Re: Patch to fix the latest Windows XP WMF meta file vulnerability.



On Tue, 03 Jan 2006 14:42:59 -0600, Andy <andy@xxxxxxxx> wrote:

>On Steve Gibson's site at:
>http://www.grc.com/sn/notes-020.htm

I downloaded the patch and applied it.

Then I downloaded the patch test program and ran it.

SEEMS I'm Okay for the moment. I recommend everyone gets their a$$
over to the website and shields their computers asap!

Lg
Windows XP home edition

>Windows WMF Vulnerability News & Updates
>Quick Background:
>
> The active exploitation of a very serious vulnerability in all
>versions of Windows was discovered in late December.
>
> Word of this spread rapidly through the hacker community - many of
>whom were presumably on holiday vacation from school, bored, and
>looking for something to do.
>
> So several days later nearly one hundred different instances of
>exploitation of this newly discovered vulnerability had been found.
>
> Note that this is not a "new vulnerability" - it (and perhaps other
>similar bugs) have been lying unknown in Windows since 1991. What's
>"new" is the discovery of this long-present vulnerability in Windows'
>metafile processing.
>
> Almost immediately there were reports of an MSN Messenger worm, and
>now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying
>an exploit.
>
> Anti-Virus vendors quickly updated and began pushing out their A-V
>signature files. These have been effective, but a new very flexible
>exploit generation tool has appeared that's able to create so many
>different variations of the exploit that A-V signatures are having
>trouble keeping up.
>
> Microsoft responded with an acknowledgement of the problem which
>included a very weak workaround (the shimgvw.dll unregistration) that
>provides very little protection. There is not a cure, and it is not
>known how long the Windows user community will now be waiting for a
>true patch from Microsoft.
>
> Ilfak Guilfanov (see GREEN box below) produced a highly-effective
>true patch which successfully suppresses all known exploitable
>vulnerabilities for anyone using Windows 2000, XP, server 2003, or
>64-bit XP. No patch is available for Windows 95, 98, ME or NT, and
>none is expected to be forthcoming. But anyone using Windows 2000, XP,
>server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit
>suppressor into all of their systems.
>
>
>Other Updates
> A special (short) edition of "Security Now!" - On Sunday, January
>1st, I phoned into Leo Laporte's KFI "Tech Guy" radio program to
>inform him and his radio audience of the availability of Ilfak's new
>patch and real solution. Leo produced a special edition of our weekly
>"Security Now!" audio podcast. Since this was by telephone the audio
>quality is not great, but the high-quality and lower-quality MP3 audio
>files are available here:
>
> Higher-quality (larger) KFI Radio program update (64 kbps, MP3,
>5.4 MB)
> Lower-quality (smaller) KFI Radio program update. (16 kbps, MP3,
>1.4 MB)
>
> Ilfak has produced a WMF Vulnerability Checker - Many users want to
>verify that their "exploit suppressed" systems are now safe to use.
>And others want to see whether their anti-virus A-V systems are now
>detecting some WMF exploit code. So Ilfak has produced a simple WMF
>Vulnerability tester:
>
> Download Ilfak's WMF Vulnerability Checker (3.6 kb)
>
>You can read more about his checker, and users' experiences, on his
>Vulnerability Checker blog page.
>
> An important Note about A-V signatures: As useful as anti-virus
>protection is as a first line of defense, new WMF exploits are
>succeeding at bypassing them. So A-V cannot be relied upon. The only
>safe measure is to install Ilfak's vulnerability suppression solution
>until Microsoft has updated the GDI32.DLL file and permanently
>resolved this problem.
>
>
> Windows 98/SE/ME users: Microsoft's original advice to "unregister
>the shimgvw.dll" (shell image viewer) was never correct or useful on
>those platforms. The good news is that all current WMF exploits appear
>to be non-functional on the older Win9x vintage platforms . . . so you
>will likely be okay until Microsoft has updated your system with the
>next security patches. There is no short-term workaround for Windows
>9x users.
>
