New Windows Metafile (WMF) 0-day exploit in the wild - Page 3

Thread: New Windows Metafile (WMF) 0-day exploit in the wild

  1. #31
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    http://www.grc.com/sn/notes-020.htm
    Microsoft is not fixing Windows 98/ME
    . . . so GRC will.

    Microsoft has now "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical (instead of just fixing it!). This means that it will probably NOT be updated and patched to eliminate the WMF handling vulnerability that those older versions of Windows apparently still have. (This vulnerability still needs to be confirmed.)

    So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

  2. #32
    HAN (Virtual PC Specialist!!!)
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    In my web travels, I have not seen tests on older versions of Windows that prove beyond any doubt that 98, 98SE and ME are not vulnerable like MS seems to be saying. I have to admit that I seriously doubt MS's commitment to owners of these older Win versions (even though they said they would stand by us).

    FWIW, there was (and for the moment, is) a patch that will run on older versions of Windows that was put out by eset, makers of NOD32. Apparently, MS contacted eset corporate and asked them to no longer list it. The reason given can be seen here. (FWIW, Mr. Monti is the writer of many of NOD32's standalone cleanup utilities.) http://www.wilderssecurity.com/showt...=114251&page=2

    The patch has been looked at by a user here (5th post from the bottom) http://www.dslreports.com/forum/rema...9999~start=740

    The download link posted still works at this moment http://www.eset.com/download/wmfpatch11.zip

    I have downloaded it and run it on my 98SE laptop. So far, I have no negative issues at all and my install looks the same as the user I posted about above. I plan to install the patch on all PCs I have contact with that are Win 98 thru ME. Thought some of you may find this useful...

  3. #33
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Thanks HAN! I too still deal with Win98 machines on a daily basis.

    Find it interesting that Microsoft has decided not to release a WMF patch for 95/98/Me -and- has asked ESET to pull theirs?

    Anyway ... for all you/us Windows 95/98/Me users:

    http://www.wilderssecurity.com/showt...=114251&page=2
    Wilders Security Forums > Official Eset NOD32 Antivirus Forum > NOD32 version 2 Forum
    Microsoft Media File Vulnerability

    Paolo Monti
    Eset Moderator
    Join Date: Oct 2002
    Location: Rome, Italy
    Posts: 278

    AFAIK, Microsoft asked Eset to withdraw the patch to avoid any possible issue with the upcoming official patch. Up to now, we didn't get any request from MS, so the patch is still available on our website (I mean, nod32.it).

    I want to clarify that I'm the sole author of the patch and that Eset didn't endorse my unofficial patch in any way. I just wrote it for the PCs in my LAN, then when I read that Ilfak released his own unofficial patch I decided to do the same, since Ilfak's patch doesn't work on Win 9x/ME.

    Like Ilfak, I also strongly suggest uninstalling the patch as soon as MS releases an official one.

    ciao,
    Paolo.
    --

    http://www.nod32.ch/en/download/tools.php
    ESET > NOD32 > Free Tools
    Paolo Monti (NOD32 Italy) provides convenient stand-alone cleaners for a great number of malware.
    WMF Patch by Paolo Monti
    Update January 5 2006 [23:10 UTC+1]:

    ...

    Paolo Monti has released a temporary patch for the WMF vulnerability (see Microsoft Security Bulletin 912840). This patch intercepts the Escape GDI32 API in order to filter the SETABORTPROC (function number 9). It uses dynamic API hooks, avoiding patching or modifying of the GDI32 code. Advantage of this approach: fully dynamic - no reboot is required.

    This patch also works on Windows 9x/ME. Administrator rights are required to install it on WinNT, 2000, XP, 2003 systems.

    Installation: unzip the file WMFPATCH11.ZIP and run the provided INSTALL.EXE file. Follow the instructions of the installer.

    Uninstallation: go into Windows Control Panel, Add/Remove Programs, select "GDI32 - WMF Patch" and remove it.

    Download Site 1: WMFPATCH11.ZIP
    http://d1.nod32.ch/download/wmfpatch11.zip

    Download Site 2: WMFPATCH11.ZIP
    http://www.idiosyn.ch/download/wmfpatch11.zip

    ...

    This patch is provided without warranties of any kind. Use it at your own risk. We recommend uninstalling this temporary patch before applying [any] official Microsoft patch ... As an alternative to this patch you can also install the 30 day free trial version of NOD32 antivirus.

  4. #34
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    Eset claim that someone using Nod32 was protected against this flaw in any case through the heuristic filter called Threatsense. If that is true, it makes me feel a whole lot safer using Nod32. Great product!

  5. #35
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    Here is an interesting short article about which AVs would have detected the latest Windows exploit.
    AV-Test, an independent test lab that tracks malware and anti-malware products, has been closely tracking detection of exploits based on the WMF flaw. Below is an update as of the morning of January 4 to the anti-virus detection stats for WMF variants we published earlier in the week. There's both good news and not so good news in it. The original numbers are below the first set on this page.
    Read the rest to see which AVs would have kept you safe, as of January 4th.
    http://www.pcmag.com/article2/0,1895,1907518,00.asp

  6. #36
    Join Date
    May 2002
    Location
    Dallas, Texas, USA
    Posts
    1,413
    Usil,

    Thanks for posting this.

    Cheers,

    Linda

  7. #37
    Join Date
    Jun 2002
    Location
    Israel
    Posts
    5,132
    I know you are a big fan of Panda, Linda. Unfortunately, they didn't make the grade. Panda and TrendMicro are the only two that surprise me, especially as Panda usually have daily updates (more than one sometimes).
    Whoever is using AVG, please stop using it. They fail so many tests I've lost count. Avast is far superior in all testing done, and it's also free.

  8. #38
    Join Date
    Oct 2000
    Location
    OH USA
    Posts
    2,945
    Thanks for the link usil.
    I agree about avast.
    Works well, and free.

  9. #39
    HAN (Virtual PC Specialist!!!)
    Join Date
    Feb 2002
    Location
    USA
    Posts
    4,319
    Looks like someone was trying to use the WMF for spying...
    http://news.zdnet.com/2100-1009_22-6029691.html
