Well, after almost two days of the exploit Microsoft has come forward with Advisory 912840 that suggests several
things:
- This is more than just a hole in fully patched XP and 2003 (9x and 2K have been added to the list). Not much of a surprise there.
- The scope of the infection/attack is still vague, so there is no public advice yet on how to consistently close the hole. That’s something of a surprise, especially since Microsoft has announced that if you are part of their “One Care” program you are protected.
- Microsoft really really wants you to contact the authorities, whether it be the FBI, Internet Fraud Complaint Center, or your local alternative.
Note: the One Care reference is wmf1228. Yet another vulnerability database…wonder what happens if you get two distinct WMF exploits on Dec 28th? Do they go to wmf1228a and wmf1228b? And next year when another WMF explot is launched on the same day? Do they switch to wmf061228a? Seems like someone isn’t thinking too carefully about even the simple things, but I digress…
So, I’m not sure I’m reading this announcement properly, but it raises an interesting question: Should a company be liable for damages from a defect if they have a fix but are not distributing it to anyone outside a subscription/maintenance program? Aside from all the details about fees and testing, etc. I am getting more and more curious why information about the patch (other than “if you use One Care and your light is green, then you are safe”) is not being released more quickly, since it obviously can’t be a good thing for Microsoft to delay and risk damage to all the non-One Care customers.
Edited to add: Some have suggested to me that the One Care fix is actually nothing more than an automated version of the suggestion on the Microsoft Alert:
Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it will help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
Note The following steps require Administrative privileges.
To un-register Shimgvw.dll, follow these steps:
- Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
- A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
Also, f-secure has said that they think this step is actually a really good idea, and that “leaving image editors out completely for the rest of the year might be a good idea.” I’ll defer to their expertise (and inside scoop) on the malware, but sometimes it is hard to tell whether they are serious or just have a really dry sense of humor.