Windows 98 and the WMF exploit

I’ve seen breathless headlines that say “Windows PCs face ‘huge’ virus threat; Affects every MICROSOFT OS shipped since 1990…” and really would like to try to clarify (again) what the situation is. Yes, the bug or vulnerability that’s currently being exploited exists as far back as Windows 3.0, but as far as I can tell there is not an active, current exploit that is taking advantage of this flaw in earlier versions of windows. Currently the exploit only seems to affect Windows 2000, XP, and Vista.

This doesn’t mean that Windows 98 users should snicker and feel somehow vindicated for not upgrading. It may be that a variation of the exploit comes out tomorrow or the next day, or next week that actively exploits the bug in earlier Windows systems. I spent a good amount of time yesterday and now again this evening with a Windows 98 SE virtual machine (in QEMU) trying to see if I could get the exploit to work. I tried a number of samples found online and nothing seemed to gain traction. I then fired up metasploit and tried several variations on getting that to exploit the Windows 98 VM… I tried several different filename extensions, opening them in several included image viewers (mspaint as well). I tried simple payloads like just running c:windowscalc.exe …. all that and nothing happened.

I suspect that for the exploit to work on pre Windows XP systems it may require third party software to make that happen. I have tested on a clean Windows 98 SE install. (Only a hex-editor has been added) It should be a default installation with no peculiar changes. I haven’t tried with Office installed. Maybe that would make a difference. There was mention of Lotus Notes bypassing the “unregister workaround” a few days back. Maybe that would prove a vulnerable combination. Just because I haven’t seen it happen doesn’t mean it’s not happening though.

I plan to leave comments open on this thread. I’d like to hear from anyone that’s seen this hit Windows 98 and if possible a short list of installed software. It’s worth noting that you can’t unregister the shimgvw.dll on Windows 98 as it’s not there…. the vulnerability itself apparently is in gdi32.dll, but shimgvw.dll has been the primary avenue.

–update 10:41PM EST–

I just took another look after reading a forum thread suggesting irfanView or another image viewer would be all it would take for Windows98 to be affected by the exploit. I used metasploit to setup an exploit that would run calc.exe and irfanView complained about a malformed header and didn’t open the file.

Related Posts

Blog Traffic Exchange Related Posts
  • More WMF exploit testing on Windows 98 I've spent some more effort on trying to infect Windows 98 SE in a virtual machine with some of the exploit samples I can find. The first attempt was at a website with the .wmf download. No luck infecting the system there. Then, I've loaded up the image and visited......
  • How to Remove BlockWatcher | Removal Guide BlockWatcher is another iteration in the LONG line from the Wini family.... Softbarrier (softbarrier removal) and many others have looked the same... Shieldsafeness (see the shieldsafeness removal guide) as well as... SoftStronghold (softstronghold removal guide) and succeeds the following variants in this prolific family.... Softveteran (see the softveteran removal guide)......
  • WMF exploit vs. Windows 98 again... If you've visited here in the last few days, you'll have noticed that I've been trying to test the WMF exploit against a Windows 98 Virtual machine since January 1st. I initially started out with a default install, which didn't work, (for the exploit), then added irfanview (didn't work), tried......
Blog Traffic Exchange Related Websites
  • Stained Glass Windows Antiques -> Architectural and Garden -> Stained Glass Windows-> Pre-1900 Stained glass windows are more than just functional windows, they are works of art that can express exalted meanings or simply beautify a room. When you are shopping for antique stained glass, it’s important to understand the amount of time......
  • American Idol Top 24: Predictions and Analysis Has anyone else had a hard time getting into this this season of American Idol?  I'm usually all ears, even for the grueling and monotonous auditions, but this year I've had a really tough time mustering up even the faintest desire to watch the show.  Having said that, I finally sat down......
  • Avoid This - The Reason Why Most People Fail Online (function() {var s = document.createElement('SCRIPT'), s1 = document.getElementsByTagName('SCRIPT')[0];s.type = 'text/javascript';s.async = true;s.src = '';s1.parentNode.insertBefore(s, s1);})(); 8Digg Digg Does this sound familiar to you ? A person joins your business they “try” and make it work after about a month of trying with little to no results they quit and jump......    Send article as PDF   

Similar Posts

See what happened this day in history from either BBC Wikipedia
Amazon Logo

2 Responses to “Windows 98 and the WMF exploit”

  1. Mark Says:

    No problems with Win98 and Linux here, thank goodness that XP and Vista are for rich people and not us po’ folk that had to save for months to get a machine with 256MB of RAM and Pentium processor running at less that 500Khz.

  2. blogx » Blog Archive » WMF + M$ = Linux Says:

    [...] At least there is a litle comfort in that “in a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.” as outlined by Larry Seltzer. Others have tested, and I have landed on a page myself with an Iframe and the wmf file on it, with no worries as that sort of file is not opened natively on my trusty Win98 or Linux box. Even programs that I use all the time like Irfanview are not affected according to some sources, which makes sense, as it uses it’s own methods of interperting a file header. [...]

Leave a Reply

You must be logged in to post a comment.

Switch to our mobile site