WMF temporary (unofficial) patch

http://www.hexblog.com/2005/12/wmf_vuln.html

Also for x64

jud

 

Thanks, great. Just installed it. Is there a way to know if it is working?


Tony. . .

 

Open an infected WMF ;-) Just kidding of course, but it's probably the only
way to test it. I think it's best to keep an eye on Ilfak Guilfanov's blog,
as people are testing it. I am not going to try opening an infected WMF, as
the best and safest repair is a full re-install of Windows

jud

 

No offence, Jud, but I would MUCH rather folks got any unofficial patch from
someplace I recognize. In this case:
http://isc.sans.org/diary.php?storyid=994

The Internet Security Center (ISC) FAQ on the vulnerability including a link
to their patch.

 

Charlie:

Thank you for that link, it's very informative. One thing also
listed was un-registering a DLL file along with installing the patch. I've
never un-registered a file and I'm not sure how to proceed. Thank you for
your time.

 

Charlie,

Is this supposed to work on x64 as well? I didn't see anything about x64 at
this link.

Also, has anyone applied the patch and did it screw anything up?

 

"Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and
will prevent the exploit."

Does that mean we're already covered?

 

I would, at the least, unregister the DLL. Follow the instructions there, or
even better, follow the MS posted instructions in their security advisory.
http://www.microsoft.com/technet/security/advisory/912840.mspx

 

Try these instructions (under actions)

http://www.microsoft.com/technet/security/advisory/912840.mspx

 

I believe it should, but I also think that simply unregistering the DLL and
waiting for the official MS patch is probably sufficient.

 

Not offended Charlie. I got this patch via the F-Secure weblog. I assume I
can trust F-Secure in verifying it's safety The page where the patch is
mentioned is http://www.f-secure.com/weblog/ (Under "Saturday, December 31,
2005"). The patch you refer to is exactly the same patch by the way.

jud

 

Yes, I generally trust F-Secure. But I'd rather point people to something
where they can see where they're going. These days...

I have some other, independent, indications that it's safe as well. But for
x64, I think we're probably fine with the hardware DEP and unregistering the
DLL. At least until we have an official patch.

 

Charlie:

Thank you for the prompt reply. Sorry for the delayed response.
Also the "Windows Live Safety Center" looks like a viable test for existing
security systems in place. Thank you again and Happy New Year to all.

 

No offence either - but you might like to check the source of the SANS
patch...

 

Absolutely right on that

The patch included the sources for everyone to check.

OK. Well I have DEP + patch and reregistered the DLL. I just hate that I
can't see preview icons on my system. My extra safety for now, is to only
go to websites I can trust to be safe, and blocking all
advertisements-servers via the hosts-file (the yoyo.org list), up till the
patch.
Rumour said it would take until the 9th of January for the patch to arrive,
but I hope the good people at MS will be quicker.

jud

 

Probably a dumb question but are we safe(r) if we use IE 64bit?

 

According to http://www.microsoft.com/technet/security/advisory/912840.mspx
we are not:

"Related Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)"

The F-secure weblog says it might even be worse than that, and that all
Windows-versions could be affected:
http://www.f-secure.com/weblog/archives/archive-012006.html#00000761

jud

 

I would say no. At the least, unregister both DLLs (see my post above)