#1

Has anyone just removed the .wmf file type?

Would this be equal to (or even better than) unregistering the fax/picture viewer DLL?

I assume it would result in the user being prompted to specify a program to open the file.

Thanks.

====
Mike

#2

> Has anyone just removed the .wmf file type?
>
> Would this be equal to (or even better than) unregistering the fax/picture
> viewer DLL?

From what I understand this vulnerability can occur with the extension JPGs, JPEGs, PNGs, GIFs, TIFFs so, no, the original suggestion is no good.

Good thought.

Stephen Howe

#3

Thanks.

If that's the case, then the recommended action from CERT of blocking access to Windows metafiles at the network perimeter is just as useless.

CERT: www.kb.cert.org/vuls/id/181038

====
Mike

"Stephen Howe" wrote:
> > Has anyone just removed the .wmf file type?
> >
> > Would this be equal to (or even better than) unregistering the fax/picture
> > viewer DLL?
>
> From what I understand this vulnerability can occur with the extension JPGs,
> JPEGs, PNGs, GIFs, TIFFs
> so, no, the original suggestion is no good.
>
> Good thought.
>
> Stephen Howe

#4

Mike U wrote:
> Has anyone just removed the .wmf file type?
>
> Would this be equal to (or even better than) unregistering the
> fax/picture viewer DLL?
>
> I assume it would result in the user being prompted to specify a
> program to open the file.

Not removing it, but changing it to Notepad, is one of the suggestions made here:
http://sunbeltblog.blogspot.com/2005...f-exploit.html

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup

#5

That might work in some cases, but if an infected WMF file was renamed as JPG, the file would go into the graphics renderer and there it would try to open as JPG, fail, then figure out it was a WMF file by the header info in the file, and run the WMF rendering code. Blammo.

Bill

"Ken Blake, MVP" wrote:
> Not removing it, but changing it to Notepad, is one of the suggestions made
> here:
> http://sunbeltblog.blogspot.com/2005...f-exploit.html

#6

Bill Gallagher wrote:
> That might work in some cases, but if an infected WMF file was
> renamed as JPG, the file would go into the graphics renderer and
> there it would try to open as JPG, fail, then figure out it was a WMF
> file by the header info in the file, and run the WMF rendering code.
> Blammo.

Yes, that's pointed out on the page I cited below. As the page says "it's a pretty weak workaround."

--
Ken Blake - Microsoft MVP Windows: Shell/User
Please reply to the newsgroup

> "Ken Blake, MVP" wrote:
>> Not removing it, but changing it to Notepad, is one of the
>> suggestions made here:
>> http://sunbeltblog.blogspot.com/2005...f-exploit.html

#7

On Fri, 30 Dec 2005 22:08:02 -0800, "Bill Gallagher"

>That might work in some cases, but if an infected WMF file was renamed as
>JPG, the file would go into the graphics renderer and there it would try to
>open as JPG, fail, then figure out it was a WMF file by the header info in
>the file, and run the WMF rendering code. Blammo.

A generic reason to KILL file interpretation based on hidden internal information. The risks go beyond this particular WMF mess.

>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -

#8

Does anyone know of a script (in perl, or whatever) to check image files already on a hard drive to see if any of them are actually renamed .wmf files?

~greg

"cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org> wrote in message news:54kgr1hih7vq5t4qplpj9a3lt9i89fl5g2@4ax.com...
> On Fri, 30 Dec 2005 22:08:02 -0800, "Bill Gallagher"
>
>>That might work in some cases, but if an infected WMF file was renamed as
>>JPG, the file would go into the graphics renderer and there it would try to
>>open as JPG, fail, then figure out it was a WMF file by the header info in
>>the file, and run the WMF rendering code. Blammo.
>
> A generic reason to KILL file interpretation based on hidden internal
> information. The risks go beyond this particular WMF mess.
>
>
>
>>---------- ----- ---- --- -- - - - -
> Don't pay malware vendors - boycott Sony
>>---------- ----- ---- --- -- - - - -

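A header check of the kind asked for in post #8, written in Python as an added example that is not part of the original thread or any poster's code. The function names and the extension list are assumptions; the header values are those of the WMF format (the placeable key 0x9AC6CDD7, or a standard header with type 1 or 2, a 9-word header size and version 0x0100 or 0x0300).

```python
"""Flag image-named files whose first bytes are a Windows Metafile header."""
import os
import struct
import sys

# Key of the optional 22-byte "placeable" header, 0x9AC6CDD7 little-endian.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# Assumption: extensions treated as "should not be a metafile".
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}


def looks_like_wmf(head: bytes) -> bool:
    """True if head starts with a placeable or standard WMF header."""
    if head.startswith(PLACEABLE_KEY):
        return True
    if len(head) < 6:
        return False  # too short to hold type, header size and version
    ftype, header_words, version = struct.unpack_from("<HHH", head)
    # Standard header: type 1 (memory) or 2 (disk), 9-word header,
    # version 0x0100 or 0x0300.
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_renamed_wmf(root: str) -> list:
    """Return sorted paths under root with an image extension but WMF content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(6)
            except OSError:
                continue  # unreadable or locked file: skip, keep scanning
            if looks_like_wmf(head):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_renamed_wmf(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit means only that the file is a metafile carrying an image extension; the check says nothing about whether its contents are hostile.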