How to stay safe with the new Windows vulnerability

As previously published here, this is a quick-and-dirty method to get yourself in a relatively safe position:

1) Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2) Restart the machine.

[Update] Note that this workaround still does not remove the vulnerability and will not block “modified” attacks.  

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

MSRC is fully aware of this situation and is working on a patch to be released in the coming days. In the meantime, make sure that your Windows OS is configured to receive automatic updates, and that you have an antivirus program installed.

[Second update – Jan 5] The fix is now available here:

Comments (5)

  1. PatriotB says:

    What still isn’t clear is whether this is a bug just in SHIMGVW or if it’s a bug in the main WMF code in GDI. If it’s just the former, then this workaround would be sufficient. But if it’s in GDI itself, there’d still be plenty of open doors…

  2. AdiOltean says:

    Good point. I added a phrase in the text of my blog post in which I made this point explicit. The workaround is NOT a 100% safe method of protecting the machine.

  3. Anonymous says:

    There is another way to mitigate this attack… DON’T RUN AS A FREAKING ADMINISTRATOR! Run as a limited user, and most attacks should fail since they attempt to modify machine state!

    This is a good time for Microsoft to do something about the firewall in XPSP2: Add some basic content filtering, other personal firewalls have had it for ages!

  4. Anonymous says:

    Actually, no Windows machine today should run without a good antivirus installed.

    Here you’ll find an article by ZDNet. Almost all antivirus products can effectively protect from the wmf vulnerability, as proved after 206 tests.