Microsoft Security Advisory 912840 (microsoft.com, TechNet Security)

Microsoft will continue to investigate the public reports to help provide additional guidance for customers.
Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such a user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image.
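The advisory says only "specially crafted WMF image". The public write-ups of this flaw (and the detection names further down this thread, such as "Wmfex") identified the trigger as a META_ESCAPE record carrying a SETABORTPROC escape, which the metafile player honoured as a callback into bytes supplied by the file. As an added example that is not part of the advisory or of any poster's code, here is a small Python WMF record walker that flags such records. The record numbers and header layout come from the WMF file format, not from this page; the sample files are constructed inline (an inert filler stands in for the payload, so nothing here is a real exploit sample).

```python
import struct

# Constants from the WMF format (META_* record numbers and the Aldus placeable
# header key). These are taken from the Windows Metafile specification, not
# from the advisory text on this page.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_LEN = 22
META_EOF = 0x0000
META_SETBKMODE = 0x0102      # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # GDI escape abused by the public WMF exploit code


def iter_records(data):
    """Walk a WMF file and yield (offset, function, params) for every record.

    Raises ValueError on a malformed or truncated file instead of guessing;
    a scanner that silently stops on bad input is easy to evade.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_LEN                      # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    mtype, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2                    # record size is stored in words
        if size < 6 or off + size > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("missing META_EOF record")


def is_well_formed(data):
    """True if every record parses and the file ends with META_EOF."""
    try:
        for _ in iter_records(data):
            pass
        return True
    except ValueError:
        return False


def find_abortproc_escapes(data):
    """Return [(record_offset, escape_payload_length)] for every META_ESCAPE
    record whose escape number is SETABORTPROC."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, nbytes = struct.unpack_from("<HH", params, 0)
            if esc == SETABORTPROC:
                hits.append((off, nbytes))
    return hits


# --- constructed sample files (not real samples) -----------------------------

def encode_record(func, params=b""):
    """Encode one WMF record; params must be an even number of bytes."""
    if len(params) % 2:
        raise ValueError("record parameters must be word-aligned")
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Assemble a minimal disk metafile from already-encoded records."""
    records = list(records) + [encode_record(META_EOF)]
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    out = header + body
    if placeable:
        out = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0) + out
    return out


BENIGN_WMF = build_wmf([encode_record(META_SETBKMODE, struct.pack("<H", 1))])

# An escape record carrying SETABORTPROC and 16 bytes of inert filler where an
# exploit would place its code.
ABORTPROC_RECORDS = [
    encode_record(META_SETBKMODE, struct.pack("<H", 1)),
    encode_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x90" * 16),
]
ABORTPROC_WMF = build_wmf(ABORTPROC_RECORDS)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF)):
        print(name, find_abortproc_escapes(blob))
```

On a real file, call `find_abortproc_escapes(open(path, "rb").read())`. A hit is not proof of exploitation on its own, since SetAbortProc is a legitimate printing escape, but in an image served to a browser or mail client it is exactly the record the public exploit needed, so treat it as a block-and-investigate signal, and treat a file that fails `is_well_formed` with the same suspicion rather than letting it through.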
An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. Customers are encouraged to keep their antivirus software up to date. The Microsoft Windows AntiSpyware Beta can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs. Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources.
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers who believe they may have been affected by this issue can contact Product Support Services. Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.
Mitigating Factors: In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
By default, Internet Explorer on Windows Server, on Windows Server Service Pack 1, on Windows Server with Service Pack 1 for Itanium-based Systems, and on Windows Server x64 Edition runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability where the e-mail vector is concerned, although clicking on a link would still put users at risk.

Would explain a lot.
Is it? Don't be too sure - the way I read it, this flaw affects any program that uses the usual libraries to display WMF files. Windows Picture and Fax Viewer is only the one that comes up by default if you've installed no other image viewer and you double-click on an image file. If you have any program that displays WMF files, you are probably vulnerable.

No, it is not. Those, in the strictest sense, do not prevent you getting inadvertently infected. None of them do. A "workaround" would prevent you getting infected. That is the normal meaning of the word "workaround".

Microsoft has tested the following workaround.
While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll). A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. To undo this change, re-register Shimgvw.dll.

Click on the plus sign beside Suggested Actions, then click on the plus sign beside Workarounds. It is there: the advice to unregister shimgvw.dll. However, in true MS fashion, it is hidden several layers deep.

As an addendum: this exploit is being used right now. I just received a customer's computer that was infected with Spy Sherriff by this method. The exploit was in a spam email. Turn off the preview pane in OE (always a good idea) and turn off the Windows Picture and Fax Viewer until Microsoft has a fix.

There is in fact anecdotal evidence to suggest that this might indeed be the case.

Preview Pane should be OK if I received a sample.
Note that Microsoft's AV solution (is it really one?) [Multi-scanner results for the sample were pasted here but did not survive extraction; the scanners listed were AntiVir, Avast, Avira, BitDefender, ClamAV (devel), DrWeb, eTrust-Iris, eTrust-Vet, Kaspersky, Norman, TheHacker and UNA.]

I would think that an image file would be marked as "data" in memory, not as an executable image, although WMF might be different than, say, a jpg or bmp. Does anyone know for sure?
Hardware-enforced DEP is a feature of certain processors that prevents the execution of code in memory regions that are marked as data storage. This feature is also known as No-Execute and Execution Protection. Unlike an antivirus program, hardware and software-enforced DEP technologies are not designed to prevent harmful programs from being installed on your computer.
Instead, they monitor your installed programs to help determine if they are using system memory safely. To monitor your programs, hardware-enforced DEP tracks memory locations declared as "non-executable". To help prevent malicious code, when memory is declared "non-executable" and a program tries to execute code from that memory, Windows will close that program. This occurs whether the code is malicious or not.

It certainly is. I watched it in action.
Time to reboot in Safe mode and disinfect and kick in with that temp fix. I have been here before.