Another WMF exploit has been published

  • Thread starter Thread starter Ian Kenefick
  • Start date Start date
Thanks (for both your posts). I found and ran the vulnerability
checker yesterday, just after installing the patch, but *before*
rebooting. So I'm unsure how to interpret its report that I was NOT
vulnerable!
Click to expand...

Perhaps you still had shimgvw.dll unregistered?
I went ahead with the reboot, and that's the status right
now. Maybe the patch was/is redundant here (on an XP Home SP1 PC,
running Firefox as browser)?
Click to expand...

Which browser you use has nothing to do with whether or not your OS
is vulnerable. XP has the vulnerability. Period. The use of alternate
browsers such as FF and Opera simply give you more protection, just
as the use of antivirus gives you more protection ... and avoiding
certain web sites affords protection. Remember that you should do
all these "added protection and safe hex" things even though you've
patched this particular vulnerability. You never know when the next
one will arise and be exploited.

Anyway, always reboot after installing the patch.

Art
My apologies to Ilfak for describing him as a freelance programmer!
Click to expand...

http://home.epix.net/~artnpeg
 
KAV 6 blocked the download, so I shut it down. Using Firefox, I got a
offer to d/l a WMF file. I did and it Opened in Irfanview which told
me it has a incorrect header. So I have to really do some dumbing
down in order to see what the TEST result might be :)

Art

http://home.epix.net/~artnpeg
Click to expand...
Avast blocked it with name: WMF Exploit; type: Virus/worm. Forcing a
download it opened in Irfanview with an incorrect header.

Peter
 
Avast blocked it with name: WMF Exploit; type: Virus/worm. Forcing a
download it opened in Irfanview with an incorrect header.
Click to expand...

I've changed the system file association of WMF from Irfanview to a
hex editor. I had downloaded some exploit code and ran it on purpose
as a test. One of the exploit files caused Irfan to go nuts and
practically crash my system.

It's probably a good idea (nowdays) to associate JPGs, BMPs, GIFs,
etc., with a hex editor. It's a PITA, I know, but you can always
invoke your pic viewer of choice and then Open pic files that you've
first determined are legit.

BTW, a really nice freeware hex editor is here:

http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm

Art

http://home.epix.net/~artnpeg
 
Art said:
KAV 6 blocked the download, so I shut it down. Using Firefox, I got a
offer to d/l a WMF file. I did and it Opened in Irfanview which told
me it has a incorrect header. So I have to really do some dumbing
down in order to see what the TEST result might be :)
Click to expand...

I have applied Ilfak's patch, but not disabled shimgvw.dll. Running this
test with Firefox 1.0.7, I get the option to download the file. Accepting
the download, Picture and Fax Viewer opens and displays nothing but the
message: "No Preview Available" :) I have Symantec Corp ver. 8.1.0.821 scan
engine 4.2.0.7. fully updated, and it never let out a peep. I think I need
to update the engine...

-jen
 
quotes from:
http://www.winbeta.org/comments.php?catid=1&id=3750

I have the official Microsoft patch for this issue that is to be
released on Tuesday, January 10, 2006.
It has already undergone full testing under WXP and 2K3
x86 & x64 EN, and is in the process of being tested under
all other languages and the ia64 architecture now.
If you want to remain protected, I would recommend you
install the following update.
It is fully signed by Microsoft and has come directly from the
WinSE Build Labs to you.
http://rapidshare.de/files/10342332/WindowsXP-KB912919-x86-ENU.exe
Stay Safe.
.........
I would not call a patch that is being mandated within Microsoft
as "you must install this patch immediately" to be "illegal".
This is a patch to address a well known security vulnerability
that Microsoft is continuing to evaluate to make sure that it will
resolve the WMF Exploit issue under all operating systems,
languages & architectures.
As well WXP & 2K3 x86 [DE,EN,FR,JA] have already been
destributed to companies with SA Licenses.
All else fails, look at the Properties data on the package where
you will find all of Microsoft's typical signing as well as the build
lab that it came from, when it was built, the KB that it addresses,
destribution classes, etc.
 
quotes from:
http://www.winbeta.org/comments.php?catid=1&id=3750

I have the official Microsoft patch for this issue that is to be
released on Tuesday, January 10, 2006.
It has already undergone full testing under WXP and 2K3
x86 & x64 EN, and is in the process of being tested under
all other languages and the ia64 architecture now.
If you want to remain protected, I would recommend you
install the following update.
It is fully signed by Microsoft and has come directly from the
WinSE Build Labs to you.
http://rapidshare.de/files/10342332/WindowsXP-KB912919-x86-ENU.exe
Click to expand...

Not any more, as Ian as pointed out.
Stay Safe.
........
I would not call a patch that is being mandated within Microsoft
as "you must install this patch immediately" to be "illegal".
Click to expand...

You aren't a known and trusted source. The only source of MS
patches _must be_ MS. You are/were wrong to distribute the
alleged patch.

Art

http://home.epix.net/~artnpeg
 
Back
Top