WMF exploit and Windows 98
Most of the talk on the WMF zero-day has centered on Windows XP, 2000 and 2003. The unofficial patch is available for those three platforms. Microsoft’s (eventual) patch will likely be for those as well. Incidents.org had a comment in one of their posts that this would be a “watershed moment” for Windows 98/ME and that those users should upgrade immediately as there is little/no hope for a patch.
Unregistering the dll doesn’t work for Win98 (SE). Although the vulnerability technicically exists on Win98 and ME, I’ve not seen as easy infection on 98 as I did in XP. I loaded up a Windows 98 SE image and opened explorer to one of the sites serving up the exploit. After the page loaded a popup opened that said… “File download” and went on to say the file name was xpl.wmf type was a WMF file and it was from 85.255.113.242 – there was a warning that this type of file could harm your computer if it contains malicious code. I’m then prompted to open or save or cancel or get more info….
All this is with IE 6 SP1 on Windows 98 SE. At least it prompts. Being the curious sort…. I saved it to the desktop and then chose to open it. I was greeted with the following…. “Open with” “Click the program you want to use to open the file xpl.wmf if the program you want is not in the list click other…” so, Win98SE in this (default) install doesn’t seem capable of being infected so easily. This doesn’t mean that it’s not vulnerable per se, but the most common exploit doesn’t seem to be effective. (Would an exploit masquerading as a jpg infect the system? I’m not certain.) Would ME be affected? Possibly, I don’t have a Windows ME image to test though.
A quick look at my stats shows that just under 2% of this site’s visitors running some form of Windows, run Windows 98 (91.27% windows xp, 5.67% win2k) I suspect that windows 98 isn’t as tempting a target. That does not mean that it’s safe and certainly Windows 98 users should be considering upgrade options. Vista will be coming soon and so, your options are likely upgrade soon to Windows XP or aim towards Vista. It’s probable at this point, either would require hardware upgrades/replacements.
BTW, the same file, scanned with clamav is detected as Exploit.WMF.A