Windows WMF Metafile Vulnerability HotFix

This week a new vulnerability was found in Windows:
Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix, because I badly needed one.

The fix does not remove any functionality from the system; all pictures will continue to be visible. You can download it here:
It should work on Windows 2000, XP 32-bit, XP 64-bit and Windows Server 2003.
Technical details: the fix is a DLL that Windows loads into every process that loads user32.dll (it is registered in the AppInit_DLLs value, so it takes effect in processes started after it is installed; gdi32.dll on disk is not modified, the patch is applied in memory each time the DLL is loaded).
Once loaded, it patches the Escape() function in gdi32.dll so that the SETABORTPROC escape (referred to as SETABORT in the comments) is rejected, whatever metafile or program asks for it.
I can imagine situations where this escape is useful. My patch disables it completely, so please be careful. With the fix installed, I can browse files, print them and do other things.
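The record the patch refuses can also be recognised in the file itself. The following Python walker is added here as an example; it is not part of the original post or of the hotfix. It parses the WMF record stream (optional placeable header, METAHEADER, then size/function/parameter records up to META_EOF) and reports META_ESCAPE records whose escape code is SETABORTPROC (9). Both sample files are constructed inline; the 16 bytes of escape data in the second one are a placeholder, not a payload. The constant names are the usual GDI ones.

```python
"""Scan a Windows Metafile for the SETABORTPROC escape record.

Standard WMF layout:
  [optional 22-byte placeable header, key 0x9AC6CDD7]
  METAHEADER (18 bytes): type, header size (words), version, file size
  (words), object count, largest record (words), reserved
  records: size (uint32, words), function (uint16), parameters ...
  the last record is META_EOF (function 0, size 3 words)
META_ESCAPE parameters start with the escape code and the byte count of
the escape data that follows.
"""
import struct
import sys

PLACEABLE_KEY = 0x9AC6CDD7
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9          # the Escape() code the hotfix refuses


def wmf_records(data):
    """Yield (offset, function, parameter bytes) for every record.

    Strict: a record size that does not fit the buffer, or a stream
    without META_EOF, raises ValueError instead of being skipped.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError("bad record size at offset %d" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("record stream ended without META_EOF")


def setabortproc_records(data):
    """Return [(offset, byte_count), ...] for each SETABORTPROC escape."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            code, byte_count = struct.unpack_from("<HH", params, 0)
            if code == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


# --- constructed samples (not files from the wild) ------------------------

def _record(func, params):
    """Encode one record; parameters are padded to a whole word."""
    params += b"\0" * (len(params) % 2)
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records, placeable=False):
    """Assemble a METAHEADER, the records and a closing META_EOF."""
    records = list(records) + [_record(META_EOF, b"")]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    if placeable:   # key, handle, bbox (4 x int16), inch, reserved, checksum
        header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100,
                             96, 0, 0) + header
    return header + body


# a harmless drawing: window origin and extent, then a rectangle
BENIGN_WMF = _wmf([
    _record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    _record(META_RECTANGLE, struct.pack("<hhhh", 90, 90, 10, 10)),
], placeable=True)

# the shape the hotfix blocks: an escape record with code SETABORTPROC;
# the 16 data bytes are a placeholder, not a payload
ESCAPE_WMF = _wmf([
    _record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"X" * 16),
])


if __name__ == "__main__":
    # usage: python wmfscan.py file [more files]; the extension is ignored,
    # only the content counts
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        try:
            hits = setabortproc_records(blob)
        except ValueError as exc:
            print("%s: malformed (%s)" % (path, exc))
            continue
        print("%s: %s" % (path, "SETABORTPROC escape at %r" % (hits,) if hits else "clean"))
```

Treat a parse error as a reason to reject a file, not as proof that it is harmless, and check content rather than extension, since the exploit files circulating at the time were renamed to .jpg and similar. The walker is a way to inspect a suspicious file or to confirm what the hotfix is blocking; it is not a substitute for the in-memory patch, which stops the call however the record reaches Escape().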
If for some reason the patch does not work for you, please uninstall it. It appears in the list of installed programs as “Windows WMF Metafile Vulnerability HotFix”. I’d like to know which programs are crippled by the fix, so please tell me.
I recommend uninstalling this fix and using the official patch from Microsoft as soon as it is available.
The fix can be applied in automatic mode using the following command line (the installer is built with Inno Setup, and these are its standard silent-install switches):

wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

These switches do not suppress dialog boxes about installation errors.
The /LOG=“file” switch can be added to the command line to create a log file.
The usual software disclaimer applies…
File: wmffix_hexblog14.exe (the source code is included)
UPD: more error checking
UPD: Version 1.1 with Windows 2000 support
UPD: Version 1.2: if the hotfix has already been applied to the system, the installer now tells the user so at the second installation attempt
UPD: Version 1.3: added support for Windows 2000 SP4
UPD: added information about silent mode
UPD: comments are turned off; a discussion forum is available here
UPD: Version 1.4: completely silent mode, suitable for use in scripts (see this entry for more details)
There is no need to reinstall anything! Old hotfixes are perfectly OK.

190 thoughts on “Windows WMF Metafile Vulnerability HotFix”

  1. Thank you for this, though a ready-made MSI package would be nice for us who would like to spread this through group policies or clear documentation what exactly this installs so I could make one myself.

  2. Warning: WMF exploit on Windows! (Update)

    For a few days there has been a hole in Windows that exploits a flaw in the library SHIMGVW.DLL to inject malicious code into the system via WMF images.
    Apparently thousands of websites are already using this exploit, and it is really…

  3. Ok, I’ll see how to prepare an MSI package (never tried before).
    As about the installer, it does the following:
    – extracts and tries to use wmfhotfix.dll on the target system
    – if it fails, it informs the user and quits
    – otherwise it copies wmfhotfix.dll to the system directory and creates/updates this registry key:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
    – the installer also creates the WindowsMetafileFix directory in the “Program files” and copies there the source code of the dll. These files are not required for the dll to work.
    The most difficult thing is to update the registry key because we can not simply overwrite it but have to preserve its contents. I had to program it manually since InnoSetup does not support this type of update (or did I miss it? It is a great setup, I like it a lot!)

  4. I could not try it (I don’t have Windows2003 here) but most likely it will work.
    Please try it – if a compatibility issue arises, it will quit without modifying anything in the system.

  5. Indexing and the WMF exploit (plus some extra information)

    It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as Google Desktop) can, if they come across an infected WMF file, run the file and trigger the exploit.  As such, SANS  and F-Secur…

  6. I just made an MSI file that does the things listed above. It installed and uninstalled cleanly on my test machine XP Pro SP2. I’m still just wondering about some metadata on the package before putting it for download (publisher, product url etc).

  7. You are fast! I just read Microsoft’s article how to create MSI packages and was wondering about a clean machine…
    You can put my name and in package + plus your name to reflect the fact that you repackaged it.
    One more thing: I updated the wmfhotfix.dll. The previous version could silently fail at VirtualProtect() – well, in theory.

  8. Will this work on XP Pro SP1? This is the OS that it is really needed for as I have read of several good workarounds for XP SP2. Plus, how about a fix for all of us who have other older computers running 98SE?

  9. Nice, but what exactly is happening? Are you simply patching gdi32.dll? If so, what about hex-editing gdi32.dll and changing the call name SETABORT to something else? I’d like to see some tech stuff such as hex data, since this one is only for XP; hex-editing is possible on any system.

  10. Thank you, one and all, for sharing your knowledge and efforts on this issue.
    I got hit by a wmf-borne Desktop Hijacker and had to wade through my registry with a machete and half-a-dozen virus cleaners (including F-secure) in order to dig it all out and get back in shape. (I was using rage and frustration as weapons where you guys were using skills and education. =:-o
    The following day, I read about this wmf thing, and then you guys came up with the antidote almost as soon as I had digested the information.
    Thank you tons. The Dark Side cannot win while there are people like you working for the Powers of Good. You guys ARE the Force! Thanks again.

  11. Seems to be working fine on the five XP SP2 PC’s I’ve installed it on. Spent 5 hours trying to remove the adware/spyware garbage loaded on the one I didn’t get to before it got infected. Misery… Thanks for the patch/workaround!

  12. VS and ilfak, you guys have been a tremendous help in this. I want to thank you profusely for your quick response to these issues. I’m a network admin who was previously facing the daunting task of rolling out this or the unregister dll “fix” on a couple hundred PCs, so this really saved my skin. Do either or both of you have a paypal account so I can throw a coupla bucks your way? Thanks again.

  13. Mele wrote:
    Will this work on XP Pro SP1? This is the OS that it is really needed for as I have read of several good workarounds for XP SP2.
    What workarounds have you heard of for sp2? All I have seen is the very familiar shimgvw.dll disable. This has been shown to be fair at best. What else is there that is so good?

  14. wmffix.exe fails on my machine with the following error:
    “Sorry, this fix is not compatible with your system”
    However, ilfak’s MSI re-package of same installs w/o complaint. I have no idea why this is so.
    I have MS Windows XP Pro, Version 2002, Service Pack 2, v.2055

  15. More on the IE WMF 0-day exploit: attacks via popups – first worm via MSN – unofficial patch

    It is worth noting, once again, that successful exploitation of this serious vulnerability in the processing of WMF image files will depend to a large extent on the browser used by the attacked user:
    It is enough to visit a sit…

  16. Microsoft’s WMF screen door still open but small patch available

    Earlier this week Microsoft announced a Zero-Day buffer overflow vulnerability in its Windows Metafile (WMF) graphics format affecting all versions of Windows. Here it is days later and there’s still no resolution. Unfortunately, F-Secure is reporting t…

  17. Ilfak’s hotfix for the Windows WMF vulnerability

    There is currently no patch from Microsoft to fix the WMF vulnerability problem, but Ilfak Guilfanov made and published a hotfix on his blog. […]

  18. We are currently working on the version for W2K.
    It is quite possible that the W2K version will work on other systems too.
    For the moment, if the wmffix.exe installer says that the fix can not be applied to your system, please do not try MSI.
    P.S. Do not try to install the hotfix twice, it will fail.

  19. Update: Windows2000 version is available. Most likely it will handle vanilla XP and XP SP1 too. If not, please tell!

  20. Just an FYI, you have probably seen this already but here it is:
    Yahoo antispyware detects the patch as follows (and gives a pop up window on reboot that says the file must be uninstalled from the command prompt):
    12/31/2005-17:55:18,29756979,1553861216,Detected,CWS,ppclean pest,453075759,Key “hkey_local_machine \software\microsoft\windows nt\currentversion\windows” Value “appinit_dlls” Data “c:\windows\system32\wmfhotfix.dll”,-1
    12/31/2005-17:55:19,29756979,1559331216,Quarantined,CWS,ppclean pest,453075759,Key “hkey_local_machine \software\microsoft\windows nt\currentversion\windows” Value “appinit_dlls”,-1
    12/31/2005-17:55:19,29756979,1559331216,Permanently deleted,CWS,ppclean pest,453075759,Not Applicable,-1
    12/31/2005-17:55:19,29756979,1559331216,Detected,CWS,ppclean pest,453075759,File “c:\windows\system32\wmfhotfix.dll”,-1
    12/31/2005-17:55:19,29756979,1560271216,Quarantined,CWS,ppclean pest,453075759,File “c:\windows\system32\wmfhotfix.dll”,-1
    12/31/2005-17:55:19,29756979,1562301216,Detected,CWS,ppclean pest,453075759,File “c:\windows\system32\drivers\etc\hosts”,-1
    12/31/2005-17:55:19,29756979,1563081216,Quarantined,CWS,ppclean pest,453075759,File “c:\windows\system32\drivers\etc\hosts”,-1

  21. Art,
    What version info do you have for Win2K’s GDI32.DLL file in your \WINNT\System32 directory?
    I’ve successfully applied Ilfak’s current v1.1 release both on a very old SP4, GDI32.DLL dated 6/19/2003 with a version of [5.0.2195.6660] and also a much more recent edition dated 10/6/2005 with a version of [5.0.2195.7069].
    What do you have?

  22. XP Home SP2 updated. file installed. Haven’t tested it. However I’ve lost recognition of my CD drive with default XP burning app. Files are not burnable and RWs are not erasable. Drive has disappeared from right click “send to” menu, and message says drive is unavailable. Files are still burnable however with Nero 6.6 and CD Burner XPPro 3.0

  23. That’s *REALLY* bizarre. I’ve studied Ilfak’s code, and there’s just no way to explain that sort of interaction.
    Could you try removing the patch (and rebooting) and see whether it restores things? Ilfak’s code is NOT modifying anything permanently, all of its patching is in RAM only, so there’s no way it could “persist” after being removed.

  24. hi,
    wat are the limitations of this fix? can i still see the photos using my picture viewer?
    pls help

  25. someone commented at dslreports that this tool is not reliable anymore, is it true?
    [quote]TEST it, TRY it, you will see that the best protection CURRENTLY is to use the OS to un-register it, because the current TOOLS created by I might add, by very respected people, are being PULLED apart as we speak.
    Secondly, since we KNOW Microsoft is NOT Sony, do you think that if Microsoft THOUGHT that HOOKING SETABORT would truly be a WORKABLE temp fix, that they would NOT have released it?
    Remember PLEASE, that these tools that are being created as temp fixes are using HOOKS to provide that, and HOOKS can be just as EASILY removed as they can be created, which is what is being DONE now.
    However, it is MUCH more complicated to re-register a .dll than it is to REMOVE a hook since the NOW non-existent .dll is not around to even ALLOW the code to execute in the first place.[/quote]

  26. I describe the way Ilfak’s patch works here:
    There are no limitations to this solution, other than it kills a “probably never needed” error-handling function of Windows metafile processing.
    Since it is subtly patching the core Windows’ GDI32.DLL on the fly, whenever it’s loaded into a process space, you SHOULD remember to remove this after Microsoft has updated Windows to repair the GDI32.DLL. But until then it simply and cleanly cures the problem without any known side effects.

  27. Sorry about that.
    Essentially it means that Ilfak’s “patch” is automatically loaded into a program’s memory space whenever a program like Windows Explorer or Internet Explorer is loaded by the operating system and starts to run.
    At the moment that Ilfak’s patch is loaded, it immediately seeks out and locates the specific function that we now know is “broken” in the current Windows GDI32.DLL program library file. When it finds it, it “patches” the defective code in memory so that it does nothing if any malicious image file attempts to abuse the file’s defect. In that way we are all protected from the danger in this defective Windows file until Microsoft fixes it “officially”.
    It’s a very nice, elegant and clever solution to tide us over until Microsoft fixes it permanently.

  28. Hi Steve. Based on my layman reading of your explanation, am I correct in interpreting you as stating that Ilfak’s patch works by:
    (1) searching for specific gdi32.dll code in Windows versions 2000 and above,
    (2) and when it does find the code in that file, it patches that portion of the file, whereby the fix is some sort of “intervention mechanism” against the ESCAPE function?
    (3) Does this mean that it is the ESCAPE function that is specifically being exploited by the WMF malware?
    As for the portion of the quoted comment: “However, it is MUCH more complicated to re-register a .dll than it is to REMOVE a hook since the NOW non-existent .dll is not around to even ALLOW the code to execute in the first place.”
    My understanding is that the .dll, even if it is being unregistered, is not being wiped from the hard disk, so what’s to prevent a malware from re-registering it just as easily as removing a patch of gdi32.dll?

  29. Oops. I took too long to type my questions. Thanks for your responses (emphasis on the plural), Steve.

  30. Steve, picking up on wmfsucks’ earlier comment about countermeasures for Ilfak’s patch, this poster claims to have already seen exploit code variants which defeat it:-;15142923;15143094;15143172;15142958;15143054
    If true, then should your current advice (at ) not to bother with unregistering the DLL be changed to do both (i.e. to unregister and rename the DLL, and apply Ilfak’s patch)?

  31. It seems that my MSI repackaging does less checking about the target system. This might mean that if Ilfak’s package won’t install and the MSI package will, the MSI might not work either and may create a false sense of security.

  32. Regarding that posting on DSLReports: You can safely ignore it. I’m sure that the poster had good intentions, but his logic is flawed. It presumes that something has already penetrated the user’s system in order to remove Ilfak’s patching hook. But if something has penetrated the user’s system well enough to do that, then the penetration has already occurred. Ilfak’s temporary patch simply prevents the WMF exploits from being able to gain a foothold in the first place.

  33. Installed it on Win x64 without problems. Not going to try and find injected WMF’s though 😉 Thanks!

  34. IMPORTANT: Windows WMF Metafile Vulnerability HotFix

    From Ilfak Guilfanov’s HexBlog: “Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix – I badly…

  35. ravi: Yes, you will still be able to see all image files using the picture viewer. Even if you try to open a malicious WMF file, the picture viewer will clearly inform you that the file cannot be rendered. You will not be infected by the worms exploiting this vulnerability.

  36. IMPORTANT: Major security hole in Windows WMF

    Your Windows PC can now be infected with the nastiest malware imaginable just by viewing an image, or just by (say) Google Desktop or Lotus Notes or some other software accessing the image without you even seeing it. Using a…

  37. In response to Steve Gibson’s
    inquiry about the date and version of my gdi32.dll file
    on Win 2K Pro sp4 in the \system32 folder:
    4/8/2005 version 5.0.2195.7011

  38. Katom,
    To run the setup in the silent mode, try this:
    wmffix_hexblog12.exe /VERYSILENT /SUPPRESSMSGBOXES

  39. Windows Metafile Vulnerability: Update 1

    There have been a few developments since I published the first advisory post about this vulnerability, on December 28, 2005: 0-day Windows Metafile image file vulnerability currently being exploited in the wild. Some of these are good. Most of them…

  40. Is there a good way to know if a system has already been hit by the WMF exploit? (Other than the obvious adware/spyware pop-ups or other strange behavior.) Like checking a file version or something that would have been modified by the WMF exploit?
    After the wmffix is installed, would it still be prudent to unregister the shimgvw.dll to be 100% safe?
    Also, is there an easy way to deploy this wmffix via Windows login script? If so, could someone please give some details, thanks.

  41. Sorry for the quick 2nd posting, but I was wondering if there is a way to ‘test’ that the wmffix is actually working as intended?
    Is there some non-malicious WMF file that you could post to allow people to check if the wmffix is installed and working?

  42. baze68,
    It is rather difficult to detect if the system was hit by a WMF exploit. The problem is that the exploit code could do anything, including hiding itself, installing a rootkit or any other software on the system. There will be no trace of the exploit itself in the system logs, but the system will be compromised.
    The fix renders your system invulnerable to WMF worms. I did not unregister shimgvw.dll on my system (well, I did it for the research stage but re-enabled it afterwards), but if you want to be on the safe side, unregister it: in theory this will make your system less vulnerable but also less usable at the same time.
    I like your idea of having a method to check if your system is vulnerable against WMF exploit!

  43. I found that many graphic viewers use the GDI32 library to play Windows metafiles, so it is not good just to unregister shimgvw.dll

  44. Ilfak, thanks so much for this. Can you please post the MD5 sum for the current version of the patch?

  45. Is it possible for you to create a patch for Win9x (ME)?
    We with no money for new OS would appreciate!

  46. Does this patch install correctly if the user is not an Administrator on the local system, i.e. User/Power User?

  47. Newest WMF Exploit Patch Saves the Day

    Interim WMF Exploit Savior
    We’ve all been following the dramatic story of the whole wmf exploit and how it is easily spoofed into other image types. The last day of 2005 the wmf exploit exploded into other various venues such as instant messages, ema…

  48. With this installer, what is the command line to uninstall once the MS fix is out? I am going to run the install process in an AD script (runs with admin rights as users don’t have install rights) and then would like to later remove it.

  49. Ilfak: First of all, great job on getting this fix out. You’re saving a lot of us a many hours of unpaid overtime over the coming days and weeks.
    I am working on a new MSI file to deploy this now. Is it possible that you could provide me the source to the InnoSetup installer you made? I’m sure I can translate that into something that can be compiled into an MSI with the WiX toolkit.
    I will publish the WiX source to my installer once I’ve gotten it done, along with instructions on how to re-compile it with WiX (so that nobody has to download an untrusted MSI file from me and people can rebuild it from scratch if the WMFFIX patch is updated).

  50. Per the request above for a simple logon script:
    IF EXIST c:\wmf_fixed.log GOTO DONE
    \\yourserver\softlocation\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
    copy \\yourserver\softlocation\wmf_fixed.log c:\wmf_fixed.log
    :DONE

  51. After I posted about losing the CD burning app, my whole system crashed. Because of that it has taken me awhile to get back here. As far as I can tell, the fix WASN’T the cause of the problem but rather the issue was unrelated. I’ve since loaded the file onto a fresh install, and the system is running fine.

  52. Does the wmffix install have an option to create a log file to verify/confirm that a ‘silent’ install, i.e. login script, completed successfully?

  53. Kudos to Ilfak for the patch!!! I, too, would like to verify the errorlevel upon install (perhaps sending it to a server log file for review) so that we don’t have a false sense of security. We could institute a software restriction policy for the dll on 2003 AD, or could unregister the dll via a startup and logon script (to ensure it is not re-enabled), but would like to avoid this due to the loss of functionality.

  54. Hi,
    what about Windows 9x?
    No patch possible??
    Thanks in advance, a lot of people still have a computer running Win 98/Me.

  55. Can anyone try this: locate gdi32.dll, open it with a hex editor, find ‘SetAbortProc’, change it into something else (same length), write back the changed file to gdi32mod.dll, back up your gdi32.dll and replace your gdi32.dll with the modified one in dllcache and system32. (Mikko, if you read this please test this one)

  56. Why don’t you post the source code so people don’t have to reverse engineer this to check it does what you say it does?

  57. Hey Ilfak, just installed the 1.3 fix and seems to work great. I had a couple of ideas.
    The main GUI window still says 1.2, which is very minor. Also, I think a command-line uninstall switch would be a cool thing to have. If there is already one, I missed it. Thanks for the patch

  58. Hi, happy new year…. not…
    Anyone been testing this on Windows 2000/2003 terminal servers ?
    Please share info if anyone has tested…

  59. Any Windows server administrators in this audience…have you, or are you going to apply this wmffix to your Windows 2000/2003 servers? Just curious how many Windows administrators have or are planning on actually deploying this patch to their production desktops and/or servers?
    Thanks for this patch Ilfak…has Microsoft called yet to ask if they can use your patch code?!? (Are those guys in Redmond asleep at the wheel or what?!?)

  60. I’m a contracted Windows server admin working with several Customers who have a mix of NT 4.0 and AD domains, and client computers running Windows 2000 and Windows XP Professional. I’ve got about 1,200 client PC’s and 20 servers in my largest client site w/ an AD domain that I need to deploy this patch onto.
    I’m trying to get an MSI package built using the WiX tools now, because I really would prefer not to deploy this with a script (e.g. I don’t want to uninstall it with a script later– I want to back it off w/ MSI).
    V. Suuronen (poster above) gave me his MSI, and it compares to what I’m doing. I’ve got more details on my blog, but essentially I’ve got the skeleton MSI built now, but I’m going to have to write some custom actions to finish it up. I’ll post updates to what I’ve gotten done to my blog.

  61. Let’s assume that Microsoft patches this thing 😉 If ilfak’s fix is installed, and ‘Auto Update’ is enabled, is it likely that machines will break after the Microsoft patch gets put on automatically (without first removing this fix)?
    I realize it depends on what Microsoft does to patch this, but just a little worried about the systems that have auto update enabled.

  62. Hi Ilfak,
    Just a quick note of sincere appreciation for your dedication, expertise and availability in so rapidly producing a fix for this exploit (on New Year’s Eve, no less) while the 60,000+ MS workforce could only come up with a very partial workaround so far. And the same goes for all those who participated in fine-tuning the code for this fix (Steve Gibson comes to mind...).
    A great and highly commendable job.

  63. Does the fix require the restart to actually be effective or is it live as soon as it’s installed?
    I would install it on a few servers but they cannot be restarted until “patch Tuesday...”
    Also, saw the new v1.3 added support for “Win2K SP4” but I installed v1.1 on a “Win2K SP4” machine and it went ok… v1.3 says it does not need to be installed twice on that machine now…

  64. Well it was only a matter of time.

    The WMF worm has arrived. We heard about it here first on Dec 27th. The title of this article just about sums it up “WMF 0-day: Exploit spreads, defenses few” Talk about an equal opportunity vulnerability. You are screwed using…

  65. Hi Per,
    I’ll answer for Ilfak since I’m very familiar with the operation of his code.
    First, machines do NOT need to be restarted for the patch to start taking effect. However, any already running programs that might attempt to render an image would not be protected. So the rule is, once Ilfak’s “patcher” is installed, any processes that are subsequently started will have their own instances of GDI32.DLL patched, but previously running instances would not be patched. Therefore, the restart is just a clean way of assuring that all possible instances of GDI32.DLL running will have been dynamically patched.
    Also, if the v1.1 patch installed on your system, then it found a version of GDI32.DLL that it understood and you should be okay. What Ilfak has been doing since v1.0 is (mostly) adding additional recognition signatures for the function entrypoints which vary a bit from one GDI32.DLL version to another.

  66. Hello all,
    Kaspersky has provided a patch for that trouble. Do you think it is useful to use Ilfak’s patch after KAV’s ?
    Does anybody know the difference between the two?
    Thank you all and happy new year 🙂

  67. Limerick,
    Which ‘patch’ from Kaspersky are you referring to? If it is just a virus def update then yes, you should still use Ilfak’s patch. The reason is because the antivirus software companies need to come out with new updates for each variation to this WMF exploit. As of the last check I think there were over 70 different variations. This patch prevents ANY of these from being run.

  68. I was just trying to create a program that hooks the Escape function in windows 98. Now I’m not exactly sure what to do with it. How can I get it tested and see if it works?

  69. Is there a way I can automatically install this patch? I would like to put it in the logon script, have it silently install and force the machine reboot afterwards. Of course, the second time the patch runs, and if it’s installed, it would silently exit.

  70. This is odd, well I did an odd thing. For some reason I only located the dll in win32…. so I unloaded it, ran the installer, restarted and realised here that there are 2 more. I unloaded the other 2 dlls. Uninstalled the hexblog. Restarted and now when I try to run hexblog I get “Sorry this fix is not compatible with your computer” 😕

  71. Lim …
    Kaspersky’s update is for detection of WMF exploits of the vulnerability, but it does nothing to actually eliminate the vulnerability. Ilfak’s dynamic patching solution actively “suppresses” the vulnerability, thus also preventing new exploits that Kaspersky’s scanning might not catch. So, yes, doing BOTH makes lots of sense.

  72. Thank you for the patch, very impressive how fast this came about. I had friends and family downloading the Ubuntu Live CD to use to until MS came out with a patch. I only had 2 people decide to ditch their Windows completely because of this but now I can let them know that if they want to go back to using their Windows computer, that they can feel a little more secure using this fix. Thank you a bunch.

  73. Would the following steps reduce the probability of downloading an infected file or having an infected file be triggered by automatic indexing? Even if they work, they are just band-aids, but might reduce the attack surface:
    1. Turn off images in Internet Explorer [Tools > Internet Options > Advanced > Multimedia > Show Pictures (uncheck)
    2. Disable indexing by Windows [drive by drive right click > Properties > Allow indexing service to index this disk (uncheck)] or alternatively disable the indexing service via Services menu

  75. Lim,
    To me it sounds like that Kaspersky patch is just making it so that the software actively scans .wmf files in real time, rather than during a scheduled scan. The problem with that is that the WMF exploit can actually be disguised as other file types (most commonly .jpg files).
    As Steve mentioned, your best bet is to update Kaspersky AND use this patch.

  76. I have been experiencing problems installing the WMF HotFix. I ran v.1.2, but it did not install (no icon under Programs). I removed 1.2 and then ran v. 1.3. When it booted up, it showed v. 1.2 (again) and was still not shown in Programs. Any suggestions would be appreciated.
    [email protected]

  77. There is no icon in the programs – this is perfectly normal, the fix does not require any user intervention after the installation.
    As about the version number mess – sorry, this is by mistake, I forgot to change it.

  78. Unofficial patch for the WMF vulnerability recommended by SANS ISC and F-Secure

    After carefully reviewing the unofficial patch created by Ilfak Guilfanov (which I pointed to at the end of yesterday’s post), the SANS Internet Storm Center recommends installing it, since the patch does what it promises…

  79. I’m having problems with this patch..
    I installed v1.3 earlier today and then tried to uninstall it again (for checking). Now, after rebooting, I was trying to install it again.
    Everything seems ok, but after another reboot the changes seem to be undone because your WMF exploit checker says i’m vulnerable again?!
    Don’t know how to secure my system now… Patch is still installed but it says it’s vulnerable…
    Seems like your program unregisters the patch after every reboot?! …
    What can I do now? Tried uninstall/install a few times now…
    Thanks for any help!

  80. Thanks for telling! We will try to gather more information about these cases and hopefully will find a solution. Meanwhile please uninstall the fix.

  81. Hey Ilfak,
    Do you have a paypal account? I would like to send you a small token of appreciation for what you did.

  82. Ilfak…
    The trouble with Western Digital’s retrospect software being disabled might be some side-effect in AppInit registry handling. (Just a thought.)

  83. Daniel,
    Thank you! I created this fix to help others like me, who were left exposed to the wildest malware by the breach in the system security. No need to send any money, I’ll be happy if my fix helped you!

  84. Steve,
    Just installed/uninstalled/installed the fix to recheck how it behaves with AppInit – seems to be ok. The key contents are never erased.
    BTW, Greg, what exactly happened to Retrospect? Does it fail to start, fail to back up or something else?

  85. I decided I wanted to see if the patch would uninstall correctly for when Microsoft releases a patch. I rebooted after the uninstall. Then I tried to reinstall it and it says it is already installed.
    The uninstall entry does not show up in Add/Remove.
    My only worry is that it thinks it's installed but is not working.

  86. WMF Exploit fix.

    If you’re running Windows 2000/XP/2003/x64, I really recommend installing the following patch, and use it until Microsoft releases an official fix (if ever).
    Click here for details/download

  87. I would love to have some info on how to uninstall this patch manually…
    Maybe this could solve the problem I described above. I even did a Windows system recovery in the meantime and tried to install the patch again.
    Same problem… after a reboot, there’s no protection anymore…
    Could this be a language-specific problem, maybe due to some other paths? (e.g. “c:\programme” instead of “c:\programs”?)

  88. To manually uninstall the patch:
    – remove any mention of wmfhotfix.dll from HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    – reboot
    – if you want, you can delete %system%\wmfhotfix.dll from the disk. This is ‘the meat’ of the fix, the only file that patches the system in memory. It should be freely deletable after the reboot.
    There are some text files in %programfiles%\WindowsMetafileFix; if you want, you can delete them too.

  89. Thanks for this workaround Ilfak,
    I have it running on my Windows 2003 Server/Workstation. I cannot prove or disprove whether your fix is the cause of this; either way, I feel a great deal more comfortable having it.
    What I am seeing on this system is that when I try to open a new application (Notepad, Outlook or pretty much any application) there is a 1-2 second delay before the application opens up. Is this because each application is loading GDI32.DLL or USER32.DLL on execution, and the delay comes from your ‘fix’ sitting in the middle acting as ‘policeman’?

  90. Ok, just checked if the fix got uninstalled correctly.. it did..
    just installed the fix again, rebooted…
    and now I realized this:
    the value of “AppInit_DLLs” is set to “” after restart…
    why could this happen? :\

  91. Alex,
    Please check for ‘antispyware’ or similar programs. Try regmon from sysinternals – it might help you to find who is cleaning it.

  92. Stephen,
    I can hardly imagine any delays caused by the hotfix. It does its job at lightning speed.

  93. Windows WMF Metafile Vulnerability fix from reverse engineer

    Well, is this a good way to start 2006, Microsoft? A very serious exploit was found in Windows during last week, and this time it's a 0day exploit, which means there's no patch availabl…

  94. I found that with wmffix_hexblog13.exe, the value of “AppInit_DLLs” is set to “” after restart.
    For this reg entry to work, you have to turn off the Automatic Blocking in Lavasoft’s Ad-Watch.
    Windows Registry Editor Version 5.00
    Otherwise, Ad-Watch just stomps it.

  95. just found this entry in AppInit_DLLs:
    google says it’s a dll from bitdefender.
    shit 🙁

  96. Thanks! You have my trust, and I will be mirroring this for my friends to ease the traffic on your site!

  97. Unofficial WMF Vulnerability Patch Has Been Released

    An unofficial patch for the WMF vulnerability has been released. This program will patch in memory the Escape() routine of GDI32.dll so that it will not accept the SETABORT escape sequence that is being used to exploit this vulnerability.

  98. Any idea how an official patch might react with the unofficial patch if the unofficial one is not uninstalled prior to installing the MS one? I.e. automatic update goes ahead and installs MS one when it is available before I have a chance to uninstall the unofficial one?
    I’ve got it on several 2k/xpsp1/xpsp2 boxes with so far no ill effects, but some are set to autoupdate when MS comes out with critical updates..

  99. as a slashdot comment points out “There is no [official] patch for Windows ME, 98, or 95 and there will never be as these OSes are unsupported. These systems will ALWAYS have this vulnerability.”
    Do you have any advice for us users of those OSes? Can we do anything to assist you in expanding your patch? or do it ourselves manually somehow?
    much thanks.

  100. Hi.
    Thanks for providing useful info and a patch. The reason I wanted to make a comment is that I ran all the tests at and had no problem at all, saw no pictures (just a red X where they should have been) and no system reboot either.
    I probably should mention that I have WinXP Pro SP2 fully updated, AVG Free, ZA Free, Spybot S&D, Wormguard and SpywareBlaster as real time protection. The SHIMGVW.dll is unregistered here since the first day I heard about the .wmf issue.
    Just for your info in case you want to know. Thanks!

  101. Ok guys.
    I ran a test on the link provided above on two different computers.
    Both had KAV’s patch and only one had Ilfak’s one.
    The result is the same : no exploit image displayed but several alerts from KAV about the riskware.

  102. Hi,
    Would there be possibility to get version of the wmffix that can be installed unattended in large networks?
    I would need that functionality urgently in my network.

  103. So, should I install this patch first and then unregister shimgvw.dll, or the other way around?

  104. Doesn’t packaging the source code in an EXE sort of defeat the purpose of publishing the source code? Why not put it up in plain-text or ZIP form, so we can see what it does without running it first? Anyone?

  105. I just unregistered the DLLs and installed the patch. Now I cannot view thumbnails of images in my picture folders etc. and Windows Picture Viewer doesn't work. Is this normal? Because if it is, I think I might have to go back, as it is hard to run Windows like this.

  106. This fix seems to break ACDSee (latest version) for displaying all files (not just WMF) – just FYI, not a criticism!

  107. Apologies – turned out to be unrelated. Had to add ACDSee to my DEP exclusion list to get it to work.

  108. I installed 1.1 on XP Pro SP1 and it broke windows. I could not boot into windows normally and had to boot to safe mode and use System Restore. Does 1.3 work properly on SP1?
    I had a better experience with 1.1 on XP Pro SP1 on my VMWare guest machine where it installed with no problems.

  109. I renamed shimgvw.dll. Will that eliminate the vulnerability (yes, I realize there is loss of functionality) until M$ comes up with a fix? Thanks.

  110. What about Windows 98??
    Are you going to expand the patch??
    There are a lot of us still using the old Windows!!

  111. The WMFFIX installer was apparently built using Inno Setup. The command-line options seem to be well-documented on this page:
    which also includes a command to suppress reboots. I have yet to test that.
    The /LOG option also seems to create a new file and error out if it already exists, rather than append or overwrite. This is a problem if you wanted to log to a single file on a network store, unless you
    a) script things in such a way that after installation you append the output to another file and delete the original for the next login.
    b) name the log file after the username/machine.
    Kind regards,
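The per-machine log file and the post-install check that comments 79, 90 and 120 show are needed, written out as a script. This is an added example, not the author's deployment command line (which is not quoted in this thread) and not part of the hotfix. It assumes the standard Inno Setup switches /VERYSILENT, /NORESTART and /LOG, the file and registry locations given in comment 88, and placeholder share paths.

```powershell
# Added example: silent rollout of the hotfix with one log per machine, plus a
# check to run after the reboot. Assumes Inno Setup's standard switches and the
# locations from comment 88; the share paths are placeholders.
$Installer  = '\\fileserver\deploy\wmffix_hexblog14.exe'   # placeholder path
$LogDir     = '\\fileserver\deploy\logs'                    # placeholder path
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Install-WmfHotfix {
    # Naming the log after the machine and time sidesteps any clash on a shared
    # log file, whatever /LOG does with an existing file.
    $log = Join-Path $LogDir ('wmffix-{0}-{1:yyyyMMdd-HHmmss}.log' -f $env:COMPUTERNAME, (Get-Date))
    $p = Start-Process -FilePath $Installer `
                       -ArgumentList "/VERYSILENT /NORESTART /LOG=`"$log`"" `
                       -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "wmffix setup exited with code $($p.ExitCode); see $log"
    }
    # /NORESTART suppresses the reboot. Processes already running stay unpatched,
    # so schedule the reboot with your own tooling and re-check afterwards.
    return $log
}

function Test-WmfHotfix {
    # Both conditions must hold AFTER a reboot: the DLL on disk and its entry still
    # in AppInit_DLLs. Several security products clear that value at startup.
    $dll     = Join-Path $env:SystemRoot 'System32\wmfhotfix.dll'
    $appInit = (Get-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    $onDisk     = Test-Path $dll
    $inRegistry = ($null -ne $appInit) -and ($appInit -match 'wmfhotfix\.dll')
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        DllOnDisk   = $onDisk
        InAppInit   = $inRegistry
        AppInitDLLs = $appInit
        Protected   = $onDisk -and $inRegistry
    }
}

# Usage (elevated): Install-WmfHotfix; reboot; then Test-WmfHotfix after logon.
```

If Test-WmfHotfix reports DllOnDisk true but InAppInit false, the value was cleared after setup wrote it, which is the symptom described in comments 90, 94 and 120; the AppInitDLLs field shows what is left in the value, which helps identify the product that rewrote it.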

  112. I had Pest Patrol i.d. version 11 of the patch as a pest and offer to remove it. It would have removed the patch on reboot if I hadn’t stopped it on a Laptop running Win XP Home. Doesn’t happen w/ other Pest detectors and other Windows combos as far as I can see.

  114. I have made a patch that seems to work in Windows 98 and XP (probably Win 2000) as well. The WMF vulnerability checker says the systems are protected. Send me an email at mail1%[email protected] if you want to try it.

  115. I just downloaded the fix via CastleCops, installed it and ran the regsvr32 command, then the check program (after rebooting). The checker still tells me the PC is vulnerable.

  116. After installing wmffix_hexblog13.exe the mappings from the login-script didn’t work anymore.
    This is what my login-screen shows:
    LOGIN-LGNWNT32.DLL-923: An unexpected error has occurred: 15 (8819).
    LOGIN-LGNWNT32.DLL-923: An unexpected error has occurred: 9 (8801).
    Drives A,C,D,E map to a local disk.
    —– Search Drives —–
    S1: = C:\WINDOWS\system32
    S2: = C:\WINDOWS
    S3: = C:\Program Files\COMPAQ\INSIGHT MANAGER
    S4: = C:\WINDOWS\system32\WBEM
    S5: = C:\WINDOWS\system32\nls
    S6: = C:\WINDOWS\system32\nls\ENGLISH
    S7: = C:\Program Files\Novell\ZENworks\
    LOGIN-LGNWNT32.DLL-923: An unexpected error has occurred: 15 (8801).
    I’m using Novell Client 4.90 SP2, Version
    Windows XP Professional SP1
    McAfee Enterprise 8.0i
    Novell Netware 6.0 SP5
    After uninstalling the fix and restarting the computer the Novell-drives could be mapped again.
    Kind regards,
    R. Evers

  117. Hi,
    I applied the patch, rebooted the PC and ran the “WMF Vulnerability Checker”, and came up with “Error: your system is VULNERABLE…etc”
    So, I proceeded to UN-install the patch.
    I am running:
    Windows 2000Pro Ver. 5.00.2195 SP4
    Intel Motherboard D845GVSR
    Pentium4 2.26 Ghz
    RAM 1G
    AV: BitDefender 9, defs up to date (it did NOT detect the vulnerability checker as other AVs do)
    CounterSpy 1.5.82-Defs.Up to date.
    ZoneAlarm 4.5.594 (Stealth mode)
    WinPatrolPlus (latest)
    Router w/FireWall (Stealth mode)

  118. Works fine and everything went as described on this page. NOD32 virus protection remained silent during the whole procedure.
    Tested on XP SP2 (32Bit).

  119. I strung up a 98:
    Win 98 SE Y2K indicates not vulnerable.
    There is no SHIMGVW.DLL file so if escape->setAbort is in the WMF files it is using a different route.

  120. Diazruanova,
    same problem here.
    BitDefender 9 changes
    “AppInit_DLLs” under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    on every reboot!!
    This is why this patch DOES NOT WORK with BitDefender 9!
    Don’t know any workaround for this, sorry…

  121. The patch creates a problem for the Windows CE Emulator, used by developers of software on Windows CE. Often an emulator is used to test the software. This emulator is reachable through a driver which is installed in windows and with the patch it wasn’t loadable anymore. Just a FYI.

  122. Yep, ’tis a concern all right. Mostly I’ve noticed the loss of function in the Image Preview MSIE folder customization(s) after -u’ing SHIMGVW.DLL (some error messages show up afterwards pointing to the relevant imgview.htt). Not that big of a “loss”, as thumbnails still display and other apps can do the slideshow and preview/rotate/* chores if desired. TNX for the patch and hope it works on my dinosaur WinME; yes, ’tis a poor alt OS, but ;]

  123. Is there anything that we NT4 SP6a users could do? The checker program says that we need to run the hotfix. There is no hotfix, and I couldn't find that DLL file on the system either.

  124. It seems as if the patch has broken the software for transferring photos from my Canon Digicam. Not a big deal, but I thought you might be interested.

  125. Chuchundra,
    I hope that the broken software will be functional after the uninstallation. If it is, please tell us know. Thanks!

  127. Ilfak,
    I’m working on creating an MSI that will do the correct checking on the DLL so it can be reposted. Windows Installer supports Custom Actions that can call an arbitrary DLL function and check the error code. Unfortunately, it treats 0 as success and anything non-zero as a failure. Since the patched_gdi32 function is pretty simple, I think just swapping the 0 and the 1 in the return call will work. Any chance of making this change on the official version?
    I’m downloading the Platform SDK now to recompile the DLL. Will let you know. Feel free to e-mail me if you have questions.
    — Dave

  128. I sent the wmffix_hexblog13.exe to a friend via email, and when he executes it on his system he gets this error:
    Microsoft Visual C++ Runtime Library
    Buffer overrun detected!
    Program: ..s\Content.IE5\0V5VYIJT\wmffix_hexblog_13[1].exe
    A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue execution and must now be terminated.
    Is this an XP SP2 DEP problem?
    No details on what he’s running yet (OS, patchlevel, etc)

  129. Dave,
    Thank you for creating the MSI package. I will gladly change the interface to the patched_gdi32() function!

  130. Ilfak,
    thanks for great job. It seems that you did someone else’s work perfectly…
    Just one question. Can we expect any problems when MS comes out with official patch, Automatic Updates is turned on and wmffix_hexblog13.exe is installed?

  131. denial,
    No, I do not expect any problems with the hotfix when you install the official patch from Microsoft. Just do not forget to uninstall the hotfix, because you will not need it anymore.

  132. You do NOT have to uninstall the hotfix where a specific application that does not handle WMFs, so cannot be vulnerable, fails when the system is patched.
    AppInit_DLLs is a dynamic registry entry that is read on every application launch: you can temporarily rename it, then fire up the incompatible application, then restore the original registry entry. You could save an enabled and a disabled .reg script and enable/disable as and when required. When a system-wide DLL hook is written for the Win9x gdi32.dll that will be different, as it will be a system-wide patch, not per application launch.
    A more sophisticated hotfix would only hook gdi32.dll when spawned by known problem executables or DLLs.
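The enable/disable trick from comment 132 and the manual uninstall from comment 88, as an added example (not the hotfix's own code and not anything the commenters posted). It assumes the DLL name wmfhotfix.dll and the registry key named in comment 88, and a placeholder path for the incompatible program. It edits only the hotfix's own entry so that any other DLL listed in AppInit_DLLs (comment 95 found one from BitDefender there) is left alone.

```powershell
# Added example: bypass the AppInit_DLLs hook for one program launch, then restore
# it; and the manual uninstall steps. Run elevated. Assumes wmfhotfix.dll and the
# key from comment 88; the program path is a placeholder.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$HotfixDll  = 'wmfhotfix.dll'

function Get-AppInitDlls {
    $v = (Get-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($null -eq $v) { '' } else { [string]$v }
}

function Remove-FromAppInitList {
    # AppInit_DLLs is a space- or comma-separated list. Drop only the named entry
    # and keep everything else (an AV module, for instance) in place.
    param([string]$List, [string]$Dll)
    ($List -split '[ ,]+' | Where-Object { $_ -and ($_ -notmatch [regex]::Escape($Dll)) }) -join ' '
}

function Invoke-WithoutWmfHotfix {
    # New processes pick up AppInit_DLLs when user32.dll loads, so clearing the entry,
    # starting the program and restoring the entry affects only that launch.
    param([Parameter(Mandatory)][string]$Program, [string[]]$Arguments)
    $saved = Get-AppInitDlls
    if ($saved -notmatch [regex]::Escape($HotfixDll)) {
        Write-Warning "$HotfixDll is not listed in AppInit_DLLs; nothing to bypass"
    }
    try {
        Set-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -Value (Remove-FromAppInitList $saved $HotfixDll)
        $sp = @{ FilePath = $Program; PassThru = $true }
        if ($Arguments) { $sp.ArgumentList = $Arguments }
        $proc = Start-Process @sp
        Start-Sleep -Seconds 2   # give the new process time to load user32.dll and read the value
    } finally {
        # Restore right away: any other process started in this window also ran unhooked.
        Set-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -Value $saved
    }
    $proc
}

function Uninstall-WmfHotfixManually {
    # Comment 88: remove the entry, reboot, then the DLL and the text files can go.
    Set-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -Value (Remove-FromAppInitList (Get-AppInitDlls) $HotfixDll)
    Write-Host "AppInit_DLLs is now '$(Get-AppInitDlls)'. Reboot, then delete:"
    Write-Host "  $(Join-Path $env:SystemRoot "System32\$HotfixDll")"
    Write-Host "  $(Join-Path $env:ProgramFiles 'WindowsMetafileFix')"
}

# Usage (elevated): Invoke-WithoutWmfHotfix -Program 'C:\Path\To\IncompatibleApp.exe'
```

The two-second sleep is the weak point: if the program takes longer than that to load user32.dll it will still get the hook, and any unrelated process that starts during the window runs without it. Keep the window short and do not use this on a machine where users are browsing in the meantime.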

  133. Brian Hall,
    Please give your friend a direct link to this site. The file might have got corrupted during the email transfer.

  134. Got error message: “Delete file failed. Code 5.” Any ideas of the cause? Running XP Pro, SP2.

  135. Setup failed:
    “Sorry, could not update the AppInit_DLLs registry key. The fix will NOT work.”
    Any ideas?
    XP Home SP-2

  136. After spending 1 week trying to fix this on my own, I came across your patch. Thank you SOOOOO much!!!

  137. Ilfak: I have a question, what do you mean by the comment?
    // 77 is a wildcard and matches any byte
    const BYTE WILD = 0x77;
    Also doesn’t this vuln affect even 9x versions? Don’t we need to patch those as well?
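What the quoted comment describes is a wildcard byte in a code signature: one byte value (0x77 in the quoted source) is reserved to mean "any byte here", so a pattern can anchor on the opcodes of the instructions being searched for while skipping operands that differ between builds. The following is an added illustration of that idiom, not the hotfix's own search routine; the sample bytes and the pattern are constructed for the example and are not gdi32's Escape() code.

```powershell
# Added example: byte-pattern search with a reserved wildcard value, the idiom the
# quoted "WILD = 0x77" comment refers to. Sample data and pattern are constructed.
function Find-BytePattern {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][byte[]]$Pattern,
        [byte]$Wild = 0x77          # any pattern byte equal to this matches anything
    )
    $hits = New-Object System.Collections.Generic.List[int]
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Pattern.Length; $j++) {
            if ($Pattern[$j] -ne $Wild -and $Data[$i + $j] -ne $Pattern[$j]) {
                $match = $false
                break
            }
        }
        if ($match) { $hits.Add($i) }
    }
    return $hits
}

# Constructed sample: push ebp / mov ebp,esp / mov eax,[ebp+8] / cmp eax,0Ah /
# mov ecx,[ebp+0Ch] / ja +3. The displacement and immediate bytes are the ones
# that tend to differ between builds, so the pattern wildcards them.
[byte[]]$sample  = 0x55,0x8B,0xEC, 0x8B,0x45,0x08, 0x3D,0x0A,0x00,0x00,0x00, 0x8B,0x4D,0x0C, 0x77,0x03
[byte[]]$pattern = 0x8B,0x45,0x77, 0x3D,0x77,0x77,0x00,0x00
Find-BytePattern -Data $sample -Pattern $pattern        # -> 3 (offset of mov eax,[ebp+8])
```

The caveat is visible at offset 14 of the sample: 0x77 is also the opcode of a short JA jump, and a wildcard value can never be matched literally. A pattern is only safe with this scheme if no position that must match a real 0x77 is needed; otherwise the search needs a separate mask array rather than an in-band wildcard value. For a hook that patches gdi32.dll across several Windows builds this is exactly the check to make when the pattern is chosen.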

  138. I would first like to thank you for your hotfix. I installed it at work on all of our computers and it works fine on Win XP SP1.
    But there are some computers running Win ME that I can't patch, and I can't upgrade them because of old software running on them.
    Just to know (without begging): will you try to extend your hotfix to those systems?

  139. The number of those recommending the temporary WMF patch is growing

    The domestic CERT-FI has also joined those recommending the temporary fix for the Windows Metafile vulnerability written by Ilfak Guilfanov. F-Secure's web blog was the first to report and link to the availability of the code, on Saturday at midday. Internet St…

  140. New Windows Exploit… Patch At Your Own Risk

    I should have posted on this earlier today, I’ve been pretty lazy about it though. It seems (let’s have a huge surprised look on our faces now) that there is yet another Windows Exploit making the rounds. Unfortunately, this is…

  141. WMF Patch

    I mentioned the WMF vulnerability in Windows recently. Microsoft has not yet released a fix, which leaves you all out to dry.
    This guy has put together a temporary fix that actually works like a rootkit (while a hacking tool and part of Sony’s D…

  142. Public Service Announcement

    There’s a new computer virus threat described as “huge”: ….the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which requir…

  143. [Virus appears] Additional information on the Windows vulnerability [It's hopeless]

    The email subject is "Happy New Year" and the attached file is named "HappyNewYear.jpg".

  144. WMF vulnerability

    I have been desperately trying to avoid blogging, but this is just hectic. A vulnerability (a feature not a bug) in WMF files allows code to be embedded and executed upon viewing the file. The libraries for handling WMF files are pretty universal across

  145. WMF problem in Windows

    Millions of lines of code and yet another bug has been found. And exploited. And temporarily fixed. This time it is a nasty one, where WMF-images are executing code, which was introduced a long time ago and still exists in current Windows versions.

  146. The WMF vulnerability in Windows

    A serious security problem has been discovered and some effort has been spent on solving it. However, Microsoft has not done this, and it may take a long time. They have made something they call a solution, but it is no complete solution at all.
    Ilfak G…

  147. Friendly reminder: watch out for WMF trojans over the Spring Festival holiday

    MS06-001 released early, fixing the WMF 0day vulnerability
    The WMF 0-day vulnerability…
