Windows metafile hole requires unofficial patch

By Brian Livingston

A weakness in the way Windows renders images is being exploited on the Internet and affects any browser you may be using, not just Internet Explorer.

Microsoft has no patch for the problem at this writing. An official patch may appear at any time, or it may take days or weeks. I recommend that you immediately run a small, unofficial patch that was developed by white-hat security researchers to make your PCs immune to the problem.

Not just .wmf files are suspect

I don’t ordinarily publish a news update for every new Windows security threat that appears. Instead, I urge my readers to install one piece of hardware and two pieces of software that I call the Security Baseline (see my Dec. 15, 2005, description). You then configure Windows and your security programs so they automatically download all critical updates.

That way, you’re protected against most exploits — and you can safely enjoy personal computing instead of constantly tweaking your PC to defend against real or imagined threats.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

The new “WMF Metafile” vulnerability is different:

It can infect your PC if you merely view an image formatted as a Windows metafile on a Web page, in an e-mail attachment, or on your hard disk.

Every browser is vulnerable — IE, Firefox, Opera, and others — because the image is not being rendered by the browser. It’s rendered by Windows’ own Picture and Fax Viewer (Shimgvw.dll, also known as the Shell Image View Control). New versions of Firefox do display an alert when a suspicious image is encountered on a Web page. But since viewing an image is usually harmless, most users will click OK, exposing themselves to infection.

If your PC catches an infected metafile — perhaps through instant messaging or file-sharing software — the payload can run even if you don’t consciously open or view the image. Google Desktop Search, for example, causes the payload to be executed when the metadata of the image is accessed. If the image is an icon, merely displaying a file directory in certain views of Windows Explorer can silently execute a Trojan.

New-year white hats to the rescue

When exploit code was discovered on Dec. 31, security researchers worked furiously over the New Year’s Eve holiday to find a defense against the WMF Metafile threat. Fortunately, a small patch has become available until Microsoft releases its own fix. In my opinion, you’re far better off to install the unofficial patch than to wait to see what Microsoft will come up with.

What NOT to do: I’ve seen advice on the Internet suggesting that network administrators should “block .wmf files at the border.” That’s pointless, because an infected file can bear any image-file extension. It could even be embedded in a Word document or any other kinds of file. The Windows viewer will dutifully execute the instructions in the metafile anyway.

What to do: First, read the FAQ on the problem at the Internet Storm Center, story I.D. 994. (For exhaustive details, see the ISC’s link overview.)

Then, download the latest version of the patch developed by researcher Ilfak Guilfanov. This download is linked to from the FAQ. The experts at the ISC, a division of the SANS Institute, say they’ve examined and tested the patch and found it to be safe and effective. That’s as good a testimonial as we can expect for any software.

You can also deregister Shimgvw.dll. This prevents the Windows Picture and Fax Viewer from starting, avoiding the problem. The DLL, however, can be re-registered by a Trojan, so this affords only limited security.

Microsoft provides details on how to deregister Shimgvw.dll in a security advisory released on Dec. 28. This document also describes DEP (Data Execution Prevention), which prevents certain software exploits when using Windows XP SP2 and hardware exploits when using 64-bit XP on certain 64-bit hardware. For more information, see security advisory 912840.

Installing the Guilfanov patch, deregistrating the DLL, and enabling DEP are all steps that can be easily reversed, if necessary. The unofficial patch and the deregistration should be undone before installing Microsoft’s own patch, whenever it may become available. We’ll have more details in the next regular Windows Secrets Newsletter on Jan. 12.

To send us more information about the WMF Metafile bug, or to send us a tip on any other subject, visit You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
= Paid content

All Windows Secrets articles posted on 2006-01-04: