The WMF exploit that has been in the news so much..

Update: MS will be releasing a patch for this problem on 10 January.

What a mess.  I've been sitting back waiting for information to solidify about what works, and what doesn't work before posting.  First it was said that Software DEP (Data Execution Prevention) would work, and then it was said that it wouldn't.  Same thing about hardware DEP.  First it was said that deregistering shimgvw.dll would make us safe, then it was discovered that it wouldn't.

Very early on there was a Web forum that recommended replacing GDI32.DLL with a version supplied by a member of the forum.  But to get the file to stick, you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection, which puts the original back from its cache).  The changed file also caused Windows Update to offer old security patches.  Frankly, it was a good idea, but too messy in practice.

IMHO the best information on the net about this problem is at the Internet Storm Centre:
http://isc.sans.org/diary.php?storyid=994
And here:
http://isc.sans.org/diary.php?date=2006-01-01

One thing I see missing is instructions on how to reregister the DLL, which can be done using this command:
regsvr32 %windir%\system32\shimgvw.dll

Deregistering shimgvw.dll will stop Windows Picture and Fax Viewer from working; re-registering it with the command above brings the viewer back.

Early in the article it mentions 'indexing software'.  What is that?  Things like Google Desktop or MSN Desktop Search: they read and preview files in the background, so a malicious WMF can be processed without you ever opening it.
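Because indexers and thumbnail viewers decode image files on their own, it is worth scanning the files themselves rather than waiting for a viewer to touch them. The script below is an added example (not code from this post, from the Internet Storm Centre or from Microsoft). It walks the record chain of a WMF file and flags any META_ESCAPE record whose escape number is SETABORTPROC (9), the record that public analyses of this exploit identified as the trigger; everything else is ignored. The two sample files it builds are constructed here with zero-filled escape data and are not exploit samples, and the names classify and scan_tree are the example's own.

```python
"""Detection-only WMF scanner: flags META_ESCAPE/SETABORTPROC records.
Nothing here renders a metafile, so it is safe to run over untrusted files.
"""
import os
import struct
import sys

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte Aldus placeable header
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18     # METAHEADER: type, size, version, ...
META_EOF = 0x0000
META_ESCAPE = 0x0626         # record function carrying printer escapes
SETABORTPROC = 0x0009        # escape number that registers an "abort procedure"


def parse_wmf(data):
    """Return (records, malformed).

    records holds (offset, function, params) for every readable record;
    malformed is True when the chain ends without META_EOF or a record
    declares an impossible size.  Header fields other than the placeable
    key are not trusted (an attacker controls them too), and a size-mangled
    or truncated record is still returned with whatever bytes follow its
    function word, so it can be inspected.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = PLACEABLE_HEADER_LEN
    off += STANDARD_HEADER_LEN
    records = []
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            records.append((off, function, data[off + 6:]))
            return records, True
        records.append((off, function, data[off + 6:end]))
        if function == META_EOF:
            return records, False
        off = end
    return records, True


def find_setabortproc(data):
    """Offsets of META_ESCAPE records whose escape number is SETABORTPROC.
    An image metafile has no business registering a printer abort procedure,
    so any hit is worth quarantining."""
    hits = []
    for off, function, params in parse_wmf(data)[0]:
        if (function == META_ESCAPE and len(params) >= 2
                and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
            hits.append(off)
    return hits


def classify(data):
    """'suspicious' if a SETABORTPROC escape is present, else 'malformed' or 'clean'."""
    if find_setabortproc(data):
        return "suspicious"
    return "malformed" if parse_wmf(data)[1] else "clean"


# --- constructed samples (built here, not files from the wild) ----------------

def _record(function, *words, tail=b""):
    """Encode one record: size in 16-bit words, function, WORD params, raw tail."""
    body = b"".join(struct.pack("<H", w) for w in words) + tail
    if len(body) % 2:
        body += b"\0"
    return struct.pack("<IH", (6 + len(body)) // 2, function) + body


def _wmf(*records):
    """Wrap records in a METAHEADER (type 1 = memory, 9 words, version 3.0)."""
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (STANDARD_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


def _placeable(wmf):
    """Prefix a placeable header; its checksum is the XOR of the 10 words before it."""
    head = struct.pack("<IhhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", head):
        checksum ^= word
    return head + struct.pack("<H", checksum) + wmf


BENIGN_WMF = _wmf(
    _record(0x0103, 8),          # META_SETMAPMODE, MM_ANISOTROPIC
    _record(0x020C, 100, 100),   # META_SETWINDOWEXT
    _record(META_EOF),
)
# Same drawing plus an ESCAPE record: escape number 9 with 8 zero bytes of data.
SUSPICIOUS_WMF = _wmf(
    _record(0x0103, 8),
    _record(META_ESCAPE, SETABORTPROC, 8, tail=b"\0" * 8),
    _record(META_EOF),
)
PLACEABLE_SUSPICIOUS_WMF = _placeable(SUSPICIOUS_WMF)
TRUNCATED_SUSPICIOUS_WMF = SUSPICIOUS_WMF[:36]   # cut off inside the escape record


def scan_tree(root):
    """Yield (path, 'suspicious') for hits under root, regardless of extension:
    Windows identifies the image format from content, not from the file name."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)
            except OSError:
                continue
            if find_setabortproc(data):
                yield path, "suspicious"


if __name__ == "__main__":
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(verdict, path)
```

Run it as `python wmfscan.py C:\Documents and Settings` (or any folder an indexer watches) and treat every hit as something to quarantine before a viewer or indexer gets to it; a clean result says only that this one record is absent.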

The article says that Hardware DEP will protect you from the exploit depending on hardware.  I am not convinced of the safety/accuracy of this claim.  One thing the article does not mention is that you must make sure you enable the option to "Turn on DEP for all programs and services except those I select".   If you have DEP available, you will find it at Control Panel, System, Advanced.  Click on the Performance Settings button then navigate to the Data Execution Prevention tab.  If you do not have Hardware DEP there will be a warning at the bottom of that tab. 
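As an added example (not from this post), here is a Python check for the two places where Windows XP SP2 records that setting: the /noexecute switch in boot.ini, where "Turn on DEP for all programs and services except those I select" is stored as OptOut, and the Win32_OperatingSystem DEP properties as printed by wmic. The sample boot.ini and wmic output below are constructed, and the function names are the example's own. It reports whether hardware DEP is present and whether the policy is OptOut or AlwaysOn; it does not claim that either one makes the exploit harmless.

```python
"""Decode the XP SP2 DEP policy from boot.ini and from WMI (via wmic)."""
import os
import re
import subprocess
import sys

# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy values.
SUPPORT_POLICY = {0: "AlwaysOff", 1: "AlwaysOn", 2: "OptIn", 3: "OptOut"}
CANON = {p.lower(): p for p in SUPPORT_POLICY.values()}
# Policies under which DEP applies to every process not explicitly excluded.
RECOMMENDED = {"OptOut", "AlwaysOn"}


def policies_from_bootini(text):
    """Map each [operating systems] entry name to its DEP policy.
    No /noexecute switch means the XP SP2 default, OptIn."""
    policies = {}
    in_os = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        if not in_os or "=" not in line:
            continue
        _arc, _, options = line.partition("=")
        quoted = re.search(r'"([^"]*)"', options)
        name = quoted.group(1) if quoted else options.strip()
        switch = re.search(r"/noexecute=(\w+)", options, re.IGNORECASE)
        policies[name] = CANON.get(switch.group(1).lower(), "unknown") if switch else "OptIn"
    return policies


def dep_from_wmic_list(output):
    """Parse `wmic os get DataExecutionPrevention_Available,
    DataExecutionPrevention_SupportPolicy /format:list` output into
    (hardware_dep_available, policy_name)."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value.strip()
    available = fields.get("DataExecutionPrevention_Available", "").upper() == "TRUE"
    code = fields.get("DataExecutionPrevention_SupportPolicy", "")
    policy = SUPPORT_POLICY.get(int(code), "unknown") if code.isdigit() else "unknown"
    return available, policy


def assess(hw_available, policy):
    """One-line verdict on whether the setting the post recommends is in force."""
    if not hw_available:
        return "no hardware DEP: the DEP setting cannot be relied on against this exploit"
    if policy in RECOMMENDED:
        return "ok: hardware DEP applies to every process not explicitly excluded (%s)" % policy
    return ("weak: policy %s only covers Windows system binaries and programs that opt in; "
            "switch to 'all programs and services except those I select' (OptOut)" % policy)


# Constructed samples: a boot.ini with two entries and a wmic list-format dump.
SAMPLE_BOOTINI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (DEP opt-out)" /noexecute=OptOut /fastdetect
"""
SAMPLE_WMIC = "\n\nDataExecutionPrevention_Available=TRUE\nDataExecutionPrevention_SupportPolicy=2\n\n"


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine being checked")
    out = subprocess.run(
        ["wmic", "os", "get",
         "DataExecutionPrevention_Available,DataExecutionPrevention_SupportPolicy",
         "/format:list"], capture_output=True, text=True).stdout
    hw, policy = dep_from_wmic_list(out)
    print("WMI: hardware DEP", hw, "policy", policy, "->", assess(hw, policy))
    bootini = os.path.join(os.environ.get("SystemDrive", "C:"), "\\boot.ini")
    try:
        with open(bootini) as fh:
            for name, pol in policies_from_bootini(fh.read()).items():
                print("boot.ini:", name, "->", pol)
    except OSError as exc:
        print("boot.ini not readable (hidden system file; run as an administrator):", exc)
```

boot.ini is a hidden, read-only system file at the root of the system drive, so the live check needs an administrator account; the WMI side works from any account. If the two disagree, the boot.ini value is what takes effect at the next reboot, which is also why the GUI setting asks for one.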

The official Microsoft advisory can be found here:
http://www.microsoft.com/technet/security/advisory/912840.mspx

If somebody tells you to "dump IE and you'll be safe", hit them over the head with a cluestick: the flaw is in the graphics rendering engine (gdi32.dll), so any application that renders a WMF image is exposed, not just Internet Explorer.

Published Sun, Jan 1 2006 23:46 by sandi