Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote

PA Bear

Tom [Pepper] Willett

The work-around is also posted on the MS security advisory that PA Bear
posted.

Tom
| Here's a way to avoid the risk altogether:
|
| http://geekswithblogs.net/lorint
|
|
|
| "PA Bear" wrote:
|
| > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
| > Followup set to microsoft.public.security.
| >
| > Microsoft Security Advisory (912840): Vulnerability in Graphics
| > Rendering Engine Could Allow Remote Code Execution
| > http://www.microsoft.com/technet/security/advisory/912840.mspx
| >
| > Welcome to the Microsoft Security Response Center Blog!
| > New Security Advisory for Possible Windows Vulnerability
| > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
| > --
| > ~PA Bear
| >
| >
 
Tom [Pepper] Willett

It's under "Suggested Actions"

Tom
| Hmmm, if it was out there before then it isn't there anymore. The strongest
| protection I see mentioned is to enable Enhanced Security Configuration. I
| still recommend this solution:
|
| http://geekswithblogs.net/lorint
|
|
| "Tom [Pepper] Willett" wrote:
|
| > The work-around is also posted on the MS security advisory that PA Bear
| > posted.
| >
| > Tom
| > | Here's a way to avoid the risk altogether:
| > |
| > | http://geekswithblogs.net/lorint
| > |
| > |
| > |
| > | "PA Bear" wrote:
| > |
| > | > X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
| > | > Followup set to microsoft.public.security.
| > | >
| > | > Microsoft Security Advisory (912840): Vulnerability in Graphics
| > | > Rendering Engine Could Allow Remote Code Execution
| > | > http://www.microsoft.com/technet/security/advisory/912840.mspx
| > | >
| > | > Welcome to the Microsoft Security Response Center Blog!
| > | > New Security Advisory for Possible Windows Vulnerability
| > | > http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx
| > | > --
| > | > ~PA Bear
| > | >
| > | >
| >
| >
| >
 
Stephen Howe

It's under "Suggested Actions"

No it is not. Those, in the strictest sense, do not prevent you getting
inadvertently infected. None of them do. A "workaround" would prevent you
getting infected. That is the normal meaning of the word "workaround".

Here is a workaround:

Run
regsvr32 /u shimgvw.dll

Stephen Howe
 
Tom [Pepper] Willett

Suggested Actions
Workarounds

Microsoft has tested the following workaround. While this workaround will
not correct the underlying vulnerability, it will help block known attack
vectors. When a workaround reduces functionality, it is identified in the
following section.

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows
XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
Windows Server 2003 Service Pack 1

From the MS Advisory:



To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.


Impact of Workaround: The Windows Picture and Fax Viewer will no longer be
started when users click on a link to an image type that is associated with
the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll”
(without the quotation marks).



Tom

"Stephen Howe" <stephenPOINThoweATtns-globalPOINTcom> wrote in message
|> It's under "Suggested Actions"
|
| No it is not. Those, in the strictest sense, do not prevent you getting
| inadvertently infected. None of them do. A "workaround" would prevent you
| getting infected. That is the normal meaning of the word "workaround".
|
| Here is a workaround:
|
| Run
| regsvr32 /u shimgvw.dll
|
| Stephen Howe
|
|
|
|
|
 
Kerry Brown

Stephen said:
No it is not. Those, in the strictest sense, do not prevent you
getting inadvertently infected. None of them do. A "workaround" would
prevent you getting infected. That is the normal meaning of the word
"workaround".

Here is a workaround:

Run
regsvr32 /u shimgvw.dll

Stephen Howe

Click on the plus sign beside Suggested Actions, then click on the plus sign
beside Workarounds. It is there.

Kerry
 
Lem

Stephen said:
No it is not. Those, in the strictest sense, do not prevent you getting
inadvertently infected. None of them do. A "workaround" would prevent you
getting infected. That is the normal meaning of the word "workaround".

Here is a workaround:

Run
regsvr32 /u shimgvw.dll

Stephen Howe

The advice to unregister shimgvw.dll is indeed in the originally-posted MS
article. However, in true MS fashion, it is hidden several layers deep. You
have to click on the + to expand "Suggested Actions," then click on the +
next to "Workarounds" and finally, click on the + next to "Un-register the
Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1;
Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1"
 
Stephen Howe

The advice to unregister shimgvw.dll is indeed in the originally-posted MS
article. However, in true MS fashion, it is hidden several layers deep. You
have to click on the + to expand "Suggested Actions," then click on the +
next to "Workarounds" and finally, click on the + next to "Un-register the
Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1;
Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1"

Yeah, you're right. Sorry. I missed all those levels of +'s

Stephen Howe
 
Kerry Brown

PA said:
X-post to Security, Security.Homeusers, IE6 & WinXP General
newsgroups. Followup set to microsoft.public.security.

Microsoft Security Advisory (912840): Vulnerability in Graphics
Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx

Welcome to the Microsoft Security Response Center Blog!
New Security Advisory for Possible Windows Vulnerability
http://blogs.technet.com/msrc/archive/2005/12/29/416569.aspx

As an addendum. This exploit is being used right now. I just received a
customer's computer that was infected with Spy Sheriff by this method. The
exploit was in a spam email. Turn off the preview pane in OE (always a good
idea) and turn off the Windows picture and fax viewer until Microsoft has a
fix.

Kerry
 
PA Bear

X-posted to OE General, OE6, Security & Security.Homeusers NGs.
Followup-to: WinXP General

Kerry said:
As an addendum. This exploit is being used right now. I just received a
customer's computer that was infected with Spy Sheriff by this method.
The exploit was in a spam email. Turn off the preview pane in OE (always
a good idea) and turn off the Windows picture and fax viewer until
Microsoft has a fix.

Preview Pane should be OK if...

OE: Tools > Options > Read > Read all messages in Plain Text (check)

OE: Tools > Options > Security > Download images... (check)

See
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2email.mspx
 
Karl Levinson, mvp

The advice to unregister shimgvw.dll is indeed in the originally-posted MS
article. However, in true MS fashion, it is hidden several layers deep. You
have to click on the + to expand "Suggested Actions," then click on the +
next to "Workarounds"

I have to agree. I read those security articles religiously, and I missed
the workaround as well. Apparently I'm far from the only one that missed
this. This could be done better.
 
PA Bear

X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
Followup-to set for microsoft.public.security.

The FAQ section of
http://www.microsoft.com/technet/security/advisory/912840.mspx has been
updated.

Fully expand Suggested Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".

Additional Resources:

Protect Your PC
http://www.microsoft.com/athome/security/protect/

Microsoft Security Home Page
http://www.microsoft.com/security/default.mspx
 
Stephen Howe

The FAQ section of
http://www.microsoft.com/technet/security/advisory/912840.mspx has been
updated.

Fully expand Suggested Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".

What about Windows 2000 Professional SP4?
Running that at work and that has

07/12/1999 12:00 52,496 shimgvw.dll

Is the workaround useless for Windows 2000?

According to here
http://www.updatexp.com/wmf-exploit.html
ME & 2000 are vulnerable

Cheers

Stephen Howe
 
Guest

Has anyone just removed the .wmf file type?

Would this be equal to (or even better than) unregistering the fax/picture
viewer DLL?

I assume it would result in the user being prompted to specify a program to
open the file.

Thanks.

====
Mike
 
Stephen Howe

Has anyone just removed the .wmf file type?
Would this be equal to (or even better than) unregistering the fax/picture
viewer DLL?

From what I understand this vulnerability can occur with the extension JPGs,
JPEGs, PNGs, GIFs, TIFFs
so, no, the original suggestion is no good.

Good thought.

Stephen Howe
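
An added example, not part of the original thread: the last reply's point that the extension does not matter holds because a metafile is recognised by its header bytes, not its name. This sketch flags files that carry an image extension but begin with a WMF header; the file names and sample bytes are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # optional 22-byte placeable header, key 0x9AC6CDD7
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, with or without the placeable prefix."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]
    if len(data) < 18:  # META_HEADER is 18 bytes
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def find_disguised_wmf(root) -> list:
    """Names of files under root that carry an image extension but WMF content."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            with path.open("rb") as fh:
                if looks_like_wmf(fh.read(40)):
                    hits.append(path.name)
    return sorted(hits)

def demo() -> list:
    """Write constructed sample files to a temp directory and scan it."""
    # Constructed, harmless samples: an 18-byte header plus an end-of-file record.
    wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + b"\x03\x00\x00\x00\x00\x00"
    placeable = PLACEABLE_KEY + b"\x00" * 18 + wmf
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    samples = {"picture.jpg": wmf, "logo.gif": placeable,
               "real.jpg": jpeg, "drawing.wmf": wmf}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return find_disguised_wmf(tmp)

if __name__ == "__main__":
    print(demo())
```

A hit means only that the content is a metafile under a misleading extension, which is worth a closer look; it is not by itself a verdict that the file is malicious.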
 
