“Really bad” security exploit arrives

The Sunbelt Software Blog has details on a new security exploit that blows by fully patched Windows XP systems:

Any application that automatically displays a WMF image will cause the user’s machines to get infected. This includes older versions of Firefox, current versions of Opera, Outlook and all current version of Internet Explorer on all versions of Windows.

This is a zero-day exploit, the kind that give security researchers cold chills. It works by exploiting a weakness in the Windows engine that views graphics in the Windows Metafile (WMF) format. You can get infected by simply viewing an infected WMF image.

Another report from F-Secure says so far it’s being exploited by a handful of sites in Russia, but it will spread. You’re most likely to get directed to one of these sites via a spam message offering dirty pictures, free software, and other forms of bait.

I expect that all major antivirus companies will have detection and prevention for this by the end of the day. I don’t know of any workarounds, but will update this post if I hear any more. For now, use the most recent version of Firefox rather than any other browser and steer well clear of unknown/untrusted sites.

Update: One way to prevent this exploit from working is to disable the Windows Picture and Fax Viewer component. To do so, click Start, Run. In the Open box, type the following command:

regsvr32 /u shimgvw.dll

Press Enter to make the change.

This measure isn’t without side effects. Disabling this component eliminates the capability to view thumbnails of all image types (not just WMF files) in Windows Explorer folders, and it zaps the Preview command for images as well. You can work around these limitations by using a graphics viewing/editing program.

To re-enable the Windows Picture and Fax Viewer, issue this command:

regsvr32 shimgvw.dll