Using regsvr32 is a whole lot safer than editing the registry directly. It really doesn’t fall into the “messing with” category.
This isn’t a buffer overflow. This is one of the relatively few times you’ll ever see a major Microsoft security flaw that is not a buffer overflow. There are no overflowing buffers relevant to the security hole malicious WMF files are exploiting.
Here is what’s happening: A WMF file isn’t just data. It can contain a callback function as well, which is a bit of executable code that a certain DLL will pull out of the file and run whenever the file is opened. I have no idea what the Microsoft programmers were smoking when they thought of this horrible, horrible idea, but they were smoking it years ago and now we’re stuck with one of the worst ideas since ActiveX.
The simplest way around the gaping security hole is to stop the DLL from doing its job, which is the nutshell explanation of what regsvr32 is capable of doing. Typing regsvr32 /u shimgvw.dll into a command prompt will ‘unregister’ the DLL responsible for executing WMF files. No DLL, no hole.
There is no hardware on Earth equal to the task of defending us against software designed by morons.
Although that is enough to protect a Windows PC from current threats, it’s only a workaround because the vulnerability is actually in the GDI (GDI32.DLL). Probably not a good idea to unregister that. The unofficial (not from Microsoft) patch that is available patches GDI32.DLL. The official patch should be released next Tuesday.
I did not know that. (BTW, what is the GDI? I am not really a Windows programmer.)
“Graphics Device Interface”, an (old) API for graphical output to monitors and printers.
Derleth: From following docandjean’s link, it seems that they were thinking “image files need the ability to stop the printer from spooling”. Seriously.
It seems that the patch is already out.
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Wonderful. Next I suppose they’ll decide that Word files need the ability to blast ad jingles out of the speakers.