No WMF Exploit - If you have DEP capable CPUs and DEP enabled

Saucy Lemon

If you have DEP capable CPUs such as the later offerings by Intel and AMD
and if you have DEP fully enabled in Windows, according to the reports the
WMF exploit cannot affect you.

To quote SANS:

"With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
range of exploits, by preventing the execution of 'data segments'. However,
to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
CPUs, will provide full DEP protection and will prevent the exploit."
 
Richard G. Harper

Can we possibly stop cross-posting XP fixes in Win98 forums? Either that or
kindly tell me how to activate DEP in Windows 98. ;-)

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Saucy Lemon

Richard said:
Can we possibly stop cross-posting XP fixes in Win98 forums? Either
that or kindly tell me how to activate DEP in Windows 98. ;-)

You activate DEP in Windows 98 by upgrading to a modern computer and modern
operating system. While 'tis true good code is forever, it's also true that
Windows 98 [as much loved by some as it is] is not up to modern security
threats .. the WMF exploit is a good example.

A modern CPU with a modern OS properly configured isn't affected by the WMF
exploit.

A lot of people don't like the idea of upgrading, but it's a lot closer to
2008 than 1998. Maybe it is time to start saving the pennies for a new CPU.
 
Alias

Saucy said:
A modern CPU with a modern OS properly configured isn't affected by the WMF
exploit.

A lot of people don't like the idea of upgrading, but it's a lot closer to
2008 than 1998. Maybe it is time to start saving the pennies for a new CPU.

When you say a "modern" CPU, would an Athlon XP 3000+ meet the "modern"
standards? How about an Athlon XP 2200? Can you be more specific?
 
BC

Saucy said:
Richard said:
Can we possibly stop cross-posting XP fixes in Win98 forums? Either
that or kindly tell me how to activate DEP in Windows 98. ;-)

You activate DEP in Windows 98 by upgrading to a modern computer and modern
operating system. While 'tis true good code is forever, it's also true that
Windows 98 [as much loved by some as it is] is not up to modern security
threats .. the WMF exploit is a good example.

Duh. Windows 98 has *NOT* been shown to be vulnerable to
the WMF exploit despite mucho noise to the contrary. Even
Microsoft has very grudgingly admitted as much.

From:
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
(Buried in the FAQ section.)

"Are Windows 98, Windows 98 Second Edition, or Windows
Millennium Edition critically affected by one or more of the
vulnerabilities that are addressed in this security bulletin?
No."
A modern CPU with a modern OS properly configured isn't affected by the WMF
exploit.

Well, actually, most older PC's with an old OS sloppily
configured turned out to be far, FAR more resistant to the
WMF exploit than a typical "modern CPU with a modern
OS properly configured." If you have Win98, are using a
modern browser like Firefox or Opera, got decent firewall
and antivirus programs, and don't use Outlook or Outlook
Express for email, you are far more secure than XP ever
was or ever will be.
A lot of people don't like the idea of upgrading, but it's a lot closer to
2008 than 1998. Maybe it is time to start saving the pennies for a new CPU.

And when is Vista coming out? If you haven't found a good
reason to switch to XP yet, there's reason to bother now.

-BC
 
R. McCarty

I believe that all PCs that have hardware DEP, have a Toggle setting in
BIOS to enable/disable it. Not sure if there are other ways to determine
if it's present from within Windows.
 
Saucy Lemon

Alias said:
When you say a "modern" CPU, would an Athlon XP 3000+ meet the
"modern" standards? How about an Athlon XP 2200? Can you be more
specific?

No. Check with the manufacturer. Almost the whole slate of AMD Athlon64,
Opteron and Sempron now have that feature as with Intel P4 and Celeron.
Somewhat older ones might not e.g. Sempron 2200+ doesn't, but then it is not
listed as a current offering by AMD.
 
Saucy Lemon

R. McCarty said:
I believe that all PCs that have hardware DEP, have a Toggle setting
in BIOS to enable/disable it. Not sure if there are other ways to
determine if it's present from within Windows.

The System Applet's Data Execution Prevention tab will indicate. If the CPU
doesn't, the software DEP can still be enabled but a note will appear at the
bottom mentioning that your computer does not support hardware based DEP.
It works best if the hardware supports DEP.
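
An added example, not part of any post in this thread: besides the Data Execution Prevention tab, Windows reports the same information through the `DataExecutionPrevention_*` properties of the WMI class `Win32_OperatingSystem`, which makes it possible to tell hardware-enforced DEP from software-only DEP on many machines at once. The function name `Get-DepStatus` and the wording of the assessment strings are assumptions made for this example.

```powershell
# Added example: report hardware DEP availability and the system-wide policy.
# Get-DepStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Operating systems without DEP support do not populate this property.
    $raw = $os.DataExecutionPrevention_SupportPolicy
    if ($null -eq $raw) {
        return [pscustomobject]@{
            HardwareDep = $false
            Policy      = 'NotReported'
            Assessment  = 'This OS does not report a DEP policy'
        }
    }

    # Policy values as documented for Win32_OperatingSystem.
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = $names[[int]$raw]

    # Available is false when the CPU lacks the no-execute bit or the
    # firmware setting for it is switched off.
    $hw = [bool]$os.DataExecutionPrevention_Available

    $assessment =
        if (-not $hw) {
            'No hardware no-execute support in use: software DEP only'
        } elseif ($policy -eq 'AlwaysOff') {
            'CPU supports no-execute but DEP is disabled by policy'
        } elseif ($policy -eq 'OptIn') {
            'Hardware DEP covers Windows system binaries and opted-in programs only'
        } elseif ($policy -eq 'OptOut') {
            'Hardware DEP covers all processes except listed exemptions'
        } else {
            'Hardware DEP covers all processes, no exemptions allowed'
        }

    [pscustomobject]@{
        HardwareDep       = $hw
        Policy            = $policy
        AppliesTo32BitApp = [bool]$os.DataExecutionPrevention_32BitApplications
        AppliesToDrivers  = [bool]$os.DataExecutionPrevention_Drivers
        Assessment        = $assessment
    }
}

Get-DepStatus | Format-List
```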
 
R. McCarty

Appreciate the follow-up.

Saucy Lemon said:
The System Applet's Data Execution Prevention tab will indicate. If the
CPU doesn't, the software DEP can still be enabled but a note will appear
at the bottom mentioning that your computer does not support hardware
based DEP. It works best if the hardware supports DEP.
 
glee

Saucy Lemon said:
The System Applet's Data Execution Prevention tab will indicate. If the CPU
doesn't, the software DEP can still be enabled but a note will appear at the
bottom mentioning that your computer does not support hardware based DEP.
It works best if the hardware supports DEP.

....and software DEP will not protect against the WMF vulnerability, and probably
others; only hardware DEP will, in XP.
Please stop cross-posting these XP discussions to the 98 groups.
 
Saucy Lemon

glee said:
...and software DEP will not protect against the WMF vulnerability,
and probably others; only hardware DEP will, in XP.
Please stop cross-posting these XP discussions to the 98 groups.

Actually, Windows 98 is affected. The risk is not "critical" as the attack
vector is not the same for Windows 98. Besides, more generally, Windows 98
is vulnerable to buffer overrun exploits of various sorts, something which
a hardware and software upgrade could preclude and should probably be
considered by Windows 98 users.

When I posted the original post, I did so with the fact in mind that Windows
98 is potentially vulnerable - so I think it is OK to have cross-posted to
the Windows 98 'general' group. And I'm not going to stop cross-posting now
this far into the thread, especially since you saw fit to both comment and
crosspost yourself.
 
Tom [Pepper] Willett

You have now relegated yourself to troll status because of your attitude.
Such a helpful person. Go back to your parents' basement.

<plonk>

And I'm not going to stop cross-posting now
 
Alias

Saucy said:

No, you can't be more specific or no, an Athlon XP 2200 and 3000+ aren't
modern enough?
--
Alias

Use the Reply to Sender feature of your news reader program to email me.
Utiliza Responder al Remitente para mandarme un mail.

Check with the manufacturer. Almost the whole slate of AMD Athlon64,
 
Saucy Lemon

Alias said:
No, you can't be more specific or no, an Athlon XP 2200 and 3000+
aren't modern enough?

Check with the manufacturer. Almost the whole slate of AMD Athlon64,

Sorry, my apologies. The feature is fairly new. I don't have a specific
list. If you visit www.amd.com you will find that almost all the current
selling Athlon64s, Opterons and Semprons listed there include the feature.
But I do not have a list of specific models. You'd really have to check the
model against the feature.

Here we have a bunch of Semprons. The three 2200+ CPUs bought quite a few
months ago do not have the no-execute-bit, but the more recently 2500+
purchased, what, three months ago, does. I think AMD calls the feature
Enhanced Virus Protection (EVP) and boasts it for even the lowliest
Semprons it currently sells.

If you visit Intel, they clearly indicate which of the current selling
processors do and don't have the feature. Most of them do.

So if you buy a two year old model, well, it probably does not have it
... but if you buy even the current low end of a current selling line, then
it probably does. Check, of course.
 
Ivan Bútora

Why the hostility? I personally think that once a thread was started as a
cross-post, there is little reason to eliminate the crosspost, given the fact
that threads are usually viewed as a conversation group in newsreaders.

Additionally, although the DEP thing does not apply to Windows 98, it is of
interest simply because of comparison. For example I never knew something like
this existed, but now I will probably go find out some more information about
it, i.e. I learned something new.



Tom [Pepper] Willett said:
You have now relegated yourself to troll status because of your attitude.
Such a helpful person. Go back to your parents' basement.

<plonk>

And I'm not going to stop cross-posting now
this far into the thread, especially since you saw fit to both comment and
crosspost yourself.
 
Brian A.

Saucy Lemon said:
Richard said:
Can we possibly stop cross-posting XP fixes in Win98 forums? Either
that or kindly tell me how to activate DEP in Windows 98. ;-)

You activate DEP in Windows 98 by upgrading to a modern computer and
modern operating system. While 'tis true good code is forever, it's also
true that Windows 98 [as much loved by some as it is] is not up to modern
security threats .. the WMF exploit is a good example.

That in no way, shape or form indicates "How to activate DEP in Win98".
The simple answer is you can't, and most users with machines that have XP
and were purchased at the time XP was released won't have that capability
either.
A modern CPU with a modern OS properly configured isn't affected by the
WMF exploit.

A lot of people don't like the idea of upgrading, but it's a lot closer
to 2008 than 1998. Maybe it is time to start saving the pennies for a new
CPU.

What's your stake in the hardware market?


--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
 
Saucy Lemon

Brian said:
Saucy Lemon said:
Richard said:
Can we possibly stop cross-posting XP fixes in Win98 forums? Either
that or kindly tell me how to activate DEP in Windows 98. ;-)


If you have DEP capable CPUs such as the later offerings by Intel
and AMD and if you have DEP fully enabled in Windows, according to
the reports the WMF exploit cannot affect you.

You activate DEP in Windows 98 by upgrading to a modern computer and
modern operating system. While 'tis true good code is forever, it's
also true that Windows 98 [as much loved by some as it is] is not up
to modern security threats .. the WMF exploit is a good example.

That in no way, shape or form indicates "How to activate DEP in
Win98". The simple answer is you can't, and most users with machines
that have XP and were purchased at the time XP was released won't
have that capability either.
A modern CPU with a modern OS properly configured isn't affected by
the WMF exploit.

A lot of people don't like the idea of upgrading, but it's a lot
closer to 2008 than 1998. Maybe it is time to start saving the
pennies for a new CPU.

What's your stake in the hardware market?

Maybe it is a good time to buy? It is a simple fact though, the new
technology simply precludes much of one of the major avenues of attack: the
buffer overrun.

How many countless exploits that existed depended largely on the buffer
overrun? Tons. Taking that out of the equation is a major step forward for
the PC.
 
glee

Saucy Lemon said:
Actually, Windows 98 is affected. The risk is not "critical" as the attack
vector is not the same for Windows 98.

Not actually true at the moment, as there is *no* attack vector found for Win9x at
this time. Attempts to make the current attacks work in Win9x have all
failed...they simply rely upon features not available in Win9x. Which is not to say
that someone might not pursue that in the future, but it appears to be more trouble
than it's worth to exploit this in 9x.
Besides, more generally, Windows 98
is vulnerable to buffer overrun exploits of various sorts, something which
a hardware and software upgrade could preclude and should probably be
considered by Windows 98 users.

Certainly, this will always be true for all operating systems, but to think that
hardware improvements won't soon be matched by new malware and exploit avenues, is
naive. To expect people (and even small businesses) to replace their hardware when
they may have already done so just a few months ago, is hardly realistic.
When I posted the original post, I did so with the fact in mind that Windows
98 is potentially vulnerable - so I think it is OK to have cross-posted to
the Windows 98 'general' group.

Certainly. Understood. There is still debate going on here as to exactly what the
possibilities of this vulnerability are, for Win9x.....regardless of whether or not
it is Critical under Microsoft's definition.
And I'm not going to stop cross-posting now
this far into the thread, especially since you saw fit to both comment and
crosspost yourself.

That's fine....I was pretty much asking in terms of future threads, and others you
may or may not have started since that may be OT for the group. Certainly, I would
crosspost in my reply to you in this one, as it is already so far along and to not
crosspost would serve no purpose at this point. :)

Did I say certainly enough, BTW? ;-)
 
Saucy Lemon

Inline:
Not actually true at the moment, as there is *no* attack vector found
for Win9x at this time. Attempts to make the current attacks work in
Win9x have all failed...they simply rely upon features not available
in Win9x. Which is not to say that someone might not pursue that in
the future, but it appears to be more trouble than it's worth to
exploit this in 9x.


However, Windows 98 does contain the libraries and doesn't protect against
buffer overrun.

Certainly, this will always be true for all operating systems, but to
think that hardware improvements won't soon be matched by new malware
and exploit avenues, is naive. To expect people (and even small
businesses) to replace their hardware when they may have already done
so just a few months ago, is hardly realistic.


This is your point I wanted to answer most. The newer the system the easier
it is to upgrade. If the computer is just a few months old, say a relatively
recent Sempron or Celeron, then it's just the price of a new Sempron and
then voila, just pop the old one out and pop the EVP Sempron in. Instant
buffer overflow protection. So a business that just spent on newer machines
has only the cost of the CPUs .. which if it does stem off an attack could
be well worth the price.

It's the older machines that will be pricier because it will mean new CPU
mobo RAM etc. to get EVP and DEP.

Ever look at a list of exploits for Windows ?? One buffer overflow exploit
after another .. buffer overflow buffer overflow buffer overflow time and
time again. Eliminating that danger really delivers a one two punch against
the criminals and terrorists. It makes it much much harder for them to make
any headway against responsible computer operators.

Certainly. Understood. There is still debate going on here as to
exactly what the possibilities of this vulnerability are, for
Win9x.....regardless of whether or not it is Critical under
Microsoft's definition.


That's fine....I was pretty much asking in terms of future threads,
and others you may or may not have started since that may be OT for
the group. Certainly, I would crosspost in my reply to you in this
one, as it is already so far along and to not crosspost would serve
no purpose at this point. :)


No. Besides, even when there's the odd cross-post, these Microsoft groups
tend to be relatively civil. It's not like I did it to annoy anyone. And,
yes I really did think it was applicable to Windows 98 at the time.

Did I say certainly enough, BTW? ;-)


You are a good poster. I enjoy the conversations engaged in on newsgroups.
For what it's worth, I will be installing Windows 98 S.E. on a Sempron this
today. I want to discuss the term 'registry crud' with someone.
 
glee

Saucy Lemon said:
glee wrote: (snipped throughout)


This is your point I wanted to answer most. The newer the system the easier
it is to upgrade. If the computer is just a few months old, say a relatively
recent Sempron or Celeron, then it's just the price of a new Sempron and
then voila, just pop the old one out and pop the EVP Sempron in. Instant
buffer overflow protection. So a business that just spent on newer machines
has only the cost of the CPUs .. which if it does stem off an attack could
be well worth the price.

No, in that scenario, it is the cost of new CPU's *plus* installation charges, which
usually will include repair installs of XP SP2, as that is the OS needed to support
DEP. In the case of *small* businesses like the ones I support, this means expenses
they cannot afford or will not approve. Additionally, you don't take into account
the significant number of businesses that cannot install SP2, and so would have no
OS support for DEP.
For home users, the expense of the upgrade is not always something they can afford.
I know I couldn't, if I had a system that supported the needed processor in the
first place. Not everyone with even a reasonably recent system (a couple of years
old) uses a motherboard with the needed socket type.
It's the older machines that will be pricier because it will mean new CPU
mobo RAM etc. to get EVP and DEP.

Basically a new system....and it's cheaper to buy a new computer than to start
replacing all those parts. You apparently have no trouble getting your hands on
large amounts of money. :)

You are a good poster. I enjoy the conversations engaged in on newsgroups.
For what it's worth, I will be installing Windows 98 S.E. on a Sempron this
today. I want to discuss the term 'registry crud' with someone.

Ah, Registry crud. A favourite topic..... ;-)
 
