They say Microsoft will not release an official patch until next week (Jan 10 2006). When they do, it should appear in Windows Update.
Before you install Microsoft’s patch, you should open the Windows Control Panel, open “Add or Remove Programs”, and remove the program “Windows WMF Metafile Vulnerability HotFix”.
Thanks Doug. Good links. There’s also a SANS version of the patch, that is probably a little easier to sell to your managers than saying “Here’s something a Russian guy cooked up”:
Same code, but from a safer source, I suppose.
Also, Chris Linfoot correctly pointed out that the keyfile.ini mod only keeps the File - View from working, not File - Open. So disabling the keyfile.ini entries only prevents the direct access from the Notes client. You’ll need the patch to fix the whole machine.
Subject: * How to keep Notes Client from displaying WMF files *
This is John H. from NIST.org, I posted the original Notes vulnerability report. I have updated that report at http://www.nist.org/nist_plugins/content/content.php?content.25 to indicate that Lotus Notes code is probably not involved. The Sysinternals Filemon utility was falsely attributing nlnotes.exe as calling the shimgvw.dll file. Further testing using API monitors and debugging software indicates that it is probably the Windows XP browser causing this. When attaching or saving a file Notes uses Windows for the file dialog. On a Windows XP computer the browser will call the shimgvw.dll file to retrieve image information. If thumbnails are enabled it will generate thumbnails as well. Keep in mind that this activity is enough to trigger the WMF exploit (even if the image is a JPG) so Lotus Notes (and many other applications) can trigger the exploit in an infected image file. Of course users can still open an infected image attachment and trigger the exploit (same as any other email application).
Others have mentioned workarounds to the Notes.ini file for WMF images. This will not help as WMFs renamed as JPG or GIF files will cause the same problem. SANS.org is highly recommending an unofficial hotfix. NIST.org has tested this hotfix and we’re also recommending it. It’s available on NIST.org at http://www.nist.org/news.php?extend.50. It’s going to be 7 days before Microsoft releases their fix. A LOT between now and then.
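Added example (Python, not code from the thread): because a WMF renamed to .jpg or .gif is rendered just the same, an attachment filter has to classify by content rather than extension. This sniffer recognises WMF data by its placeable or standard header and reports extension mismatches; the header layouts are the documented WMF, JPEG and GIF formats, and the attachment bytes below are constructed test data.

```python
import struct

# Aldus placeable metafile key, stored little-endian at offset 0 (bytes D7 CD C6 9A)
PLACEABLE_WMF_KEY = 0x9AC6CDD7
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> str:
    """Classify image bytes by header content, ignoring the file name."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard METAHEADER: mtType (1=memory, 2=disk), mtHeaderSize (always 9 words),
        # mtVersion (0x0100 or 0x0300). A JPEG (FF D8) or GIF ("GI") never matches this.
        mt_type, mt_header_size, mt_version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300):
            return "wmf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type found in the content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_image_type(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "is_wmf": actual == "wmf", "mismatch": actual != claimed}


def flagged_attachments(attachments: dict) -> list:
    """Return names of attachments whose content is WMF, whatever the extension says."""
    return [n for n, d in attachments.items() if check_attachment(n, d)["is_wmf"]]


# Constructed samples: a placeable WMF renamed to .jpg, a plain WMF, a JPEG and a GIF
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12
RENAMED_WMF = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18 + STANDARD_WMF
SAMPLES = {
    "photo.jpg": RENAMED_WMF,
    "drawing.wmf": STANDARD_WMF,
    "picture.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "logo.gif": b"GIF89a" + b"\x00" * 10,
}

if __name__ == "__main__":
    for n in SAMPLES:
        print(check_attachment(n, SAMPLES[n]))
```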
Subject: * How to keep Notes Client from displaying WMF files *
Here’s some code to automate editing keyview.ini and remarking out these 2 lines. Could be used in an action button for end-users.
Option Public
Option Declare
' Notes C API call that returns the directory holding the Notes executables
Declare Sub W32_OSGetExecutableDirectory Lib "nnotes" Alias "OSGetExecutableDirectory" (Byval szBuf As String)
%INCLUDE "LSCONST.LSS"

Sub Initialize
    Dim str_NotesPgmDir As String
    Dim szBuffer As String
    Dim text As String
    Dim filenum As Integer
    Dim outnum As Integer
    Dim progdir As String
    Dim nulpos As Integer
    Dim iniFile As String, newFile As String, bakFile As String

    ' Ask the Notes API for the program directory; the C call fills a fixed-size buffer
    szBuffer = Space$(255)
    Call W32_OSGetExecutableDirectory(szBuffer)
    ' The API writes a NUL-terminated C string, so cut at the NUL rather than relying on Trim
    nulpos = Instr(szBuffer, Chr(0))
    If nulpos > 0 Then
        str_NotesPgmDir = Left(szBuffer, nulpos - 1)
    Else
        str_NotesPgmDir = Trim(szBuffer)
    End If
    progdir = Strleftback(str_NotesPgmDir, "\")
    iniFile = progdir + "\keyview.ini"
    newFile = progdir + "\keyview.new"
    bakFile = progdir + "\keyview.bak"

    ' Copy keyview.ini to keyview.new, commenting out every line that ends in WMF
    filenum = Freefile()
    Open iniFile For Input As filenum
    outnum = Freefile()
    Open newFile For Output As outnum
    Do While Not Eof(filenum)
        Line Input #filenum, text
        If Right(Ucase(text), 3) = "WMF" And Left(text, 1) <> ";" Then
            Print #outnum, ";" + text    ' disable the WMF viewer entry
        Else
            Print #outnum, text          ' unchanged; already-commented lines are left alone
        End If
    Loop
    Close filenum
    Close outnum

    ' Keep a backup of the original instead of deleting it, then swap the new file in
    If Dir$(bakFile) <> "" Then Kill bakFile
    Name iniFile As bakFile
    Name newFile As iniFile
End Sub
that says that keyfile.ini can actually be put in a different location, based on a Notes.ini variable (I never knew that). So you might also need to do some checking, like this: