Re: Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution

X-post to Security, Security.Homeusers, IE6 & WinXP General newsgroups.
Followup-to set for microsoft.public.security.

The FAQ section of
http://www.microsoft.com/technet/sec...ry/912840.mspx has been
updated.

Fully expand Suggest Actions > Workarounds subsection to see steps you can
take to "help block known attack vectors".

Additional Resources:

Protect Your PC
http://www.microsoft.com/athome/security/protect/

Microsoft Security Home Page
http://www.microsoft.com/security/default.mspx
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org


PA Bear wrote:
> Microsoft Security Advisory (912840): Vulnerability in Graphics
> Rendering Engine Could Allow Remote Code Execution
> http://www.microsoft.com/technet/sec...ry/912840.mspx
> Welcome to the Microsoft Security Response Center Blog!
> New Security Advisory for Possible Windows Vulnerability
> http://blogs.technet.com/msrc/archiv...29/416569.aspx

> The FAQ section of
> http://www.microsoft.com/technet/sec...ry/912840.mspx has been
> updated.
>
> Fully expand Suggest Actions > Workarounds subsection to see steps you can
> take to "help block known attack vectors".

What about Windows 2000 Professional SP4?
Running that at work and that has

07/12/1999 12:00 52,496 shimgvw.dll

Is the workaround useless for Windows 2000?

According to here
http://www.updatexp.com/wmf-exploit.html
ME & 2000 are vulnerable

Cheers

Stephen Howe

Stephen Howe wrote:
> > The FAQ section of
> > http://www.microsoft.com/technet/sec...ry/912840.mspx has been
> > updated.
> >
> > Fully expand Suggest Actions > Workarounds subsection to see steps you
> > can take to "help block known attack vectors".
>
> What about Windows 2000 Professional SP4?
> Running that at work and that has
>
> 07/12/1999 12:00 52,496 shimgvw.dll
>
> Is the workaround useless for Windows 2000?
>
> According to here
> http://www.updatexp.com/wmf-exploit.html
> ME & 2000 are vulnerable

<QP>
This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
</QP>
Source: http://www.microsoft.com/technet/sec...ry/912840.mspx
--
~PA Bear

In microsoft.public.windows.inetexplorer.ie6.browser Stephen Howe <stephenPOINThoweATtns-globalPOINTcom> wrote:
> > The FAQ section of
> > http://www.microsoft.com/technet/sec...ry/912840.mspx has been
> > updated.
> >
> > Fully expand Suggest Actions > Workarounds subsection to see steps you can
> > take to "help block known attack vectors".

> What about Windows 2000 Professional SP4?
> Running that at work and that has

> 07/12/1999 12:00 52,496 shimgvw.dll

> Is the workaround useless for Windows 2000?

So it would appear, since the article specifically states, "Un-register
the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service
Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server
2003 Service Pack 1." No mention of Windows 2000 or ME.


> According to here
> http://www.updatexp.com/wmf-exploit.html
> ME & 2000 are vulnerable

--
Gary L. Smith
Columbus, Ohio

In some older versions of Windows (Windows 2000 and Windows ME) there was a
little-known program called "Imaging" that was really a third-party program
from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
and .PCX. This program could be installed from the Control Panel, Add
Windows Components under Accessories, and was very handy for viewing scanned
FAX documents.

In Windows XP, this program has been replaced by "Windows Picture and Fax
Viewer."


"Gary Smith" <bitbucket@example.com> wrote in message
news:%23yEBcjZDGHA.2040@TK2MSFTNGP14.phx.gbl...
| In microsoft.public.windows.inetexplorer.ie6.browser Stephen Howe
<stephenPOINThoweATtns-globalPOINTcom> wrote:
| > > The FAQ section of
| > > http://www.microsoft.com/technet/sec...ry/912840.mspx has
been
| > > updated.
| > >
| > > Fully expand Suggest Actions > Workarounds subsection to see steps you
can
| > > take to "help block known attack vectors".
|
| > What about Windows 2000 Professional SP4?
| > Running that at work and that has
|
| > 07/12/1999 12:00 52,496 shimgvw.dll
|
| > Is the workaround useless for Windows 2000?
|
| So it would appear, since the article specifically states, "Un-register
| the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service
| Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server
| 2003 Service Pack 1." No mention of Windows 2000 or ME.
|
|
| > According to here
| > http://www.updatexp.com/wmf-exploit.html
| > ME & 2000 are vulnerable
|
| --
| Gary L. Smith
| Columbus, Ohio

From: "Tom [Pepper] Willett" <tompepper@mvps.invalid>

| In some older versions of Windows (Windows 2000 and Windows ME) there was a
| little-known program called "Imaging" that was really a third-party program
| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
| and .PCX. This program could be installed from the Control Panel, Add
| Windows Components under Accessories, and was very handy for viewing scanned
| FAX documents.
|
| In Windows XP, this program has been replaced by "Windows Picture and Fax
| Viewer."


shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Yes, it was.

Tom
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eIU1pvZDGHA.2148@TK2MSFTNGP10.phx.gbl...
| From: "Tom [Pepper] Willett" <tompepper@mvps.invalid>
|
|| In some older versions of Windows (Windows 2000 and Windows ME) there was
a
|| little-known program called "Imaging" that was really a third-party
program
|| from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
|| and .PCX. This program could be installed from the Control Panel, Add
|| Windows Components under Accessories, and was very handy for viewing
scanned
|| FAX documents.
||
|| In Windows XP, this program has been replaced by "Windows Picture and Fax
|| Viewer."
|
|
| shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :-)
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|

So are you saying that it's a different module with the same name, or the
same module with different functions, or what? Your posts are related to
the topic but don't appear to address it in any obvious way.


In microsoft.public.windows.inetexplorer.ie6.browser Tom [Pepper] Willett <tompepper@mvps.invalid> wrote:
> Yes, it was.

> Tom
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> news:eIU1pvZDGHA.2148@TK2MSFTNGP10.phx.gbl...
> | From: "Tom [Pepper] Willett" <tompepper@mvps.invalid>
> |
> || In some older versions of Windows (Windows 2000 and Windows ME) there was
> a
> || little-known program called "Imaging" that was really a third-party
> program
> || from Kodak that allowed you to view image files such as .BMP, .JPG, .TIF,
> || and .PCX. This program could be installed from the Control Panel, Add
> || Windows Components under Accessories, and was very handy for viewing
> scanned
> || FAX documents.
> ||
> || In Windows XP, this program has been replaced by "Windows Picture and Fax
> || Viewer."
> |
> |
> | shimgvw.dll was found on both my Win2K SP4 PC and my WinME PC :-)
> |
> | --
> | Dave
> | http://www.claymania.com/removal-trojan-adware.html
> | http://www.ik-cs.com/got-a-virus.htm
> |
> |

--
Gary L. Smith
Columbus, Ohio

From: "Gary Smith" <bitbucket@example.com>

| So are you saying that it's a different module with the same name, or the
| same module with different functions, or what? Your posts are related to
| the topic but don't appear to address it in any obvious way.
|

If your PC has shimgvw.dll registerd with the MS GDI graphic renderer then your PC is
vulnerable.

That's it.

Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

In microsoft.public.windows.inetexplorer.ie6.browser David H. Lipman <DLipman~nospam~@verizon.net> wrote:
> From: "Gary Smith" <bitbucket@example.com>

> | So are you saying that it's a different module with the same name, or the
> | same module with different functions, or what? Your posts are related to
> | the topic but don't appear to address it in any obvious way.
> |

> If your PC has shimgvw.dll registerd with the MS GDI graphic renderer then your PC is
> vulnerable.

> That's it.

> Therefore if your PC has shimgvw.dll installed then it is likely you are vulnerable.

Okay, I un-registered it. I don't have any real way of knowing whether
that makes me more secure, but I suspect that I'm not using it anyway.

--
Gary L. Smith
Columbus, Ohio