WMF exploit unofficial patch



SANS is discussing the unofficial patch for the WMF vulnerability. One of their handlers helped extend it to work on Windows XP SP1 and Windows 2000. They have also examined the patch thoroughly, and it sounds as though it is very well done.


We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn’t always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here.
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It will then patch (in memory) gdi32.dll’s Escape() function so that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this …

Patching with unofficial patches is very risky business; this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

There are also new Bleeding Snort signatures for the new version of the exploit. They come with a good deal of accompanying text that you should read before using them. Note also that they have not been thoroughly tested for false positives or negatives.
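
The SETABORTPROC escape described in the quoted note can also be looked for in a file at rest. The following Python sketch is an added example, not code from the original post, the SANS diary or the Bleeding Snort signatures: it walks a WMF record list and reports META_ESCAPE records whose escape code is 0x09. The function names and the sample byte strings are constructed for illustration.

```python
import struct

META_ESCAPE = 0x0626          # WMF record function number for Escape()
META_EOF = 0x0000             # terminating record
SETABORTPROC = 0x0009         # the escape code the hotfix makes Escape() ignore
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header

def find_setabortproc(data: bytes) -> list[int]:
    """Return file offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    pos = 0
    # Skip the placeable header if present; the standard header follows it.
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("too short for a WMF header")
    ftype, hdr_words = struct.unpack_from("<HH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a standard WMF header")
    pos += hdr_words * 2
    hits = []
    while pos + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, 16-bit function, parameters.
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            raise ValueError(f"corrupt record size at offset {pos}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            (escape_code,) = struct.unpack_from("<H", data, pos + 6)
            if escape_code == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2
    return hits

def record(func, params=b""):
    """Build one WMF record (used only for the constructed samples below)."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

# Constructed samples: the escape record carries an empty data field.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
CLEAN = HEADER + record(0x0103, struct.pack("<H", 8)) + record(META_EOF)
FLAGGED = (HEADER + record(0x0103, struct.pack("<H", 8))
           + record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + record(META_EOF))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, find_setabortproc(blob))
```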
