Update on the WMF exploit – more sites to block



I haven’t checked to see if these are already on other block lists for the WMF exploit, but the following addresses are advised to be blocked (from f-secure)….

toolbarbiz[dot]biz
toolbarsite[dot]biz
toolbartraff[dot]biz
toolbarurl[dot]biz
buytoolbar[dot]biz
buytraff[dot]biz
iframebiz[dot]biz
iframecash[dot]biz
iframesite[dot]biz
iframetraff[dot]biz
iframeurl[dot]biz


The “unregister workaround” is the best at this point because it will prevent ANY file extension image being used to trigger the exploit. It is possible for other image types to be used.

1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll”
(without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded.
Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started
when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

From… f-secure reporting on MS security advisory.

   Send article as PDF   

Similar Posts