WMF exploit unofficial patch



SANS is discussing the unofficial patch for the WMF vulnerability. One of their handlers helped extend it to work on XP SP1 and Windows 2000. They’ve also examined the patch thoroughly, and it sounds as though it’s very well done.


We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn’t always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here.
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll’s Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this …

Patching with unofficial patches is very risky business; this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

Also there are new Bleeding Snort signatures for the NEW version of the exploit. There is a good deal of text information that you should read before using them. Also it should be noted they haven’t been thoroughly tested for false positives/negatives.
