Yet another development… It is getting worse before it gets better.
Now, like the polymorphic viruses of old, the exploit has become even harder to defend against. SANS has posted a new alert describing the latest iteration of the WMF unpatched vulnerability.
The gist is that the attack code “looks” a little different every time. Since the vulnerability remains unpatched, the primary defense against this flaw has been antivirus (AV) software. The way nearly all AV works is by generating a unique string of information (known as a signature) to spot malicious code. But, since this attack changes slightly in a random way each time, AV signature methods won’t work the same way, making the exploit that much more difficult to detect.
I recommend immediately running the regsvr32 command (as follows) to unregister the vulnerable DLL and stop this exploit from executing automatically:
- Choose Start, then Run from the taskbar.
- Type regsvr32 /u shimgvw.dll and click OK when the confirmation dialog appears.
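As an added example that is not part of the original post, the following PowerShell script applies the same unregistration from an elevated prompt (or reverses it with -Undo once a vendor patch is in place) and then checks the registry to confirm no CLSID still points at the DLL. It assumes the DLL lives in %SystemRoot%\System32 and that regsvr32 records it under HKCR\CLSID\<guid>\InprocServer32.

```powershell
# Added example (not from the original post): apply or undo the shimgvw.dll
# mitigation, then verify the registry state. Assumes the DLL sits in
# $env:SystemRoot\System32 and that regsvr32 registers it under
# HKCR\CLSID\<guid>\InprocServer32 (both are assumptions, not page facts).
param([switch]$Undo)

$dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'
if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }

# /s suppresses the confirmation dialog; /u unregisters the server.
$regArgs = if ($Undo) { @('/s', $dll) } else { @('/s', '/u', $dll) }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# Verify: list every CLSID whose in-process server still resolves to shimgvw.dll.
function Get-ShimgvwRegistrations {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $srv) {
                $path = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
                if ($path -and $path -match 'shimgvw\.dll') { $_.PSChildName }
            }
        }
}

$remaining = @(Get-ShimgvwRegistrations)
if ($Undo) {
    if ($remaining.Count -eq 0) { Write-Warning 'shimgvw.dll is still not registered' }
    else { Write-Host "shimgvw.dll re-registered under: $($remaining -join ', ')" }
} else {
    if ($remaining.Count -eq 0) { Write-Host 'Mitigation applied: shimgvw.dll is no longer registered' }
    else { Write-Warning "Still registered under: $($remaining -join ', ')" }
}
```

Run it again with -Undo after the vendor patch is installed to restore the viewer's normal registration.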
Secondly, in your email software I strongly suggest turning off (disabling) the automatic rendering of inline images and embedded links if available in your mail client settings.
Additionally, a person named Ilfak Guilfanov has reverse engineered the vulnerable code and has released a patch that appears to resolve the problem. I have not tested this yet myself, but have no reason to think that it won’t work. However, on your work computers (i.e. the ones provided and maintained by your employer), unless you have prior approval, do not run this fix because it might interfere with the forthcoming fix from Microsoft when deployed. Ilfak has stated on the blog to uninstall this fix prior to installing the fix from MS when it becomes available.
Ugly, ugly attack. Happy friggin’ New Year ;-) Questions or problems, please let me know.
_____________________________________________________________
KevFrey