Version 2 of the WMF exploit vs Windows 98 SE



Ok, I wasn’t quite satisfied with the results of the tests against the first version of the WMF (Windows Metafile) zero-day exploit that’s now up to 4 or 5 days or so… Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users. I was mostly curious to see if current exploits could wreck a Windows 98 system. The answer at this point is “not that I can see.”


It’s possible that with certain software configurations the exploit would have a better chance, but I ran a first round of tests against readily available exploit samples (all seem to be the original exploit). I just now finished trying to use the latest Metasploit exploit samples (released the 31st…). Still, no luck at infecting the system. Explorer loads the page and asks if it should save or open the file. This was a WMF, and I tried to open it with Kodak Imaging; I then get a message that “the document’s format is invalid or not supported.” Nothing further.

Another file from the same Metasploit session has been scanned by ClamAV and appears ok in spite of the fact that I know it’s not. (Signatures for this second approach to the exploit are going to be hard to come by given the random nature of the exploit generation.) In other words, I cannot get the exploit to work on a default Windows 98 SE install (within a virtual machine). Neither the first nor the second variation on the exploit seems to gain any traction on the platform. No payload seems to be run. No DoS, just an error with the file type.

I’m opening this one up to comments in case anyone has found a way that Windows 98 is susceptible to what’s going around. (I suspect that different software configurations might be vulnerable? I just tested the base OS with a fairly default install (NO antivirus or firewalling).) As I mentioned before, this doesn’t necessarily mean that Windows 98 is safe. It is reported as having the same vulnerability. The effects of the vulnerability are possibly different, or the exploit can’t be done the same way for Windows 98. Hopefully, since the Windows 98 install base is so small, it won’t be a tempting enough target that someone finds a way to infect it.

–update 1/2/06–

I just played around again with the exploit using a different payload (upload and execute file). That fails also. I did notice that the Metasploit for this has been updated. I think the only change is that it now includes Vista as a target. (I don’t recall seeing that before.)


5 Responses to “Version 2 of the WMF exploit vs Windows 98 SE”

  1. The PC Doctor Says:


    Much more on the WMF exploit

    A lot has happened since last night so let me try to bring you up to speed on things.
    First, Ilfak Guilfanov (the researcher who came up with the unofficial patch) has come out with a WMF vulnerability checker to allow you to test your systems …

  2. The PC Doctor » Blog Archive » WMF exploit - Quick Guide Says:


    [...] Further research seems to show that Windows 98, Windows 98 SE and Windows ME might be harder to infect than later versions, although they still contain the exploit and may be targeted with greater ferocity soon. [...]

  3. TomW Says:


    Nice article on Win98 testing for the WMF exploit! I am also in the process of doing some tests myself as I know and/or have several clients still stuck on Win98 systems.

    You said, “Windows 98 is listed as being vulnerable, but there are no patches or workarounds currently available for Windows 98 users”, just wondered if you had seen this “patch” linked below or might have tested it??

    http://www.nod32.ch/en/download/tools.php

    It says it works with Win98 and other OS’s that are not patched by Microshaft… cause they are not “critical” …. yet

  4. Avery Says:


    Yes, I’ve seen the nod32 patch. I haven’t tested it yet. It appears that Microsoft has backed off on the Windows 98/ME systems being as vulnerable… like you say, they’re not “critical.” It would be nice if they’d patch the thing pre-emptively though; who knows, maybe two months down the road a way might be discovered that it can be more easily exploited in Windows 98. I’ll try the patch and see how it looks. I don’t have an extensive set of things installed in a VM, so testing it that way will be a bit limited.

  5. Avery Says:


    Just did a modest test of it in a VM, and did an updated post (hopefully the last on the whole WMF mess…). The post is at http://www.averyjparker.com/2006/01/06/windows-98-wmf-patch/
