A
Art
To distribute the load, use Steve Gibson's web site:
http://www.grc.com/sn/notes-020.htm
Art
http://home.epix.net/~artnpeg
http://www.grc.com/sn/notes-020.htm
Art
http://home.epix.net/~artnpeg
B
Bill
My assumption was correct. Too many hits on the website. Thankfully we
have Gibson Research to the rescue.
A
Art
Note this from Steve's site as well:
*************************************************
Windows 98/SE/ME users: Microsoft's original advice to "unregister
the shimgvw.dll" (shell image viewer) was never correct or useful on
those platforms. The good news is that all current WMF exploits appear
to be non-functional on the older Win9x vintage platforms . . . so you
will likely be okay until Microsoft has updated your system with the
next security patches. There is no short-term workaround for Windows
9x/SE/ME users.
************************************************
This should help clarify some of the confusion concerning the
vulnerabity of 98/ME. These systems are vulnerable, but not in
the same way or by the same methods, as I understand it. Exploit
code could be written for them at any time (and there have apparently
been earlier WMF exploits for them). But you have a little bit of
"security by obscurity" going on here right at the moment.
Art
http://home.epix.net/~artnpeg
F
Frankster
What about this? Temp fix is bad advice?
http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589
-Frank
http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589
-Frank
A
Art
V
Virus Guy
Art said:
ARG!
You can't say that Win-9x is vulnerable until it's clear that 9x
actually has a component that is responsible for rendering or handling
wmf files.
We know that Macro$loth didn't include shell handling of wmf files
until (apparently) ME.
http://support.microsoft.com/?kbid=272969
A
Art
Aside from the fact that experts claim a inherent vulnerability exists
going back as far as Win 3.X .... I found several descriptions of
earlier WMF exploits where Win 98 is included as one of the OS
susceptable. Here's one example that's over a year old:
http://www.proantivirus.com/en/viruses/virusinfo_detail.php?ID=554
Symantec has several old descriptions along similar lines where Win 98
is included. WMF exploits are not new. It's just that the big hoopla
of the moment is the series of exploits aimed mainly at XP and Server
3000.
Art
http://home.epix.net/~artnpeg
V
Virus Guy
Art said:
And yet these experts do not say how Win 9x systems are vulnerable.
Again I can't see how a 9x system is vulnerable if even MATURE
installations of 9x are not set up to handle wmf file associations -
or - if they do not have any M$ software installed to handle or render
WMF files.
It's not even clear to me that third-party software (like ACDSee) are
vulnerable unless those programmers made the same mistake that M$ did
when writing the code that handles WMF file processing.
And I will say the same thing. 9X systems remain in-vulnerable unless
or until someone can point out how those systems use native M$ code or
components to handle wmf files.
The truth is, for the vast majority of 9X systems out there, that wmf
files are unknown file types and they have no idea how to handle them
- which turns out to be a good thing.
T
Todd H.
Virus Guy said:
Virus Guy, you may have that name for a reason -- you seem to be
deluding yourself into thinking your world is safe when it very well
may not be. In the words of SANS from
http://isc2.sans.org/diary.php?date=2006-01-03 which you might wanna
read:
"...please do make the difference between a vulnerability and
the lack of an exploit.
* One working exploit proves a vulnerability.
* Many non-functional exploits prove nothing towards the
lack of a vulnerability.
also, this:
From the averyjarker.com link near the bottom, there
C0D3R
Posted @ 1/3/2006 11:48 AM
Windows 98 is vulnerable when MS Office 97 or greater is
installed AND IE 4.0 or greater with the Desktop Update
*enabled* (Folder Options | View as Web Page) AND the
folder (right click a folder | properties) is enabled
for Thumbnail View.
What's interesting is how strenuously you deny the possibility that
win98 is vulnerable, when Microsoft themselves says it is.
http://www.microsoft.com/technet/security/advisory/912840.mspx
"Related software
....
Microsoft Windows 98, Microsoft Windows 98 Second Edition
(SE), and Microsoft Windows Millennium Edition (ME)"
Now your configuration may not be vulnerable at the end of the
day... but you seem way too sure that it's not based on what more
informed sources are saying.
Best Regards,
H
Hoosier Daddy
Virus Guy said:
Not true. A vulnerability can exist in the absence of exploit code altogether.
I don't have the dll they suggest unregistering nor the gdi32.dll that gets the
recommended patch. I do have a gdi.exe which may be the Win98 application
that supplies the "feature" - it is described as "Windows Graphics Device
Interface core component" in the file properties. If this application supports the
escape() function they are concerned about, then this may be the vulnerable
program.
M
me
FWIW:
IrfanView running on W95 B (4.00.950 b) opens and displays w/o
problems and or side effect all five .WMF test files from the
German site (cf. Gabriele Neukam's post).
So, that ver. of W95 on that particular PC is not vulnerable.
Vulnerability checker from hexblog.com confirms that (tho it's
not clear if the checker can analyze W9x correctly).
J
A
Art
Setting WMF file association to Irfanview has nothing whasoever
to do with whether or not a OS is vulnerable. BTW, I advise setting
the file association to a hex editor ... ever since I witnessed Irfan
going nuts and practically crashing my system on a real live exploit
I was trying. It's really a good idea to set other pic image file
associations to a hex editor as well.
It's been made very clear that Ilfak's checker (and fix) is only
valid for Win 2K/XP
Art
http://home.epix.net/~artnpeg
F
Frankster
FWIW:
----------------------
vul-ner-a-ble: capable of being wounded : susceptible to wounds 2 : open to
attack 3 : liable to increased penalties in contract bridge -
vul-ner-a-bil-i-ty - vul-ner-a-b-ly
(c)2000 Zane Publishing, Inc. and Merriam-Webster, Incorporated. All rights
reserved.
----------------------
vul-ner-a-ble: capable of being wounded : susceptible to wounds 2 : open to
attack 3 : liable to increased penalties in contract bridge -
vul-ner-a-bil-i-ty - vul-ner-a-b-ly
(c)2000 Zane Publishing, Inc. and Merriam-Webster, Incorporated. All rights
reserved.
V
Virus Guy
Todd H. said:
No. What's interesting is that I already posted an argument about
what Micro$haft wrote on that above-mentioned web page on Saturday.
You apparently didn't read it. I will reproduce it below:
-----------
Yes, let's see:
-----------
General Information
Overview
This advisory discusses the following software.
Related Software
Microsoft Windows 98
Microsoft Windows 98 Second Edition (SE)
and Microsoft Windows Millennium Edition (ME)
------------
The inclusion of Win-98 in the above list is nothing but a lie. If
you expand all the sections of that advisory (FAQ, Suggested actions)
you will ->NOT<- find any reference to Windows 98.
Read what it says. It says "this advisory discusses the following
software". That is extremely vague.
Show me anywhere in that advisory where Macro$haft comes right out in
the open and says that "The following OS's are vulnerable to this
exploit: X, Y, Z, " etc. THEY SAY NO SUCH THING!
They have gone out of their way to craft a set of statements in that
advisory that talk in generalities about ->which<- versions of Windoze
are vulnerable.
So don't tell me that Micro$hit has come right out and stated in no
uncertain terms which OS's are affected or vulnerable to this problem
with WMF file handling.
O
Offbreed
That version, COMBINED WITH THE PRESENTLY INSTALLED PROGRAMS, is not
vulnerable to THIS exploit.
Nobody runs Win95 or Win98 without other programs. What use would it be?
K
kurt wismer
Virus said:
it *is* clear... if you'd stop focusing on the early advice to
unregister a dll that isn't shipped with your OS and look closely at
where the investigation has gone since then you'd realize that...
K
kurt wismer
win95 *has* the vulnerability... the current exploits are simply not
compatible with win95... there's a big difference there...
the vulnerability checker isn't for that version of windows either...
the checker and patch are both only for recent versions of windows...
T
Todd H.
Virus Guy said:
Wake me when yer done.
Conspiracy! It's a conspiracy for them to sell more Vista, I'm
CERTAIN. Thanks for alerting us to this. Whew.
Enjoy your Windows 98. You two deserve each other.
O
Offbreed
Agreed. My observations were about one box in its whatever
space-time continuum.
Sorry. For me, "box" is defined more by the hardware than by the
programs on the disk so I did not catch what you meant.
M
me
Agreed. My observations were about one box in its whatever
space-time continuum.
J