Version 2 of the WMF exploit vs Windows 98 SE

Ok, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that’s now up to 4 or 5 days or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is not that I can see.

It’s possible that with certain software configurations maybe the exploit would have a better chance, but I ran a first round of tests against readily available exploit samples (all seem to be the original exploit). I just now finished trying to use the latest Metasploit exploit samples (released the 31st…). Still, no luck at infecting the system. Explorer loads the page and asks if it should save or open the file. This was a WMF and tried to open with Kodak Imaging, and I then get a message that “the document’s format is invalid or not supported”. Nothing further.

Another file from the same Metasploit session has been scanned by ClamAV and appears ok in spite of the fact that I know it’s not. (Signatures for this second approach to the exploit are going to be hard to come by given the random nature of the exploit generation.) In other words, I cannot get the exploit to work on a default Windows 98 SE install (within a virtual machine). Neither the first nor second variation on the exploit seems to gain any traction on the platform. No payload seems to be run. No DoS, just an error with the file type.

I’m opening this one up to comments in case anyone has found a way that Windows 98 is susceptible to what’s going around. (I suspect that different software configurations might be vulnerable? I just tested the base OS with a fairly default install (NO antivirus or firewalling).) As I mentioned before, this doesn’t necessarily mean that Windows 98 is safe. It is reported as having the same vulnerability. The effects of the vulnerability are possibly different, or the exploit can’t be done the same way for Windows 98. Hopefully since the Windows 98 install base is so small it won’t be a tempting enough target that someone finds a way to infect it.

–update 1/2/06–

I just played around again with the exploit using a different payload (upload and execute file). That fails also. I did notice that the Metasploit for this has been updated. I think the only change is that it now includes Vista as a target (I don’t recall seeing that before).


5 Responses to “Version 2 of the WMF exploit vs Windows 98 SE”

  1. The PC Doctor Says:

    Much more on the WMF exploit

    A lot has happened since last night so let me try to bring you up to speed on things.
    First, Ilfak Guilfanov (the researcher who came up with the unofficial patch) has come out with a WMF vulnerability checker to allow you to test your systems …

  2. The PC Doctor » Blog Archive » WMF exploit - Quick Guide Says:

    [...] Further research seems to show that Windows 98, Windows 98 SE and Windows ME might be harder to infect than later versions, although they still contain the exploit and may be targeted with greater ferocity soon. [...]

  3. TomW Says:

    Nice article on Win98 testing for wmf exploit! I am also in the process of doing some tests myself as I know and/or have several clients still stuck on Win98 systems.

    You said, “Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users”, just wondered if you had seen this “patch” linked below or might have tested it??

    It says it works with Win98 and other OS’s that are not patched by Microshaft… cause they are not “critical” …. yet

  4. Avery Says:

    Yes, I’ve seen the NOD32 patch. I haven’t tested it yet. It appears that Microsoft has backed off on the Windows 98/ME systems being as vulnerable… like you say, they’re not “critical”. It would be nice if they’d patch the thing pre-emptively though; who knows, maybe two months down the road a way might be discovered that it can be more easily exploited in Windows 98. I’ll try the patch and see how it looks. I don’t have an extensive set of things installed in a VM, so testing it that way will be a bit limited.

  5. Avery Says:

    Just did a modest test of it in a VM, and did an updated post (hopefully the last on the whole WMF mess…) the post is at
