MS (in)security warning

  • Thread starter: Art

Since Win98SE has no copy of SHIMGVW.DLL to un-register, is there
no vulnerability?

The only .wmf on my computer, C:\WINDOWS\SYSTEM\SPBANNER.WMF, which
I can open with Quickview. Are you aware of a safe site that uses
Windows Media Files that I could test Firefox and IE6?

I have been following this topic at http://sunbeltblog.blogspot.com/
for several days but all conversations involve protecting servers,
XP home and Pro.

TIA,

BoB
 
Since Win98SE has no copy of SHIMGVW.DLL to un-register, is there
no vulnerability?

That's odd. Several sources claim Win 98 is vulnerable. Confusion
abounds as usual whenever some new unpatched security threat
arises.
The only .wmf on my computer, C:\WINDOWS\SYSTEM\SPBANNER.WMF, which
I can open with Quickview. Are you aware of a safe site that uses
Windows Media Files that I could test Firefox and IE6?

You mean Windows MetaFiles. No I don't.
I have been following this topic at http://sunbeltblog.blogspot.com/
for several days but all conversations involve protecting servers,
XP home and Pro.

Well, one of my machines is Win ME, and it definitely has that dll
file. So does my Win 2K Pro. I've unregistered the dll and I've
associated .WMF with IrfanView on both machines. Other approaches
include the following for internet protection/blocking:

Kerio is being used to block the files:

http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html

and a filter for Proxomitron users (down the page aways):

http://my.opera.com/community/forums/topic.dml?id=117908

And the site you mentioned talks about both software and hardware
enforced DEP (whatever in the hell that is :)):

http://sunbeltblog.blogspot.com/

Art

http://home.epix.net/~artnpeg
 
Well, one of my machines is Win ME, and it definitely has
that dll file. So does my Win 2K Pro. I've unregistered the
dll and I've associated .WMF with IrfanView on both
machines. Other approaches include the following for
internet protection/blocking:

Kerio is being used to block the files:

http://sunbeltblog.blogspot.com/2005/12/protect-yourself-from-wmf-exploit.html

and a filter for Proxomitron users (down the page aways):

http://my.opera.com/community/forums/topic.dml?id=117908

Art,

A blurb at a.c.f claims that Irfanview is affected, too.

BTW, DEP (data execution prevention): h/w won't allow execution
in memory marked as data storage

J
 
Art said:
And the site you mentioned talks about both software and hardware
enforced DEP (whatever in the hell that is :)):

http://sunbeltblog.blogspot.com/

Art

http://home.epix.net/~artnpeg

Art,

I am glad that you brought up DEP. Here is more on the DEP
hardware/software issue:

(http://sunbeltblog.blogspot.com/2005/12/note-on-dep-and-wmf-exploit.html)
Short Version: (http://tinyurl.com/becak)

Last Spring I purchased a WinXP box with a 3GHz Pentium 4. I paid a
hell of a lot more for the P4 instead of a cheap, stripped down
processor, but it evidently doesn't support hardware-enforced DEP. WTF
is up with that?

Ron :)
 
Art,

A blurb at a.c.f claims that Irfanview is affected, too.

By Aaron? I saw that speculation and paranoia :)

BTW, for anyone interested in trying out filtering methods, I put up a
benign WMF file at the top of my web page. You have to use IE for the
test since all you see with Firefox and Opera is the text TEST WMF
FILE. With IE you see the graphic image rendered, and when you click
on it, you see a small popup offering some options, such as to Save or
Print the image file. Presumably, a working filter would block the
download ... you would be unable to Save or Print the image. The image
file is named IAMHAPPY.WMF

Art

http://home.epix.net/~artnpeg
 
Art said:
BTW, for anyone interested in trying out filtering methods, I put up a
benign WMF file at the top of my web page. You have to use IE for the
test since all you see with Firefox and Opera is the text TEST WMF
FILE. With IE you see the graphic image rendered, and when you click
on it, you see a small popup offering some options, such as to Save or
Print the image file. Presumably, a working filter would block the
download ... you would be unable to Save or Print the image. The image
file is named IAMHAPPY.WMF

Art,

Here is another link for your info list:
(http://secunia.com/advisories/18255/)

1) Has anyone seen this exploit with an email client such as Outlook,
OE, Opera, Thunderbird, Netscape, etc.?

2) Is there anyone with half a brain who still thinks that using HTML,
or God forbid EML, for email is a good idea?

Ron :)
 
By Aaron? I saw that speculation and paranoia :)

BTW, for anyone interested in trying out filtering methods,
I put up a benign WMF file at the top of my web page. You
have to use IE for the test since all you see with Firefox
and Opera is the text TEST WMF FILE. With IE you see the
graphic image rendered, and when you click on it, you see a
small popup offering some options, such as to Save or Print
the image file. Presumably, a working filter would block
the download ... you would be unable to Save or Print the
image. The image file is named IAMHAPPY.WMF

Art

http://home.epix.net/~artnpeg

Yeah, pro'ly.

Thanks for putting up the .WMF. It'll be handy for testing of
Proxomitron filters

J
 
[snip]
BTW, for anyone interested in trying out filtering methods, I put up a
benign WMF file at the top of my web page. You have to use IE for the
test since all you see with Firefox and Opera is the text TEST WMF
FILE. With IE you see the graphic image rendered, and when you click
on it, you see a small popup offering some options, such as to Save or
Print the image file. Presumably, a working filter would block the
download ... you would be unable to Save or Print the image. The image
file is named IAMHAPPY.WMF

Art

http://home.epix.net/~artnpeg

Sunbelt Kerio Personal Firewall with the WMF patches seems to work--I
can find the WMF references when viewing source, but no graphic nor
"TEST WMF FILE" shows up on the page when viewed with Maxthon (which
uses the IE rendering engine).

Larry
 
Sunbelt Kerio Personal Firewall with the WMF patches seems to work--I
can find the WMF references when viewing source, but no graphic nor
"TEST WMF FILE" shows up on the page when viewed with Maxthon (which
uses the IE rendering engine).

I see the graphic rendered using Maxthon just as with IE.

Art

http://home.epix.net/~artnpeg
 
Art said:
Well, one of my machines is Win ME, and it definitely has that dll
file. So does my Win 2K Pro. I've unregistered the dll

Art, did you see the speculation that gdi32.dll was the real culprit? I
think it was in the privacy ng. I found this dll in my Win98SE machine.

I will be duly and properly embarrassed if that was you who posted the
notice. I cannot relocate it to directly reference.

http://www.viruslist.com/en/weblog?weblogid=176892530

(snip)
Going back to the wmf vulnerability itself, we see a number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which
shimgvw.dll has been unregistered and deleted. The vulnerability seems
to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable, several
attack scenarios come to mind where the system can still be compromised.
It has to be noted that in this case the attack vector of web browsers
seems significantly smaller than that of explorer+third party programs.

(snip to end)
 
[snip]
No. I find I can't use Kerio.


Me too. So maybe the Kerio filter prevents the rendering of the image?
Did you try IE?

Art

http://home.epix.net/~artnpeg

I applied the fix by HexBlog
(http://www.hexblog.com/security/files/wmffix_hexblog11.exe) then
uninstalled Sunbelt KPF and the graphic now displays. Didn't try IE.
I'm now going to re-register SHIMGVW.DLL and wait for a MS update, and
get on with my life. :o)

I did find Sunbelt KPF was slowing things down quite a bit, and I have
a router with firewall, so can gladly do without it. However, I'll
keep the SKPF and SHIMGVW.DLL options in mind for my WinME clients. I
use W2K.

Cheers,
Larry
 
Art, did you see the speculation that gdi32.dll was the real culprit?

Yes. Q has posted a link on acv to a hotfix which has now been updated
to include Win 2K as well as XP. However, it refused to install on my
Win 2K Pro for some unknown reason.

I've installed the Kaspersky realtime hotfix (I'm using their Beta
version 6 right now).
I think it was in the privacy ng. I found this dll in my Win98SE machine.

It will be interesting to see what MS comes up with in the way of
patches for the various OS ... and whether or not Win 98 will be
included.

Art

I will be duly and properly embarrassed if that was you who posted the
notice. I cannot relocate it to directly reference.

http://www.viruslist.com/en/weblog?weblogid=176892530

(snip)
Going back to the wmf vulnerability itself, we see a number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on which
shimgvw.dll has been unregistered and deleted. The vulnerability seems
to be in gdi32.dll.

So while unregistering shimgvw.dll may make you less vulnerable, several
attack scenarios come to mind where the system can still be compromised.
It has to be noted that in this case the attack vector of web browsers
seems significantly smaller than that of explorer+third party programs.


http://home.epix.net/~artnpeg
 
Art said:
It will be interesting to see what MS comes up with in the way of
patches for the various OS ... and whether or not Win 98 will be
included.

"Why am I not filled with optimism?"
 