How to protect yourself against the Widows Metadata vulnerability

There is a critical unpatched vulnerability in windows that can affect your computer by simply viewing a certain image file. There are already dozens of websites that are hosting an image file that can install trojans and fake anti-spyware software (software that tells you your computer can be un-infected by entering a credit card number). You are still vulnerable if you do not use internet explorer.

Here is how to deal with it and protect yourself:
(all steps are taken from the US computer readiness team and this microsoft bulletin )

1. Uninstall google desktop if you use it. It's automatic indexing will execute the infected image file.

These next steps will break the windows picture and fax viewer but it is the only way to protect yourself short of http filtering.

2.Click Start, click Run, type "regsvr32 -u %windir \system32\shimgvw.dll" (without the quotation marks), and then click OK.

3. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

4. As a replacement for the built in image viewer download irfanview a freeware image viewer.

Once Microsoft has issued a patch you can make the image and fax viewer work again by replaceing the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

This is very important, please keep this kicked.

Not out of gloating, mind you, just out of the realization that the care and feeding of a computer system involves so much time already -- the MS leaky Windows system appears a nightmare to me. So glad there are so many less scares and vulnerabilities in this part of the cyber-universe. May it continue into eternity.

at least my Windows XP computer knows what year it is.

You Mac guys are an unique bunch!

We're always trying to get people to convert

:)

I LOVE my Mac :loveya:

Once you go Mac, you never go back! ;-)

Ever. Three years on my Mac, and still going strong. I'll never go back.

:eyes:

:P

PB

Running WindowsXP Pro SP2 with all the latest patches. Any advice?

The line...
"regsvr32 -u %windir \system32\shimgvw.dll"

should read...
"regsvr32 -u %windir%\system32\shimgvw.dll"

Note the missing percentage sign.

It's too late to edit now.

Welcome to DU!! :toast:

I assume you're from NY by your name 'newyawker99'. I live just outside NYC.

I've been quietly reading posts since last years elections.

Keeping the original message would add to the confusion. Problem solved.

switch to a Mac

The Macintosh operating system is MUCH more secure than Windows

I mean, come on: Tell your grandma or the accountant who works down the street to switch to Linux and give them the installation CD. See what they do with it....

Noooo, don't put it THERE!!!!

:wtf:

And we're not talking tinkering with the internals, just installing, running apps, dialing up to the Internet, etc. Ask your Grandma and your supermarket checkout girl.
:argh:

(after the install, that is!)

I mean, just don't open images in Image Viewer.

Is there a safe alternative?

I am tired of these fuckheads who whine and complain about viruses and such, yet continue to keep all their eggs in one basket.

I wouldn't be cheering the hackers, but I can't pity these fools who insist on having their cake, eating it, and not getting indolent and obese from it too.

I don't want to sound as rude as your post, but here's my 2 cents. If you wish to buy us all Macs, go for it. Until then, butt out. This was a nice favor the OP did for all of us using IE. I ran the script and appreciate the advice. I use Windows for my job and home, it is what I know and know well. Everyone has their own likes and dislikes. I take the risk of having these security breaches, all of us do. No need for the snideness.

Duh. Then some other car would be the most stolen car.

If people stopped using Windows and all used MACs, then all viruses would be for MACs.

Sheesh. Some people don't think things through.

...or at least nearly as often. There's more to the differences in OSes than just popularity.

if the Camry's came without door or ignition locks. Sad but true. BSD based MacOS X is simply more secure, you can't run a root or superuser level access unless you put in a password(Same is by and large true for Linux). That reduces the amount of system-wide vulnerabilities available for virus writers and spyware producers, etc. This is assuming, of course, that you don't run your computer with the root account all the time, but then again, not locking the doors on a car also increases the chances of bad shit happening to it.

cause we got to the credit card # and they would fix. he is bring it over for husband to fix. i will give him this thread. thanks

I can still see pictures on the internet, though, and I didn't download the image viewer you recommended. Am I supposed to see pictures after I ran the script?

Please forgive me if my question sounds dumb, but I know hardly anything about the computer world.

Finally, I ran Hijackthis about twelve times and that seemed to do some good. I also just ran your suggestion and hopefully this will do it.

People should be aware that this procedure is not a "fix."

Although unregistering the .dll is being widely recommended & also using a third-party graphic viewer such as Irfanview, folks should know that these measures in themselves do not provide them comprehensive protection against the Win Metafiles exploits that are out there.

A knowledgeable fellow on the subject of malware who now works at Kaspersky suggests over at the BBR Security forum that it's not an effective preventative measure against all versions of the exploit. He says, "Contrary to popular belief shimgvw.dll is not the vulnerable file." http://www.broadbandreports.com/forum/remark,15115819~days=9999~start=50#15124841

A CERT advisory appears to support his statement. Simply unregistering shimgvw.dll does not provide comprehensive protection from all variants. The trouble is, once a zero day exploit is out the bad guys analyze it and then produce variants to defeat initial protective measures. It appears an underlying vulnerability is now being exploited by variants that do not rely on the shimgvw.dll. From CERT:



The CERT advisory includes unregistering shimgvw.dll as a precaution since it may protect against some variants of malware. But folks should understand it's not a cure all at this time for Windows users. Additionally, use of another graphic viewer such as Irfanview does not afford adequate protection.

A blog at Kaspersky's Viruslist site presently indicates that use of hardware-based Data Execution Protection (for those that have it) can be effective, but NOT if another graphic viewer such as Irfanview is used since it apparently bypasses the DEP to display graphics. An excerpt:

(And apparently variants are now out there which can still infect a system even if the user is running on a limited user account without Admin rights.)

For those who have hardware based DEP that might be something to look into. Not everyone with XP SP2 has the hardware that supports it, though. Don't know if the software DEP alone is sufficient in this matter. Those who only have the DEP software (without the relevant hardware) might have some limited protection by enabling DEP protection for all programs. MS article on DEP here: http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx

Bottom line, be aware that unregistering the shimgvw.dll and using a third-party image viewer may provide some protection but variants are out that can defeat these measures. Check your antivirus program's website for information on what they cover as one imagines they're busting their humps to try and keep up with variants. Also fwiw I back up my AV with BOClean, an antitrojan program. BOClean covers a lot of malware but not a substitute for an AV. I'm not affiliated with any product, so check out whatever AV/AT software you do have to see how they're doing with this latest malware.

And for those Windows users who are adventurous in their internet use and occasionally visit the "dark side" of the net one might want to consider holding off for a bit. One needn't necessaarily deliberately download something, according to what I've read, to get infected. And viewing email in text rather than html is also recommended.

I would recommend instead of using BO clean using an anti-virus product with good heuristics (NOD32, bitdefender). A good heuristics engine is better than any pattern matching. Processguard is another good piece of software and proxomitron; a powerful http filter (with an updated filter set) is another must for those concerned with security (although the learning curve would be too much for non-nerds).

them immunity when the problem is more complex and the hack alone isn't effective against the rapidly increasing variants in the wild. This exploit is a real bastard. Hard to easily tell average Win users how to adequately protect their systems when there is no totally effective "fix" available. (Shush, you Mac & Linux users. ;) ) And the variants keep on coming.

As you note an AV with good heuristics is recommended. I've used NOD with BOClean as an AT for years. Suits me. But most folks just have an AV and I think Symantec still has the largest market share and name recognition. Which is why I often recommend using BOClean in addition to an AV to catch things an AV may miss. As I noted above, BOClean is NOT a substitute for an AV.

Processguard of course is another application that folks should consider looking into. Its developers have been in the biz for years and know their stuff. They put TDS out to pasture to focus on the Processguard approach, as I recall.

And Proxo!! :) I've been a devoted user of The Mighty Proxomitron (LOL) for years and simply wouldn't/couldn't surf without it. There are filter config sets that are user friendly and help people over the learning curve, and that's helped many folks get into Proxo. At the BBR thread KyeU posted a filter that may help Proxo users. http://www.broadbandreports.com/forum/remark,15115819~days=9999~start=50#15126149 . I make no claims for it myself, but I popped it in just in case. ;)

yet again to address an oversight. I post this link just in case anyone out there is a Proxo user. http://www.broadbandreports.com/forum/remark,15115819~days=9999~start=50#15127943

I use the pro version, the license goes through 2007.

I kept getting errors with regsvr32 Run from Start on my XP Pro machine, so I unregistered the .dll from the command prompt (known as DOS prompt to some of us), thusly:

C:>Windows\System32\regsvr32 /u shimgvw.dll

This worked fine.

Plus I have been a fan of Infranview for a long time - it's the best free image viewer out there, in my book at least - has lots of features too for editing etc...

In other words I have adblock set to disallow any WMF formats till this is all cleared up? I haven't noticed any difference so far, but I have dial up so I don't see any images except avatars and stuff like that. I guess I would have to admit to being a bit confused as to what a WMF file is. Is it for the streaming stuff or what? Sorry, stupid me.

in some instances against some variants. But it would appear to provide very limited protection.

The problem is an OS vulnerability which apparently involves a basic functionality. While some versions of the exploit might possibly be mitigated by some measures like filtering .wmf format it's not a comprehensive solution. Just as unregistering the .dll as recommended in the initial post may help in some cases but not all. Variants are going around that go beyond the initial method and means of attack.

And file extensions can be changed so that a wmf does not have the telltale extension. It could appear as a .jpg for example. Apparently if downloaded and viewed via Windows Explorer (I don't mean Internet Explorer) what seemed not to be a .wmf could in fact be an infected .wmf. As noted in Schouw's post at BBR: http://www.broadbandreports.com/forum/remark,15115819~days=9999~start=50#15124163

It's still not clear to me how likely at this point the average user who doesn't live dangerously on the net might run into this malware. At first it was limited to certain websites. But even with those shut down, the exploit is apparently now used elsewhere on other sites and can be passed on by other means. Could be passed on via email, for example, which is why setting email to reading in plain text and not opening attachments one does not expect seem to be a generally prudent approach. One fellow mentioned getting it passed to him as a download via IRC, I think.

Sorry, this isn't a particularly helpful response. But this appears to be a real bastard of an exploit. AV's are responding but playing catch up with malware variants takes time if an AV's heuristics don't suffice to provide protection.

what exactly do you mean. I have as my home page Verizon and then I have a Google search thing in my toolbar. Am I supposed to disable that?

Thanks.