WMF mitigation: Running regsvr32 on remote computers with PsExec - RESOLVED

Frank B Denman

Maybe you won't have to struggle with this as long as I did to get it working.

PsExec is a free utility downloadable from <www.sysinternals.com>.

This command unregisters shimgvw.dll on a single remote computer. The /S switch
suppresses the popup dialog:

psexec \\computername -u domain\administrator regsvr32.exe /U /S shimgvw.dll

And it returns the result code:

regsvr32.exe exited on computername with error code 0

To run this command against a whole bunch of workstations:

psexec @computer_list.txt -u domain\administrator regsvr32.exe /U /S shimgvw.dll 2> result_codes.txt

Computer_list.txt is a listing of all the remote computers on which the command
should be run. The format is each computer name on a separate line. The result
codes go to result_codes.txt instead of to the screen.

To reregister the dll, run the same command but without the /U switch.

Happy camping!

Frank


Frank Denman
Denman Systems
(e-mail address removed)
Please delete the "x" from my email address.
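A small checker for the result_codes.txt produced by the batch command above, added here as an example (it is not Frank's code and not part of PsExec). It reads the "exited on ... with error code N" lines, compares them against computer_list.txt, and reports which computers reported a non-zero regsvr32 exit code or produced no result line at all. The host names and the connection-failure message in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Result line format as shown in the thread:
#   regsvr32.exe exited on computername with error code 0
RESULT_RE = re.compile(r"exited on (\S+) with error code (-?\d+)", re.IGNORECASE)


def parse_result_codes(text: str) -> Tuple[Dict[str, int], List[str]]:
    """Return {host: exit_code} plus any lines that are not PsExec result lines."""
    codes: Dict[str, int] = {}
    other: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RESULT_RE.search(line)
        if m:
            codes[m.group(1).lower()] = int(m.group(2))
        else:
            other.append(line)  # e.g. a PsExec connection error; review by hand
    return codes, other


def coverage_report(computer_list: str, result_text: str) -> Dict[str, List[str]]:
    """Classify every host in computer_list.txt by what result_codes.txt says about it."""
    targets = [l.strip().lower() for l in computer_list.splitlines() if l.strip()]
    codes, other = parse_result_codes(result_text)
    return {
        "ok": sorted(h for h in targets if codes.get(h) == 0),
        # non-zero codes come from regsvr32 itself (the DLL was not unregistered)
        "failed": sorted(h for h in targets if h in codes and codes[h] != 0),
        # listed but no result line: PsExec never ran regsvr32 there
        "missing": sorted(h for h in targets if h not in codes),
        "unparsed": other,
    }


# Constructed sample input (hypothetical host names; the last line is a made-up
# connection-failure message, not PsExec's actual wording).
SAMPLE_LIST = "WS-FINANCE01\nWS-FINANCE02\nWS-HR01\nWS-LAB07\n"
SAMPLE_RESULTS = """regsvr32.exe exited on WS-FINANCE01 with error code 0
regsvr32.exe exited on WS-FINANCE02 with error code 0
regsvr32.exe exited on WS-HR01 with error code 3
Could not connect to WS-LAB07 (constructed message)
"""

if __name__ == "__main__":
    for category, hosts in coverage_report(SAMPLE_LIST, SAMPLE_RESULTS).items():
        print(f"{category}: {hosts}")
```

Run it against your own computer_list.txt and result_codes.txt to see which machines still need a second pass.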
 
Doug Knox MS-MVP

While this stops the Picture and Fax Viewer from working, it does not prevent IE from displaying WMF files, which is another attack vector.
 
Frank B Denman

Rats! You are right. Just confirmed this on XP SP2. Curious that MS makes no
mention of this four-lane loophole in their security advisory at
<http://www.microsoft.com/technet/security/advisory/912840.mspx>

I was ready to deploy this on the theory that it would buy a modicum of security
while staying in tune with official MS guidelines, but if it leaves IE wide open
I'm not sure it's worth the effort.

Frank


Frank Denman
Denman Systems
(e-mail address removed)
Please delete the "x" from my email address.
 
Doug Knox MS-MVP

They did mention it, but it was kind of an indirect reference.

Mitigating Factors:
• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site.
 
Kerry Brown

Microsoft's response to this exploit has been woefully lacking. I agree with
their decision to fully test their patch before releasing it to the public
but they have been ridiculously downplaying the scope and impact of the
exploit. There is an unofficial patch you can use. Many respected
individuals and organisations have tested and are recommending it. There is
an msi available for deployment by group policy if needed. Google for wmf
patch to find out who recommends it and who doesn't.

http://www.hexblog.com/

Kerry
 