«
»

WMF exploit unofficial patch



Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They’ve also looked at the patch thoroughly and it sounds as though it’s very well done.


We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn’t always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

For those of you wanting to try an unofficial patch with all the risks involved, please see here.
Initially it was only for Windows XP SP2. Fellow handler Tom Liston worked with Ilfak Guilfanov to help confirm some information required to extend it to cover Windows XP SP1 and Windows 2000.

Note: Tom has taken this thing apart and looked at it very, very closely. It does exactly what it advertises and nothing more. The wmfhotfix.dll will be injected into any process loading user32.dll. It then will then patch (in memory) gdi32.dll’s Escape() function so that it ignores any call using the SETABORTPROC (ie. 0×09) parameter. This should allow for Windows to display WMF files normally while still blocking the exploit. We want to give a huge thanks to Ilfak Guilfanov for building this and for allowing us to host and distribute it.

Note #2: When MS comes out with a real patch, simply uninstall this from Add/Remove programs on the Control Panel. Mr. Guilfanov did a great job with this …

Patching with unofficial patches is very risky business, this comes without any guarantees of any kind.
Please do back out these unofficial patches before applying official patches from Microsoft.

Also there are new Bleeding Snort signatures for the NEW version of the exploit. There is a good deal of text information that you should read before using them. Also it should be noted they haven’t been thoroughly tested for false positives/negatives.

Popularity: 1% [?]

PDF Printer    Send article as PDF   
Blog Traffic Exchange Related Posts
  • Exploit Thursday - this months winner - Powerpoint The SecurityFix reminds us of what usually comes close behind Patch Tuesday.... exploit Wednesday or Thursday and this month, the exploits seemed to start coming out Thursday. There's a new Powerpoint exploit starting to make the rounds right on the heels of Patch day. The main goal is likely to......
  • WMF exploit vs. Windows 98 again... If you've visited here in the last few days, you'll have noticed that I've been trying to test the WMF exploit against a Windows 98 Virtual machine since January 1st. I initially started out with a default install, which didn't work, (for the exploit), then added irfanview (didn't work), tried......
  • Windows 98 and the WMF exploit I've seen breathless headlines that say "Windows PCs face 'huge' virus threat; Affects every MICROSOFT OS shipped since 1990..." and really would like to try to clarify (again) what the situation is. Yes, the bug or vulnerability that's currently being exploited exists as far back as Windows 3.0, but as......
Blog Traffic Exchange Related Websites
  • How to use Debt to Improve Your Credit Many of us have the wrong idea when it comes to debt. After years of being told that it is a bad thing and should be avoided, most of us never want to get into the problem of having to deal with debt. Millions more are in over their heads......
  • Security News: US report blasts China, Russia for cybercrime; Duqu Malware: Still No Patch; MIT server hijacked in drive-by download campaign US report blasts China, Russia for cybercrime By LOLITA C. BALDOR, Associated Press – 4 hours ago WASHINGTON (AP) — Cyberattacks by Chinese and Russian intelligence services, as well corporate hackers in those countries, have swallowed up large amounts of high-tech American research and development data, and that stolen information......
  • Our Family At The Pumpkin Patch Our little family goes to the Pumpkin Patch every year. We started this little tradition about three years ago at a place that allowed us to bring our little Tinky, and have continued going to the same place every year. My poor husband had to take me to at least 3......

Similar Posts


This entry was posted on Saturday, December 31st, 2005 at 9:28 pm and is filed under Computers, Security. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.

Switch to our mobile site