WMF Exploit!!!! Install this patch now!


#31 | 01-05-2006, 02:36 AM | Tom [Pepper] Willett
Re: WMF Exploit!!!! Install this patch now!

http://www.microsoft.com/technet/sec...ry/912840.mspx
"no_name" <no_name@no.where.invalid> wrote in message
news:xTTuf.8789$Or5.1432@tornado.southeast.rr.com...
| JP wrote:
|
| > You can check if you're vulnerable and get a patch there:
| >
| > http://www.grc.com/sn/notes-020.htm
| >
|
| What exactly is shimgvw.dll and what does it do?
|
| How will unregistering it affect my system?
|


#32 | 01-05-2006, 02:36 AM | Beauregard T. Shagnasty
Re: WMF Exploit!!!! Install this patch now!

no_name wrote:

> JP wrote:
>
>> You can check if you're vulnerable and get a patch there:
>>
>> http://www.grc.com/sn/notes-020.htm
>
> What exactly is shimgvw.dll and what does it do?
>
> How will unregistering it affect my system?


A few seconds at Google produced:
http://www.auditmypc.com/process/shimgvw.asp
and it is used, among other things, to display the thumbnails of
pictures when you have Explorer view set to ... Thumbnails. (I prefer
Details. <g>)

--
-bts
-Warning: I brake for lawn deer
#33 | 01-05-2006, 02:36 AM | no_name
Re: WMF Exploit!!!! Install this patch now!

Beauregard T. Shagnasty wrote:

> no_name wrote:
>
>> JP wrote:
>>
>>> You can check if you're vulnerable and get a patch there:
>>>
>>> http://www.grc.com/sn/notes-020.htm
>>
>> What exactly is shimgvw.dll and what does it do?
>>
>> How will unregistering it affect my system?
>
> A few seconds at Google produced:
> http://www.auditmypc.com/process/shimgvw.asp
> and it is used, among other things, to display the thumbnails of
> pictures when you have Explorer view set to ... Thumbnails. (I prefer
> Details. <g>)
>


Hmmmm?

I'm a photographer. I do have explorer display my own photographs as
thumbnails; makes it easier to sort through them, find the one I want.
But I don't use it otherwise.

I can live without thumbnails for a few days if I have to.
#34 | 01-05-2006, 02:36 AM | Beauregard T. Shagnasty
Re: WMF Exploit!!!! Install this patch now!

no_name wrote:

>> A few seconds at Google produced:
>> http://www.auditmypc.com/process/shimgvw.asp
>> and it is used, among other things, to display the thumbnails of
>> pictures when you have Explorer view set to ... Thumbnails. (I prefer
>> Details. <g>)
>
> Hmmmm?


Indeed. :-)

> I'm a photographer. I do have explorer display my own photographs as
> thumbnails; makes it easier to sort through them, find the one I want.
> But I don't use it otherwise.


Then it makes sense for you to have it set to Thumbnails, or at least
for the directories where you store your photos. The thumbnail view for
\system32\ is a bit silly, though.

> I can live without thumbnails for a few days if I have to.


Until the MS patch is issued ...

--
-bts
-Warning: I brake for lawn deer
#35 | 01-05-2006, 02:36 AM | jt3
Re: WMF Exploit!!!! Install this patch now!

You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
not, deregister, and use IV to look at those folders with images.
"no_name" <no_name@no.where.invalid> wrote in message
news:ulUuf.12365$lg.638@southeast.rr.com...
> Beauregard T. Shagnasty wrote:
>
> > no_name wrote:
> >
> >>JP wrote:
> >>
> >>>You can check if you're vulnerable and get a patch there:
> >>>
> >>>http://www.grc.com/sn/notes-020.htm
> >>
> >>What exactly is shimgvw.dll and what does it do?
> >>
> >>How will unregistering it affect my system?
> >
> > A few seconds at Google produced:
> > http://www.auditmypc.com/process/shimgvw.asp
> > and it is used, among other things, to display the thumbnails of
> > pictures when you have Explorer view set to ... Thumbnails. (I prefer
> > Details. <g>)
> >
>
> Hmmmm?
>
> I'm a photographer. I do have explorer display my own photographs as
> thumbnails; makes it easier to sort through them, find the one I want.
> But I don't use it otherwise.
>
> I can live without thumbnails for a few days if I have to.



#36 | 01-05-2006, 02:36 AM | jt3
Re: I'm out...

Indeed!

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c*a*m> wrote in message
news:uPkz3bPEGHA.2292@tk2msftngp13.phx.gbl...
> Jim wrote:
> > I'm outta here.
> >
> > I have shown you what I know about the patch and protecting
> > yourselves. I have projects to get out and must concentrate on them
> > at this time.
> > Ultimately (in PCs as in life), your security is in your hands. Do
> > your research. Listen to whom you trust.
> >
> > I wish you all the very best in this new year.
> >
> > Have fun and be safe.
> >
> > Jim

>
> Thank you. Although many respected people here have disagreed with you it
> has been a valuable discussion. Personally I have seen enough of my
> customers' computers that have been compromised and done enough testing to
> prove to myself that the patch works to block the exploit that I have
> installed it. Yes, it may cause some unforeseen problems but it can be
> easily uninstalled if it does. I look forward to uninstalling it when
> Microsoft releases their patch. I agree with the way Microsoft is releasing
> their patch. Their patch has to work and has to be well tested before
> general release. I really take offence with the way Microsoft is downplaying
> the severity of the exploit and how prevalent it is. They are giving many
> people a false sense of security and causing untold damage to unsuspecting
> users by lulling them into a false sense of security. To anyone who doesn't
> believe this then try this. Build a clean machine. Update Windows. Install
> your favourite anti-virus and anti-spyware programs. Visit a few of the
> known bad sites. You will be infected. Fine you say. I just won't visit
> those sites. There have already been known legitimate sites that have been
> hacked and frames added with the exploit. Microsoft is right to test the
> patch completely. They are wrong to minimize the exploit's impact.
>
> Kerry
>
>



#37 | 01-05-2006, 02:36 AM | Jim
Re: WMF Exploit!!!! Install this patch now!


"relic" <complaints@relic211.cjb.net> wrote in message
news:V2Suf.11434$hI1.6362@tornado.socal.rr.com...
> Jim wrote:
>> This makes it look like I made this ignorant quote.

>
> But you DID make all the other ignorant quotes.


If you expect a response, you will need to be more specific.

Jim


#38 | 01-05-2006, 02:36 AM | no_name
Re: WMF Exploit!!!! Install this patch now!

jt3 wrote:

> You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
> not, deregister, and use IV to look at those folders with images.


Apparently it does not, since I had already deregistered the DLL &
IrfanView can still display thumbnails.

Among IrfanView's other benefits are:

1. FREEWARE, and a damn good program.
2. Has plugin for my camera's RAW format files, which windows does not.
3. Small & fast.
#39 | 01-05-2006, 03:49 PM | Michael Stevens
Re: WMF Exploit!!!! Install this patch now!

In news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.net,
Jim <reply@groups.please> replied with a ;-)
> In case you have been living under a rock for the last week or so,
> you may not have heard about the WMF Windows exploit.
>
> For those rock dwellers, here's the scoop.....short and sweet. Reprinted
> here without permission from SANS at
> http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
>
> ---------------------------------------------
>
> WMF FAQ (NEW)
> Published: 2006-01-03,
> Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
> 3 (click to highlight changes))
>
> [a few users offered translations of this FAQ into various languages.
> Obviously, we can not check the translation for accuracy, nor can we
> update them. So use at your own risk: Deutsch and Deutsch (pdf),
> Catalan, Español, Italiana and Italiana, Polski, Suomenkielinen,
> Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in
> progress) ]
>
> - Why is this issue so important?
> The WMF vulnerability uses images (WMF images) to execute arbitrary
> code. It will execute just by viewing the image. In most cases, you
> don't have to click anything. Even images stored on your system may
> cause the exploit to be triggered if they are indexed by some indexing
> software. Viewing a directory in Explorer with 'Icon size' images
> will cause the exploit to be triggered as well.
>
> - Is it better to use Firefox or Internet Explorer?
> Internet Explorer will view the image and trigger the exploit without
> warning. New versions of Firefox will prompt you before opening the
> image. However, in most environments this offers little protection
> given that these are images and are thus considered 'safe'.
>
> - What versions of Windows are affected?
> All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are
> affected to some extent. Mac OS X, Unix or BSD are not affected.
>
> Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and
> there will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade.
>
> - What can I do to protect myself?
> 1. Microsoft has not yet released a patch. An unofficial patch was
> made available by Ilfak Guilfanov. Our own Tom Liston reviewed the
> patch and we tested it. The reviewed and tested version is available
> here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP
> signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for
> providing the patch!!
> 2. You can unregister the related DLL.
> 3. Virus checkers provide some protection.
> To unregister the DLL:
>
> a. Click Start, click Run, type "regsvr32 -u
> %windir%\system32\shimgvw.dll" (without the quotation marks... our
> editor keeps swallowing the backslashes... it's
> %windir%(backslash)system32(backslash)shimgvw.dll), and then click OK.
> b. A dialog box appears to confirm that the un-registration process
> has succeeded. Click OK to close the dialog box.
> Our current "best practice" recommendation is to both unregister the
> DLL and to use the unofficial patch.
>
> - How does the unofficial patch work?
> The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
> then patches (in memory) gdi32.dll's Escape() function so
> that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter.
> This should allow Windows programs to display WMF files normally
> while still blocking the exploit. The version of the patch located
> here has been carefully checked against the source code provided as
> well as tested against all known versions of the exploit. It should
> work on WinXP (SP1 and SP2) and Win2K.
>
> - Will unregistering the DLL (without using the unofficial patch)
> protect me?
> It might help. But it is not foolproof. We want to be very clear on
> this: we have some very strong indications that simply unregistering
> the shimgvw.dll isn't always successful. The .dll can be
> re-registered by malicious processes or other installations, and
> there may be issues where re-registering the .dll on a running system
> that has had an exploit run against it allows the exploit to
> succeed. In addition it might be possible for there to be other
> avenues of attack against the Escape() function in gdi32.dll. Until
> there is a patch available from MS, we recommend using the unofficial
> patch in addition to un-registering shimgvw.dll.
>
> - Should I just delete the DLL?
> It might not be a bad idea, but Windows File Protection will probably
> replace it. You'll need to turn off Windows File Protection first.
> Also, once an official patch is available you'll need to replace the
> DLL. (Renaming, rather than deleting, is probably better so it will
> still be handy.)
>
> - Should I just block all .WMF images?
> This may help, but it is not sufficient. WMF files are recognized by a
> special header and the extension is not needed. The files could
> arrive using any extension, or embedded in Word or other documents.
>
> - What is DEP (Data Execution Protection) and how does it help me?
> With Windows XP SP2, Microsoft introduced DEP. It protects against a
> wide range of exploits, by preventing the execution of 'data
> segments'. However, to work well, it requires hardware support. Some
> CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and
> will prevent the exploit.
>
> - How good are Anti Virus products at preventing the exploit?
> At this point, we are aware of versions of the exploit that will not
> be detected by antivirus engines. We hope they will catch up soon.
> But it will be a hard battle to catch all versions of the exploit. Up
> to date AV systems are necessary but likely not sufficient.
>
> - How could a malicious WMF file enter my system?
> There are too many methods to mention them all. E-mail attachments,
> web sites, instant messaging are probably the most likely sources.
> Don't forget P2P file sharing and other sources.
>
> - Is it sufficient to tell my users not to visit untrusted web
> sites?
> No. It helps, but it's likely not sufficient. We had at least
> one widely trusted web site (knoppix-std.org) which was compromised.
> As part of the compromise, a frame was added to the site redirecting
> users to a corrupt WMF file. "Trusted" sites have been used like this
> in the past.
>
> - What is the actual problem with WMF images here?
> WMF images are a bit different than most other images. Instead of just
> containing simple 'this pixel has that color' information, WMF images
> can call external procedures. One of these procedure calls can be
> used to execute the code.
>
> - Should I use something like "dropmyrights" to lower the impact
> of an exploit?
> By all means yes. Also, do not run as an administrator-level user
> for everyday work. However, this will only limit the impact of the
> exploit, and not prevent it. Also: Web browsing is only one way to
> trigger the exploit. If the image is left behind on your system, and
> later viewed by an administrator, you may get 'hit'.
>
> - Are my servers vulnerable?
> Maybe... do you allow the uploading of images? email? Are these images
> indexed? Do you sometimes use a web browser on the server? In short:
> If someone can get an image to your server, and if the vulnerable DLL
> may look at it, your server may very well be vulnerable.
>
> - What can I do at my perimeter / firewall to protect my network?
> Not much. A proxy server that strips all images from web sites?
> Probably won't go over well with your users. At least block .WMF
> images (see above about extensions...). If your proxy has some kind
> of virus checker, it may catch it. Same for mail servers. The less
> you allow your users to initiate outbound connections, the better.
> Close monitoring of user workstations may provide a hint if a work
> station is infected.
>
> - Can I use an IDS to detect the exploit?
> Most IDS vendors are working on signatures. Contact your vendor for
> details. Bleedingsnort.org is providing some continuously improving
> signatures for snort users.
>
> - If I get hit by the exploit, what can I do?
> Not much :-(. It very much depends on the exact exploit you are hit
> with. Most of them will download additional components. It can be
> very hard, or even impossible, to find all the pieces. Microsoft
> offers free support for issues like that at 866-727-2389 (866 PC
> SAFETY).
>
> - Does Microsoft have information available?
> http://www.microsoft.com/technet/sec...ry/912840.mspx
> But there is no patch at the time of this writing.
>
> - What does CERT have to say?
> http://www.kb.cert.org/vuls/id/181038
> http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
>
> -----------------------------------------
>
> So run the patch, reboot and keep your fingers crossed!
>
> Jim


Tested on 3 systems, at one day intervals, no problems at all.
Not sure what the hubbub is all about when so many viable sources say it is
safe. I am sure some unscrupulous people are using the patch as a way to
spread the virus with redirected links, but the same people do this with
official MS patches. Stupid and usually uninformed users will always fall
for these scams.
MS will always have the official advisory to not apply any non-ms patch, but
does anyone think the leaked patch was leaked? LOL
BTW, I have beachfront property in Lawrence, Kansas for sale with great views
of Diamondhead. Bids start at $10.000. Look for it in the Windows COA only
eBays listings.
--
Michael Stevens MS-MVP XP
xpnews@bogusmichaelstevenstech.com
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/ou...snewreader.htm
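Two points in the quoted SANS FAQ are actionable for anyone filtering files at a mail gateway or proxy: a WMF is recognised by its header, not its extension, and the dangerous construct is a metafile record that reaches GDI's Escape() with SETABORTPROC (0x09). The scanner below is an added example written for this thread; it is not code from SANS, Microsoft or the unofficial patch's author. It walks the WMF record stream and flags any META_ESCAPE record carrying SETABORTPROC, whatever the file is called, and treats malformed record sizes as suspicious too. The record layout used (placeable key 0x9AC6CDD7, META_ESCAPE 0x0626, META_EOF 0x0000, sizes in 16-bit words) is the standard WMF format; the sample files are constructed inline and carry no payload.

```python
"""Header-based WMF scanner: flags metafile records that reach GDI's
Escape() with SETABORTPROC, whatever the file extension says.
Added example for this thread; not SANS's, Microsoft's or the patch author's code."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
SETABORTPROC = 0x0009        # the Escape() sub-function the exploit abuses


def looks_like_wmf(data: bytes) -> bool:
    """Recognise a WMF by its bytes: placeable key, or a plausible METAHEADER."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data: bytes):
    """Yield (offset, function, params) for every record up to META_EOF.
    Record sizes are in 16-bit words and include the 6-byte size+function prefix."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += 18                                   # skip the METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                      # would never advance / overlaps itself
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"truncated record at offset {off}")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def scan_wmf(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if not looks_like_wmf(data):
        return findings                         # not a metafile at all
    try:
        for off, func, params in iter_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                escape_fn, nbytes = struct.unpack_from("<HH", params, 0)
                if escape_fn == SETABORTPROC:
                    findings.append(
                        f"META_ESCAPE/SETABORTPROC at offset {off} ({nbytes} data bytes)")
    except ValueError as exc:
        findings.append(f"malformed metafile: {exc}")  # broken structure is a red flag
    return findings


# --- constructed sample files (placeholder bytes only; they exercise the scanner) ---
def make_record(func: int, params: bytes) -> bytes:
    if len(params) % 2:
        params += b"\x00"                       # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    return header + body


BENIGN_SAMPLE = build_wmf([make_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
                           make_record(META_EOF, b"")])
SUSPECT_SAMPLE = build_wmf([make_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"...."),
                            make_record(META_EOF, b"")])
PLACEABLE_SUSPECT = struct.pack("<I", PLACEABLE_KEY) + bytes(18) + SUSPECT_SAMPLE

if __name__ == "__main__":
    # the "extension" is irrelevant: both blobs are scanned purely by content
    for name, blob in [("benign.jpg", BENIGN_SAMPLE), ("holiday.jpg", SUSPECT_SAMPLE)]:
        print(name, scan_wmf(blob) or "clean")
```

The scanner deliberately stops at the first malformed record and reports it rather than skipping ahead: a metafile whose record sizes do not add up is exactly the kind of input a signature-based filter would otherwise miss.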





#40 | 01-05-2006, 03:50 PM | Shane
Re: WMF Exploit!!!! Install this patch now!

"no_name" <no_name@no.where.invalid> wrote in message
news:KmYuf.20$Kp.11@southeast.rr.com...
> jt3 wrote:
>
>> You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
>> not, deregister, and use IV to look at those folders with images.
>
> Apparently it does not, since I had already deregistered the DLL &
> IrfanView can still display thumbnails.
>
> Among IrfanView's other benefits are:
>
> 1. FREEWARE, and a damn good program.
> 2. Has plugin for my camera's RAW format files, which windows does not.
> 3. Small & fast.


I still prefer Explorer's Thumbnail display, at least for .jpg files.

To refine the thought that Thumbnail View is okay for folders such as My
Pictures but not for, e.g., \System32\: I re-register shimgvw.dll when working
in folders containing pictures I've taken or otherwise trust, then
unregister it again when I've finished.

Shane

--


The Sugitive

Chapter One: http://tinyurl.com/bcevp

Chapter Two: http://tinyurl.com/ag92o

Chapter Three: Coming to an URL near you soon!

------------------------------------
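Shane's routine above (re-register shimgvw.dll for a trusted picture folder, unregister it again afterwards) as an added batch script for this thread; it is not Shane's script and not part of the SANS FAQ. It wraps the FAQ's regsvr32 step, checks the exit code instead of relying on the confirmation dialog, and must be run from an Administrator account. The script name and the on/off arguments are this example's own choices. As the FAQ warns, unregistering alone is not foolproof, so this is a convenience on top of the patch, not a replacement for it.

```batch
@echo off
rem toggle_shimgvw.cmd - added example for this thread (not Shane's own script)
rem Usage:  toggle_shimgvw on    re-register the DLL to browse a trusted picture folder
rem         toggle_shimgvw off   unregister it again when finished (FAQ step 2)
rem Run from an Administrator account. /s keeps regsvr32 from popping its dialog box.

set DLL=%windir%\system32\shimgvw.dll

if not exist "%DLL%" (
    echo %DLL% not found - nothing to do
    exit /b 1
)

if /i "%~1"=="on" (
    regsvr32 /s "%DLL%"
    if errorlevel 1 (echo FAILED to register %DLL% & exit /b 1)
    echo shimgvw.dll registered: Explorer thumbnails active - remember to run "off" when done
    exit /b 0
)

if /i "%~1"=="off" (
    regsvr32 /s /u "%DLL%"
    if errorlevel 1 (echo FAILED to unregister %DLL% & exit /b 1)
    echo shimgvw.dll unregistered: Explorer thumbnails disabled
    exit /b 0
)

echo Usage: %~n0 on ^| off
exit /b 2
```

Run it as `toggle_shimgvw on` before opening the photo folder and `toggle_shimgvw off` afterwards; a non-zero exit code means regsvr32 could not load the DLL or its registration entry point failed, which is worth checking before assuming thumbnails are off.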

