Re: A Very Dangerous Worm in Windows Metafile Images (WMF)



JeffM wrote:

> A patch for NT-based systems [1]
> http://66.102.7.104/search?q=cache:G_h4wrg3BDYJ:www.grc.com/sn/notes-020.htm+Download-Ilfak's-Temporary-WMF-Patch+the-seriousness-of-the-WMF-vulnerability
> .
> .
> [1] There is no patch for DOS-based Windoze.

There is a vulnerability checker at

http://www.hexblog.com/2006/01/wmf_vulnerability_checker.html#more

Several people report their results on Win98. Apparently Win98 shows as
being vulnerable, but two people running Win98SE say their system reports
not vulnerable.

I am running Win98SE with the Final Update. The test report says it is
not vulnerable. A brief look at the source indicates it may not be able
to find the entry points in the Win98SE version of gdi32.dll.

Wishful thinking says maybe the virus writers could have the same problem
with Win98SE, and anyway they will be going after w2k and xp systems.
Somehow that doesn't make me feel better.

The author emphasizes he checks only one vulnerability and there may be
more. So it is not safe to assume that Win98SE or later OS's are
invulnerable to this problem even if the temporary patch is applied.

This is a very serious problem. Watch the internet melt tomorrow when
everyone comes back from XMas vacation.

Mike Monett