Unofficial WMF fix gets thumbs up by SANS.org and NIST.org

Discussion in 'Computer Security' started by NIST.org, Jan 3, 2006.

  1. NIST.org

    NIST.org Guest

    The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    the exploitable program routines in the vulnerable shimgvw.dll file.
    It completely mitigates any threat from this vulnerability. No need to
    run Microsoft's suggested unregister command, but it doesn't hurt to do so
    (belt and suspenders is what SANS called it).

    My only problem with this fix is that it's not very enterprise friendly.
    It requires installation on every machine through non-automated
    processes (yes, you can automate an install yourself) and should be
    uninstalled after Microsoft releases their fix.

    The latest exploit kits being circulated allow creation of WMF files
    with varying signatures. This was intended to make detection by
    IDS/IPS and antivirus programs much harder or impossible. So this
    unofficial hotfix may be all we have at the moment.

    You can download the hotfix and read more at http://www.NIST.org
    Check back often for updates or subscribe to the NIST.org RSS feed.
     
    NIST.org, Jan 3, 2006
    #1

  2. NIST.org

    Quaoar Guest

    NIST.org wrote:
    > The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    > the exploitable program routines in the vulnerable shimgvw.dll file.
    > It completely mitigates any threat from this vulnerability. No need
    > to run Microsoft's suggested unregister command, but it doesn't hurt to
    > do so (belt and suspenders is what SANS called it).
    >
    > My only problem with this fix is that it's not very enterprise
    > friendly. It requires installation on every machine through
    > non-automated processes (yes, you can automate an install yourself)
    > and should be uninstalled after Microsoft releases their fix.
    >
    > The latest exploit kits being circulated allow creation of WMF files
    > with varying signatures. This was intended to make detection by
    > IDS/IPS and antivirus programs much harder or impossible. So this
    > unofficial hotfix may be all we have at the moment.
    >
    > You can download the hotfix and read more at http://www.NIST.org
    > Check back often for updates or subscribe to the NIST.org RSS feed.


    Ilfak's site is up again, http://www.hexblog.com/ or
    http://216.227.222.95/ since the server has changed. The latest SANS
    logs are here http://isc.sans.org/diary.php?storyid=1013
     
    Quaoar, Jan 4, 2006
    #2

  3. NIST.org

    Peter Guest

    Quaoar wrote:
    >
    > NIST.org wrote:
    > > The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    > > the exploitable program routines in the vulnerable shimgvw.dll file.
    > > It completely mitigates any threat from this vulnerability. No need
    > > to run Microsoft's suggested unregister command, but it doesn't hurt to
    > > do so (belt and suspenders is what SANS called it).
    > >
    > > My only problem with this fix is that it's not very enterprise
    > > friendly. It requires installation on every machine through
    > > non-automated processes (yes, you can automate an install yourself)
    > > and should be uninstalled after Microsoft releases their fix.
    > >
    > > The latest exploit kits being circulated allow creation of WMF files
    > > with varying signatures. This was intended to make detection by
    > > IDS/IPS and antivirus programs much harder or impossible. So this
    > > unofficial hotfix may be all we have at the moment.
    > >
    > > You can download the hotfix and read more at http://www.NIST.org
    > > Check back often for updates or subscribe to the NIST.org RSS feed.
    >
    > Ilfak's site is up again, http://www.hexblog.com/ or
    > http://216.227.222.95/ since the server has changed. The latest SANS
    > logs are here http://isc.sans.org/diary.php?storyid=1013

    Has anyone news on vulnerability or otherwise of win98se? I ran a check
    yesterday from some security site to see if I'm vulnerable and got the
    ok.
     
    Peter, Jan 4, 2006
    #3
  4. NIST.org

    John Hyde Guest

    on 1/4/2006 8:46 AM Todd H. said the following:
    > Peter <"veryhjdf"@kk.zz$> writes:
    >
    >> Has anyone news on vulnerability or otherwise of win98se? I ran a check
    >> yesterday from some security site to see if I'm vulnerable and got the
    >> ok.
    >
    > It's a topic of some debate. Your particular configuration of 98se
    > may not be vulnerable, but the OS as a whole is suspect. Certain
    > configs appear to be according to some researchers.
    >


    Here is an article with more info. Don't skip the reply comments.
    (Though it's more discussion than I could wade through all in one sitting.)

    http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

    JH
     
    John Hyde, Jan 4, 2006
    #4
  5. NIST.org

    Todd H. Guest

    Peter <"veryhjdf"@kk.zz$> writes:

    > Has anyone news on vulnerability or otherwise of win98se? I ran a check
    > yesterday from some security site to see if I'm vulnerable and got the
    > ok.


    It's a topic of some debate. Your particular configuration of 98se
    may not be vulnerable, but the OS as a whole is suspect. Certain
    configs appear to be according to some researchers.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jan 4, 2006
    #5
  6. NIST.org

    Peter Guest

    John Hyde wrote:
    >
    > on 1/4/2006 8:46 AM Todd H. said the following:
    > > Peter <"veryhjdf"@kk.zz$> writes:
    > >
    > >> Has anyone news on vulnerability or otherwise of win98se? I ran a check
    > >> yesterday from some security site to see if I'm vulnerable and got the
    > >> ok.
    > >
    > > It's a topic of some debate. Your particular configuration of 98se
    > > may not be vulnerable, but the OS as a whole is suspect. Certain
    > > configs appear to be according to some researchers.
    > >
    >
    > Here is an article with more info. Don't skip the reply comments.
    > (Though it's more discussion than I could wade through all in one sitting.)
    >
    > http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
    >
    > JH


    Cheers, I'll take a look. There's no way .wmf can render automatically
    on my win98se system. No way will I ever use XP.

    win98se/ modified by Win Lite
    IE completely blocked at firewall (and never use it)
    default browser/email; Mozilla v.17.12
     
    Peter, Jan 4, 2006
    #6
  7. NIST.org

    SteveB Guest

    I've just installed a freeware WMF viewer and set it as the default app in
    XP. I don't know for sure if it will avoid the vulnerability but it seems
    plausible to me.
     
    SteveB, Jan 4, 2006
    #7
  8. NIST.org

    Art Guest

    On 3 Jan 2006 00:54:19 -0800, "NIST.org" <>
    wrote:

    >The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    >the exploitable program routines in the vulnerable shimgvw.dll file.
    >It completely mitigates any threat from this vulnerability. No need to
    >run Microsoft's suggested unregister command, but it doesn't hurt to do so
    >(belt and suspenders is what SANS called it).
    >
    >My only problem with this fix is that it's not very enterprise friendly.
    >It requires installation on every machine through non-automated
    >processes (yes, you can automate an install yourself) and should be
    >uninstalled after Microsoft releases their fix.
    >
    >The latest exploit kits being circulated allow creation of WMF files
    >with varying signatures. This was intended to make detection by
    >IDS/IPS and antivirus programs much harder or impossible. So this
    >unofficial hotfix may be all we have at the moment.
    >
    >You can download the hotfix and read more at http://www.NIST.org
    >Check back often for updates or subscribe to the NIST.org RSS feed.


    Ilfak's hotfix for the WMF vulnerability can be downloaded from any of
    the following URLs:

    http://www.grc.com/miscfiles/wmffix_hexblog14.exe
    http://handlers.sans.org/tliston/wmffix_hexblog14.exe
    http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
    http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
    http://www.antisource.com/download/wmffix_hexblog14.exe
    http://hexblog.axmo12.de/wmffix_hexblog14.exe
    http://www.dsinet.org/files/wmffix_hexblog14.exe
    http://lab.nsl.it/wmffix_hexblog14.exe

    The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

    MSI repackages can be downloaded here:

    * http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5:
    a5108c0fa866101d79bb8006617641ee)
    * http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan
    Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
    * http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson
    (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

    The WMF vulnerability checker can be downloaded from the following
    URLs:

    http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
    http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
    http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
    http://www.antisource.com/download/wmf_checker_hexblog.exe
    http://hexblog.axmo12.de/wmf_checker_hexblog.exe

    The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

    Note that the fix is not applicable to Win 9X/ME.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jan 4, 2006
    #8
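    Art's post lists several mirrors for one binary plus the MD5 values to check them against. The script below is an added example, not code from the thread or from the hotfix author: it streams a downloaded file through MD5 and compares the result with the published value for that filename, so a swapped or truncated download from any mirror is caught before it is installed. The published digests are the ones quoted above; the sample file it checks is constructed here (the RFC 1321 "abc" test vector) so it runs offline and, as expected for a file that is not the hotfix, fails the check.

```python
"""Verify a downloaded WMF hotfix file against a published MD5 checksum.

Added example; the checksum table holds the values quoted in the thread,
the sample file is constructed below and is not the real hotfix.
"""
import hashlib
import hmac
import os
import tempfile

# Published checksums quoted in the thread: filename -> MD5 hex digest.
PUBLISHED_MD5 = {
    "wmffix_hexblog14.exe": "15f0a36ea33f39c1bcf5a98e51d4f4f6",
    "wmf_checker_hexblog.exe": "ba65e1954070074ea634308f2bab0f6a",
    "WMFHotfix-1.1.14.msi": "0dd56dac6b932ee7abf2d65ec34c5bec",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so a large download need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published=PUBLISHED_MD5):
    """Return (ok, actual_md5); ok is False for an unknown filename or a mismatch."""
    expected = published.get(os.path.basename(path))
    actual = md5_of_file(path)
    if expected is None:
        return False, actual
    # compare_digest does not stop at the first differing character.
    return hmac.compare_digest(actual, expected.lower()), actual


def demo():
    """Constructed stand-in: the bytes b"abc" saved under the hotfix's filename.

    MD5("abc") is 900150983cd24fb0d6963f7d28e17f72 (RFC 1321 test vector),
    which does not match the published value, so the check must fail.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wmffix_hexblog14.exe")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        return verify_download(path)


if __name__ == "__main__":
    print(demo())  # (False, '900150983cd24fb0d6963f7d28e17f72')
```

    MD5 is no longer collision resistant, so a matching digest here rules out corruption or a mirror serving a different file, not a deliberately crafted collision; a publisher signature is the stronger check where one is offered.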
  9. NIST.org

    Guest

    On Wed, 04 Jan 2006 16:51:21 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
    >> >>Has anyone news on vulnerability or otherwise of win98se? I ran a check
    >> >>yesterday from some security site to see if I'm vulnerable and got the
    >> >>ok.
    >> >
    >> > It's a topic of some debate. Your particular configuration of 98se
    >> > may not be vulnerable, but the OS as a whole is suspect. Certain
    >> > configs appear to be according to some researchers.
    >> >
    >>
    >> Here is an article with more info. Don't skip the reply comments.
    >> (Though it's more discussion than I could wade through all in one sitting.)
    >>
    >> http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx
    >>
    >> JH
    >
    >Cheers, I'll take a look. There's no way .wmf can render automatically
    >on my win98se system. No way will I ever use XP.
    >
    >win98se/ modified by Win Lite
    >IE completely blocked at firewall (and never use it)
    >default browser/email; Mozilla v.17.12


    What is Win Lite?
    How did you prevent the bug without any fix?
    I'd like to do it on my 95 system if possible, and later on a 98SE.

    I'm with ya on the XP hate!
    Unfortunately, M$'s 98 support ends (I think in July) which means no more
    security fixes for their garbageware. Dunno if it'll be worth the risk of
    lesser threat and no updates for 98 vs huge threat but updates for XP.

    --
    _____________________________________________________
    For email response, or CC, please email .
    Yeah, it's really a real address :)
     
    , May 9, 2006
    #9
