The vulnerability is caused due to an error in the handling of Windows Metafile files (".wmf")... Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious ".wmf" file in "Windows Picture and Fax Viewer" or previewing a malicious ".wmf" file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like ".jpg", ".gif", ".tif", and ".png" etc.

"F-Secure reports detecting 57 different malicious WMF files in the wild so far."
http://www.sans.org/newsletters/risk Alert Vol. 4 No. 52

If you're concerned for your security on the web, please follow these steps until Microsoft releases a patch for it. This will unregister, or "disable" for want of a better word, the file that is causing this exploit.

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click OK when the change dialog appears.
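
Because the quoted advisory notes that a renamed ".jpg" or ".png" still triggers the flaw, a defender has to identify WMF files by content rather than extension. The following is an added example, not part of the original post: it checks the standard WMF header fields (and the optional placeable-header key) and lists files in a folder whose content is WMF but whose extension is not ".wmf". The function names, file names and sample bytes are constructed for illustration.

```python
import os
import struct
import tempfile

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, little-endian
PLACEABLE_LEN = 22                   # optional header placed before META_HEADER
HEADER_LEN = 18                      # fixed META_HEADER size (nine 16-bit words)

# Constructed sample: an empty, harmless metafile (header plus META_EOF record).
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)

def is_wmf(data: bytes) -> bool:
    """True if data begins with a WMF header, with or without the placeable prefix."""
    if data[:4] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]
    if len(data) < HEADER_LEN:
        return False
    # META_HEADER starts with Type, HeaderSize (in words) and Version.
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def find_disguised_wmf(folder: str) -> list:
    """Names of files whose content is WMF but whose extension is not .wmf."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(PLACEABLE_LEN + HEADER_LEN)
        if is_wmf(head) and not name.lower().endswith(".wmf"):
            hits.append(name)
    return hits

def demo() -> list:
    """Write constructed sample files to a temp folder and scan it."""
    samples = {
        "holiday.jpg": SAMPLE_WMF,                            # WMF renamed to .jpg
        "logo.png": PLACEABLE_KEY + bytes(18) + SAMPLE_WMF,   # placeable WMF renamed
        "drawing.wmf": SAMPLE_WMF,                            # honest extension
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(32),         # JPEG magic bytes
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, content in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        return find_disguised_wmf(folder)

if __name__ == "__main__":
    print(demo())
```

A hit only means the extension does not match the content; it says nothing about whether the metafile is malicious.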


Patch for
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)


Second Tuesday again
Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)

The recent WMF patch protects IE from dodgy images; this one is to protect IE from dodgy text. Also, there is some speculation that the WMF hole in GDI.exe could have been present as far back as Windows 3.0, so you can't assume IE will ever be safe even if it goes 6 months without needing a patch.

Alternatives to IE
http://www.opera.com - Best out-of-the-box browser, closed source but so far the most secure Windows browser.
http://www.mozilla.com - Most tweakable browser, open source, generally needs patching more often than Opera.


On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.



The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.


Lots of patching to do next week.


Nine of the bulletins earn the dread rating of critical, while the other seven grapple with flaws rated as important. All supported versions of Windows will need patching on 14 June along with various server-side software packages and applications, including the .NET framework and SQL Server. Internet Explorer, which is affected by two bulletins, will also need some fiddling under the bonnet.

Office suites also need to be updated thanks to a security fix for Excel that also affects the Mac OS X version of the product as well as virtually all versions of the spreadsheet software on Windows, including the most recent 2010 and 2011 editions of the software.


Must say I'm impressed with the new version. It will patch most of your applications with minimal fuss. You could set it up for your Granny.

Reminder - new patches for Windows / IE out now.


Just a reminder it's that time of the month again.

Patches for IE6 through IE10 and Office, usual Remote Code Execution stuff.

The first patches say there might be less damage if you aren't logged in with admin rights, which is then undermined because the last patch is about attackers gaining elevated privileges anyway.
