The WMF Exploit has you…
December 28, 2005 on 7:07 pm | In Security |
Alex Eckelberry’s post regarding the latest zero day exploit for IE couldn’t have been timelier. I had noticed his post earlier in the day but hadn’t given it much notice. I was surprised that an exploit had been found and used in such a short period of time, but I suppose that indicates it was a black hat that found the vulnerability in the first place.
In any case I recently switched my browser of choice and have been using FireFox as my primary browser. Unfortunately I haven’t made this preference known to my system as of yet, thus URLs I click in emails or otherwise automatically open still in IE. My experience this evening has led me to make that change.
I was quite honestly reading an e-book from a fairly new author and there are several links in this book. He’s a real jerk - but the advice is straight at least. In any case, I clicked one of his links and IE opens to the site. Except, the site isn’t loading. All I’ve got is the top of the page, and it seems to be hung.
Not 5 seconds later I noticed the hourglass next to the mouse pointer, then the Microsoft Image and Fax Viewer flashes up and I catch WMF in the title bar. It’s all over! My machine has been hijacked.
Well what to do now? All of the sudden I’m being told my computer is infected (I know!). Google Desktop shows my CPU is pegged, and a glance at my network switch says my computer is dumping some nasty on the net too. Joy!
First thought is to stop the problem at the source (after disconnecting the NIC of course). Time for Task Manager. Wait, why can’t I open it? Right mouse click on the taskbar shows the option greyed out - so does Ctrl + Alt + Delete. Hmmmm, this little baddy is making my day.
Screenshot 1
Screenshot 2
Screenshot 3
Thanks again to Alex for posting his notice. Through the comments there I found several people who had been stricken and found the best approach at removal: System Restore. Duh?! Being slightly in the know, I might have tried that before sissying out and looking up the answer. I did it because I thought it wouldn’t be that simple… yeah, right.
In any case, after a restart, System Restore, and another restart, it appears as though my system is back to normal. Jon posted a comment on the same blog with a quick fix that should patch up the vulnerability (if you aren’t inclined to switch browsers as I did):
REGSVR32 /U SHIMGVW.DLL
That should prevent the Image and Fax Viewer from being loaded by IE. I haven’t personally tried this but noted some success in the comments I read. Hopefully M$ will release an immediate fix on this one instead of waiting for the usual monthly update. Here’s to FireFox!
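The workaround above amounts to unregistering a single COM server, so it is worth being able to confirm that it actually took effect and to reverse it later. The following PowerShell script is an added example, not something from this post or from the commenter who suggested the fix: it wraps the same REGSVR32 command, verifies the result by scanning HKCR\CLSID for any in-process server still pointing at shimgvw.dll, and provides the matching re-register step. It assumes the DLL lives at %windir%\system32\shimgvw.dll and that the shell is run with administrator rights; the function names are my own.

```powershell
# Added example (not from the post): unregister/re-register the Windows
# Picture and Fax Viewer (shimgvw.dll) and verify the registration state.
# Assumes the DLL is at %windir%\system32\shimgvw.dll and that this runs
# from an elevated PowerShell prompt.

$Dll = Join-Path $env:windir 'system32\shimgvw.dll'

function Get-ShimgvwRegistration {
    # Walk HKCR\CLSID and return every CLSID whose InprocServer32 default
    # value names shimgvw.dll. An empty result means the viewer is no longer
    # registered as a COM server, which is what the workaround relies on.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($server -and $server -match 'shimgvw\.dll$') {
                    [pscustomobject]@{ CLSID = $_.PSChildName; Server = $server }
                }
            }
        }
}

function Disable-ShimgvwViewer {
    # The workaround from the post: unregister the DLL so IE cannot hand
    # WMF content to the viewer. /s suppresses the confirmation dialog.
    & regsvr32.exe /u /s $Dll
    if ($LASTEXITCODE -ne 0) {
        throw "regsvr32 /u failed with exit code $LASTEXITCODE"
    }
    # Check the registry rather than trusting the exit code alone.
    $left = @(Get-ShimgvwRegistration)
    if ($left.Count -gt 0) {
        throw "shimgvw.dll is still registered for: $($left.CLSID -join ', ')"
    }
    Write-Host 'shimgvw.dll unregistered; Picture and Fax Viewer disabled.'
}

function Enable-ShimgvwViewer {
    # Reverse the workaround once a vendor patch for the WMF flaw is installed.
    & regsvr32.exe /s $Dll
    if ($LASTEXITCODE -ne 0) {
        throw "regsvr32 failed with exit code $LASTEXITCODE"
    }
    Write-Host 'shimgvw.dll registered; Picture and Fax Viewer restored.'
}

# Usage:
#   Get-ShimgvwRegistration   # show whether the viewer is currently registered
#   Disable-ShimgvwViewer     # apply the workaround and verify it
#   Enable-ShimgvwViewer      # undo it after patching
```

Unregistering the DLL disables thumbnail previews and the viewer itself, not just the vulnerable WMF path, so treat it as a stopgap and run Enable-ShimgvwViewer after the proper fix is applied.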
–
Ryan