Garbo 2004 Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Dec-29-05 07:36 PM
Response to Original message
31. These measures do not adequately protect against the variants in the wild.
Edited on Thu Dec-29-05 07:38 PM by Garbo 2004
People should be aware that this procedure is not a "fix."

Although unregistering the .dll is being widely recommended & also using a third-party graphic viewer such as Irfanview, folks should know that these measures in themselves do not provide them comprehensive protection against the Win Metafiles exploits that are out there.

A knowledgeable fellow on the subject of malware who now works at Kaspersky suggests over at the BBR Security forum that it's not an effective preventative measure against all versions of the exploit. He says, "Contrary to popular belief shimgvw.dll is not the vulnerable file." http://www.broadbandreports.com/forum/remark,15115819~days=9999~start=50#15124841

A CERT advisory appears to support his statement. Simply unregistering shimgvw.dll does not provide comprehensive protection from all variants. The trouble is, once a zero day exploit is out the bad guys analyze it and then produce variants to defeat initial protective measures. It appears an underlying vulnerability is now being exploited by variants that do not rely on the shimgvw.dll. From CERT:

Current public exploits use the Windows Picture and Fax Viewer (SHIMGVW.DLL) as an attack vector affecting users of any Windows-based application that can handle Windows Metafiles. However, disabling the Windows Picture and Fax Viewer will not eliminate this vulnerability as it is currently thought to exist in the Windows Graphical Device Interface library (GDI32.DLL).

It has also been reported that Google Desktop may be another potential attack vector and that various anti-virus software products cannot detect all known variants of exploits for this vulnerability. http://www.kb.cert.org/vuls/id/181038


The CERT advisory includes unregistering shimgvw.dll as a precaution since it may protect against some variants of malware. But folks should understand it's not a cure all at this time for Windows users. Additionally, use of another graphic viewer such as Irfanview does not afford adequate protection.

A blog at Kaspersky's Viruslist site presently indicates that use of hardware-based Data Execution Protection (for those that have it) can be effective, but NOT if another graphic viewer such as Irfanview is used since it apparently bypasses the DEP to display graphics. An excerpt:

At first glance it seems that hardware-based Data Execution Protection, which is available only with XP/SP2 on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, prevents successful exploitation of the vulnerability.

We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files.

This shows that although HW DEP can help, it's by no means a solution.

Perhaps the most worrying thing about this whole issue is that NTFS rights have no effect on whether or not the vulnerability will be exploited. http://www.viruslist.com/en/weblog?weblogid=176771047
(And apparently variants are now out there which can still infect a system even if the user is running on a limited user account without Admin rights.)

For those who have hardware based DEP that might be something to look into. Not everyone with XP SP2 has the hardware that supports it, though. Don't know if the software DEP alone is sufficient in this matter. Those who only have the DEP software (without the relevant hardware) might have some limited protection by enabling DEP protection for all programs. MS article on DEP here: http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx

Bottom line, be aware that unregistering the shimgvw.dll and using a third-party image viewer may provide some protection but variants are out that can defeat these measures. Check your antivirus program's website for information on what they cover as one imagines they're busting their humps to try and keep up with variants. Also fwiw I back up my AV with BOClean, an antitrojan program. BOClean covers a lot of malware but is not a substitute for an AV. I'm not affiliated with any product, so check out whatever AV/AT software you do have to see how they're doing with this latest malware.

And for those Windows users who are adventurous in their internet use and occasionally visit the "dark side" of the net, one might want to consider holding off for a bit. One needn't necessarily deliberately download something, according to what I've read, to get infected. And viewing email in text rather than html is also recommended.
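The CERT excerpt in the post above places the flaw in GDI32.DLL rather than shimgvw.dll, which is why unregistering the viewer does not stop variants: the hostile record is in the WMF file itself and any program that plays it through GDI is exposed. As an added example that is not part of the original post or of any product it names, this Python scanner walks the records of a WMF file and flags META_ESCAPE records carrying the SETABORTPROC escape, the record the 2005 exploits abused; the record-type and escape constants follow the WMF format, while the function names and the inline sample files are constructed for this example.

```python
import struct

META_ESCAPE = 0x0626     # WMF record type that carries printer escapes
META_EOF = 0x0000        # terminating record
SETABORTPROC = 9         # escape code the 2005 WMF exploits abused
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def wmf_records(data: bytes):
    """Yield (offset, function, param_bytes) for each record in a WMF."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size_words * 2]
        if func == META_EOF:
            break
        off += size_words * 2

def find_setabortproc(data: bytes):
    """Offsets of META_ESCAPE records whose escape code is SETABORTPROC.
    Triage heuristic only: a hit does not prove the file is malicious."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def build_wmf(records):
    """Constructed helper: assemble a minimal disk WMF from (function, params) pairs."""
    body, max_rec = b"", 0
    for func, params in list(records) + [(META_EOF, b"")]:
        words = 3 + (len(params) + 1) // 2          # record size in 16-bit words
        body += struct.pack("<IH", words, func) + params.ljust(words * 2 - 6, b"\0")
        max_rec = max(max_rec, words)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body

# Constructed samples: a harmless SetMapMode record, and an escape record whose
# payload is only zero padding (no code), enough to exercise the detector.
BENIGN = build_wmf([(0x0103, struct.pack("<H", 1))])
SUSPECT = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)])
```

Because the check is on the record structure, it works the same whether the file reaches the machine as a download, an attachment, or a file picked up by an indexer like the Google Desktop vector mentioned above.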