WMF exploit unofficial patch



Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They’ve also looked at the patch thoroughly and it sounds as though it’s very well done.


We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn’t always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here.
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It then will then patch (in memory) gdi32.dll’s Escape() function so that it ignores any call using the SETABORTPROC (ie. 0×09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this …

Patching with unofficial patches is very risky business, this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

Also there are new Bleeding Snort signatures for the NEW version of the exploit. There is a good deal of text information that you should read before using them. Also it should be noted they haven’t been thoroughly tested for false positives/negatives.

Related Posts

Blog Traffic Exchange Related Posts
  • Microsoft releases patch early for WMF exploit Microsoft has released the patch for the WMF vulnerability that's been all over the news early. It was released to http://windowsupdate.microsoft.com ahead of the previously announced January 10th "patch Tuesday". Congrats to Microsoft for getting this out the door early. That should go a long ways to blunting the attacks......
  • Another problem with one of the Microsoft Patches... Last month, April, the Microsoft patch cycle had one problem patch that broke certain explorer extensions (most notable some HP software...) This time around it looks like the Flash patch that they distributed has given a few people fits. For starters, yes it's odd for Microsoft to distribute a patch......
  • Update on the Internet Explorer VML vulnerability Just catching up on the days VML vulnerability news from today.... It looks as though... the exploit is now MUCH more widespread this blog has some video of an infection, what's notable is that the first take was VERY UNEVENTFUL, it was used to stealthily install a keylogger. (So that......
Blog Traffic Exchange Related Websites
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site