
regsvr32 /u shimgvw.dll

Posted on December 29th, 2005 at 11:16 by John Sinteur in category: Microsoft, Security

[Quote:]

Security researchers have released instructions for exploiting a previously unknown security hole in Windows XP and Windows 2003 Web Server with all of the latest patches applied.

Anti-virus company Symantec warned of the new exploit, which it said uses a vulnerability in the way Windows computers process certain image files (Windows Meta Files, or those ending in .wmf).

The exploit is already in the wild. Do this to secure your computer (for now):

1. Click on the Start button on the taskbar.
2. Click on Run…
3. Type “regsvr32 /u shimgvw.dll” to disable.
4. Click ok when the change dialog appears.

You will also lose the ability to see thumbnails, but that’s a small price to pay.

[Quote:]

Do note that it’s really easy to get burned by this exploit if you’re analysing it under Windows. All you need to do is to access an infected web site with IE or view a folder with infected files with the Windows Explorer.

You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That’s it, it was enough to download the file. So how on earth did it have a chance to execute?

The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.
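As an added check for the workaround quoted above (this is not code from the original post or from the sources it quotes): the script below scans HKCR\CLSID for the COM registrations that `regsvr32 /u shimgvw.dll` removes, so you can confirm whether the DLL is still reachable through COM, which is also the path the Google Desktop indexer used, before or after applying the workaround. The function names and the interactive prompt are my own; the `/s` switch just suppresses the confirmation dialog the post mentions.

```powershell
# Added example, not from the original post: verify and optionally apply the
# "regsvr32 /u shimgvw.dll" workaround. Run from an elevated PowerShell prompt.
function Get-ShimgvwRegistration {
    param([string]$DllName = 'shimgvw.dll')
    # Every in-process COM server lives under HKCR\CLSID\{guid}\InprocServer32,
    # with the DLL path as that key's default value. HKCR already merges the
    # HKLM and HKCU Software\Classes hives, so one scan covers both.
    $pattern = [regex]::Escape($DllName)
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
            if (Test-Path -LiteralPath $inproc) {
                $server = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                if ($server -match $pattern) {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Disable-Shimgvw {
    # The same command the post gives, run silently (/s); exit code 0 is success.
    $proc = Start-Process -FilePath regsvr32.exe -ArgumentList '/u', '/s', 'shimgvw.dll' -Wait -PassThru
    return $proc.ExitCode
}

$before = @(Get-ShimgvwRegistration)
if ($before.Count -eq 0) {
    Write-Output 'shimgvw.dll has no COM registrations: the workaround is in place.'
} else {
    Write-Output "shimgvw.dll is registered under $($before.Count) CLSID(s):"
    $before | Format-Table -AutoSize
    if ((Read-Host 'Unregister it now? (y/N)') -eq 'y') {
        $code  = Disable-Shimgvw
        $after = @(Get-ShimgvwRegistration)
        Write-Output "regsvr32 exit code $code; registrations remaining: $($after.Count)"
    }
}
```

Re-running the script after the patch and `regsvr32 shimgvw.dll` shows the registrations returning, which answers the question in the first comment about whether the DLL is back in service.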



Comments:

  1. hi! I’ve unregistered the dll as you suggested, and all went fine. After that Microsoft released a patch. I am guessing if the patch cured the dll even if unregistered.
    Do you think I can re-register the dll safely? Is there any SECURE site where I can test my system to know if I am still affected by the bug? thanks

  2. disregard my latest comment. the patch is applied correctly, I’ve tested it here: http://isc.sans.org/diary.php?storyid=994
    thanks

Sanity

Posted on December 29th, 2005 at 11:00 by John Sinteur in category: Quote

The statistics on sanity are that one out of every four Americans is suffering from some form of mental illness. Think of your three best friends. If they’re okay, then it’s you.

— Rita Mae Brown



NSA involved in snooping cookie shocker

Posted on December 29th, 2005 at 10:53 by John Sinteur in category: News

[Quote:]

Holy global eavesdropping network, Batman! The NSA has – or rather had – cookies on its web site.

Daniel Brandt – he of Google watching and Wikipedia fiddling fame – discovered a pair of cookies lurking on the NSA’s (National Security Agency) web site. The cookies were set to expire in 2035 and could be used to track your online activity. That’s a big no-no under federal rules that forbid the use of most persistent cookies.

The NSA removed the cookies after Brandt brought the issue to the agency’s attention and after the AP started asking questions.

Well, if an organisation has to worry about the Big Things (such as a commander in chief who wants them to snoop domestically), it’s no surprise the very small things start slipping by you as well.



Nazi deportation?

Posted on December 29th, 2005 at 10:49 by John Sinteur in category: ¿ʞɔnɟ ǝɥʇ ʇɐɥʍ

Somebody searched for “Nazi Deportation” on Technorati, where this posting on this weblog turned up on the second page of results.

That same somebody tried to post a comment with a dozen or so links to completely unrelated threads on stormfront.org, a white supremacist web site in the USA.

That same somebody probably didn’t realize that postings with a lot of links are considered “potential spam” and sent to the moderation queue (or deleted outright if there’s a spam match).

That same somebody probably will never realize his or her IP address is now blacklisted from even visiting this weblog.



Comments:

  1. Why can’t I read your weblog anymore? Hell, I can’t even submit comments! :-)