Unofficial WMF fix gets thumbs up by and

Discussion in 'Computer Security' started by, Jan 3, 2006.

  1. Guest

    The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
    the exploitable program routines in the vulnerable shimgvw.dll file.
    It completely mitigates any threat from this vulnerability. No need to
    run the Microsoft-suggested unregister command, but it doesn't hurt to do so
    (belt and suspenders is what SANS called it).

    My only problem with this fix is that it's not very enterprise friendly.
    It requires installation on every machine through non-automated
    processes (yes, you can automate an install yourself) and should be
    uninstalled after Microsoft releases their fix.

    The latest exploit kits being circulated allow creation of WMF files
    with varying signatures. This was intended to make detection by
    IDS/IPS and antivirus programs much harder or impossible. So this
    unofficial hotfix may be all we have at the moment.

    You can download the hotfix and
    Check back often for updates or subscribe to the RSS feed.
, Jan 3, 2006


    Quaoar Guest

    Ilfak's site is up again, or since the server has changed. The latest SANS
    logs are here
    Quaoar, Jan 4, 2006


    Peter Guest

    Peter, Jan 4, 2006

    John Hyde Guest

    Here is an article with more info. Don't skip the reply comments.
    (Though it's more discussion than I could wade through all in one sitting.)

    John Hyde, Jan 4, 2006

    Todd H. Guest

    It's a topic of some debate. Your particular configuration of 98se
    may not be vulnerable, but the OS as a whole is suspect. Certain
    configs appear to be according to some researchers.
    Todd H., Jan 4, 2006

    Peter Guest

    Cheers, I'll take a look. There's no way .wmf can render automatically
    on my win98se system. No way will I ever use XP.

    win98se/ modified by Win Lite
    IE completely blocked at firewall (and never use it)
    default browser/email; Mozilla v.17.12
    Peter, Jan 4, 2006

    SteveB Guest

    I've just installed a freeware WMF viewer and set it as the default app in
    XP. I don't know for sure if it will avoid the vulnerability but it seems
    plausible to me.
    SteveB, Jan 4, 2006

    Art Guest

    Ilfak's hotfix for the WMF vulnerability can be downloaded from any
    of the following URLs:

    The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

    MSI repackages can be downloaded here:

    * by Brian Higgins (MD5:
    * by Evan Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

    The WMF vulnerability checker can be downloaded from the following

    The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

    Note that the fix is not applicable to Win 9X/ME

    Art, Jan 4, 2006
  9. What is Win Lite?
    How did you prevent the bug without any fix?
    I'd like to do it on my 95 system if possible, and later on a 98SE.

    I'm with ya on the XP hate!
    Unfortunately, M$'s 98 support ends (I think in July) which means no more
    security fixes for their garbageware. Dunno if it'll be worth the risk of
    lesser threat and no updates for 98 vs huge threat but updates for XP.
, May 9, 2006