Download Ilfak's patch from Gibson's site

Art

My assumption was correct. Too many hits on the website. Thankfully we
have Gibson Research to the rescue.

Note this from Steve's site as well:
*************************************************
Windows 98/SE/ME users: Microsoft's original advice to "unregister
the shimgvw.dll" (shell image viewer) was never correct or useful on
those platforms. The good news is that all current WMF exploits appear
to be non-functional on the older Win9x vintage platforms . . . so you
will likely be okay until Microsoft has updated your system with the
next security patches. There is no short-term workaround for Windows
9x/SE/ME users.
************************************************
This should help clarify some of the confusion concerning the
vulnerability of 98/ME. These systems are vulnerable, but not in
the same way or by the same methods, as I understand it. Exploit
code could be written for them at any time (and there have apparently
been earlier WMF exploits for them). But you have a little bit of
"security by obscurity" going on here right at the moment.

Art

http://home.epix.net/~artnpeg
 
Virus Guy

Art said:
Note this from Steve's site as well:

This should help clarify some of the confusion concerning the
vulnerability of 98/ME. These systems are vulnerable,

ARG!

You can't say that Win-9x is vulnerable until it's clear that 9x
actually has a component that is responsible for rendering or handling
wmf files.

We know that Macro$loth didn't include shell handling of wmf files
until (apparently) ME.

http://support.microsoft.com/?kbid=272969
 
Art

ARG!

You can't say that Win-9x is vulnerable until it's clear that 9x
actually has a component that is responsible for rendering or handling
wmf files.

We know that Macro$loth didn't include shell handling of wmf files
until (apparently) ME.

http://support.microsoft.com/?kbid=272969

Aside from the fact that experts claim an inherent vulnerability exists
going back as far as Win 3.X .... I found several descriptions of
earlier WMF exploits where Win 98 is included as one of the OS
susceptible. Here's one example that's over a year old:

http://www.proantivirus.com/en/viruses/virusinfo_detail.php?ID=554

Symantec has several old descriptions along similar lines where Win 98
is included. WMF exploits are not new. It's just that the big hoopla
of the moment is the series of exploits aimed mainly at XP and Server
3000.

Art

http://home.epix.net/~artnpeg
 
Virus Guy

Art said:
Aside from the fact that experts claim an inherent vulnerability
exists going back as far as Win 3.X

And yet these experts do not say how Win 9x systems are vulnerable.

.... I found several descriptions of earlier WMF exploits
where Win 98 is included as one of the OS susceptible. Here's
one example that's over a year old:

http://www.proantivirus.com/en/viruses/virusinfo_detail.php?ID=554

Again I can't see how a 9x system is vulnerable if even MATURE
installations of 9x are not set up to handle wmf file associations -
or - if they do not have any M$ software installed to handle or render
WMF files.

It's not even clear to me that third-party software (like ACDSee) are
vulnerable unless those programmers made the same mistake that M$ did
when writing the code that handles WMF file processing.

Symantec has several old descriptions along similar lines where
Win 98 is included.

And I will say the same thing. 9X systems remain in-vulnerable unless
or until someone can point out how those systems use native M$ code or
components to handle wmf files.

The truth is, for the vast majority of 9X systems out there, that wmf
files are unknown file types and they have no idea how to handle them
- which turns out to be a good thing.
 
Todd H.

Virus Guy said:
And I will say the same thing. 9X systems remain in-vulnerable unless
or until someone can point out how those systems use native M$ code or
components to handle wmf files.

The truth is, for the vast majority of 9X systems out there, that wmf
files are unknown file types and they have no idea how to handle them
- which turns out to be a good thing.

Virus Guy, you may have that name for a reason -- you seem to be
deluding yourself into thinking your world is safe when it very well
may not be. In the words of SANS from
http://isc2.sans.org/diary.php?date=2006-01-03 which you might wanna
read:

"...please do make the difference between a vulnerability and
the lack of an exploit.

* One working exploit proves a vulnerability.
* Many non-functional exploits prove nothing towards the
lack of a vulnerability.


also, this:


From the averyjarker.com link near the bottom, there
C0D3R
Posted @ 1/3/2006 11:48 AM
Windows 98 is vulnerable when MS Office 97 or greater is
installed AND IE 4.0 or greater with the Desktop Update
*enabled* (Folder Options | View as Web Page) AND the
folder (right click a folder | properties) is enabled
for Thumbnail View.


What's interesting is how strenuously you deny the possibility that
win98 is vulnerable, when Microsoft themselves says it is.
http://www.microsoft.com/technet/security/advisory/912840.mspx

"Related software
....
Microsoft Windows 98, Microsoft Windows 98 Second Edition
(SE), and Microsoft Windows Millennium Edition (ME)"

Now your configuration may not be vulnerable at the end of the
day... but you seem way too sure that it's not based on what more
informed sources are saying.

Best Regards,
 
Hoosier Daddy

Virus Guy said:
ARG!

You can't say that Win-9x is vulnerable until it's clear that 9x
actually has a component that is responsible for rendering or handling
wmf files.

Not true. A vulnerability can exist in the absence of exploit code altogether.

I don't have the dll they suggest unregistering nor the gdi32.dll that gets the
recommended patch. I do have a gdi.exe which may be the Win98 application
that supplies the "feature" - it is described as "Windows Graphics Device
Interface core component" in the file properties. If this application supports the
escape() function they are concerned about, then this may be the vulnerable
program.
 
me

ARG!

You can't say that Win-9x is vulnerable until it's clear
that 9x actually has a component that is responsible for
rendering or handling wmf files.

We know that Macro$loth didn't include shell handling of
wmf files until (apparently) ME.

http://support.microsoft.com/?kbid=272969

FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).

So, that ver. of W95 on that particular PC is not vulnerable.
Vulnerability checker from hexblog.com confirms that (tho it's
not clear if the checker can analyze W9x correctly).

J
 
Art

FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).

So, that ver. of W95 on that particular PC is not vulnerable.

Setting WMF file association to Irfanview has nothing whatsoever
to do with whether or not an OS is vulnerable. BTW, I advise setting
the file association to a hex editor ... ever since I witnessed Irfan
going nuts and practically crashing my system on a real live exploit
I was trying. It's really a good idea to set other pic image file
associations to a hex editor as well.

Vulnerability checker from hexblog.com confirms that (tho it's
not clear if the checker can analyze W9x correctly).

It's been made very clear that Ilfak's checker (and fix) is only
valid for Win 2K/XP

Art

http://home.epix.net/~artnpeg
 
Frankster

FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).

So, that ver. of W95 on that particular PC is not vulnerable.

----------------------
vul-ner-a-ble: capable of being wounded : susceptible to wounds 2 : open to
attack 3 : liable to increased penalties in contract bridge -
vul-ner-a-bil-i-ty - vul-ner-a-b-ly

(c)2000 Zane Publishing, Inc. and Merriam-Webster, Incorporated. All rights
reserved.
 
Virus Guy

Todd H. said:
What's interesting is how strenuously you deny the possibility
that win98 is vulnerable, when Microsoft themselves says it is.

http://www.microsoft.com/technet/security/advisory/912840.mspx

No. What's interesting is that I already posted an argument about
what Micro$haft wrote on that above-mentioned web page on Saturday.
You apparently didn't read it. I will reproduce it below:

-----------
According to:
http://www.microsoft.com/technet/security/advisory/912840.mspx

Win 98 and 98 SE are referenced. Expand the "overview" section
and you'll see.

Yes, let's see:

-----------
General Information
Overview

This advisory discusses the following software.
Related Software
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
and Microsoft Windows Millennium Edition (ME)
------------

The inclusion of Win-98 in the above list is nothing but a lie. If
you expand all the sections of that advisory (FAQ, Suggested actions)
you will ->NOT<- find any reference to Windows 98.

Read what it says. It says "this advisory discusses the following
software". That is extremely vague.

Show me anywhere in that advisory where Macro$haft comes right out in
the open and says that "The following OS's are vulnerable to this
exploit: X, Y, Z, " etc. THEY SAY NO SUCH THING!

They have gone out of their way to craft a set of statements in that
advisory that talk in generalities about ->which<- versions of Windoze
are vulnerable.

So don't tell me that Micro$hit has come right out and stated in no
uncertain terms which OS's are affected or vulnerable to this problem
with WMF file handling.
 
Offbreed

FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).

So, that ver. of W95 on that particular PC is not vulnerable.

That version, COMBINED WITH THE PRESENTLY INSTALLED PROGRAMS, is not
vulnerable to THIS exploit.

Nobody runs Win95 or Win98 without other programs. What use would it be?
 
kurt wismer

Virus said:
ARG!

You can't say that Win-9x is vulnerable until it's clear that 9x
actually has a component that is responsible for rendering or handling
wmf files.

it *is* clear... if you'd stop focusing on the early advice to
unregister a dll that isn't shipped with your OS and look closely at
where the investigation has gone since then you'd realize that...
 
kurt wismer

FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).

win95 *has* the vulnerability... the current exploits are simply not
compatible with win95... there's a big difference there...

So, that ver. of W95 on that particular PC is not vulnerable.
Vulnerability checker from hexblog.com confirms that (tho it's
not clear if the checker can analyze W9x correctly).

the vulnerability checker isn't for that version of windows either...
the checker and patch are both only for recent versions of windows...
 
Todd H.

Virus Guy said:
No. What's interesting is that I already posted an argument about
what Micro$haft wrote on that above-mentioned web page on Saturday.
You apparently didn't read it. I will reproduce it below:

Wake me when yer done.

The inclusion of Win-98 in the above list is nothing but a lie.

Conspiracy! It's a conspiracy for them to sell more Vista, I'm
CERTAIN. Thanks for alerting us to this. Whew.

Enjoy your Windows 98. You two deserve each other. :)
 
Offbreed

Agreed. My observations were about one box in its whatever
space-time continuum. ;)

Sorry. For me, "box" is defined more by the hardware than by the
programs on the disk so I did not catch what you meant.
 
me

That version, COMBINED WITH THE PRESENTLY INSTALLED
PROGRAMS, is not vulnerable to THIS exploit.

Nobody runs Win95 or Win98 without other programs. What use
would it be?

Agreed. My observations were about one box in its whatever
space-time continuum. ;)

J
 
