WMF vulnerability

Our Google quality guidelines include specific behaviors that can result in penalties or removal from our index, but the guidelines also include this message:

These quality guidelines cover the most common forms of deceptive or manipulative behavior, but Google may respond negatively to other misleading practices not listed here…

In case anyone has doubts, pages which exploit browser security holes to install software (esp. malware/spyware/adware/scumware/viruses/worms/trojans) are outside our quality guidelines. Pages that use security holes to install software may be removed from Google’s index.

The Sunbelt BLOG mentions a new exploit of the Windows WMF graphics rendering engine that applies to Windows versions from 98 to XP. This is a pretty nasty exploit, especially if you surf around scuzzy neighborhoods of the net (I sometimes have to for my job, for example). One thing you can do is to unregister the DLL that the current exploits go through, the Windows Picture and Fax Viewer (shimgvw.dll). You’ll lose thumbnail previews and such, but if you want to reduce your exposure until a patch is available, click Start->Run and then type “regsvr32 /u shimgvw.dll”. Two caveats: the flaw itself lives in the GDI library that renders metafiles, not in the viewer, so this only closes the most common path and any other application that renders WMF files stays exposed; and once the patch is installed you can re-enable the viewer with “regsvr32 shimgvw.dll”.

Update: Note that if you disable this DLL, you’ll lose the ability to preview images with a double click. What to do about that? I’d install the excellent Paint.net program from Washington State University. Then follow this support page from MSFT on how to change your file associations to use Paint.net to open your images. You’ll have to do it once for each filetype (.jpg, .gif, .png) that you want to view.
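As an added example (not part of the original post, and not code from Sunbelt or Microsoft), here is a small Python scanner for the shape of the exploit files themselves: a WMF whose record stream contains a META_ESCAPE record (function 0x0626) carrying the SETABORTPROC escape (number 9), which asks GDI to register an “abort procedure” callback that it later calls. That escape is a printing feature and has no business in an image file, so its presence is a strong signal on its own. The record-function and escape numbers are from the WMF format; the two sample files and the 0xCC placeholder bytes that stand in for a payload are constructed here for the demonstration.

```python
"""Flag WMF files that carry the SETABORTPROC escape the WMF exploit files rely on."""
import struct
from typing import List

# Constants from the WMF format (META_* record functions and escape numbers).
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header before the WMF header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape that registers a callback GDI invokes on abort


def scan_wmf(data: bytes) -> List[str]:
    """Walk the record stream and return findings (an empty list means nothing suspicious)."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return ["truncated: no room for the 18-byte metafile header"]
    mt_type, header_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or header_words != 9:
        return ["not a WMF: unexpected mtType/mtHeaderSize"]
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            findings.append(f"truncated at offset {off}: stream ends before META_EOF")
            break
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if size_words < 3 or off + rec_len > len(data):
            # rdSize counts the 3-word record header itself, so anything smaller
            # (or a record running past end of file) is malformed and worth flagging.
            findings.append(f"malformed record at offset {off}: rdSize={size_words} words, function=0x{func:04x}")
            break
        params = data[off + 6 : off + rec_len]
        if func == META_ESCAPE and len(params) >= 4:
            # rdParm[0] is the escape number, rdParm[1] the byte count of escape data
            escape_no, nbytes = struct.unpack_from("<HH", params, 0)
            if escape_no == SETABORTPROC:
                findings.append(f"META_ESCAPE SETABORTPROC at offset {off} carrying {nbytes} bytes of data")
        if func == META_EOF:
            break
        off += rec_len
    return findings


def _record(func: int, params: bytes) -> bytes:
    """Encode one WMF record; rdSize is in 16-bit words and includes the 6-byte record header."""
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: List[bytes]) -> bytes:
    """Wrap records in a standard 18-byte metafile header (mtType=2, disk metafile)."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


def build_benign_wmf() -> bytes:
    """Constructed sample: one SETMAPMODE record, then EOF."""
    return _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)), _record(META_EOF, b"")])


def build_suspicious_wmf() -> bytes:
    """Constructed sample shaped like the exploit files: a SETABORTPROC escape whose
    data is placeholder bytes (0xCC) standing in for a payload, then EOF."""
    payload = b"\xcc" * 16
    escape = struct.pack("<HH", SETABORTPROC, len(payload)) + payload
    return _wmf([_record(META_ESCAPE, escape), _record(META_EOF, b"")])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line in scan_wmf(fh.read()) or ["clean"]:
                print(f"{path}: {line}")
```

Run it over a directory of downloaded images (or over files an iframe points at, as in the hacked-site case later in the comments) and anything reporting SETABORTPROC deserves a look; a truncated or malformed record is a weaker signal on its own, since sloppy image tools also produce those.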

39 Responses to WMF vulnerability

  1. I remember back a few months ago that there was a buzz about going after those kinds of websites and laying down the law. It seems to have taken a back burner for some reason. I can understand if it is a legit situation and those instances are rare, but installing something without consent should be a felony.

  2. It’s VERY nice to finally see someone mentioning this and associating it with the “scuzzy part of the internet”, as opposed to the typical “we’re all doomed, m$ is evil” FUD so common with vulnerability mentions.

    A shame you have to browse “that part” of the internet, but at least you’re better informed/prepared than the typical user.

    Mike – there’s always a buzz about shutting down “those sites” but it always fades down when they realise they’re hosted in Russia/China/whatever less-scrupulous country.

  3. Ben- Excellent point. Can’t do much about that.

  4. Hi Matt

    Nice to see you post again.

    “pages which exploit browser security holes …”

    Does that apply to all browsers including Netscape 7.2, for example?

    Thanks.

  5. With the new hacking laws in the U.S. I doubt anybody from the U.S. would try and exploit this sort of bug. Then again, you never know. Glad Google is taking some action!

  6. “Does this help my users? Would I do this if search engines didn’t exist?”

    For some reason that makes me laugh. I miss the days when I didn’t know a thing about search engines; then the “Florida” update hit and I started visiting forums to try to figure out what the hell was going on. We sadly have to pay attention to search engines because they can and do get it wrong, Matt.

  7. “I sometimes have to for my job, for example”

    Life is tough sometimes, hey? LOL

  8. RE: “Does this help my users? Would I do this if search engines didn’t exist?”

    Hold on! I wouldn’t make a Google site map for my users 🙂

  9. RE:RE: “Does this help my users? Would I do this if search engines didn’t exist?”

    Yes, I’ll make 40 sites selling the same products and then will crosslink them together.

    This will be good for my users as they will find my products easily. Also, this is good for me because they will purchase the products from my sites only. And finally, this is good for Google, because I’ll use slightly different templates so Google will not trigger a filter and will not catch me 🙂

    P.S. Hey, this is not me! I’m innocent 🙂
    But I have a good example of this performing really well in the SERPs.

  10. Dear Mattcutts

    Our site http://www.spiritindia.com was removed from G’s esteemed index in Aug.

    Then we examined our site against your guidelines thoroughly… in the last 4 years, it had some duplicate URLs, and some hidden text (as one of my assistants made a mistake to boost SE rankings), and other related issues. After correcting all issues, and religiously following G’s guidelines, I applied for re-inclusion ([#32688030] Re-inclusion Request) on 29th Aug. But I have not recd. any feedback… Please help me if there are any issues with http://www.spiritindia.com; we can take further steps to make it more compatible with G’s guidelines. We can assure you that we will be following G’s guidelines always now.

    Wishing you all a very very Happy New Year 2006.

    Thanks & warm regards

    Dr. Anil Singhal, MD.

  11. Excellent point Dave… Maybe MSN or Yahoo! will penalize you for running Google sitemaps 🙂

  12. Hi Matt

    With the test DC you talked about improvements with Canonical and 301 issues.

    I can see that a lot of Home Page Canonical issues now seem to be resolved – however, these pages still don’t rank – often outranked by internal pages (old supplementals) from the site.

    In time now that you have identified the Canonical Homepage would you expect that these pages actually regain some rank – so at very least when you look for the site by company name the homepage would be the first returned from the site.

    Thanks if you are able to give any indication on this – it just seems at this stage that the identification of the correct canonical has occurred – but the rankings are still poor for sites that have suffered from the problem for a while.

    Hope you had a Good Xmas and Happy New Year.

    Cheers

    Stephen

  13. >Maybe MSN or Yahoo! will penalize you for running Google sitemaps

    MSN parses Google XML Sitemaps and spiders the harvested URLs, submit the XML file here: http://search.msn.com/docs/submit.aspx?FORM=WSDD2

    For Yahoo convert your XML sitemap to RSS or plain text (one URI per line) and submit it here: http://submit.search.yahoo.com/free/request

    And for your users add an XSLT stylesheet to the header: http://enarion.net/google/sitemaps/stylesheet/

  14. I think the Google ‘policing’ is great. What is very frustrating however, is when you spend a great deal of time (5 years) and money creating what you feel is a good, quality site. The site is an integral, if not primary source of income for the owner, and then Google arbitrarily removes it from the index (not lowers its rank, but removes altogether), with NO clue as to WHY. The site would be changed if the problem was brought to our attention, but we have NO clue. We can’t find out. No one will communicate. When someone supposedly does something ‘wrong’, one can usually find out WHY and then correct it. Except when “Big Brother Google” is watching. Then you just take your lumps and go out of business. It does not seem fair.

  15. Fred – What I am going to do in the new year is clone my websites to my hard disk. If I do something that the engines are not yet smart enough to understand I will put it back online just the way it was before I made a change.

  16. Would this include certain affiliate programs that offer toolbars too?
    I know these are classed as adware/spyware etc.

    The program I’m thinking of doesn’t install without the user’s consent.

  17. Fred, from what I’ve seen, it takes a LOT to get removed from Google.

    Example: http://www.txt2nite.com has been reported by tons of people, tons of times for having hidden text at the very bottom.

    It’s still regarded highly in google, in some places even as an authority site (as evidenced by the #1 result, and the “more results from this site” feature)

    I keep seeing sites rewarded for their hidden text etc.. It starts to make me think that hidden text is not only OK, but is a good way to get a high Google rank.

  18. Great post, Matt. I’m glad to hear Google is penalizing the crooks who do this stuff. Thanks for the tip, too.

  19. I think this would make a nice add-on for the Google toolbar. US surfers can already play with anti-phishing extensions for FireFox via Google but everyone would benefit if the Google toolbar warned you if you surfed to a spyware-banned URL.

  20. Matt, what is the switch to turn the DLL back on again?

  21. Ryan:

    Oh I know….. my favorite one is http://www.tommangone.com/HomePage This nut has MOST of his page filled with hidden text/ keywords. It’s a horrible site but ranks well on Google and has for a long time. Yet, he’s still there. Again, it really doesn’t make any sense sometimes. He is clearly in violation in regards to every search engine, yet he’s still there ranking high!

  22. Ryan,

    Maybe it does “take a LOT to get banned from Google” — sometimes. But not always. Sometimes it is, apparently, quite easy to find oneself gone from the listings.

    I still can’t figure out why SOS Math has been banned. It’s an educational site of long standing, highly regarded, with loads of quality in-links. But it’s been completely gone from Google for months now. And nobody seems to know why.

    Note: I’m not affiliated with the site in any manner. However, having a non-commercial educational site of my own, I’m worried that I might some day accidentally do whatever the heck SOS Math did and find myself banned, too.

    I’m afraid I find your assurances to be cold comfort.

  23. I don’t mind those crappy sites showing up in Google. It’s only when they’re #1 that it bothers me.

    They’re still helpful to the user, however they gained their rank unfairly and it shouldn’t count.

    I think it’s time for the google spider to start comparing background colors to text colors. All of that stuff is easily enough accessible.

    If the background color is too similar to the text color… don’t count any text in that color. They’re HEX values; comparing them is easy.

    That might actually be a fun project. Writing a spider that tries to identify a black hat site versus a white hat site. I wish I had the time.

  24. This was from the AP story about the vulnerability:

    “Current exploits use the Windows Picture and Fax Viewer to attack any application that can handle Windows Metafiles. Disabling the Windows Picture and Fax Viewer will not eliminate the risk as the flaw exists in the Windows Graphical Device Interface library.

    The flaw has also raised concerns that Google Desktop may be another potential attack vector, and that various antivirus software products cannot detect all known exploits for this vulnerability. ”

    The second paragraph is what interests me. Any Comments Matt?

    lots0, to turn it back on you would do the same thing without the “/u”, so “regsvr32 shimgvw.dll” would be the command; you can type regsvr32 /? to get all the command details.

  25. Regarding re-inclusion requests: I run a website and the hosting was hacked over a year ago, which resulted in a Trojan downloading to visitors to certain pages. After I realised what was going on I deleted the offending pages; however, a few weeks later the site was removed from the Google index. I thereafter decided to have a fresh start and I deleted the site completely, started again with a new design and new hosting and replaced absolutely every item of the old site except the page URLs and the text. I had it looked over by an SEO professional and submitted a re-inclusion request about a year ago. To date the site has not re-appeared in Google. The point of this diatribe is to ask, in all sincerity, whether or not all re-inclusion requests are actually considered. If they are then I won’t waste Google’s time any more by submitting other requests; however, if not all re-inclusion requests are actually considered then I will continue to submit.

  26. So Matt: when’s Astalavista gonna drop from Google for that stuff? 🙂

    Seriously…I think that the anti-jerkoffware measure on the part of Google is a good idea, but I’d like to see it taken one step further.

    You guys already can detect and block popup coding (not all the time, but I’d say in about 3/4 of the cases). Why not punish those guys too? After all, part of relevancy is perception of satisfaction by the user, and popups decrease satisfaction.

    Elizabeth: I might (don’t hold me to this, but it’s a very slight possibility and in your case, I’d try anything I could) have your answer.

    By the way, I assumed your site is http://www.sosmath.com .

    First of all, where it says Copyright © 2005…replace the © with &copy; (this is the proper HTML copyright code).

    Then, run it through the validator at http://validator.w3.org . An error will reveal itself here:

    Error Line 80 column 55: end tag for “FONT” omitted, but its declaration does not permit this.
    <font color="blue"><b>Search our site!</b></font></FORM>
    You forgot to close a tag, or
    you used something inside this tag that was not allowed, and the validator is complaining that the tag should be closed before such content can be allowed.
    The next message, “start tag was here” points to the particular instance of the tag in question); the positional indicator points to where the validator expected you to close the tag.

    Info Line 79 column 0: start tag was here.
    <font size=”-1″>

    Since you didn’t close this tag, it might appear to a crawler that all of the text from this point on is of size -1 (which would render it as invisible/hidden text…and that’s bad.)

    So…try getting your code to fully validate on as many pages as possible and submit a reinclusion request.

    It’s not very much of a chance…it’s a longshot at best. But the good part about doing things like validation is, if nothing else, it will improve user experience (since browsers aren’t messing with bad code.) So the way I see it, you’ve got nothing to lose.

    By the way, I like the site content concept.

  27. About a year ago at this time (seems an eternity SEO-wise) I tried to build a pop music directory by scraping Google pages and then manually editing the results…

    I stopped this practice because the results were so filthy with spyware and drive-by downloads that I spent more time restoring my system than editing music sites.

    I tried to have a bot custom-made to detect and delete these scoundrels from my database before they infected my system but the project bogged down and I found it easier to just develop a profile and blacklist for likely spyware sites. I think Google could actually do this where I failed though, spyware-free results would keep searchers away from those other search engines.

    shimgvw.dll is now disabled…
    I used to have all my graphics file associations pointing to tiny windows/system32/mspaint.exe, (332 KB) but any small graphics pgm should work–no need to load all of 50 MB just to peek at a pic.

  28. “I still can’t figure out why SOS Math has been banned. It’s an educational site of long standing, highly regarded, with loads of quality in-links. But it’s been completely gone from Google for months now. And nobody seems to know why.”

    Elizabeth/Ryan, I took a guess here:
    http://www.mattcutts.com/blog/directory-of-home-page-widgets/#comment-8101

  29. >> Elizabeth said,
    >> “I still can’t figure out why SOS Math has been banned….
    >> Note: I’m not affiliated with the site in any manner.”

    > Adam Senour said,
    >”I assumed your site is http://www.sosmath.com ….”

    When I said that I wasn’t affiliated with the site in any manner, I meant in part that. SOSMath is not my site.

    > Matt said,
    > “I suspect that pages like:
    > http://www.sosmath.com/payday-loans/payday-loans.html
    > http://www.sosmath.com/payday-loans/cash-advances.html
    > ….had very little to do with trigonometry or matrix algebra….”

    I’m getting 404 errors for these links…? And I can’t find the referenced directory in the Internet Archive version of the site (which, to be fair, only goes up through March 2005). Sorry.

  30. Hi, a friend’s website was hacked recently (hosted by ipowerweb). The hackers inserted an iframe at the top of the site’s index.php. The iframe pointed to a wmf file with the exploit. The site – trust4free.ws (do not go to this site) – is currently listed in Google’s index.

  31. Note that some software may re-register shimgvw.dll when it doesn’t see it there, so another workaround is to both unregister it, as Matt described above, and then rename the file to maybe something like shimgvw.dll.dead

  32. Elizabeth, check the most recent archive.org version of the sosmath.com home page. Here ya go:
    http://web.archive.org/web/20050329015405/http://www.sosmath.com/

    Note on the left-hand side at the bottom of the column:
    “Featured Loans:
    Payday loans”

    then start clicking. I believe sosmath.com was selling text pages and links on its site.

  33. Matt,

    Thank you for the info. I agree that the “payday loans” pages, entirely off-topic for the site, could easily have led to the entire site having been banned.

    While it’s disappointing that this otherwise-valuable educational site made such a poor marketing decision, it’s reassuring to me personally, since I would never degrade my site in this manner. I’d been concerned that my educational site might accidentally be banned, and now I know that I needn’t be worried.

    Thank you!

  34. Hi,
    I agree with Elizabeth that it was a poor marketing decision. For more on this issue please go to:
    http://www.mattcutts.com/blog/directory-of-home-page-widgets/#comment-9299
    By the way I am one of the three creators of SOSMATH.
    Cheers,
    Mohamed

  35. RE the SOSMath disappearance: I don’t see how those two pages shown (the ones with ads) are violations of the webmaster guidelines. Perhaps I’ve not read it carefully enough. What part of the guidelines cover this particular offense?

    What scares me (as a webmaster for a small group of web sites) is that I will unknowingly commit an error of this kind.

    Google really should try to find a way to communicate the nature of an offense to a webmaster – I know that G wants to prevent hacking the algo, but this is really bad – having a site drop out of G’s index without the webmaster knowing what caused it is just scary. And I would think it tends to build up animosity from webmasters who are not really trying to game the system.

  36. ABC Amber Image Converter. The software supports batch conversion, running from the command line, more than 50 languages and comes with an embedded viewer. Batch conversion ability allows you to convert an unlimited number of images at a time.

    http://www.yaodownload.com/video-design/imagecompression/abc-image-converter_imagecompression.htm

  37. I’m mildly amused that many of the people responding to this thread think the only sites that have these types of scripts in them are those “bad sites” from the “other side of the web”.

    Hate to burst all your bubbles (not really) but many of the sites with these scripts in them have been breached, or the entire shared server has been breached. Hundreds of innocent sites infected and nothing is being done about it by anyone.

  38. Funny enough, for the past couple of weeks I’ve been searching for a good
    mathematics site to update my limited math skills.

    Thanks, sosmath.com looks to be just what the doctor ordered.
    It’s funny how sometimes you find exactly what you’re looking for
    in the most unlikely of places.

  39. Additional info:

    According to: (which I found via Google)
    http://snort.iatp.by/acid/acid_qry_alert.php?submit=%236-(2-507)&sort_order=
    the code leads to a page on this site: (which has a GPR = 5)
    http://www.red.by

    What is the point of this?
    How can this code be of any use against email spamming as suggested above?
