05 01 protect yourself against WMF exploits
Stay away from crack and porn sites (but legitimate sites get hacked too).
Set Internet Explorer to its highest security level (Tools > Options).
Install only things on your machine that you really trust.
Surf the internet and open your mail as an ordinary user, not as an administrator.
Microsoft advises the following:
1. Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)
   1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
   2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks).
Typing REGSVR32 /U SHIMGVW.DLL is a valid workaround to avoid the exploit.
This effectively disables your ability to view images with the Windows Picture and Fax Viewer via IE (AFAIK you can still download the file, execute it and get smoked, but you won't get hit by a "drive-by" download with this workaround).
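The advisory's unregister and undo steps, scripted so they can be applied and reverted from an elevated PowerShell prompt. This is an added example, not code from the original post or from Microsoft; it assumes the DLL sits at %windir%\system32\shimgvw.dll as the advisory states, and the -Undo switch name is our own choice.

```powershell
# Added example (not from the post or the advisory): apply or undo the
# regsvr32 workaround for shimgvw.dll. Assumes %windir%\system32\shimgvw.dll.
param(
    [switch]$Undo   # re-register the viewer (the advisory's "To undo this change" step)
)

# COM registration is machine-wide, so an administrator token is required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error 'Run this from an elevated (administrator) PowerShell prompt.'
    exit 1
}

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) {
    Write-Warning "$dll not found; nothing to register or unregister."
    exit 1
}

# /s suppresses the confirmation dialog the advisory describes; the exit code
# is checked instead so the script can run unattended.
$regArgs = if ($Undo) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    Write-Error "regsvr32 failed with exit code $($proc.ExitCode)"
    exit $proc.ExitCode
}

if ($Undo) {
    Write-Host "Re-registered $dll; the Windows Picture and Fax Viewer is active again."
} else {
    Write-Host "Unregistered $dll; the Picture and Fax Viewer will no longer open images from links."
    Write-Host 'This closes one vector only: gdi32.dll stays vulnerable until the patch is installed.'
}
```

Run it once without arguments to apply the workaround and with -Undo to restore the viewer; a non-zero exit code from regsvr32 is passed through so the script can be used from a logon script or management tool.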
BUT THIS DOESN'T ELIMINATE THE RISK
Some sites mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct, as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll.
So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind in which the system can still be compromised.
It has to be noted that in this case the attack surface exposed through web browsers seems significantly smaller than that of Explorer plus third-party programs.
The effect is lower on Windows 2003:
By default, Internet Explorer on Windows Server 2003, on Windows Server 2003 Service Pack 1, on Windows Server 2003 with Service Pack 1 for Itanium-based Systems, and on Windows Server 2003 x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk. In Windows Server 2003, Microsoft Outlook Express uses plain text for reading and sending messages by default. When replying to an e-mail message that is sent in another format, the response is formatted in plain text.
http://www.microsoft.com/technet/security/advisory/912840...
The comment from F-Secure:
So the vulnerability is there on all platforms, but it seems that only Windows XP and 2003 are easily exploitable. Unfortunately this still means that the majority of Windows computers out there are vulnerable right now. And at least Windows 2000 becomes vulnerable if you're using many of the available third-party image handling programs to open image files.
So if you set Outlook and your mail client to display everything as plain text, or your mail antivirus converts all mail to text before passing it on, you are safer against e-mail-borne .wmf attacks.
Testing tools for .wmf vulnerabilities: http://isc.sans.org/diary.php?storyid=1006
More things you can do:
- Disable the Microsoft Indexing Service on Windows 2000, Windows XP and Windows Server 2003.
- Disable image-loading in IE. http://support.microsoft.com/kb/153790
- Disable hyperlinks in MSN Messenger.
- Disable image loading in Outlook Express. http://support.microsoft.com/kb/843018
- Making use of hardware-enforced Data Execution Prevention - http://en.wikipedia.org/wiki/Data_Execution_Prevention - effective for all applications.
  and how to do it in Windows XP SP2: http://www.microsoft.com/technet/security/prodtech/window...
- Set the default WMF application to be something innocuous such as Notepad.
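Three of the measures in the list above, scripted for an elevated PowerShell prompt: stopping and disabling the Indexing Service, handing .wmf files to Notepad for the current user, and reading the DEP policy Windows reports. This is an added example, not code from the original post. It assumes the Indexing Service's service name is cisvc (as on Windows 2000/XP/2003), that the per-user HKCU\Software\Classes hive overrides the machine-wide .wmf association, that the Win32_OperatingSystem DEP properties exist (XP SP2 / 2003 SP1 and later), and the ProgID name WmfToNotepad is our own choice.

```powershell
# Added example (not from the post): Indexing Service off, .wmf -> Notepad,
# DEP policy report. Assumes service name "cisvc" and the WMI DEP properties
# present on XP SP2 / 2003 SP1 and later; "WmfToNotepad" is an invented ProgID.

# 1. Indexing Service: stop it and keep it from starting again.
$svc = Get-Service -Name 'cisvc' -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'cisvc' -Force }
    Set-Service -Name 'cisvc' -StartupType Disabled
    Write-Host 'Indexing Service (cisvc) stopped and disabled.'
} else {
    Write-Host 'Indexing Service (cisvc) is not installed on this machine.'
}

# 2. Make Notepad the .wmf handler for this user only. Keys under
#    HKCU\Software\Classes take precedence over HKCR for the current user,
#    so nothing machine-wide is touched and the change is easy to undo.
$progId  = 'WmfToNotepad'
$classes = 'HKCU:\Software\Classes'
$notepad = Join-Path $env:windir 'notepad.exe'
New-Item -Path "$classes\.wmf" -Force | Out-Null
Set-ItemProperty -Path "$classes\.wmf" -Name '(default)' -Value $progId
New-Item -Path "$classes\$progId\shell\open\command" -Force | Out-Null
Set-ItemProperty -Path "$classes\$progId\shell\open\command" -Name '(default)' `
    -Value ('"{0}" "%1"' -f $notepad)
Write-Host ".wmf files now open in Notepad for $env:USERNAME."

# 3. DEP: report what the OS says, and flag policies that leave most
#    applications unprotected. SupportPolicy: 0 AlwaysOff, 1 AlwaysOn,
#    2 OptIn (Windows programs only), 3 OptOut (everything except exceptions).
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($null -eq $os.DataExecutionPrevention_Available) {
    Write-Host 'This Windows version does not report DEP status through WMI.'
} else {
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    Write-Host ("DEP hardware support: {0}; policy: {1}" -f $os.DataExecutionPrevention_Available, $names[$policy])
    if ($policy -eq 0 -or $policy -eq 2) {
        Write-Warning 'DEP does not cover third-party image viewers; switch to OptOut or AlwaysOn in boot.ini (/noexecute).'
    }
}
```

To undo the file association, delete the two keys the script created (Remove-Item "HKCU:\Software\Classes\.wmf" and Remove-Item -Recurse "HKCU:\Software\Classes\WmfToNotepad"); to bring the Indexing Service back, use Set-Service -Name cisvc -StartupType Automatic followed by Start-Service cisvc.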
For most Outlook users, it looks like a .WMF file will not auto-execute from an HTML email message using an IFRAME and the CID: protocol. With default security settings, Outlook (and Outlook Express) will not display any IFRAMEs. This change was made back in 2002 because of the Klez email worm.
It was verified, however, that if Outlook is set to a lower security setting, a .WMF file will auto-execute from an IFRAME in an HTML email message. Hopefully, it is rare that people are lowering their Outlook security settings, even though Microsoft makes it relatively easy to do.
In any case, turn off the preview pane in Outlook (Express); it is the best way to protect yourself against any mail-borne script with a link.