Windows 0-day exploit
A 0-Day exploit was released for Windows over the weekend, creating a lot of headaches for sysadmins everywhere.
In short, it works by executing code that hides in a WMF file (graphics format) and executes upon viewing the file. By viewing, we mean a graphic on a website or attached in an e-mail. Since WMF is identified by a special header and not by the file extension, the file can be named .jpg, .gif, etc.
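To make that last point concrete, here is a small Python check, added to this post and not code from the original article or from the SANS handlers, that identifies WMF content by its header bytes instead of by the file name. It recognises the two WMF header layouts (the standard METAHEADER and the placeable/Aldus header key) and reports files whose extension says .jpg or .gif but whose bytes say WMF. The sample "files" are constructed in memory so it runs offline; scan_directory() does the same over a real folder.

```python
import struct
from pathlib import Path

# Placeable (Aldus) metafile header begins with the key 0x9AC6CDD7, little-endian on disk.
PLACEABLE_KEY = struct.pack("<I", 0x9AC6CDD7)  # b"\xd7\xcd\xc6\x9a"

# Standard METAHEADER fields (all 16-bit little-endian words):
#   mtType       1 = memory metafile, 2 = disk metafile
#   mtHeaderSize always 9 (size of the header in words)
#   mtVersion    0x0100 or 0x0300
WMF_TYPES = (1, 2)
WMF_HEADER_WORDS = 9
WMF_VERSIONS = (0x0100, 0x0300)

# Extensions under which a metafile would legitimately be expected.
METAFILE_EXTENSIONS = {".wmf", ".emf"}


def is_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, regardless of the file name."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 6:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data)
    return (mt_type in WMF_TYPES
            and mt_header_size == WMF_HEADER_WORDS
            and mt_version in WMF_VERSIONS)


def find_disguised_wmf(files: dict) -> list:
    """Return names of files whose content is WMF but whose extension says otherwise.

    `files` maps a file name to its leading bytes (a few dozen bytes is enough)."""
    hits = []
    for name, head in files.items():
        if Path(name).suffix.lower() not in METAFILE_EXTENSIONS and is_wmf(head):
            hits.append(name)
    return sorted(hits)


def scan_directory(root) -> list:
    """Read the first 64 bytes of every file under `root` and report disguised WMFs."""
    heads = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                heads[str(path)] = fh.read(64)
    return find_disguised_wmf(heads)


# Constructed sample "files": headers only, no real image data.
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * 18
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
GIF = b"GIF89a" + b"\x00" * 7

SAMPLES = {
    "photo.jpg": STANDARD_WMF,    # WMF renamed to look like a JPEG
    "banner.gif": PLACEABLE_WMF,  # placeable WMF renamed to look like a GIF
    "holiday.jpg": JPEG,          # genuine JPEG
    "chart.wmf": STANDARD_WMF,    # WMF with an honest extension, not reported
    "logo.gif": GIF,              # genuine GIF
}

if __name__ == "__main__":
    for name in find_disguised_wmf(SAMPLES):
        print(f"{name}: WMF header found behind a non-metafile extension")
```

Run as-is it reports banner.gif and photo.jpg; point scan_directory() at a browser cache or mail attachment folder to see whether any image there is really a metafile. Note that a header check only tells you a file is WMF, not that it is malicious; it is a triage aid, not a replacement for the patch.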
If I sound serious, that's because it is.
I really thought this was going to be cleared up by this morning but apparently Microsoft has decided that they will wait till the 10th before deploying a patch. Lucky for us, the guys at isc.sans.org issued their own patch, which you can download here:
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
It has been tested for Windows XP and Windows 2000. (If you're running Windows 98 or earlier, do panic. There is no hope for you.)
It is also recommended that you unregister the .dll that handles .WMF files. You can do this by going to "Start" -> "Run" and in the Run box, type "regsvr32 -u %windir%\system32\shimgvw.dll" without quotes.
Again, it is recommended that you both install the patch and unregister the .dll.
Microsoft will be releasing their own patch on the 10th. At that time, pending reports that it successfully blocks the attack, I will post instructions to uninstall the SANS patch (it removes via Add/Remove Programs) and how to re-register the .dll.
Again, if you have Windows XP or Windows 2000, please take care of this ASAP. This runs very easily. Just looking at a webpage, previewing a graphic, or looking at a picture in an e-mail will trigger the exploit.
You can follow all of the goings on here:
http://isc.sans.org/
If you're running MacOS X, Linux, or something else entirely, you should forget all of the above and go play with sand! =)
