Dec 28 2005

You can try this

Published by at 8:10 pm under Malware

If you’re worried about the 0-day Microsoft vulnerability in the handling of WMF files, you can try this hint that Dave Klienman suggested on the CISSP mailing list:

From Dave:

Actually just change:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview]
@="{e84fda7c-1d6a-45f6-b725-cb260c236066}"

To @=""

And reboot.  Or unregister the image view DLL;

To un-register Shimgvw.dll, follow these steps:

1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround:
The Windows Picture and Fax Viewer will no longer be started when users
click on a link to an image type that is associated with the Windows
Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

The unregister steps were directly from the Microsoft advisory on this vulnerability, but in typical Microsoft fashion, they were three levels in and somewhere the average, or even above average user, would never find them.  I wouldn’t have found it if not for Dave’s post and the fact that other, similar vulnerability alerts had listed the same steps in an easier to find fashion.

I’m not going to be doing this to my computer, and I’m not really suggesting you do this either.  I’m just letting you know that this is an option.   A better option would be to upgrade to Firefox 1.5, which doesn’t use the vulnerable DLL when viewing WMF files.
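A read-back check for both workarounds above, written in PowerShell as an added example (not part of the original post or the Microsoft advisory). The key path and GUID come from the post; the function names are hypothetical, and treating the same GUID as the COM class that shimgvw.dll registers is an assumption.

```powershell
# Added example: audits and toggles the workarounds described in the post.
# Key path and GUID are copied from the post; function names are hypothetical.
$HandlerKey  = 'HKLM:\SOFTWARE\Classes\SystemFileAssociations\image\ShellEx\ContextMenuHandlers\ShellImagePreview'
$HandlerGuid = '{e84fda7c-1d6a-45f6-b725-cb260c236066}'
# Assumption: the handler GUID is also the COM class that shimgvw.dll registers.
$ClsidKey    = "HKLM:\SOFTWARE\Classes\CLSID\$HandlerGuid\InprocServer32"

function Get-DefaultValue([string]$Key) {
    # Returns the key's default (@) value, or $null if the key or value is absent.
    $item = Get-ItemProperty -LiteralPath $Key -Name '(default)' -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

function Get-WmfWorkaroundState {
    # Reports what is currently in the registry; changes nothing.
    $handler = Get-DefaultValue $HandlerKey
    $server  = Get-DefaultValue $ClsidKey
    New-Object PSObject -Property @{
        HandlerValue     = $handler
        HandlerDisabled  = [string]::IsNullOrEmpty($handler)
        RegisteredServer = $server
        DllUnregistered  = [string]::IsNullOrEmpty($server)
    }
}

function Set-ShellImagePreviewHandler([switch]$Restore) {
    # Needs an elevated session. Without -Restore it writes @="" (the post's
    # change); with -Restore it writes the original GUID back.
    $value = if ($Restore) { $HandlerGuid } else { '' }
    Set-ItemProperty -LiteralPath $HandlerKey -Name '(default)' -Value $value
    Get-WmfWorkaroundState
}

# Read-only audit of the current machine.
Get-WmfWorkaroundState | Format-List
```

Calling `Set-ShellImagePreviewHandler` applies the registry change and `Set-ShellImagePreviewHandler -Restore` reverses it; the reboot mentioned in the post is still needed for the change to take effect.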
