Posted by: kurtsh | December 31, 2005

RELEASE: A commentary on the WMF Vulnerability

The sad, ridiculous media hype over this vulnerability truly highlights how warped the priorities of many journalists are – particularly those on the Internet. The common journalistic claim to "inform the public" and "defend their right to know" sometimes seems like a giant front for a real agenda to "create panic and hysteria"… because as we all know, negativity always generates an audience in the same way that highway accidents attract rubberneckers.
To be clear, I have no problem with people that want to bring attention to this vulnerability. That’s important. What’s not cool is that most of these same people absolve themselves of all responsibility for informing people about what to do about it.
Net Net: If there’s a problem, why not link to the "official description" of the problem instead of some one-man consulting firm hack that wants to get his name in the press… and God forbid, why not link to some "potential solutions"? Why write about the supposed cataclysmic disaster impending and not tell people how to avoid it?
The official Microsoft advisory on this issue is located here: 
Microsoft Security Advisory (912840):  Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
There are a number of solutions available. 
    There’s a real simple solution – Enable software DEP, a feature of Windows XP Service Pack 2.  Here’s a quote from the advisory that no one seems to be reading.
    "I have software DEP enabled on my system, does this help mitigate the vulnerability?
    Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
    For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation."

    To enable or mess around with the DEP settings:
    – Click ADVANCED tab & press Performance SETTINGS button
    Make sure that the "Turn on DEP for essential Windows programs and services only" radio button is clicked.

    This is an even easier solution. Enable hardware DEP support (also called NX support) on your PC if you have a recent Pentium 4 from Feb 2005 on, or an AMD Athlon chip.
    (BTW If you have no idea what this is, check out for a 3rd party explanation of what software and hardware DEP are.)
    A couple of security firms, including Verisign’s iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:

    1. Click on the Start button on the taskbar.
    2. Click on Run…
    3. Type "regsvr32 /u shimgvw.dll" to disable.
    4. Click ok when the change dialog appears.

    iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven’t had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
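
As an added example (not part of the original post or the Microsoft advisory), this Python script audits a collected boot.ini and reports, per Windows XP SP2 boot entry, whether the DEP policy set by the /noexecute= switch covers all programs, which is the condition the advisory quote above names. The sample boot.ini and the function name audit_boot_ini are constructed for illustration; optin corresponds to "essential Windows programs and services only", while optout and alwayson apply DEP to all programs.

```python
import re

# /noexecute= levels under which DEP covers every process, not just core components.
ALL_PROGRAMS = {"optout", "alwayson"}

# Constructed sample boot.ini (illustrative only, not taken from a real machine).
SAMPLE_BOOT_INI = r'''[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP (hardened)" /fastdetect /NoExecute=OptOut
multi(0)disk(0)rdisk(0)partition(3)\WINNT="Legacy install" /fastdetect
'''

def audit_boot_ini(text):
    """Return [(description, policy, covers_all_programs, is_default), ...]."""
    section, default_path, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if section == "boot loader" and key == "default":
            default_path = value.strip().lower()
        elif section == "operating systems":
            desc = re.search(r'"([^"]*)"', value)
            # Only look for switches after the quoted description.
            switches = value[desc.end():] if desc else value
            m = re.search(r"/noexecute=(\w+)", switches, re.IGNORECASE)
            # A missing switch is reported as-is rather than guessed at.
            policy = m.group(1).lower() if m else "unspecified"
            entries.append((key, desc.group(1) if desc else key, policy))
    # Resolve the default entry last, so section order in the file does not matter.
    return [(d, p, p in ALL_PROGRAMS, k == default_path) for k, d, p in entries]

if __name__ == "__main__":
    for desc, policy, covered, is_default in audit_boot_ini(SAMPLE_BOOT_INI):
        status = "DEP for all programs" if covered else "NOT covering all programs"
        print(f"{'*' if is_default else ' '} {desc}: /noexecute={policy} -> {status}")
```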

There’s even more than this, but I’ll leave 3 as a starter.  This hopefully will tell you, dear reader, how easy it is to protect yourself – in fact, many of you probably already are by virtue of WinXPSP2’s software DEP feature that you installed and didn’t even know was operational.
…but oooohh watch out.  The press says that "THERE IS NO KNOWN PATCH AVAILABLE FROM MICROSOFT!"  Aigh!  What are we going to do?!?  There’ll be panic in the streets!  Mayhem and chaos across the Internet!  Dogs and cats living with each other!  (With apologies to Bill Murray)  We’rrrrrre allllll gonnnnnnna diiiiiiiiiiiie!
Or maybe not.  Film at 11.

