
Zero-Day Exploit, Microsoft and Google

Attackers are actively exploiting a previously unknown buffer-overflow flaw in the Windows Picture and Fax Viewer (SHIMGVW.DLL) to install backdoors on vulnerable Windows systems. The flaw is triggered when a malicious WMF file (a type of image file) is opened on a vulnerable system. Worse, if a malicious WMF file has merely been downloaded, the Google Desktop software will trigger the flaw as it attempts to index the file, even though the user has never opened it. Microsoft is investigating the problem, but does not have a patch available at the time of writing.
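Because the viewer and the indexer parse the file's content rather than trusting its name, a malicious WMF can arrive under any extension. The following added example (not code from the article or from Microsoft) identifies WMF files by their on-disk header so a download directory can be swept for them regardless of extension; the sample files it writes are constructed here for the demonstration.

```python
"""Identify WMF files by header, not extension (added example, not the article's code)."""
import struct
import tempfile
from pathlib import Path

# A placeable (Aldus) WMF starts with the 32-bit key 0x9AC6CDD7 stored
# little-endian, so the first four bytes on disk are D7 CD C6 9A.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22  # key, handle, bounding box, inch, reserved, checksum

# Standard METAHEADER (18 bytes): Type (1 = on disk, 2 = in memory),
# HeaderSize (always 9 words), Version (0x0100 or 0x0300), file size in
# words, object count, largest record size in words, reserved member count.
METAHEADER = struct.Struct("<HHHIHIH")
WMF_VERSIONS = {0x0100, 0x0300}


def looks_like_wmf(data: bytes) -> bool:
    """Return True if data begins with a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        # The standard header follows the placeable one.
        data = data[PLACEABLE_HEADER_LEN:]
    if len(data) < METAHEADER.size:
        return False
    file_type, header_size, version, _size, _objs, _max_rec, _members = (
        METAHEADER.unpack_from(data)
    )
    return file_type in (1, 2) and header_size == 9 and version in WMF_VERSIONS


def find_wmf_files(root: Path) -> list[Path]:
    """Walk root and return every regular file whose content is a WMF."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(PLACEABLE_HEADER_LEN + METAHEADER.size)
        if looks_like_wmf(head):
            hits.append(path)
    return hits


# Constructed samples: a minimal standard WMF (header only, 9 words long),
# a placeable wrapper around it, and a PNG signature that must not match.
SAMPLE_STANDARD_WMF = METAHEADER.pack(1, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * 18 + SAMPLE_STANDARD_WMF
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def demo() -> list[str]:
    """Write the samples under misleading names and report which are WMFs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "holiday.jpg").write_bytes(SAMPLE_STANDARD_WMF)  # WMF disguised as JPEG
        (root / "chart.wmf").write_bytes(SAMPLE_PLACEABLE_WMF)
        (root / "logo.png").write_bytes(SAMPLE_PNG)
        return sorted(p.name for p in find_wmf_files(root))


if __name__ == "__main__":
    print("WMF content found in:", demo())
```

Note that the check reads only the first 40 bytes of each file, so it is cheap to run across a large download cache; a hit means the file deserves quarantine or inspection, not that it is necessarily malicious.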

Zero-Day Exploits are the good guys’ nightmare – all complex software has bugs, and some bugs are vulnerabilities: they can be used to compromise a system. Responsible software developers have teams trying to find the vulnerabilities before the bad guys find them. A Zero-Day Exploit is a vulnerability that the bad guys know about, but the good guys don’t: the good guys lost the race.

Before a zero-day exploit is discovered, administrators and users can do nothing specific to protect themselves against it (general security best practices can help). Even after discovery, before a patch has been released, there are few options. The best course at the moment is to disable the affected component, as described in Microsoft’s bulletin:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

  1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
  2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.

Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

Attackers are currently exploiting this vulnerability by using malicious WMF files planted on websites to download backdoors including Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. The affected websites include:

  Crackz [dot] ws
  unionseek [dot] com
  www.tfcco [dot] com
  Iframeurl [dot] biz
  beehappyy [dot] biz
  toolbarbiz [dot] biz
  toolbarsite [dot] biz
  toolbartraff [dot] biz
  toolbarurl [dot] biz
  buytoolbar [dot] biz
  buytraff [dot] biz
  iframebiz [dot] biz
  iframecash [dot] biz
  iframesite [dot] biz
  iframetraff [dot] biz
  iframeurl [dot] biz

Do not visit those sites; you may also want to filter them at your corporate firewall.
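The list above is written in the defanged “[dot]” notation, which a firewall or proxy cannot consume directly. The following added example (not part of the original article) turns such a list into a deduplicated blocklist and emits it in hosts-file and Squid `dstdomain` form; the input string is copied from the article’s list, and the `is_blocked` helper and ACL name are my own choices.

```python
"""Refang a defanged domain list into a usable blocklist (added example)."""
import re

# Copied from the article's list; the "[dot]" spelling is defanging, not a typo.
RAW_LIST = """Crackz [dot] ws unionseek [dot] com www.tfcco [dot] com Iframeurl [dot] biz
beehappyy [dot] biz toolbarbiz[dot]biz toolbarsite[dot]biz toolbartraff[dot]biz
toolbarurl[dot]biz buytoolbar[dot]biz buytraff[dot]biz iframebiz[dot]biz
iframecash[dot]biz iframesite[dot]biz iframetraff[dot]biz iframeurl[dot]biz"""

# "[dot]" with or without surrounding spaces, in any letter case.
DEFANGED_DOT = re.compile(r"\s*\[dot\]\s*", re.IGNORECASE)
# A plausible hostname: labels of letters, digits and hyphens, at least one dot.
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def refang(text: str) -> list[str]:
    """Return the unique, lower-cased hostnames in a defanged list, in order."""
    seen: set[str] = set()
    hosts: list[str] = []
    for token in DEFANGED_DOT.sub(".", text).split():
        host = token.lower().strip(".")
        if HOSTNAME.match(host) and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def is_blocked(host: str, blocklist: list[str]) -> bool:
    """True if host is a listed name or a subdomain of one."""
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)


def to_hosts_file(blocklist: list[str]) -> str:
    """Sinkhole each name to 0.0.0.0 in hosts-file syntax."""
    return "\n".join(f"0.0.0.0 {d}" for d in blocklist)


def to_squid_acl(blocklist: list[str], acl_name: str = "wmf_block") -> str:
    """Squid dstdomain ACL; the leading dot makes each entry cover subdomains."""
    return "\n".join(f"acl {acl_name} dstdomain .{d}" for d in blocklist)


if __name__ == "__main__":
    names = refang(RAW_LIST)
    print(f"{len(names)} unique hosts")
    print(to_squid_acl(names))
```

Case-folding matters here: the article lists “Iframeurl [dot] biz” and “iframeurl[dot]biz” separately, and the refanged list collapses them into one entry.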

The latest news is that the workaround shown above does not stop the exploit from working if you open a malicious WMF file in MSPAINT. Also, the number of trojans known to be exploiting this vulnerability is still rising rapidly.


More Information