[pmwiki-users] WMF vulnerability in Windows systems

Peter redfive at gmail.com
Tue Jan 3 14:46:58 CST 2006


On 1/3/06, Joachim Durchholz <jo at durchholz.org> wrote:
>
> Robin wrote:
> > On Monday 02 January 2006 17:00, Patrick R. Michaud wrote:
> >
> >>There are literally millions of Windows systems vulnerable to this
> >>exploit, and Microsoft has not yet provided a patch.
> >
> > Apparently they are providing a hotfix for this, as the next Patch
> > Tuesday is a while away I think.
>
> According to heise.de, Microsoft will include a patch with their regular
> update on Jan 10th.
>
> > In the interim, Windows users should either
> > avoid using IE (preferably for good ;)
>
> As Chris said, this doesn't protect. Anything that shows an image is
> vulnerable (unless it refuses to show WMF, but I'm not aware of any
> program that has such a policy in place).
>
> > or do the DLL unregistering trick
> > on that SANS page.
>
> DLL unregistering isn't a complete safeguard, either.
> Download Ilfak Guilfanov's patch from
> http://isc.sans.org/diary.php?storyid=999 for the best currently known
> patch.
>
> > Whoever thought it was a good idea to design a file format that is a
> > collection of GDI invocations allowing callbacks deserves to be slapped
> > about with a wet trout anyway.
>
> Well, it was designed at a time when viruses lived on floppy disk boot
> sectors, and the Internet wasn't covering home computers.
> The *real* problem is that capability-based security still isn't the
> norm in current-day OSes.
>
> Regards,
> Jo


If you would like to see if your systems are vulnerable then click on this
link.  http://r-1.ch/test.wmf

This is a site that was created to test the exploit.  This will not infect
you!  You are vulnerable if the Windows NT Authority box opens up and
initiates the countdown.  You can remove that box by clicking Start - Run
and typing in 'shutdown -a'

Currently I know that NOD32 catches it only and I think I read that Computer
Associates has updated their signatures.
--
Gmail shoots first