Another WMF exploit has been published

  • Thread starter: Ian Kenefick
Source: http://isc.sans.org/diary.php?storyid=992
and http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

It might be a good idea to apply that patch Mikko Hypponen (F-Secure)
mentions in his post on the F-Secure Weblog (see link) as new code
exploiting the WMF vulnerability has been published on a well known website.

Still no vendor patch... cringe :-/

Win 2K/XP users should keep an eye on this web site for Ilfak's latest
hotfix version:

http://www.hexblog.com/2005/12/wmf_vuln.html

I just now sent Ilfak a copy of the gdi32.dll file (per his request)
from my Win 2K Pro machine on which the current version refuses
to install. I expect he will update his patch soon to cover more
situations where it refuses to install.

Maybe at some point Ilfak will expand his fix to include Win 98/ME ...
I dunno.

Art

http://home.epix.net/~artnpeg
 
Art said:
Win 2K/XP users should keep an eye on this web site for Ilfak's latest
hotfix version:

http://www.hexblog.com/2005/12/wmf_vuln.html

I just now sent Ilfak a copy of the gdi32.dll file (per his request)
from my Win 2K Pro machine on which the current version refuses
to install. I expect he will update his patch soon to cover more
situations where it refuses to install.

Maybe at some point Ilfak will expand his fix to include Win 98/ME ...
I dunno.

Thanks for the update Art. Keep us posted on what you find out.

Happy new year and all that :-)
 
Thanks for the update Art. Keep us posted on what you find out.

Ilfak just sent me a "1.3" version which worked on my Win 2K. He will
have that up at his site shortly.

I asked him about Win ME and 98 ... and if 98 is truly vulnerable. I
also asked if there's some test site to check his patch. I kinda doubt
he will dig into the 98/ME cases, but we shall see.
Happy new year and all that :-)

Happy new year to you and all the regulars!

Art

http://home.epix.net/~artnpeg
 
Ian Kenefick said:
Source: http://isc.sans.org/diary.php?storyid=992
and http://www.f-secure.com/weblog/archives/archive-012006.html#00000758

It might be a good idea to apply that patch Mikko Hypponen (F-Secure)
mentions in his post on the F-Secure Weblog (see link) as new code
exploiting the WMF vulnerability has been published on a well known website.

Still no vendor patch... cringe :-/

One downside of using regsvr32 /u shimgvw.dll here seems to be that it
seems to prevent my viewing photos (JPGs) in Thumbnail mode. I have
re-instated it with
Run | regsvr32 shimgvw.dll and immediately got thumbnails back. Anyone
else able to confirm this please?
 
Terry Pinnell said:
One downside of using regsvr32 /u shimgvw.dll here seems to be that it
seems to prevent my viewing photos (JPGs) in Thumbnail mode. I have
re-instated it with
Run | regsvr32 shimgvw.dll and immediately got thumbnails back. Anyone
else able to confirm this please?

Yes, the loss of thumbnails is a side effect of unregistering
shimgvw.dll.
 
Yes, the loss of thumbnails is a side effect of unregistering
shimgvw.dll.

Thanks. Can you also please clarify whether unregistering shimgvw.dll
is *necessary*, if I've run the unofficial patch? Meanwhile I've
re-registered it, as I can't get far without thumbnails <g>.
 
Terry Pinnell - 03.01.2006 08:49 :
Thanks. Can you also please clarify whether unregistering shimgvw.dll
is *necessary*, if I've run the unofficial patch? Meanwhile I've
re-registered it, as I can't get far without thumbnails <g>.

if you run the unofficial patch (mentioned in this thread) there is no
need to unregister the dll, AFAIK.
 
Thanks. Can you also please clarify whether unregistering shimgvw.dll
is *necessary*, if I've run the unofficial patch? Meanwhile I've
re-registered it, as I can't get far without thumbnails <g>.

Since Ilfak's fix operates directly with the culprit gdi32.dll file
(in memory), it shouldn't be necessary to also unregister shimgvw.dll.

BTW, Ilfak provides this vulnerability check program:

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Note that this is only useful for the NT based OS (not Win 98/ME).
Also, it only checks for the particular vulnerability in question.

Art

http://home.epix.net/~artnpeg
 
Must say it seems bizarre to me that a freelance programmer had a fix
out for this within hours, yet still nothing from MS!

Ilfak isn't a freelance programmer. He's the author of IDA:

http://www.datarescue.com/idabase/

and a recognized expert on Windows programming. He simply had
a need for a fix and was able to come up with a clever one quickly.
Some of us had to help him out by supplying him with gdi32.dll files
from our machines. For example, his version 1.2 didn't work on my
particular Win 2K PC but it worked on some others. He hasn't
addressed the Win 98/ME cases yet, and may not bother.

So while Ilfak's fix is a real boon to many professionals and home
users alike as a temporary measure, it's not in the same category
as a vendor patch which must go through quite a bit of testing.

Art

http://home.epix.net/~artnpeg
 
Art said:
BTW, Ilfak provides this vulnerability check program:

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Has anyone come up with a .WMF file that is both an exploit and a
tester? In other words, a .wmf file that performs the exploit and if
successful displays a message saying it was successful?

Or how about a combination of a partially-infective .WMF file and an
executable (OS independent) that can test the wmf file against the OS
and determine if the OS is vulnerable to the exploit?

The above-mentioned vulnerability checker ->probably<- just looks for
the existence of specific files (like gdi32.dll and/or shimgvw.dll
and/or specific versions of those two) and reports back that yup-
you've got them and you're vulnerable).
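Since the thread is guessing at what a WMF checker might look at, here is an added example of the file-side approach, not something from the thread and not Ilfak's tool. It walks the WMF record stream and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC (escape function 9), which is the GDI feature at the centre of this WMF flaw (a fact not stated in the thread). It assumes the standard WMF layout: an optional 22-byte placeable header (magic 0x9AC6CDD7), an 18-byte metafile header, then records of rdSize (DWORD, in 16-bit words), rdFunction (WORD) and parameters. A record whose declared size does not fit the file is also reported, because a scanner that just gives up on a malformed record would miss exactly the files worth catching. The sample files at the bottom are constructed inline; they contain no payload and are only there to exercise the scanner.

```python
"""Scan WMF files for META_ESCAPE/SETABORTPROC records (added example)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header that precedes some WMFs
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009         # GDI Escape() sub-function code for SETABORTPROC


def iter_wmf_records(data):
    """Yield (offset, function, params, ok) for each WMF record.

    ok=False marks a record whose declared size does not fit in the file;
    whatever parameter bytes remain are still returned so the caller can
    look at them, and iteration stops there.
    """
    pos = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]  # mtHeaderSize
    pos += header_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        rec_len = size_words * 2
        if rec_len < 6 or pos + rec_len > len(data):
            yield pos, func, data[pos + 6:], False
            return
        yield pos, func, data[pos + 6:pos + rec_len], True
        if func == META_EOF:
            return
        pos += rec_len


def scan_wmf(data):
    """Return offsets of SETABORTPROC escapes plus a malformed-record flag."""
    result = {"setabortproc_offsets": [], "malformed": False}
    for offset, func, params, ok in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            # First WORD of an escape record's parameters is the escape code.
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                result["setabortproc_offsets"].append(offset)
        if not ok:
            result["malformed"] = True
            break
    result["suspicious"] = bool(result["setabortproc_offsets"]) or result["malformed"]
    return result


def build_wmf(records, placeable=False):
    """Constructed sample input: assemble a minimal WMF from (function, params)."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    max_words = max((6 + len(p)) // 2 for _, p in records)
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    prefix = b""
    if placeable:
        # magic, handle, bounding box (4 words), inch, reserved, checksum
        prefix = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


# Constructed samples: a plain drawing record, the same plus a SETABORTPROC
# escape, a placeable variant, and one whose escape record claims a bogus size.
_SETBK = (META_SETBKMODE, struct.pack("<H", 1))
_ESCAPE = (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00")
BENIGN_WMF = build_wmf([_SETBK, (META_EOF, b"")])
SUSPICIOUS_WMF = build_wmf([_SETBK, _ESCAPE, (META_EOF, b"")])
PLACEABLE_WMF = build_wmf([_SETBK, _ESCAPE, (META_EOF, b"")], placeable=True)
MALFORMED_WMF = build_wmf([_ESCAPE, (META_EOF, b"")])
MALFORMED_WMF = MALFORMED_WMF[:18] + struct.pack("<I", 0x7FFFFFFF) + MALFORMED_WMF[22:]

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF),
                       ("placeable", PLACEABLE_WMF), ("malformed", MALFORMED_WMF)]:
        print(name, scan_wmf(blob))
```

This answers the thread's question about the checker from the other direction: Ilfak's program tests the system, while a scanner like this tests a file, and the two are complementary. A file scanner only tells you a WMF carries the record the flaw is triggered through; it says nothing about whether the machine that opens it is patched.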
 
Art said:
So while Ilfak's fix is a real boon to many professionals and home
users alike as a temporary measure, it's not in the same category
as a vendor patch which must go through quite a bit of testing.

Yup. People expect entirely different levels of reliability, comparing
donated patches and work-arounds with "official" ones from a vendor. We
would be hearing all sorts of screams of bloody murder had MS released a
fix that did not work on some computers.
 
Art said:
Since Ilfak's fix operates directly with the culprit gdi32.dll file
(in memory), it shouldn't be necessary to also unregister shimgvw.dll.

BTW, Ilfak provides this vulnerability check program:

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html

Note that this is only useful for the NT based OS (not Win 98/ME).
Also, it only checks for the particular vulnerability in question.

Art

http://home.epix.net/~artnpeg

Thanks (for both your posts). I found and ran the vulnerability
checker yesterday, just after installing the patch, but *before*
rebooting. So I'm unsure how to interpret its report that I was NOT
vulnerable! I went ahead with the reboot, and that's the status right
now. Maybe the patch was/is redundant here (on an XP Home SP1 PC,
running Firefox as browser)?

My apologies to Ilfak for describing him as a freelance programmer!
 
Peter Seiler said:
Terry Pinnell - 03.01.2006 08:49 :

if you run the unofficial patch (mentioned in this thread) there is no
need to unregister the dll, AFAIK.

Thanks. Elsewhere I've seen some contradictory posts on this point, so
thanks to you and Art for the definitive statement. Good news anyway,
as it gives me my thumbnails back <g>.

BTW, another issue on which there seems widely varying opinions is the
*severity* of this threat. Some

Most threads/forums seem to imply it is a very serious flaw.
Yet McAfee says Risk Assessment
- Home Users: Low
- Corporate Users: Low
And Kaspersky rates it as "moderate risk":
Yet also adding "The vulnerability itself is regarded as extremely
critical (the highest possible rating). As yet, there is no patch
for this vulnerability."

So, is this low, medium or high risk?!
 
Virus said:
Art wrote:
Has anyone come up with a .WMF file that is both an exploit and a
tester? In other words, a .wmf file that performs the exploit and if
successful displays a message saying it was successful?

VG,

Andrew Johnson posted this in GRC:

(
Ron :)
 
The above-mentioned vulnerability checker ->probably<- just looks for
the existence of specific files (like gdi32.dll and/or shimgvw.dll
and/or specific versions of those two) and reports back that yup-
you've got them and you're vulnerable).

Then why does it report vulnerability on an unfixed machine? Please
engage brain to prevent uttering gibberish.

Art

http://home.epix.net/~artnpeg
 