so far, but I have dial up so I don't see any images except avatars and stuff like that. I guess I would have to admit to being a bit confused as to what a WMF file is. Is it for the streaming stuff or what? Sorry, stupid me.
Printer Friendly | Permalink |  | Top
 
Garbo 2004 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 09:22 PM
Response to Reply #36
39. Can't say how effective that may be at this point but it might help
in some instances against some variants. But it would appear to provide very limited protection.

The problem is an OS vulnerability which apparently involves a basic functionality. While some versions of the exploit might possibly be mitigated by some measures like filtering .wmf format it's not a comprehensive solution. Just as unregistering the .dll as recommended in the initial post may help in some cases but not all. Variants are going around that go beyond the initial method and means of attack.

And file extensions can be changed so that a wmf does not have the telltale extension. It could appear as a .jpg for example. Apparently if downloaded and viewed via Windows Explorer (I don't mean Internet Explorer) what seemed not to be a .wmf could in fact be an infected .wmf. As noted in Schouw's post at BBR: http://www.broadbandreports.com/forum/remark,15115819~d...

It's still not clear to me how likely at this point the average user who doesn't live dangerously on the net might run into this malware. At first it was limited to certain websites. But even with those shut down, the exploit is apparently now used elsewhere on other sites and can be passed on by other means. Could be passed on via email, for example, which is why setting email to reading in plain text and not opening attachments one does not expect seem to be a generally prudent approach. One fellow mentioned getting it passed to him as a download via IRC, I think.

Sorry, this isn't a particularly helpful response. But this appears to be a real bastard of an exploit. AV's are responding but playing catch up with malware variants takes time if an AV's heuristics don't suffice to provide protection.
Printer Friendly | Permalink |  | Top
 
Chalco Donating Member (817 posts) Send PM | Profile | Ignore Fri Dec-30-05 07:16 AM
Response to Original message
43. Question: when you say to uninstall Google desktop
what exactly do you mean. I have as my home page Verizon and then I have a Google search thing in my toolbar. Am I supposed to disable that?

Thanks.
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Sun Jul 13th 2014, 11:41 AM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Archives » General Discussion (01/01/06 through 01/22/2007) Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC