Unofficial WMF fix gets thumbs up by SANS.org and NIST.org

Discussion in 'Computer Security' started by NIST.org, Jan 3, 2006.

  1. NIST.org Guest

    The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    the exploitable program routines in the vulnerable shimgvw.dll file.
    It completely mitigates any threat from this vulnerability. No need to
    run Microsoft's suggested unregister command, but it doesn't hurt to do so
    (belt and suspenders is what SANS called it).

    My only problem with this fix is that it's not very enterprise friendly.
    It requires installation on every machine through non-automated
    processes (yes, you can automate an install yourself) and should be
    uninstalled after Microsoft releases their fix.

    The latest exploit kits being circulated allow creation of WMF files
    with varying signatures. This was intended to make detection by
    IDS/IPS and antivirus programs much harder or impossible. So this
    unofficial hotfix may be all we have at the moment.

    You can download the hotfix and read more at http://www.NIST.org.
    Check back often for updates or subscribe to the NIST.org RSS feed.
     
    NIST.org, Jan 3, 2006
    #1

  2. Quaoar Guest

    Ilfak's site is up again, http://www.hexblog.com/ or
    http://216.227.222.95/ since the server has changed. The latest SANS
    logs are here http://isc.sans.org/diary.php?storyid=1013
     
    Quaoar, Jan 4, 2006
    #2

  3. Peter Guest

    Peter, Jan 4, 2006
    #3
  4. John Hyde Guest

    Here is an article with more info. Don't skip the reply comments.
    (Though it's more discussion than I could wade through all in one sitting.)

    http://blog.ziffdavis.com/seltzer/archive/2006/01/03/39684.aspx

    JH
     
    John Hyde, Jan 4, 2006
    #4
  5. Todd H. Guest

    It's a topic of some debate. Your particular configuration of 98se
    may not be vulnerable, but the OS as a whole is suspect. Certain
    configs appear to be, according to some researchers.
     
    Todd H., Jan 4, 2006
    #5
  6. Peter Guest

    Cheers, I'll take a look. There's no way .wmf can render automatically
    on my win98se system. No way will I ever use XP.

    win98se/ modified by Win Lite
    IE completely blocked at firewall (and never use it)
    default browser/email; Mozilla v.17.12
     
    Peter, Jan 4, 2006
    #6
  7. SteveB Guest

    I've just installed a freeware WMF viewer and set it as the default app in
    XP. I don't know for sure if it will avoid the vulnerability but it seems
    plausible to me.
     
    SteveB, Jan 4, 2006
    #7
  8. Art Guest

    Ilfak's hotfix for the WMF vulnerability can be downloaded from any of
    the following URLs:

    http://www.grc.com/miscfiles/wmffix_hexblog14.exe
    http://handlers.sans.org/tliston/wmffix_hexblog14.exe
    http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=496
    http://csc.sunbelt-software.com/wmf/wmffix_hexblog14.exe
    http://www.antisource.com/download/wmffix_hexblog14.exe
    http://hexblog.axmo12.de/wmffix_hexblog14.exe
    http://www.dsinet.org/files/wmffix_hexblog14.exe
    http://lab.nsl.it/wmffix_hexblog14.exe

    The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

    MSI repackages can be downloaded here:

    * http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5:
    a5108c0fa866101d79bb8006617641ee)
    * http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan
    Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
    * http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson
    (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

    The WMF vulnerability checker can be downloaded from the following
    URLs:

    http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
    http://castlecops.com/modules.php?name=Downloads&d_op=getit&lid=495
    http://csc.sunbelt-software.com/wmf/wmf_checker_hexblog.exe
    http://www.antisource.com/download/wmf_checker_hexblog.exe
    http://hexblog.axmo12.de/wmf_checker_hexblog.exe

    The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

    Note that the fix is not applicable to Win 9X/ME.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jan 4, 2006
    #8
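Because the post above spreads the hotfix across many third-party mirrors and publishes MD5 checksums for each file, the practical step for anyone deploying it is to verify the checksum of whatever they downloaded before executing it. The following is an added example written for this thread, not code from the post, from Ilfak Guilfanov or from any of the mirrors; the function names and the constructed sample input are my own. The checksum table is copied from the post, and the two MSI repackages (which have different checksums) are both accepted for the .msi filename.

```python
import hashlib
import hmac
import os

# Expected MD5 checksums exactly as listed in Art's post (Jan 4, 2006).
# Keyed by filename; the MSI entry accepts both published repackages.
EXPECTED_MD5 = {
    "wmffix_hexblog14.exe": {"15f0a36ea33f39c1bcf5a98e51d4f4f6"},
    "WMFHotfix-1.1.14.msi": {
        "0dd56dac6b932ee7abf2d65ec34c5bec",  # Evan Anderson's repackage
        "a5108c0fa866101d79bb8006617641ee",  # Brian Higgins' repackage
    },
    "wmf_checker_hexblog.exe": {"ba65e1954070074ea634308f2bab0f6a"},
}


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file on disk, read in chunks so large downloads stay cheap."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(filename: str, actual_hex: str, expected: dict = EXPECTED_MD5) -> bool:
    """True only if actual_hex is one of the checksums published for filename.

    An unknown filename is rejected outright (there is nothing to compare
    against), and comparison uses compare_digest so a mismatch does not
    reveal how many leading characters happened to match.
    """
    allowed = expected.get(filename)
    if not allowed:
        return False
    actual = actual_hex.lower()
    return any(hmac.compare_digest(actual, want.lower()) for want in allowed)


def verify_download(path: str, expected: dict = EXPECTED_MD5) -> bool:
    """Hash the file at path and check it against the table for its basename."""
    return verify_digest(os.path.basename(path), md5_file(path), expected)


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a stand-in file with arbitrary contents, so the
    # published checksum must NOT match and the check has to fail.
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "wmffix_hexblog14.exe")
        with open(fake, "wb") as f:
            f.write(b"not the real hotfix (constructed sample)")
        print("sample file accepted:", verify_download(fake))
```

Run it against the real download path instead of the constructed sample to get a yes/no verdict before installing; a `False` on a file fetched from a mirror means the copy should be discarded rather than run. MD5 is no longer collision-resistant, so this check guards against a corrupted or swapped mirror copy rather than against a determined attacker; the comparison of a downloaded file to a checksum published by a separate, trusted party is still the right habit for unofficial binaries like this one.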
  9. see.my.sig.4.addr Guest

    What is Win Lite?
    How did you prevent the bug without any fix?
    I'd like to do it on my 95 system if possible, and later on a 98SE.

    I'm with ya on the XP hate!
    Unfortunately, M$'s 98 support ends (I think in July) which means no more
    security fixes for their garbageware. Dunno if it'll be worth the risk of
    lesser threat and no updates for 98 vs huge threat but updates for XP.
     
    see.my.sig.4.addr, May 9, 2006
    #9
