Figured I'd post the update to this panic that started yesterday and at least try to help a few of you out there that may not be protected by the likes of ExchangeDefender or competent IT staff. If you're worried about the WMF exploit infecting your system, try to unassociate WMF files so they cannot be automatically opened by Internet Explorer:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Then check with your system admin and ask whether they have restricted WMF flow (through the mail server), how up-to-date your virus protection is, and what kind of content/network filtering is in place. There is always Firefox…

Slight update. I just read an email from Michael Curley alluding to what I've said above about unassociating the filetype:
"Although blocking wmf extensions at the proxy is a good idea, it should be noted that a wmf can present itself as a .png or a .gif or a .anything, and windows can still read the metadata on the file and treat it as a .wmf."
In practical IT security (which is quite different from the idiots that write security books and have no business experience whatsoever), where you have to consider business practices, user experience / education and all the other factors in implementing a good and efficient security plan, one size does not fit all. You have to implement as many layers as you can to protect yourself. That is, use antivirus. Use a firewall. Use a proxy/content filter. Use everything you can tag onto your mail server to stop direct contact. Use content permission software to block where users are going. It cannot be a shotgun implementation.
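Curley's point about extensions, as an added example that is not part of the original post: a filter has to classify a file by its header bytes, not its name. The function names and the sample byte strings are constructed for illustration; the header values are the WMF placeable key and the standard metafile header fields (type, header size in words, version).

```python
import struct
from pathlib import PurePath

# Aldus "placeable" WMF files start with the key 0x9AC6CDD7 (little-endian).
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

def is_standard_wmf_header(buf):
    """Standard metafile header: type 1 or 2, header size of 9 words,
    version 0x0100 or 0x0300, all little-endian 16-bit fields."""
    if len(buf) < 6:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", buf)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def looks_like_wmf(data):
    """True when the leading bytes identify the content as a Windows Metafile."""
    return data.startswith(PLACEABLE_KEY) or is_standard_wmf_header(data)

def classify(filename, data):
    """Return 'not-wmf', 'wmf', or 'wmf-disguised' (WMF content, other extension)."""
    if not looks_like_wmf(data):
        return "not-wmf"
    ext = PurePath(filename).suffix.lower()
    return "wmf" if ext == ".wmf" else "wmf-disguised"

# Constructed samples: an empty metafile (header plus end-of-file record only).
EMPTY_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
PLACEABLE_WMF = PLACEABLE_KEY + bytes(18) + EMPTY_WMF
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)

if __name__ == "__main__":
    samples = [
        ("chart.wmf", PLACEABLE_WMF),
        ("holiday.png", EMPTY_WMF),     # WMF content behind a .png name
        ("banner.gif", PLACEABLE_WMF),  # WMF content behind a .gif name
        ("logo.png", REAL_PNG),
    ]
    for name, data in samples:
        print(f"{name:12} -> {classify(name, data)}")
```

A mail or proxy filter built this way catches the renamed file that an extension block list lets through.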