Version 2 of the WMF exploit vs Windows 98 SE

Ok, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero day exploit that’s now up to 4 or 5 days or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is not that I can see.

It’s possible that with certain software configurations maybe the exploit would have a better chance, but I ran a first round of tests against readily available exploit samples (all seem to be the original exploit). I just now finished trying to use the latest Metasploit exploit samples (released the 31st…). Still, no luck at infecting the system. Explorer loads the page and asks if it should save or open the file. This was a WMF, and I tried to open it with Kodak Imaging; I then get a message that “the document’s format is invalid or not supported”. Nothing further.

Another file from the same Metasploit session has been scanned by ClamAV and appears OK in spite of the fact that I know it’s not. (Signatures for this second approach to the exploit are going to be hard to come by given the random nature of the exploit generation.) In other words, I cannot get the exploit to work on a default Windows 98 SE install (within a virtual machine). Neither the first nor the second variation on the exploit seems to gain any traction on the platform. No payload seems to be run. No DoS, just an error with the file type.

I’m opening this one up to comments in case anyone has found a way that Windows 98 is susceptible to what’s going around. (I suspect that different software configurations might be vulnerable? I just tested the base OS with a fairly default install (NO antivirus or firewalling).) As I mentioned before, this doesn’t necessarily mean that Windows 98 is safe. It is reported as having the same vulnerability. The effects of the vulnerability are possibly different, or the exploit can’t be done the same way for Windows 98. Hopefully, since the Windows 98 install base is so small, it won’t be a tempting enough target that someone finds a way to infect it.

–update 1/2/06–

I just played around again with the exploit using a different payload (upload and execute file). That fails also. I did notice that the Metasploit for this has been updated. I think the only change is that it now includes Vista as a target. (I don’t recall seeing that before.)


5 Responses to “Version 2 of the WMF exploit vs Windows 98 SE”

  1. The PC Doctor Says:

    Much more on the WMF exploit

    A lot has happened since last night so let me try to bring you up to speed on things.
    First, Ilfak Guilfanov (the researcher who came up with the unofficial patch) has come out with a WMF vulnerability checker to allow you to test your systems …

  2. The PC Doctor » Blog Archive » WMF exploit - Quick Guide Says:

    [...] Further research seems to show that Windows 98, Windows 98 SE and Windows ME might be harder to infect than later versions, although they still contain the exploit and may be targeted with greater ferocity soon. [...]

  3. TomW Says:

    Nice article on Win98 testing for wmf exploit! I am also in the process of doing some tests myself as I know and/or have several clients still stuck on Win98 systems.

    You said, “Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users”, just wondered if you had seen this “patch” linked below or might have tested it??

    It says it works with Win98 and other OS’s that are not patched by Microshaft… cause they are not “critical” …. yet

  4. Avery Says:

    Yes, I’ve seen the nod32 patch. I haven’t tested it yet. It appears that Microsoft has backed off on the Windows 98/ME systems being as vulnerable… like you say they’re not “critical” it would be nice if they’d patch the thing pre-emptively though, who knows maybe two months down the road a way might be discovered that it can be more easily exploited in Windows 98. I’ll try the patch and see how it looks. I don’t have an extensive set of things installed in a VM, so testing it that way will be a bit limited.

  5. Avery Says:

    Just did a modest test of it in a VM, and did an updated post (hopefully the last on the whole WMF mess…) the post is at
