WMF Exploit patch

Has anyone checked out the "unofficial" WMF exploit patch found on the
NIST website?  Does it do anything worth trying?

Linked from their article on :

Closest link I think is:


The page says that you still need to unregister shimgvw.dll.  Naturally,
what is really needed is the ability to get back to business as usual.
(I've been amazed at how many things apparently use shimgvw for image

Thanks for thoughts


Re: WMF Exploit patch


I was hesitant and finally deployed the patch on my machines once it
showed up in the SANS handler's diary as having been pored over by one
of their folks.

Todd H.
http://www.toddh.net/

Re: WMF Exploit patch

The SANS-recommended hotfix intercepts calls to the exploitable program
routines in the vulnerable shimgvw.dll file.  It completely mitigates
any threat from this vulnerability.  No need to run Microsoft's suggested
unregister command, but it doesn't hurt to do so (belt and suspenders is
what SANS called it).

My only problem with this fix is it's not very enterprise friendly.  It
requires installation on every machine through non-automated processes
(yes, you can automate an install yourself) and should be uninstalled
after Microsoft releases their fix.

The latest exploit kits allow creation of WMF files with varying
signatures.  This was intended to make detection by IDS/IPS and
antivirus programs much harder or impossible.  So this unofficial hotfix
may be all we have at the moment.

You can read more at http://www.NIST.org
Check back often for updates or subscribe to the NIST.org RSS feed.
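The post above makes the point that byte-signature detection fails once exploit kits vary the file layout. A defender's alternative is to parse the WMF record stream and flag the record type the exploit depends on: the flaw patched by MS06-001 was reached through a META_ESCAPE record whose escape function is SETABORTPROC. The following is an added example written for this thread, not code from SANS, NIST.org or the unofficial patch; the two sample files at the bottom are constructed in the block itself (the "suspect" one carries only filler bytes, no payload) so the check can be exercised offline.

```python
import struct

# WMF constants (from the Windows Metafile format):
META_ESCAPE = 0x0626          # record function code for a GDI Escape
META_EOF = 0x0000             # last record of every metafile
SETABORTPROC = 0x0009         # escape sub-function abused by the WMF exploit
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header prefix


def _records(data):
    """Yield (function, params) for each record in a WMF byte string.

    Skips the optional placeable header, honours HeaderSize from the
    18-byte METAHEADER, and stops at META_EOF or at the first record
    whose size field does not fit inside the file (truncated/malformed).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize in 16-bit words
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # RecordSize (words), Function
        size = size_words * 2
        if size < 6 or off + size > len(data):
            return  # inconsistent record size: stop rather than misparse
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_abortproc_escapes(data):
    """Return [(record_index, escape_function, byte_count), ...] for every
    META_ESCAPE record whose escape function is SETABORTPROC.

    Because this walks records rather than matching fixed byte patterns,
    padding, header variants or a different position in the file do not
    hide the record from the check.
    """
    hits = []
    for idx, (func, params) in enumerate(_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((idx, esc_func, byte_count))
    return hits


def build_wmf(records):
    """Build a minimal standard-header WMF from (function, params) tuples.
    Used only to construct sample input for the detector."""
    body = b""
    max_rec = 0
    for func, params in records:
        if len(params) % 2:
            params += b"\x00"          # records are word-aligned
        size_words = (6 + len(params)) // 2
        max_rec = max(max_rec, size_words)
        body += struct.pack("<IH", size_words, func) + params
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    # METAHEADER: Type, HeaderSize, Version, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_rec, 0)
    return header + body


# Constructed samples (not real-world files): one with a harmless NEWFRAME
# escape (0x0001), one carrying a SETABORTPROC escape with filler data.
BENIGN = build_wmf([(META_ESCAPE, struct.pack("<HH", 0x0001, 4) + b"\x00" * 4)])
SUSPECT = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8)])

if __name__ == "__main__":
    print("benign :", find_abortproc_escapes(BENIGN))   # []
    print("suspect:", find_abortproc_escapes(SUSPECT))  # [(0, 9, 8)]
```

This is a triage filter, not a replacement for the hotfix: it tells you which files in a mail gateway quarantine or file share warrant a closer look, while the unregister workaround or the hook-based patch is what actually stops the viewer from honouring the escape.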
