NEWS FROM THE LAB - Wednesday, January 4, 2006

Hexblog.com overloaded
Posted by Mikko @ 06:23 GMT

Turns out half the planet tried to download WMFFIX_HEXBLOG.EXE from Ilfak Guilfanov's personal website (hexblog.com). The resulting traffic was so heavy that his hosting provider actually shut his site down.

Update at 09:55 GMT: The site www.hexblog.com is now back up and running in a reduced state. It's still under extremely heavy traffic.

Ilfak has set up a temporary site at, offering links to various download locations.

He mentions on his page:

  Due to incredibly high load, the page has been reduced to the bare minimum.
  Thanks for understanding.
  Safe computing!

Our guidance on the "WMF vulnerability" continues to be:

1) Make sure your antivirus is up-to-date and enabled. F-Secure Anti-Virus currently detects all known exploit versions, but new ones are popping up.

2) Apply the Microsoft-recommended REGSVR32 /u shimgvw.dll work-around. It doesn't solve all problems, but it does disable the most obvious ways of exploiting this vulnerability.

3) Install the unofficial patch from Ilfak Guilfanov. We've tested and audited it and can recommend it. We're running it on all of our own Windows machines.