Lotus Notes Vulnerable to WMF Exploit On Windows
09:30:16 AM
Written By : Richard Schwartz
Category : Spam And Security
Location : Nashua, NH

Via SANS and NIST:

Lotus Notes uses the same vulnerable shimgvw.dll graphics rendering engine file implicated in the Microsoft Security Advisory (912840) to view image file attachments. Because of this, all Lotus Notes users are vulnerable to the WMF zero-day exploit. At this point there is little that can be done but block all incoming images at the perimeter.

Someone (or an email worm) simply needs to email a person a message with a graphics file attachment. It doesn't matter if the person Views or Opens (Runs) the attachment; the shimgvw.dll will be used to render the image and the malicious file can compromise the computer.

Remind users to avoid opening or viewing file attachments from unknown users. Better yet, block image file attachment extensions (listed in the SANS posting) altogether using a rule similar to the one Chris describes.
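
A perimeter filter along the lines recommended above, as an added example (not code from this post, from SANS, or from Chris's rule): it flags MIME parts by image extension, by image MIME type, and by WMF header bytes, so a metafile carrying a non-image extension is still flagged. The extension list, function names and sample message are constructed assumptions; the SANS list is not reproduced on this page.

```python
import email
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed block list for illustration; not the list from the SANS posting.
BLOCKED_EXTENSIONS = {".wmf", ".emf", ".jpg", ".jpeg", ".bmp", ".gif", ".png", ".tif"}
PLACEABLE_WMF = bytes.fromhex("d7cdc69a")  # placeable-metafile key, little-endian
# Standard WMF header: type (1 or 2), header size 9 words, version 0x0100 or 0x0300.
STANDARD_WMF = tuple(bytes.fromhex(h) for h in
                     ("010009000001", "010009000003", "020009000001", "020009000003"))

def looks_like_wmf(data: bytes) -> bool:
    """True when the content starts with a WMF header, whatever the file is called."""
    return data.startswith(PLACEABLE_WMF) or data[:6] in STANDARD_WMF

def attachments_to_strip(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (name, reason) for every MIME part a perimeter rule should remove."""
    flagged = []
    for part in email.message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed part)"
        data = part.get_payload(decode=True) or b""
        if looks_like_wmf(data):
            flagged.append((name, "WMF header in content"))
        elif PurePosixPath(name.lower()).suffix in BLOCKED_EXTENSIONS:
            flagged.append((name, "blocked image extension"))
        elif part.get_content_maintype() == "image":
            flagged.append((name, "image MIME type"))  # inline images without a filename
    return flagged

def build_sample() -> bytes:
    """Constructed message; the 'WMF' part is header bytes plus padding, not a real metafile."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    octet = {"maintype": "application", "subtype": "octet-stream"}
    msg.add_attachment(PLACEABLE_WMF + b"\x00" * 18, filename="notes.doc", **octet)
    msg.add_attachment(b"BM" + b"\x00" * 20, maintype="image", subtype="bmp", filename="logo.bmp")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", disposition="inline")
    msg.add_attachment(b"plain text", filename="readme.txt", **octet)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in attachments_to_strip(build_sample()):
        print(f"strip {name}: {reason}")
```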

Some general info about the vulnerability is available in eWeek and InfoWorld.

Comments :

1. Ken Yee 12/30/2005 10:05:37 AM

Just unregister the shimgvw.dll like so:
regsvr32 /u shimgvw.dll
I've done it on all my machines. This is actually a WMF design flaw so I doubt they'll be able to patch this...

2. Richard Schwartz 12/30/2005 10:22:40 AM

From SANS: "John Herron at discovered today that Lotus Notes versions 6.x and higher is vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory."

3. Chris Whisonant 12/30/2005 11:24:42 AM

I'm wondering if the "Show inline MIME images as attachments" setting under User Preferences would work to prevent it from executing the code? I guess it all depends on what the definition of an inline MIME image is...

4. Ken Yee 12/30/2005 01:12:15 PM

Dohhh. That's horrible. I'll bet the shimgvw.dll is only for Windows Explorer and Notes uses another API to display WMF files :-P
The inline MIME image question is a good one for Lotus. I suspect that'll work until someone double clicks one of the image files...

5. Chris Whisonant 12/30/2005 02:40:14 PM

Ken, yeah, I was thinking that too. But if people use the preview pane and delete one document with that infected file being the next document it may prevent the infection from that. And hopefully even if they open a message from someone they don't know maybe they wouldn't open the attachment too!!! lol

6. Gerco Wolfswinkel 12/30/2005 03:42:33 PM

Perhaps a combination?

-use a policy to enable "Show inline MIME images as attachments" for all Notes users
-create the mailrule to strip attachments with .jpg, .bmp etcetera from incoming email

Wouldn't that solve most of the problems?

7. Gerco Wolfswinkel 12/30/2005 03:59:27 PM

on second thought.. the 'show inline MIME.. ' stuff gets done at the workstation level, so the mailrule wouldn't filter those out. No catchall solution there

8. Ken Yee 01/03/2006 11:22:40 AM

Looks like there is a workaround. Linked to Ilfak's blog from mine as well:

9. Julian Robichaux 01/03/2006 03:23:05 PM

Here's a way to keep the Notes client from displaying WMF files:

doesn't really help with the other Windows apps, though...

10. J Herron 01/03/2006 11:51:34 PM

I've posted an update to the Lotus Notes issue at

J Herron

11. Richard Schwartz 01/05/2006 10:10:48 PM

The Microsoft patch is available:



All opinions expressed here are my own, and do not represent positions of my employer.