Unofficial Patch for Windows Flaw

Security experts are urging Windows users to apply a non-Microsoft-issued software patch to fix an extremely dangerous bug that has exposed hundreds of millions of the operating system's users to spyware and viruses.

The patch was developed by computer programmer Ilfak Guilfanov, perhaps best known in security circles as the creator of IDA Pro, a tool used to analyze and deconstruct software and even malware.

Tom Liston, an Internet security consultant with Washington-based Intelguardians and an incident handler with the SANS Internet Storm Center, pleaded with Microsoft users to feel at ease installing the patch, which he said SANS had reverse-engineered, reviewed and vetted to ensure it fixes the problem and does nothing else.

"To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it," Liston wrote. "Now we're going to expend some of that hard-earned trust. This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice -- unregister shimgvw.dll and use the unofficial patch. You need to trust us."

The folks over at Finnish antivirus company F-Secure also have been chronicling the threats taking advantage of this new vulnerability, and they also urge users to install the patch from Guilfanov.

It's a pretty remarkable statement about the security community's assessment of the threat from this flaw that they would urge users to install a non-Microsoft patch. Hardly a month goes by when we don't warn about some virus or worm going around masquerading as a patch from Redmond.

I haven't seen any reports of this patch causing any trouble for those who've installed it, but of course, use the patch at your own risk. You can download it from here.

SANS's Liston said it doesn't appear that Microsoft Corp. will issue a fix for this problem before Jan. 10, its next regular monthly patch release date. SANS's recommendation comes hours after the emergence of an instant-message worm that's now exploiting the Windows flaw.

It looks like this patch could be difficult to deploy over large networks, as it must be applied manually at each machine. As a result, Liston said SANS is working on creating a different installer for the patch that would offer the ability to install the patch remotely.

I have to say I'm surprised that Microsoft has not yet issued an official fix for this. My guess is that if they wait until a week from Tuesday to ship an update, it will cost them dearly in terms of current and potential future customers.

Update, 8:00 p.m. ET, Jan. 3: Looks like Guilfanov's site has surpassed its allotted level of monthly Web traffic from all the attention his patch is getting. SANS has set up a mirror of the patch on their site, which is downloadable here.

By Brian Krebs  |  January 1, 2006; 6:36 PM ET
Categories:  Safety Tips  

Comments

Brian,
I read about this fix on the F-SECURE site but hesitated to install it. Thanks for publishing the other recommendations to go ahead and install it. I just installed it, re-booted and all seems well.

Also, has Symantec fixed their rar file scan problem yet? I have it blocked for now. There is nothing on their web site to indicate a fix has been applied, but they did have a software update on Saturday that required a re-boot. I'm going to have to start a list of temporary patches and work arounds! Thanks again!

Rich

Posted by: dbm1rxb | January 1, 2006 7:47 PM

If this is truly a big deal story that can affect hundreds of millions of PCs, then put in on the front page of tomorrow paper. If that doesn't get Gates and Ballmer's attention, nothing will.

Posted by: Tom | January 1, 2006 9:35 PM

I believe SANS's current "best practice" recommendation is to both unregister the DLL and to use the unofficial patch. To unregister the DLL:

* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

+++Steve

Posted by: Steve Mullen | January 1, 2006 9:38 PM

What happens when

a) the DLL is unregistered?
b) MS issues and the end user installs an official patch, and the unofficial patch has been employed and/or the DLL unregistered?

I haven't seen these issues addressed, and I'd sure like to know what I could be getting into.

Posted by: AH | January 2, 2006 1:27 AM

I believe Win 98 and 98SE don't ship with MS picture and fax viewer, so don't have shimgvw.dll, so that "fix" won't work for those systems. Just to save folks time searching :-).

Posted by: Luke | January 2, 2006 2:17 AM

Hi Brian;

Thanks very much for your continued service to, and support of, the IT Security community.

First, I used Ilfak's "checking" tool (http://www.hexblog.com/security/files/wmf_checker_hexblog.exe) to check vulnerability of my test systems. This showed them all (Win2K SP4, and WinXP SP2 - all fully patched) to be vulnerable.

Then, I deployed Ilfak's patch (v1.3) using Group Policy in my test bed network configuration. Upon boot of the clients, it installs, then reboots again to finalize the installation.

Then, I used Ilfak's checking tool again to verify the vulnerability was resolved.

Ilfak deserves a lot of credit for reacting to this threat faster than Microsoft and, like you, continues to do a great service for us all.

KevFrey

Posted by: Kevin Frey | January 2, 2006 2:24 AM

In reference to the question about unregistering the dll file, after Microsoft issues a patch for this, you simply re-register that dll file. If you are debating about whether to delete or rename the file, it's been recommended that you rename it, so you can use it after the patch is issued.

When the dll file is unregistered, certain programs won't function normally. The main one I can remember is "My Computer" (Windows Explorer). The thing that is 'broken' is the ability to see a miniature version of the image in your lower left hand corner. In other words, any program that uses "Thumbnails" won't show them.

However, Outlook and other programs can/will still use Picture and Fax Viewer, which is why you need to use the patch alongside the unregistering of the dll file.

Hope this answers your questions.

Posted by: Patrick Dickey | January 2, 2006 5:12 AM

Hey Tom - This was on the front page of the paper! Well, the lead story on the business front, but hey..

http://www.washingtonpost.com/wp-dyn/content/article/2005/12/29/AR2005122901456.html

Posted by: Bk | January 2, 2006 9:33 AM

I added the patch and unregistered the DLL, but is there a way to know if my machine is already infected (if antivirus software cannot detect it)? Would it be best not to visit e-commerce sites until Microsoft issues its patch?

Posted by: dcg | January 2, 2006 6:36 PM

It's my understanding that simply using Firefox will prevent this new exploit. While I highly recommend users switch anyways, now is the time where it could mean the difference in your PC's life. I might be wrong concerning this but latest I heard, the Firefox and Opera browsers prevent this exploit.

http://www.getfirefox.com

Posted by: Ross | January 3, 2006 9:10 AM

While FF requires user interaction to activate the exploit, it isn't perfect protection, and does nothing about receiving a file by email or an infected word document. Additional protection can be built into FF by using Adblock extension and blocking *.emf and *.wmf files, but again only helps in FF.

Posted by: Dave H | January 3, 2006 10:54 AM

It's important to note that if you're using Firefox and you're blocking *.emf & *.wmf files, you shouldn't assume that you're protected. From the PC Doctor article:

>> What makes this issue much worse is the fact that the affected WMF files can be renamed as .JPG, .GIF, .BMP or a number of other different file extensions and the exploit code will still run. This is because Windows handles these files based on the header information contained in the image rather than based on the file extension.

Posted by: Vellosoft | January 3, 2006 11:52 AM
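The quoted point above, that Windows dispatches on the image header rather than the file extension, is the reason extension-based blocking is not enough. As an added example (not from the post or any commenter), here is a small Python sniffer a defender could run over downloads or mail attachments to flag metafile content hiding behind another image extension; the sample file names and bytes are constructed.

```python
from pathlib import Path

# Signatures of Windows Metafile content, checked on the leading bytes only.
# A placeable WMF (Aldus header) starts with the little-endian key 0x9AC6CDD7.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
# A standard WMF starts with META_HEADER: mtType (1 = memory, 2 = disk),
# mtHeaderSize (always 9 words), mtVersion (0x0100 or 0x0300).
STANDARD_WMF_PREFIXES = (
    b"\x01\x00\x09\x00\x00\x01", b"\x01\x00\x09\x00\x00\x03",
    b"\x02\x00\x09\x00\x00\x01", b"\x02\x00\x09\x00\x00\x03",
)
# An enhanced metafile starts with record type 1 (EMR_HEADER) and carries
# the " EMF" signature at byte offset 40.
EMF_RECORD_TYPE = b"\x01\x00\x00\x00"
EMF_SIGNATURE = b" EMF"


def metafile_kind(data: bytes):
    """Return 'wmf', 'emf' or None, judged from the header bytes alone."""
    if data.startswith(PLACEABLE_WMF_KEY) or data.startswith(STANDARD_WMF_PREFIXES):
        return "wmf"
    if data.startswith(EMF_RECORD_TYPE) and data[40:44] == EMF_SIGNATURE:
        return "emf"
    return None


def is_disguised_metafile(name: str, data: bytes) -> bool:
    """True when the header says metafile but the extension says otherwise."""
    kind = metafile_kind(data)
    return kind is not None and Path(name).suffix.lower() != f".{kind}"


def scan_samples(samples):
    """Return the names whose extension does not match metafile content."""
    return [name for name, data in samples.items() if is_disguised_metafile(name, data)]


# Constructed sample "files": a placeable WMF renamed to .jpg, a genuine JPEG,
# and a standard WMF under its own extension. Bytes after each header are filler.
SAMPLES = {
    "holiday.jpg": PLACEABLE_WMF_KEY + b"\x00" * 18 + b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20,
    "chart.wmf": b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12,
}

if __name__ == "__main__":
    for name in scan_samples(SAMPLES):
        print(f"{name}: extension does not match metafile header")
```

To use it on real files, read each file's first 64 bytes and pass them with the file name to is_disguised_metafile.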

@Rich (dbmfrxb)?:

Symantec has in fact produced patches for the .RAR issue. Check out their web site for details. Once again, however, you'll have to contact support for some of the enterprise software patches (you can't just download them).

Posted by: David | January 3, 2006 12:12 PM

Does anyone know why Microsoft's security news feed (RSS) not have anything about the .WMF issue?

Seems irresponsible to not include this in the feed, or is the feed only for "Hey, we fixed this issue..." PR information.

Thoughts?

Posted by: David | January 3, 2006 12:15 PM

The link for downloading the fix ain't right, URL-wise. Seems that hexblog.com's account has been *suspended*...

Posted by: Greg | January 3, 2006 7:22 PM

Greg -- Guilfanov's site exceeded its monthly Internet bandwidth allocation, so the site has been suspended. I have updated this blog post with a link to the patch hosted by SANS.

Posted by: Bk | January 3, 2006 8:02 PM

I installed the patch and lost my ability to connect to the Internet. I have Roadrunner. I had to uninstall it to connect to the Web.

Posted by: EF | January 4, 2006 4:33 AM

Ok, how about some step by step for us newbies that have the virus. Have called Microsoft for three days in a row and their attempts at getting to the problems have not helped as reported.
What has to be renamed? How? Once the patch you quote is installed, then what?
Once Microsoft does something then what? How and what do you rename? thanks for any help.

Posted by: Jim | January 4, 2006 7:47 AM

© 2010 The Washington Post Company