
Microsoft to Patch Windows Flaw Next Week

Microsoft has updated its advisory on an unpatched flaw in Windows that hackers are using to embed spyware and other malicious programs on PCs running the company's Windows operating system. Redmond now says it plans to release a patch on Jan. 10 to fix the problem.

This is not that big of a surprise, really. Jan. 10 is the second Tuesday of the month, also known as "Patch Tuesday" -- the day Microsoft regularly issues software patches and updates.  (It's also called  "Black Tuesday" by system admins who dread the extra hours it takes to test and deploy security patches across thousands of computers).

Had the company not announced plans to issue a patch, that might have been more newsworthy. Given the sheer amount of negative publicity regarding Microsoft's decision to delay releasing the patch for another week, I am willing to bet that the company will switch gears over the next few days and perhaps issue the patch even earlier.

Normally, Microsoft only tells users the Thursday before Black Tuesday how many patches it will issue and what the highest severity rating will be. Microsoft is offering more details in this case because, well, the company wants to make sure everyone knows that it recognizes this is a serious enough threat.  Well-respected members of the security community are even urging users not to wait for the patch from Microsoft and to instead install a fix developed by an independent programmer.

The original site where the unofficial patch was posted was quickly knocked offline by massive traffic spikes following a hilarious yet deadly serious post by the SANS Internet Storm Center urging people to download and install the patch. Subsequently, the SANS site itself was also swamped by patch seekers, even after the organization set up a second server to handle all of the requests.

Before you do anything else, it would be a good idea to read this entire post, and then review SANS's frequently asked questions (FAQ) on this vulnerability. If after reading this post and the SANS FAQ, you still want to download and install the unofficial patch, you should be able to retrieve it from this link here. It works on Windows 2000, Windows XP Home and Pro systems, as well as Windows Server 2003.

Windows users also can use the following workaround that should help mitigate the threat from this flaw:

    * Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.

    * A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

A couple of things to note about the SANS FAQ, which states in part: "If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS.  Your mitigation options are very limited. You really need to upgrade."

While it is true that neither the above-mentioned hack nor the unofficial patch will fix the problem on Windows 98 and Windows ME (or for Windows 95 or Windows 3.0 for that matter, where this flaw also apparently resides), none of the security experts I've talked to have seen an exploit so far that successfully attacks this flaw on those systems. That said, it may only be a matter of time before attackers figure out a way to use this flaw to target the still-substantial number of Windows 98 and ME users worldwide, who tend to be (flamebait-inducing generalization here) among the less experienced and street-smart 'Netizens.

If Microsoft's patch next week does not fix this flaw on Windows 98 and Windows ME -- and the reply to that open question from a Microsoft security response director I spoke with today was not encouraging on that front -- the advice to upgrade or switch to another OS entirely may be the best there is to offer against this threat for those users.

In addition, while this flaw has nothing really to do with Microsoft's Internet Explorer browser, using an alternative browser like Firefox or Opera does help reduce the likelihood that your machine will be compromised by this exploit. That's because Firefox and Opera will ask users to approve a nasty download from a malicious Web site, whereas IE will simply download it without warning.

See my story in today's Post: "Experts Advocate Non-Microsoft Windows Patch."

By Brian Krebs  |  January 4, 2006; 7:45 AM ET
Categories:  Latest Warnings  


I for one strongly prefer Windows 9x over XP because it is a leaner and more manageable Operating System.

For years I've watched XP users go through a lot of additional security trouble that I've not gone through. XP patches alone outweigh the entire size of Windows 9x.

I keep up with security issues on Windows. I'm running Windows 95 OSR2. Guess what? I'm not even susceptible to this flaw.

These flaws are built in, man made and well they didn't build this flaw into OSR2.

Just for precautions I've decided to put the Internet Explorer in offline mode and stay with other browsers.

It is a lot less work making a secure OS out of 9x than it is XP.

I wouldn't take at face value comments implying that Legacy Windows are more susceptible or that the Netizens are less of anything.

If anyone wishes to maintain there is some hole in the Legacy Windows I'd like to know what it is with some specificity.

If you can't state with specificity even one particular hole, I'd say you were just blowing smoke.

Unpatched browser holes are not OS specific. If you are using IE it is not because you have to, it's because you are using it over other browsers which are free and arguably a better browsing experience.

I suppose 98 users could just delete shimgvw.dll, not use (disassociate) the Explorer or the picture viewer and fax viewer. Turn off active scripting and etc.

What picture viewer and fax viewer? If there was a picture viewer in 98, I missed it. I like IrfanView and it doesn't have the flaw. I guess the author didn't build the flaw into it. Who knows?

My Windows 95 OSR2 is on a high speed connection 24/7. It's not getting clobbered around. It's not ever been compromised either.

The Internet is a potentially very hostile network. Personal computer users are by default the network administrators of this network.

Most people are not up to the task of effectively administering their computers on this Network. Not knowing how to make it safe they rely on others like the vendors.

Microsoft as a vendor doesn't deliver safety in its defaults. For example they think the autorun feature should be enabled by default. Next thing you know Sony installs a rootkit.

They think ActiveX scripts marked safe are safe. Next thing you know you have a drive by download.

They provide a firewall with XP and even with it enabled, it doesn't give you any power over outbound exchanges and requests.

There is a current trend of thought that tries to sell the idea of upgrade and patch, upgrade and patch, upgrade and patch as some kind of responsible security behavior.

Before accepting this philosophy, I'd like to consider the question, does it work.

Suppose I fell for the line and kept upgrading and patching. Could I surf the Internet safely and play music CDs on my computer without having the system compromised?

The answer is no to both of these questions.

So the solution is more upgrades and patches? I think not.

My computer can play audio CDs and not get compromised. The reason why has to do with configuration. All the upgrades and patches in the world will not help if your computer is configured to leave you open to these exploits.

I can browse the Internet just as safely as XP users with Firefox. There aren't any Firefox security issues which affect Legacy Windows users over and above XP users.


Posted by: Bruce | January 4, 2006 11:28 AM | Report abuse

You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP.
In a lot of cases this will force people to have to buy new hardware.

So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales?

The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.

Posted by: SmartITGuy | January 4, 2006 11:29 AM | Report abuse

I have been virus free for years and years. It's called Mac OS X (and Classic before that). It is a viable alternative to Windows. To a comment posted by "Yeah" Macs are very very serious computers that (in my opinion) far exceed anything that Microsoft has ever made. Before posting "fanboy" comments go and do some research and explain why you don't like them. As for this flaw, there is a permanent fix for all viruses and flaws in Windows......Mac.

Posted by: Foxxxy | January 4, 2006 12:07 PM | Report abuse

SmartITGuy wrote the paragraph below:

"You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP."

I think you are right. I'd even go so far as saying they have reasons not to make XP too safe. Their future depends on your perceived need for so-called Trustworthy Computing. If XP was locked down tight would you perceive a need for Trustworthy Computing?

PS this post was produced with Firefox 1.0.7, it seems to work okay :)

Posted by: Bruce | January 4, 2006 12:07 PM | Report abuse

To : SchlitzAndGenny ... the first version (read reason at isc.sans(dot)org) is 87,552 bytes. I've forgotten how long that takes by modem. Good luck. [ file hosted on a Mac / deployed to half a dozen XPs / 2 dozen Macs unaffected ]

To : Yeah ... { not a "flame" to others ! } Yep, they sure are. Just like Christmas morning, I like my toys to still be working on New Year's Day. The 128 still boots up on my office credenza ... go figure

Posted by: Kalama Jim | January 4, 2006 12:29 PM | Report abuse

Macs suck. 'Nuff said.

Posted by: guest | January 4, 2006 1:01 PM | Report abuse

What the heck is this shimgvw.dll that we might remove or unregister? It's not even on my Win98 system. This scare-mongering is only a sales pitch. One of the alternatives to Windows, at least for businesses, is OpenVMS. Users like to brag that their uptimes are longer than Microsoft service contracts.

Posted by: Blinky | January 4, 2006 1:35 PM | Report abuse

Please stop talking about the Apple Mac's superiority to anything done by Microsoft. If more people start using Macs then the virus writers will change their attention from the crap that Microsoft pushes on the public and turn to attacking Apple systems. While Apple software is vastly superior to anything Microsoft has pushed onto an ignorant public, it can be hacked by some really intelligent hackers who now find the number of Mac users not worth the effort to hack. Please let's keep it that way.

Posted by: F&M | January 4, 2006 1:59 PM | Report abuse

OK, I ran "regsvr32 -u %windir%\system32\shimgvw.dll" and, as expected, I can't use fax viewer and don't see thumbnails. Fine...I can live with that in the short term.

Now let's assume a patch comes out next week. Do I need to re-register this dll? And if so, what is the command syntax?

And do I need to re-register the dll before I accept the Microsoft patch? And will there be unpredictable consequences if the patch is applied while the dll is unregistered, say, for instance, if Microsoft decides to push out the patch to auto-update customers before Tuesday?

Maybe trivial, but worth asking.

Posted by: Andy | January 4, 2006 2:15 PM | Report abuse

Well, you asked, so...

Simple reason I don't like Macs:

I like to be able to build and rebuild computers, swapping hardware, changing out video cards, upgrading bits and pieces, frankensteining boxes out of lonely parts rescued from leftover PCs. While I'm willing to admit fragility on the part of the Microsoft OS, I have little desire to accept the other option - proprietary, locked-down hardware from Apple.

Also, I like my computer mouse to have multiple buttons and not look like a toy or a hockey puck.

For all the supposed advantages to the Mac OS, the apple computers themselves are the real turnoff. I intensely dislike the idea of buying a one-piece unit where the monitor is permanently connected to the actual computer, and the whole unit looks like a silly 1960's lamp.

Posted by: Yeah | January 4, 2006 2:19 PM | Report abuse

Andy -- I have covered this in past blog posts, but here it is again. If you want to re-register this DLL, then you may do so by following the same instructions except omitting the /u flag. Here they are:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 shimgvw.dll" to re-enable.
4. Click ok when the change dialog appears.

To your other question, when Microsoft releases this patch, they will have fixed the more basic underlying problem, that with GDI, not this Shimgvw.dll. Which means there should be no need to re-enable the dll before installing the msft patch. Does that answer your question? Clear as mud?

Posted by: Bk | January 4, 2006 2:36 PM | Report abuse

So, if MS is required to patch everything they've ever made, where do we stop? Does GM have to go back and provide upgrades for all the 1950's cars that had weak seatbelt systems? Does Genie have to go back and provide free retrofits for all the old garage door openers susceptible to code scanners?

Does your last boss at the job you quit working at 10 years ago have the right to force you to go back and correct a spreadsheet you put incorrect data into?

I'm tired of so many people claiming they're "due" something from a company because they made mistakes or even worse - because something written for an environment that existed years ago no longer works well in today's environment.

Get a clue. Life changes. Stuff isn't perfect. You do the best you can and make the best decision you can, and live with it. If someone is maliciously negligent, that's one thing, but it's not what we're talking about here.

I wish the Mac people all the luck in the world too, cause I like the platform. But don't let your guard down guys, cause only an idiot would believe Macs will stay unaffected forever. Hell, I don't think it's too long before automotive systems get complex enough to start being attacked...

Posted by: PC's = Cars = garage door openers? | January 4, 2006 4:12 PM | Report abuse

I'm getting sick and tired of Windows and its security issues. Granted, I know more about computers and the internet than the average person, but I'm still somewhat inexperienced when it comes to switching from one OS to another. If it was as easy to switch to another OS as it is to switch from one browser like IE to another (Firefox), I would have made the change yesterday.

Posted by: Help Me Rhonda | January 4, 2006 4:56 PM | Report abuse

To Rhonda: It will be very easy to switch to the Macintosh OS, simply because the Mac OS is very simple to use (and very stable). I've been a Mac user since 1991, and I keep looking at my Windows colleagues with great astonishment as they keep wasting time, time, and money with the mediocre Microsoft Windows every year. Switch to the Mac, and you'll finally start to enjoy using a computer!

Posted by: Erica | January 4, 2006 6:35 PM | Report abuse

There is now a patch that is also for 98/SE/ME:

"WMF Patch by Paolo Monti

Paolo Monti has released a temporary patch for the WMF vulnerability ( see Microsoft Security Bulletin 912840 ). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks avoiding patching/modifying of the GDI32 code. Advantages of this approach: fully dynamic - no reboot is required.
This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.

Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.

Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it."

I pass this along as information only. I haven't tried it on my 98SE system, and have only read in newsgroups that it was tested by ESET.

Thanks Brian for your excellent blog.

Posted by: Luke | January 4, 2006 6:40 PM | Report abuse
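The Monti patch quoted above works by filtering the SETABORTPROC escape (function number 9) when it reaches GDI32's Escape call. The same record can be looked for on disk before a file is ever rendered, which is how mail gateways and proxies screened attachments at the time. The following is an added example, not code from this post or from the patch author: it walks the records of a WMF file and reports the offsets of META_ESCAPE records whose escape code is SETABORTPROC. The two sample metafiles it builds are constructed here as test fixtures (one benign rectangle, one carrying an empty SETABORTPROC escape with no data); a real scanner would feed it the bytes of a file pulled from a mailbox or cache.

```python
"""Scan Windows Metafile (WMF) bytes for META_ESCAPE records that carry the
SETABORTPROC escape code (9), the record type the WMF vulnerability abuses.
Added example for this post; record layout follows the published WMF format."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte "placeable" header
META_EOF = 0x0000
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for every record up to META_EOF.
    Raises ValueError for truncated or structurally impossible input."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                    # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:     # memory/disk type, 9-WORD header
        raise ValueError("not a standard WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        rd_words, func = struct.unpack_from("<IH", data, off)
        if rd_words < 3:                            # size + function alone are 3 WORDs
            raise ValueError(f"record at {off} has impossible size {rd_words}")
        end = off + rd_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of data")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record found")


def find_setabortproc(data: bytes) -> list:
    """Return offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample metafiles (test fixtures, not captured files) ---

def _record(func: int, *words: int) -> bytes:
    """Encode one record: size in WORDs (DWORD), function (WORD), WORD params."""
    return struct.pack("<IH", 3 + len(words), func) + struct.pack(f"<{len(words)}H", *words)


def _placeable_header() -> bytes:
    """22-byte placeable header; its checksum is the XOR of the first ten WORDs."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 1000, 1000, 96, 0)
    checksum = 0
    for i in range(0, 20, 2):
        checksum ^= struct.unpack_from("<H", body, i)[0]
    return body + struct.pack("<H", checksum)


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a standard 9-WORD WMF header plus records, terminated by META_EOF."""
    recs = list(records) + [_record(META_EOF)]
    body = b"".join(recs)
    max_words = max(len(r) // 2 for r in recs)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, max_words, 0)
    return (_placeable_header() if placeable else b"") + header + body


BENIGN_WMF = build_wmf([_record(META_RECTANGLE, 100, 100, 0, 0)])
# Escape record with SETABORTPROC (9) and a zero byte count: enough to exercise
# the detector and carries no data.
SUSPECT_WMF = build_wmf([_record(META_RECTANGLE, 100, 100, 0, 0),
                         _record(META_ESCAPE, SETABORTPROC, 0)])
```

A metafile with a SETABORTPROC escape has no business in an image attachment, so a hit is a quarantine decision rather than a "maybe"; the parser also refuses records whose declared size is impossible or runs past the end of the data, since malformed sizes are the other thing a hostile metafile tends to carry.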

I would like to send you another story of legal abuse with computers and some links to publications about my criminal case. I worked for Mitsubishi Electric Automation in Vernon Hills, IL, USA. My case is getting public attention now as an example of miscarriage of justice. I could not defend myself, because I did not have enough money for a computer expert. I was forced to confess to possession of child porn. I got browser hijackers while browsing the web. I was redirected to illegal sites against my will. Some illegal pictures were found on my hard drive only after recovering in unallocated clusters, without dates of file creation/download. I do not know how courts can press widely on people to convict them, while the whole Internet is a mess.

This is my story in There is all information about the case written by Irish writer Brian

This is the publication in Wired news,1377,63391,00.html

This is the publication in The Register

Article in Globe and Mail newspaper

Article in ZDnet

This is the article in Washington Times, May 22, 2004. There is information about my case.

Article in Crime research center:

Article in Dallas, TX Newspaper

Child porn law was declared unconstitutional in Hennepin County, Minnesota, USA.
I am convicted under an unconstitutional law. I hired a lawyer.

Posted by: Fima Fimovich | January 4, 2006 8:36 PM | Report abuse

I have downloaded and installed the patch as you suggested. However, I've since been told that I should have waited for the MS patch, ok.
BUT, how will I be able to uninstall this patch when MS issues its own patch on Tuesday. Or, what will happen if I leave the third-party patch on my computer?

Posted by: DickA | January 4, 2006 8:58 PM | Report abuse

This is not a conspiracy to increase XP sales. According to their Product Support Lifecycle, MS is committed to providing security update support for Windows 2000 until mid-2010.

This is without a doubt, a critical update so we will see a Windows 2000 patch for it next Tuesday.

To improve overall security and add additional lines of defense against known hostile sites:

a. add a customized HOSTS file to block all access to known hostile sites.

b. add a blocklist to the Internet Explorer Restricted Sites zone AND increase the security settings for the Restricted Zone.

Posted by: Ken L | January 4, 2006 9:02 PM | Report abuse
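Ken L's first suggestion, a customized HOSTS file, is easy to get wrong by hand: entries get duplicated, a stale list cannot be removed cleanly, and a bad line can knock out a host you rely on. The following is an added example, not part of the post or of any published blocklist tool, that parses a blocklist (bare names or hosts-style `0.0.0.0 name` lines), keeps only well-formed hostnames, and merges them into a HOSTS file inside a marked section so the same run can be repeated or reverted. The sample hosts content and blocklist below are constructed for the test.

```python
"""Merge a blocklist of hostnames into a HOSTS file inside a marked, managed
section, so the list can be refreshed or removed without touching the user's
own entries. Added example; 0.0.0.0 is used as the sinkhole address."""
import re

BEGIN_MARK = "# BEGIN managed blocklist"
END_MARK = "# END managed blocklist"
SINKHOLE = "0.0.0.0"   # unlike 127.0.0.1, never reaches a service listening locally
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})+$")
_ADDR_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]*)$")
NEVER_BLOCK = {"localhost", "localhost.localdomain"}


def parse_blocklist(text: str) -> list:
    """Accept bare hostnames or hosts-file style '0.0.0.0 host' lines; ignore
    comments, blanks and anything that is not a well-formed hostname.
    Return unique lowercase names, sorted."""
    names = set()
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if _ADDR_RE.match(tokens[0]):        # leading address: the names follow it
            tokens = tokens[1:]
        for tok in tokens:
            host = tok.lower().rstrip(".")
            if _HOSTNAME_RE.match(host) and host not in NEVER_BLOCK:
                names.add(host)
    return sorted(names)


def merge_hosts(existing: str, hostnames: list) -> str:
    """Return the hosts file content with the managed section replaced (or
    appended). Idempotent: merging the same list twice yields the same text."""
    lines = existing.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        b, e = lines.index(BEGIN_MARK), lines.index(END_MARK)
        if b < e:
            lines = lines[:b] + lines[e + 1:]    # drop the previous managed section
    while lines and not lines[-1].strip():
        lines.pop()                               # no pile-up of blank separators
    section = [BEGIN_MARK] + [f"{SINKHOLE} {h}" for h in hostnames] + [END_MARK]
    return "\n".join(lines + [""] + section) + "\n"


# Constructed sample input (not a real hosts file or blocklist).
EXISTING_HOSTS = "127.0.0.1 localhost\n192.168.1.10 fileserver.lan\n"
BLOCKLIST_TEXT = """# constructed sample blocklist
0.0.0.0 ads.example
127.0.0.1 Tracker.Example.   # trailing dot and mixed case are normalised
malware.example
bad-.example                 # label ends with a hyphen: rejected
localhost                    # never sinkholed
"""

if __name__ == "__main__":
    print(merge_hosts(EXISTING_HOSTS, parse_blocklist(BLOCKLIST_TEXT)))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs administrator rights to write; write it with Windows line endings (`open(path, "w", newline="\r\n")`) and run `ipconfig /flushdns` afterwards so cached lookups do not bypass the new entries. The managed section is what makes the approach maintainable: re-running with a shorter list removes names that are no longer wanted, and deleting the section restores the original file.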

What is the size of this patch? How long will it take to download this patch over a phone modem? I am waiting for DSL to be available in my area, but I do not want to hesitate downloading this patch.

It's under a megabyte... shouldn't take more than a minute or two even on dialup.

Posted by: Ian H | January 4, 2006 9:38 PM | Report abuse

Unfortunately, I've had this nasty problem on my machine for almost a week now. Can someone please educate me on whether there's a difference between patches and fixes? Earlier I downloaded the recommended (but non-Microsoft) patch, and it's done nothing to rid me of my spyware background screen. I'm guessing the patch only prevents it from happening to you. What do you do if it's already happened? Will Microsoft's solution help the already infected? Do I need to wipe the drive clean and start over? Someone please advise.

Posted by: Brad | January 4, 2006 11:17 PM | Report abuse

In partial answer to the questions posted below. The patch won't get rid of any spyware or trojan infections. It won't prevent them either, except if they are being delivered via the .wmf exploit.

You will have to identify what particular spyware or trojan or virus or whatever you have is. I guess if it were me, I'd try installing the free version of ad-aware and run a scan. If it didn't show anything I'd install some free anti-virus software and scan for viruses. Why free? Because I like free :)

It will take some work locating the problem and cleaning up. For a good link and reference site I'll recommend

Best of luck to you.

Posted by: Bruce | January 4, 2006 11:48 PM | Report abuse

Determina advocates a vulnerability-based approach. They concentrate on all memory-based vulnerabilities, rather than a subset of exploits (e.g. WMF). According to their 12/28 advisory, users have been protected from WMF with no (official or unofficial) patch necessary.

They just made an announcement tonight about their fix:

Computerworld covered their product last year.

Posted by: Protectdontpatch | January 4, 2006 11:51 PM | Report abuse

nah, im not street smart

like i give a hoot about time-wasting bunk. i learned windows once; why pay for more crap? name one thing missing with 98/me except skype. i'll do vista in two years --unless its as suck heavy as xp AND there's a linux alternative i can learn in a week. 50 bucks every ten years seems right/

give me firefox and web storage and let the hackers fatten their resumes and the NonSentientAdvocates listen in

and at the WP, you should stay clear of hinting others are ossified

Posted by: WhatanIdiot | January 4, 2006 11:52 PM | Report abuse

WhatanIdiot, in case you are interested and I think you are, I'm still not convinced that Windows 98 is susceptible to this .wmf flaw, in spite of the fact that it has been published by many as susceptible.

I searched a 98SE computer a few minutes ago and shimgvw.dll isn't even on the computer.

Posted by: Bruce | January 5, 2006 12:30 AM | Report abuse

Thanks Brian for the continuing excellence covering security issues.

I'm fairly non-religious about computers, and have/will used/use just about anything cybernian. Thus my amusement whenever the Mac sheep begin their hypnotic moonie "our toys are better, thus we are better" bleating. Yeah is correct in his analyses of this borgian phenomenon.

-- stan

Posted by: Stanley Krute | January 5, 2006 5:34 AM | Report abuse

Anyone thinking Microsoft might do something for Windows 98/Me is going to be disappointed. This is what is on Microsoft's site "Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates."
Microsoft do seem to prefer not to want to bolt stable doors until the horse has bolted.

Posted by: Steve H | January 5, 2006 11:38 AM | Report abuse

Steve H, of course they aren't going to fix 98/ME

That's one issue.

Another issue is - is 98/ME actually vulnerable? I'm thinking it likely is not, and they are publishing that it is.

I don't know about ME, but I'm not finding shimgvw.dll on 98. For this reason I doubt it's even affected. I don't know, but I'll keep reading to see what more I can learn.

Posted by: Bruce | January 5, 2006 6:59 PM | Report abuse

Good news. Legacy Windows doesn't need to be patched, as I suspected.

Read this:

Find the article about MS pushing out the patch ahead of time.

Posted by: Bruce | January 5, 2006 7:18 PM | Report abuse

@ Bruce:
>>It is a lot less work making a secure OS out of 9x than it is XP.

Mostly because 9x leaves far fewer network ports open by default.

>>For example they think the autorun feature should be enabled by default.

Not only that -- they think the autorun feature should only be disabled with a Control Panel applet written by them, but which they don't ship with the OS and they officially don't support.

>>The provide a firewall with XP and even it enabled, it doesn't give you any power over outbound exchanges and requests.

Also, Windows Firewall/ICS opens a listening TCP port above 1025.

>>You have to come up with some strategy to download or install these patches on an unpatched computer and not get compromised doing it.

I recommend closing all open network ports before connecting to the Internet.

Network ports left open by default are what account for the unpatched-XP-system time-to-compromise being measured in mere minutes.

Posted by: Mark Odell | January 5, 2006 11:58 PM | Report abuse

Would it be legal to create and spread around an image file with the flaw which, instead of installing spyware, redirects the browser to Microsoft Security Update?

"The intentional use of exploit code, in any form, to cause damage to computer users is a criminal offense" says Microsoft's website. What if it's done to help people?

Posted by: Nick | January 6, 2006 8:52 AM | Report abuse


Yes, federal law doesn't make distinctions like that: It would still be illegal. It's a nice idea in theory, but things like that almost always bring about unintended consequences.

Posted by: Bk | January 6, 2006 1:09 PM | Report abuse

Listen, I'm sick to death of people complaining about people who are "still" using Windows 98. I happen to agree with you but you seem to have forgotten that upgrading co$t$ money. Perhaps, as you are so wealthy and able to throw out oodles of cash every few years simply to 'upgrade', you would be so kind as to send me some money. Basically, to upgrade from Win 98 you need to buy new hardware before you buy a new OS. Anybody who suggests upgrading to Windows XP has, speaking figuratively, a hole in the head because the successor to Windows XP (ie. Windows Vista) is coming out this year. These companies make all their money by 'forcing' people to upgrade. Exactly how long do you think before Windows XP Home edition is going to be abandoned by Microsoft?! An article I read says that although Windows Professional Edition will be supported for several years to come, that ain't true for Win XP Home. And seriously, why should I spend $200 Cdn. to buy the full edition of Windows XP Home when it won't be supported much longer?! Certainly I'm not spending $400 Cdn for Windows Professional. And forget the Windows XP upgrade packs! That's highway robbery! Why should I pay for a 'crippled' operating system when I should be able to buy the full OS at a decent price?! Capitalism without a conscience is going to destroy humanity. We want people to act like machines and machines to act like people. ... Ok, so those last two sentences were a little off topic but, well, anyway, I'm venting and so there! These are my thoughts at this moment.

Posted by: Star | January 9, 2006 12:26 AM | Report abuse

Problem with the MS patch? My online banking will not remember my sign-on number, even if I reenter it and check the "remember this" box. BofA says the problem is that IE makes some errors during shutdown. Microsoft says don't come crying to me, call Dell. anyone else have this? Anyone have a fix? Changing privacy settings didn't help.

Posted by: Chris | January 9, 2006 9:02 PM | Report abuse

Try posting your question in one of the forums at .

Posted by: Anonymous | January 10, 2006 8:26 AM | Report abuse


© 2010 The Washington Post Company