A: WMF is a function of Microsoft Windows used to view and render graphic images. The WMF exploit can exploit the vulnerability using images to execute arbitrary code. The user does not need to click on anything to execute the attack and even viewing thumbnail images in a Windows Explorer directory could trigger the exploit.
Q: What Versions Of Windows Are Vulnerable?
A: In a nutshell, all of them. Windows 2000, Windows XP (even fully-patched and updated with SP2) and Windows Server 2003. Older versions of Windows, like Windows 98 may be vulnerable and most likely will not be patched or updated by Microsoft.
Q: Will Switching Web Browsers Protect Me?
A: While Internet Explorer won't, some web browser software, such as Firefox, will ask the user for permission before opening an image. This will only protect users who are aware enough to deny permission though. Overall, switching browsers might make you somewhat safer, but will by no means resolve the issue.
Q: What Should I Do?
A: While there is no perfect answer right now, there are a few things you can do to provide various levels of protection:
- Update Antivirus Software: Thus far, the success rate of the antivirus vendors detecting this exploit have been a tad dissapointing, but they are improving and keeping your antivirus product updated may help detect and block the exploit from your system.
- Unregister The Vulnerable DLL: Click Start, then Run and enter \regsvr32 -u %windir%\\system32\\shimgvw.dll\ and click OK. You should see a dialog box confirming that the process worked. There are however some reports that unregistering the DLL will not protect your system 100 percent.
- Execute The Unofficial Patch: Microsoft is still investigating the issue and working on a patch, but Ilfak Guilfanov has created an unofficial patch which is available now. The patch intercepts calls to the DLL using the exploit and ignores them, allowing images to be displayed without executing the exploit.
Q: Can I Just Filter WMF Files?
A: Blocking the .WMF extension might prevent some issues, however Windows can still recognize and display images based on their file header information, so even a WMF file without the .WMF extension can infiltrate and exploit your system.
Q: What If My Computer Has Already Been Exploited?
A: There isn't much you can do. While the exploit itself is now known and is being worked on, there is little way of telling what a specific attack that uses the exploit may have done to your system. You can contact Microsoft for free support if you believe your machine has been attacked with this exploit by calling 866-727-2389.