January 2006 - Posts

IE7 Beta 2 Preview has gone live

Yay! It's out (released in the middle of the night my time)
http://www.microsoft.com/windows/ie/ie7/

Please remember that this build has been released to allow Developers and IT Professionals to start evaluating IE7 against their Web sites and applications.  The preview is not intended for, and should not be installed in a production environment.  Casual users should not install it unless they understand and are willing to take the risk inherent in using betas.

There's a fantastic, funny video advertisement "Everyday tasks made easier with IE7" available for viewing at:
http://www.ifilm.com/ifilmdetail/2693343?htv=12

Download IE7 Beta 2 Preview here:
http://www.microsoft.com/windows/ie/ie7/ie7betaredirect.mspx

Important Release notes - please read:
http://msdn.microsoft.com/ie/releasenotes/default.aspx

To celebrate the release of IE7 Beta 2 Preview, www.ie-vista.com has undergone a massive update, with lots of new content and information.  Enjoy.

Posted by sandi with 2 comment(s)

Heads up for SBS Sites using self-signed certificates

SBS (Small Business Server) uses self-signed certificates by default.  This may cause an issue for your users if they are running Internet Explorer 7.  As you can see from the screenshot, direct navigation to the Outlook Web Access log-on URL is blocked by IE7 when self-signed certificates are used.

To help avoid confusion I'd recommend you alert your users to this change in behaviour sooner rather than later, so that they understand that there is nothing wrong with your site or their computer.

Here are the hoops your user will have to jump through to stop the warning page from appearing every time they go to your site.

First, they will see this page.


Your users need to click on Continue to this website (not recommended)

They will be presented with the red Address Bar and certificate warning:

Click on the Certificate Error button to open the information window.


Click on View Certificates.  Then click on Install Certificate.

You'll see yet another warning.


Click on Yes, then you're done.

IE7 on Windows Vista

We see the same problem with self-signed certificates when using IE7 on Windows Vista, but the option to install certificates will not be available unless you run IE with administrator rights (right click the IE icon, select "Run as Administrator").

Posted by sandi with 8 comment(s)

Today's "You're an IDIOT" award goes to...

Anybody who embedded Robin Schuil's graphic into their blogs.

Info about the graphic:
http://news.com.com/2061-10789_3-6031795.html

<Cue Rick Springfield singing "Don't talk to strangers...."> No!!  No Springstein!!  Springfield!!

Seriously people... think about this... how hard would it be to replace an innocuous animated GIF with... say, a WMF exploit???

Have a look at the spread of this allegedly innocent prank:
http://www.moox.nl/blogworm/

For heaven's sake people WAKE UP TO YOURSELVES!!!!

I don't know Robin Schuil... I've never met Robin Schuil.... therefore I don't trust Robin Schuil.  You should not trust Robin Schuil.

Let me ask you something... what is the NUMBER ONE reason that viruses and malware spread so easily? Why are so many people infected with crap via email or freeware?  (Fair warning - the first person to blame Windows will be hit over the head with my freshly charged flamethrower).

I'll tell you the answer - trust combined with naivety (aka Social Engineering).  It simply doesn't occur to us that some complete stranger who is offering something that *looks* fun or funny could possibly have an ulterior motive.

"Ah, but it's a GIF, not a WMF" I hear you say.... well, check this out from the Security Bulletin for the WMF exploit:

"The only image format that is affected is the Windows Metafile (WMF) format. It is possible, however, that an attacker could rename the file name extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphics Rendering Engine would detect and render the file as a WMF image, which could allow exploitation."

Ok, so I'm not saying that Robin Schuil is a bad person; I'm not saying that this particular case is an attempt to infect the world by stealth. 

What I *AM* saying is that we have to grow up - social engineering is how the bad guys spread.  Trust is how the bad guys spread.  Did *anybody* who added this script to their Blogs ask themselves what they know about Robin? Did any of them ask what would happen if virus.gif was replaced with virus.wmf?  Don't fool yourself into thinking that renaming a WMF file as GIF will stop an exploit from working.... MIME handling enforcement wasn't introduced until XP SP2:
http://www.microsoft.com/windows/IE/community/columns/improvements.mspx
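The bulletin's point is that the rendering engine goes by what the bytes are, not by what the file is called, so a defender has to do the same. The script below is an added example, not from the original post, that identifies image files by their leading bytes (the GIF, PNG and JPEG signatures, plus both WMF header forms: the placeable key 0x9AC6CDD7 and the standard METAHEADER of type/size/version words) and flags any file whose content disagrees with its extension. It is the kind of check a mail gateway or upload handler would run; all of the sample "files" are constructed header fragments, not real images.

```python
# Added example (not from the original post): classify image files by
# their header bytes rather than their extension and report mismatches.
# The sample files below are CONSTRUCTED header fragments only.
import struct

def sniff_image(data: bytes) -> str:
    """Return what the bytes actually are, judged from the file header."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # Placeable WMF: the 32-bit key 0x9AC6CDD7 stored little-endian.
    if data[:4] == b"\xd7\xcd\xc6\x9a":
        return "wmf"
    # Standard WMF METAHEADER: Type (1 = memory, 2 = disk), HeaderSize 9,
    # Version 0x0100 or 0x0300, as three little-endian 16-bit words.
    if len(data) >= 6:
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

def extension_of(filename: str) -> str:
    """Format the file name claims, normalised (jpg -> jpeg)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"jpg": "jpeg"}.get(ext, ext)

def check_file(filename: str, data: bytes) -> dict:
    """Compare the claimed format (extension) with the actual one (content)."""
    actual = sniff_image(data)
    claimed = extension_of(filename)
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": actual != "unknown" and actual != claimed}

# CONSTRUCTED samples: header bytes padded with zeros, no image data
SAMPLES = {
    "funny.gif": b"GIF89a" + bytes(10),
    "renamed.gif": b"\xd7\xcd\xc6\x9a" + bytes(18),      # placeable WMF called .gif
    "banner.jpg": b"\xff\xd8\xff\xe0" + bytes(10),
    "diagram.wmf": struct.pack("<HHH", 2, 9, 0x0300) + bytes(12),
    "notes.txt": b"hello",
}

def scan(samples=SAMPLES):
    """Run check_file over every sample and return the results."""
    return [check_file(name, data) for name, data in samples.items()]

if __name__ == "__main__":
    for r in scan():
        verdict = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['file']:12} claims {r['claimed']:6} is {r['actual']:8} {verdict}")
```

Note that the check never trusts the extension on its own: `renamed.gif` is reported as WMF content regardless of its name, which is exactly the situation the bulletin describes.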

What do you think will happen *when* (not IF) a bad guy follows Robin's lead and uses the same innocent "this is fun" trick to convince people to help spread malware or crapware?

Edit: Something else occurs to me.  When I last checked Robin was publishing links to pages that have added a blogworm; any one of those sites could take the opportunity to use the gif as a lure and embed a security exploit on their page.

The End Game... again....

Yes, I know I've said it before....

Back in April 2005 I attended a very private session in Singapore about Rootkits and their potential for harm.  Way back then the guy giving the presentation mentioned the possibility of infecting a computer's BIOS.

I remember those of us in that session left with a global sense of "we're screwed" (I know some of you who were at that session are reading this...feel free to chime in). 

I had hoped that the bad guys on the net would not start using such tricks and, more importantly, that the rest of the net would not realise that the BIOS trick was possible.  If they did realise, I hoped and prayed they would not talk about it or publicise it.

Ok, so now it's out :o(   A few days ago I was sent this URL at securityfocus.com:
http://www.securityfocus.com/news/11372

I had really really really hoped that this trick would not see the light of day. 

The URL predicts that it will be a month before malware purveyors start experimenting with this trick.

We have a few things in our favour... the most important of all being BIOS diversity - the bad guys will only succeed if they happen to target the BIOS on your system.  The second protection is write protection of the BIOS.  Some boxes require hardware jumpers to be set correctly to enable a flash of the BIOS to succeed.

Important point: our idea of "succeed" is different to *their* idea.  To succeed, malware purveyors only need to infect a system... if the infection leaves a system unbootable... if it constantly blue screens... if nobody actually buys anything advertised in those damn popups... they don't care.  The fact of infection is all that is important.

What is seriously scary is that a failed BIOS flash can leave your computer so damaged it will be no more than an overpriced paperweight.  The only fix is to replace the BIOS chip (*if* it is available and *if* it is replaceable).

Those who know me well know that I have never been alarmist, and I know that this sounds like pretty extreme stuff, and that there are a lot of obstacles standing in the way of those who would want to use the BIOS for malware, but I can tell you this... two years ago I did not anticipate rootkits being used for malware.  It is inherently difficult to write kernel mode code... it is very easy to get things wrong, causing the infamous "blue screen", therefore I surmised that malware purveyors wouldn't bother... after all, what's the use of using rootkits if they are more likely than not to crash a system?  I assumed that, in the end, the number one goal for the bad guys was sales - I was wrong.

You see, the worst malware purveyors don't care about system stability.  They don't care about whether or not their pop-ups actually appear on screen... they play the odds, just like the spam kings play the odds... in reality, maybe one in 10,000 spam recipients will click on the link or buy something from spammers, but that 1 in 10,000 is enough to make spamming cost effective, because the cost of spamming is so low.

The same goes for malware.. the cost of spreading malware is so small it may as well be free.

The malware purveyors don't care about a 100% success rate.  If they happen to fry your PC because your BIOS doesn't match what they're trying to flash they won't care, any more than the spammers care about those whose inboxes they fill, any more than malware purveyors care about the PCs that are crippled by malware infections so severe PCs grind to a halt under the load. The old school didn't care about the stability of your system. If your computer slowed to a crawl and was completely unusable under the load of spyware, they didn't care.

They will target the most common BIOS in the marketplace... AMI, Award, Phoenix... and they will target the BIOS according to default settings for the most common PC manufacturers out there... Dell, HP, Gateway, Toshiba etc etc etc. 

Have you set a password to protect your BIOS?  No?  I didn't think so. Are your motherboard jumpers set so that the BIOS cannot be flashed?  You don't know? Nor do most other people.  We're getting in an area of PC maintenance that only the most experienced of technicians should venture.

BTW, Mac users... you are not safe from the bad guys:
http://www.securityfocus.com/news/11359

You'll note I mentioned the "old school" of malware pushers.  There's a reason for that.  Recently I have seen popular press and various experts starting to acknowledge that the bad guys are getting more subtle... instead of infecting as many machines as possible, and damn stability, they are writing their malware so that their presence has as little effect as possible on system performance, and they keep the infection count low enough that they fall under the radar of the anti-spyware and anti-virus products.  I agree that this is what is happening; the guy behind HackerDefender, for example, has been offering for sale unique rootkits that are not detected by classic antivirus and antispyware products for a long time now.

It is a reality of life that antivirus products will not detect a virus or other infection unless and until a certain number of PCs are infected.  It is not commercially viable to track down and create protection for an infection that may only infect a few hundred, or few thousand, PCs.  But, a few thousand PCs can do a lot of damage if they are recruited into a bot-net for targeted DDoS attacks.  I discussed the problem of library and heuristic detection back in May last year:
http://msmvps.com/blogs/spywaresucks/archive/2005/05/05/45762.aspx

So, where do we go from here? I honestly don't know.

Y'all know that I hate spyware....

The Title of my Blog says it all.

A big area of concern for me recently has been Google Ads.  Far too many people are being directed to sponsored advertisements, and far too often these sponsored advertisements are for malware.

Let's look at the recent complaint laid by the State of Washington against "Secure Computer LLC" (what a misleading name *that* is).

A PDF of the complaint for injunctive relief is available online at http://seattlepi.nwsource.com/dayart/20060125/spywaresuit.pdf.  On page 28 that complaint shows a screenshot of a Google web search.  The sponsored links include a link to "Microsoft Antispyware", but the link does not take users to the *real* Microsoft Antispyware product.  Instead it directed users to the fake antispyware product described in the complaint.

I do not believe for a moment that Google were not aware that there was a legitimate product called "Microsoft Antispyware".  I also do not believe, for a moment, that Google do not have the technical ability to cross check "sponsored advertisements" to ensure that they are not deliberately misleading and deceptive.

So, what do we do?  For some reason the world loves Google.  This is a company that is gathering more and more and more data about the Web and how we use it every day.  Will we, one day, suddenly wake up and wonder whether it was a good idea to let one company be so pervasive?

Anyway, I digress.  Ben Edelman in his latest blog entry (http://www.benedelman.org/news/012606-1.html) refers to a product called "SiteAdvisor".  What SiteAdvisor apparently does is vet sponsored links with the intention of warning users about "dangerous" links (dangerous being my description). 

I have not tested this product, but it looks like a good idea (assuming that SiteAdvisor themselves prove to be trustworthy as time goes on).

If I get the chance to download and test SiteAdvisor I'll publicise the results.  It would be wonderful to be able to protect users from the crooksters on the Internet, especially considering Google seems to be willing to take their money, but not willing to check their bona fides *before* complaints are received and users are harmed.

How easily things can go wrong....

...here it is... Saturday morning...and the transformer for my HP nx6120's power cable dies without warning.  Not a good thing when there is a *lot* of work to be done and my battery is flat :o(

HP (of course) are closed.  All HP Resellers are closed.  All the open repair shops do not have a replacement transformer in stock. 

Finally I found *one* store with a brand of universal power supply whose connectors fit my laptop, which is just as well because I was just about to call in a favour along the lines of "Hey, remember those 20 PCs you want me to buy off you?  Meet me at your office in an hour" - $150 later I'm back working.  Here is my lifesaver:
http://www.kerio.com.tw/products_b.html

This laptop is not that old.  HP are *so* going to hear about this on Monday.

Posted by sandi with no comments

Wow.. is it 20 years already?

20 years ago what many call the first *PC* virus was discovered in the wild, named "Brain"
http://news.bbc.co.uk/2/hi/technology/4630910.stm

How ironic that the first *computer* virus is noted in the article as affecting the Apple II ;o)   That little gem is almost as much fun to reveal as the fact that Internet Explorer and Netscape have a common grand-parentage... check out my Internet Explorer Community article for more information about that:
http://www.microsoft.com/windows/IE/community/columns/historyofie.mspx

The virus and malware landscape has changed since 1986.  Brain was very restricted in how it could be spread - it could only be passed from PC to PC via an infected floppy and was relatively easy to remove.  Nowadays viruses are network aware, spread automatically, and can sometimes infect a PC with no interaction from a victim apart from visiting a website or viewing an email in Preview Pane.

It must have been more than two years ago that I gave a presentation in Sydney regarding malware.  At the time we were beginning to deal with self-aware, co-dependent, super hidden malware services that monitored each other for interference so that they could reinstall, using random file names, automatically if we dared to try and remove them.  The malware was intelligent enough to detect, and disable, the most popular antivirus and antispyware software.  I had seen PCs with *dozens* of randomly named files generated by failed cleanup routines.  Back then, during the presentation, I called the situation as it was then the 'end game'. 

How wrong I was.... a year later I attended a seminar in Singapore, where the security expert in question (whose name I cannot mention thanks to a continuing NDA) discussed what was then the early emergence of rootkits.  HackerDefender was just grabbing a foothold.  Rootkits were not yet being used in malware.  Back then, his advice when faced with potential rootkits was 'nuke the box from orbit'.

But, sometimes it is not possible to nuke a box from orbit, and even if you do nuke it the problem may not be solved.  Look at the laptop I was dealing with last weekend.  Its owner is a very senior member of management of a very large corporation... this person allowed his kids to use his corporate laptop to surf the web and, inevitably, the laptop was infected with malware. 

The problem was... what if the laptop was infected with a network aware rootkit?  Was the entire corporate network of a multi-million dollar corporation at risk because of the actions of a couple of kids?  Imagine the reaction if I had been forced to tell the company that I could not guarantee the integrity of their network?  You do not lightly tell multi-million dollar corporations that their network is f*cked.

So where are we today?  The worst malware is using rootkits.  Criminal elements have become involved now that they have realised how much money is to be made.  The problem is not going to go away.

Our only defence is education and safe hex best practice.  We cannot rely on anti-spyware or anti-virus products to keep us safe... we cannot hide behind the skirts of protective software in the (vain) hope that it will keep us safe when we're being stupid or careless.

Even the latest XSS exploit, if we are paying attention, is plainly obvious to the alert surfer.  The address bar and status bar, the title bar and even the mouseover tooltip show us, before we click on anything, that the URL that will be loaded from a link in an email is not quite kosher.

After we click on the link and view the page in IE, we get even more clues...

We have to take responsibility for our safety; check the URL in the status bar, check the URL in the address bar, check the Title Bar (at top of screen) to see what is displayed there.

It is a very rare phishing site that gets everything right... there are *ALWAYS* clues... ALWAYS.

Be careful out there guys.. there are some infections, if they get on your PC, that give us no choice but to wipe out everything... forget about saving your data.. anything may have been infected.

Be safe, don't be sorry.

Do we depend too much on antivirus and antispyware software when attacking malware?

I spent a fair few hours this weekend helping out a fellow MVP by using VNC to remotely clean up his client's laptop which was showing signs of being infected with malware/adware - our primary concern was trying to assess what was on the PC, and whether the system may have been infected with a rootkit.  Depending on our findings, we also had to look seriously at whether the client's corporate network may have been compromised.

By the time I was called in, the MVP and his team had already run Trend Antivirus and Microsoft Antispyware to see if anything was detected.  The primary symptom they were trying to fix was Internet Explorer starting up at random with the page pre-populated by a porn site.

Trend and Microsoft Antispyware both came up clean, therefore the guys assumed that they needed to call in somebody more experienced (me) to have a look-see on the basis the malware may be new/sneaky/a rootkit.  Thankfully this does not seem to have been the case.

Compared to some machines I have worked on this proved to be quite an easy cleanup - no sign of rootkits, no self aware malware services, pretty old fashioned stuff.

So, as per my standard clean-up instructions at http://inetexplorer.mvps.org/tshoot.html, the first thing I do is go to Add/Remove Programs to check for malware.  I immediately spot "sexy_blondes_au" which, I think, we can blame for the porn popups.

I also found a downloader trojan (Downloader.Win32.Dluca.b) listed as dxvid, an autosearch hijacker listed as ms1src, and a few other bits and pieces.

I'll be honest; I was very surprised that something as 'in-your-face' as a sexy_blondes_au entry in add/remove programs had not been spotted.  As part of our debriefing, my friend made the comment that he hadn't thought to check add/remove programs.  He had come to depend on the accuracy of Trend and Microsoft Antispyware and was very concerned that his software did not detect the malware that I found via old fashioned eyeballing, research and diagnosis. He was also concerned that perhaps he and his team were depending too much on software when checking for malware.  I have to agree with both sentiments.

What are the lessons that can be learned from this weekend's events?  First, no antivirus or antispyware product is perfect.  They can only detect *known* infections, and there is a window of opportunity between a new virus or malware being released, and detection libraries being updated.  The chances of infections not being detected are increased because, for example, random file names are in common use, services and files can be hidden, rootkits are becoming more common.  Also, there have been cases where malware detection has been *removed* from an antispyware product after lawyers became involved - check out the list of lawsuits described on benedelman.org:
http://www.benedelman.org/spyware/

As my friend's experience illustrates only too well, we cannot depend on detection software alone.  There is no substitute for an in-depth familiarity with what is 'normal' in a Windows PC.  At the very least, anybody who wants to succeed in the fight against malware needs to get to know the standard services that run on a PC by getting up close and personal with services.msc or msconfig.  They need to become familiar with the Windows registry and learn about all the autoload locations that may be used by malware.  They need to learn what to eyeball, and when, and how to take advantage of non-spyware specific reporting and analytical software such as Rootkit Revealer, Silent Runners, Autostart Revealer and Advanced Process Manipulation. And most importantly they must ensure that they don't forget the basics (like add/remove programs) ;o)
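Getting to know the autoload locations is easier with a list in front of you than with regedit alone. The script below is an added example, not from the original post, that parses a .reg export (the text format regedit writes when you export a key) of the Run/RunOnce keys, extracts the program each entry launches, and attaches two cheap warning signs that the post itself mentions: a random-looking file name (here, one with no vowels) and a program running from a user-writable location. The export is constructed; the value names dxvid and ms1src are taken from the post, but the file names and paths attached to them are hypothetical, and the flags are hints for eyeballing, not a verdict.

```python
# Added example (not from the original post): list the programs started
# from the Run/RunOnce registry keys in a CONSTRUCTED .reg export and
# flag the cheap warning signs the post mentions.  Other autostart
# locations (services, Winlogon, BHOs) are outside this example.
import re

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# CONSTRUCTED sample export; file names and paths are hypothetical
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray"
"dxvid"="C:\\WINDOWS\\system32\\xqzrtp.exe"
"ms1src"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\ms1src.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')

def parse_reg(text: str):
    """Yield (key, value name, command line) for string values under AUTOSTART_KEYS."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key in AUTOSTART_KEYS and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                # undo the .reg escaping of backslashes and quotes
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                yield key, m.group(1), value

def executable(command: str) -> str:
    """Path of the program in a Run-value command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def flags(path: str):
    """Cheap warning signs worth a closer look, not a malware verdict."""
    out = []
    stem = path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if not any(ch in "aeiou" for ch in stem):
        out.append("no vowels in file name")
    lowered = path.lower()
    if "\\temp\\" in lowered or "\\documents and settings\\" in lowered:
        out.append("runs from a user-writable location")
    return out

def triage(text: str = REG_EXPORT):
    """One record per autostart entry: hive, value name, program, flags."""
    records = []
    for key, name, command in parse_reg(text):
        exe = executable(command)
        hive = HIVES.get(key.split("\\")[0], key.split("\\")[0])
        records.append({"hive": hive, "name": name, "exe": exe, "flags": flags(exe)})
    return records

if __name__ == "__main__":
    for r in triage():
        print(f"{r['hive']:4} {r['name']:12} {r['exe']:62} {'; '.join(r['flags']) or '-'}")
```

On a real machine, export the keys above with regedit (File, Export) and point `triage` at the file's contents; the entries with flags are where the "getting up close and personal" starts, and the ones without still deserve a look.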

Ciao Las Vegas.. thanks for having us

The only interesting thing that has happened in the last five hours at the Las Vegas Airport is a short-lived power failure in the US Airways Members Lounge.  From that moment on, no power points were working so my laptop battery is it :o(

CES was amazing.... overwhelming... enormous.... exciting.

Las Vegas was all that is good and bad about the USA squashed into one small area.  Neon abounds, decadence abounds, street hawkers shoving 'free' tickets in your face.

I was lucky enough to be able to man the IE7 booth at CES for an hour or so (and also the Communities booth).  The reactions of those I chatted to were not always what I expected, and helped refresh the level of excitement I feel about the browser.

Only once did a wannabe comedian-aka-flamer-aka-lamer say to me "IE is only catching up with Firefox" <sigh>  What'cha saying? We shouldn't bother?  Excuse me while I search out an intelligent conversationalist.

Surprisingly, the reaction that I saw to tabs overall was quite muted - probably because so many browsers have tabs already.   That being said, once we drilled down into what we can do with said tabs the excitement levels increased.  It makes me wonder how many people only scratch the surface of their Web browser's abilities - even those who use Firefox, or Opera, or Netscape.

Multiple home pages was a big hit, as was Favorite Groups, Refresh All and Close Other Tab.  Quick Tabs was a showstopper, as I knew it would be:
http://www.ie-vista.com/tabs.html#quick_tabs

It was great demonstrating RSS to those who had not used it before, and every person that I spoke to loved the new way of searching in IE7.  Yes, you can have Google as a Search Engine in IE7.  Some people were concerned about the Phishing Filter until it was explained to them that nobody is blocked from going to a site AND that not only can sites be reported as bad, they can also be reported as good AND that reports are not automatically accepted but instead are checked and substantiated.  As I said to one particularly worried gentleman, his competitors are not going to be able to report his site as bad and get away with it.  It simply doesn't work that way.

Uh oh.. gotta run.. battery about to go flat.  I'll post more from Los Angeles (if I can find a working power outlet).

Posted by sandi with no comments

Sorry guys we're overbooked...

I've seen it on TV - I've heard of it happening to others - but this is the first time it's happened when I'm around.  Pity those travelling to Reno.

"We seem to have an overbooking situation. We're looking for volunteers to take a later flight. We'll give you a $250 travel voucher good for America West and US Airlines if you'll get our asses out of this sling and give up your seat".

Heh... I'm not seeing any takers - pity the poor suckers who are booted unwillingly .... they are NOT booting me off my flight if this happens with my LA flight.  I have an international connection ;o)

Posted by sandi with no comments

WMF Security Patch is being released today!!

A patch to fix the WMF exploit was released at 2.00pm PST today.

The downloads can be found at the URL below, Windows Update and the Microsoft Download Centre:
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on MS06-001 and to answer questions.
Registration details will be available at http://www.microsoft.com/technet/security/default.mspx

Microsoft will still release security patches on January 10 as scheduled.


CES 2006 Keynote...

"Going Beyond: Microsoft at 30"

I'm sitting here watching the CES Keynote via Satellite link.... this is going to be rough and all over the place.

Stats and snippets:

Windows PCs - 11% growth last year.  I'll admit, I found that kind of surprising.

100 million broadband users in the USA (and that's not the biggest user number out there).

5 million Windows Mobile devices will be shipped this year.

Starting tomorrow a new phone goes on sale that is a collaboration between Microsoft and *Palm* (Yes, Palm).

Microsoft, Philips and Uniden have collaborated to create a new cordless phone that can make VOIP calls using "Windows Messenger Live Call Services".

Windows Vista will be shipped by the end of the year, as will Office 12.

URGE Music Service (in association with MTV):  A new online music service integrated with Media Player with over 2 million tracks. Drag 'n' drop to create playlists.

Cool stuff:

Parental controls in Vista:  think MSN Explorer parental controls on steroids.

Windows Vista will have an inbuilt photo editing ability in Windows and Picture Viewer... and not only that, if you edit your photograph and save the changes the original version will be saved by Vista so that even years later, if you want to, you can go back to the original version of the photograph!!

Media Centre PC: High Definition DVDs. Imagine a (for want of a better word) information bar along the bottom of screen.  We've all watched a movie with the Director's commentary. With HD-DVD the Director's Commentary will be a movie quality, animated, *small* floating head of the Director superimposed over a portion of the movie screen talking us through the movie.  We will also be able to do many things like search through chapters without interrupting the movie.  There is information available about the actors in the movie being viewed, but the cool thing is the information bar is intelligent enough to automatically highlight the actor in the current scene.

Xbox and HD-DVD – there will be an external HD-DVD drive released.

Want to look at your song list in Windows Explorer? In Vista you can see the album art as well.

The Word Wheel is all over the place - Bryan Starbuck demoed the OE version of the Word Wheel on his blog:

http://spaces.msn.com/members/bryanstarbuck/Blog/cns!1psJjwgBAsV-Ph1H_Wpa4AUg!261.entry

Bill G demoed the coolest wall mounted touch screen for the family home; the location of every family member could be (optionally) displayed on a map in real time.

Video conferencing - drag 'n' drop to add people to the video conversation.

Did you know that the Bill and Melinda Gates Foundation is worth $29 billion?  That figure is equivalent to the World Health Organisation.

Posted by sandi with no comments

Viva Las Vegas !!!!

Here I am in Las Vegas to attend the Consumer Electronics Show.

So far, the trip has been charmed; free Business Class upgrade from Perth to Sydney, Exit Row Window from Sydney to LA, and First Class from LA to Las Vegas.

Getting off the plane in Las Vegas was like stepping into another world - slot machines everywhere.  $5.00 purchased a shuttle ride from the airport to my time share apartment.

Officially there is no internet access here except for in the CES Press Room and during certain Featured Community sessions, but my HP laptop's wireless antenna is strong enough to pick up a useable signal from the McDonald's store I can see outside my window - $2.95 for two hours access time ain't too bad ;o)   I'm registered as Press so get access to the Press Room with its special SWAG, internet access, tea, coffee, nibbles etc etc etc.

Met up last night with a good friend, Tom Koch of www.insideoe.com fame.  After wandering around checking out the most amazing sights (we both can't quite believe we're in Las Vegas) we headed to Smith & Wollensky for dinner.  What a blast of a night.  Tom had Alaskan King Crab - I'm talking HALF an Alaskan King Crab... absolutely massive - as for me I had the most marvellous fillet.

At the end of the night, the waiter handed over what he thought was the bill... but he gave me two bill folios... I open them and they both have cash inside (not a small amount, btw)... so, Tom and I being honest types called over the waiter and gave the money back.  Our reward?  Our drinks and dessert were free - considering I'd had four double shots of Macallan 18 year old during the night - that was one hell of a thank you.

Ok, the Keynote has just started... watch this space.  Howdy Bill Gates.

Posted by sandi with no comments

The WMF exploit that has been in the news so much..

Update: MS will be releasing a patch for this problem on 10 January.

What a mess.  I've been sitting back waiting for information to solidify about what works, and what doesn't work before posting.  First it was said that Software DEP (Data Execution Prevention) would work, and then it was said that it wouldn't.  Same thing about hardware DEP.  First it was said that deregistering shimgvw.dll would make us safe, then it was discovered that it wouldn't.

Very early on there was a Web forum that recommended replacing GDI32.DLL with a version supplied by a member of the forum.  But, to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection).  The changed file was also causing Windows Update to offer old security patches.  Frankly, it was a good idea, but too messy in practice.

IMHO the best information on the net about this problem is at the Internet Storm Centre:
http://isc.sans.org/diary.php?storyid=994
And here:
http://isc.sans.org/diary.php?date=2006-01-01

One thing I see missing is instructions on how to reregister the DLL, which can be done using this command:
regsvr32 %windir%\system32\shimgvw.dll

Deregistering shimgvw.dll will stop Windows Picture and Fax viewer from working.

Early in the article it mentions 'indexing software'.  What is that? Things like Google Desktop or MSN Desktop.

The article says that Hardware DEP will protect you from the exploit depending on hardware.  I am not convinced of the safety/accuracy of this claim.  One thing the article does not mention is that you must make sure you enable the option to "Turn on DEP for all programs and services except those I select".   If you have DEP available, you will find it at Control Panel, System, Advanced.  Click on the Performance Settings button then navigate to the Data Execution Prevention tab.  If you do not have Hardware DEP there will be a warning at the bottom of that tab. 

The official Microsoft advisory can be found here:
http://www.microsoft.com/technet/security/advisory/912840.mspx

If somebody tells you to "dump IE and you'll be safe", hit them over the head with a cluestick.