#1
For those who may not have seen this yet, there is a third party fix posted.
Apparently, it works by patching the Escape() function in gdi32.dll - disabling the SETABORT sequence. Of course, it is "use-at-your-own-risk" but the site where it can be downloaded indicates that it does have a useful silent install and can also be removed from Add/Remove Programs.

Computerworld, SANS & F-Secure have written about it - not in that order <g>. SANS states that they have vetted the code and provides links to it.

http://www.hexblog.com/2005/12/wmf_vuln.html
http://isc.sans.org/
http://www.f-secure.com/weblog/

====
Mike
#2
FYI, in addition Ilfak Guilfanov, who developed the patch referred to has also written a Vulnerability Tester, available here:
http://www.hexblog.com/2006/01/wmf_v...y_checker.html

Read carefully! Use of both the patch and the tester (before and after installing the patch) is Highly Recommended until MS comes out with a permanent fix.

--
Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
My Blog, Defending Your Machine, here:
http://DefendingYourMachine.blogspot.com/

"Mike U" <MikeU@discussions.microsoft.com> wrote in message
news:1F6C084C-EE51-4F56-B200-D568B4A9635E@microsoft.com
> For those who may not have seen this yet, there is a third party fix posted.
> Apparently, it works by patching the Escape() function in gdi32.dll - disabling the SETABORT sequence. Of course, it is "use-at-your-own-risk" but the site where it can be downloaded indicates that it does have a useful silent install and can also be removed from Add/Remove Programs.
>
> Computerworld, SANS & F-Secure have written about it - not in that order <g>. SANS states that they have vetted the code and provides links to it.
>
> http://www.hexblog.com/2005/12/wmf_vuln.html
> http://isc.sans.org/
> http://www.f-secure.com/weblog/
>
> ====
> Mike
#3
It looks like the patch alters the loaded gdi32.dll in memory, rather than making any permanent changes to the gdi32.dll file on disk.

It installs a small dll "wmfhotfix.dll" in C:\WINDOWS\system32, which does the work of maintaining the patched version of gdi32.dll in memory, and is loaded via the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

More details here
http://www.grc.com/groups/securitynow:423

Jon

"Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
news:e3GlqT9DGHA.3064@TK2MSFTNGP14.phx.gbl...
> FYI, in addition Ilfak Guilfanov, who developed the patch referred to has also written a Vulnerability Tester, available here:
> http://www.hexblog.com/2006/01/wmf_v...y_checker.html
>
> Read carefully! Use of both the patch and the tester (before and after installing the patch) is Highly Recommended until MS comes out with a permanent fix.
>
> --
> Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
> My Blog, Defending Your Machine, here:
> http://DefendingYourMachine.blogspot.com/
>
> "Mike U" <MikeU@discussions.microsoft.com> wrote in message
> news:1F6C084C-EE51-4F56-B200-D568B4A9635E@microsoft.com
>> For those who may not have seen this yet, there is a third party fix posted.
>> Apparently, it works by patching the Escape() function in gdi32.dll - disabling the SETABORT sequence. Of course, it is "use-at-your-own-risk" but the site where it can be downloaded indicates that it does have a useful silent install and can also be removed from Add/Remove Programs.
>>
>> Computerworld, SANS & F-Secure have written about it - not in that order <g>. SANS states that they have vetted the code and provides links to it.
>>
>> http://www.hexblog.com/2005/12/wmf_vuln.html
>> http://isc.sans.org/
>> http://www.f-secure.com/weblog/
>>
>> ====
>> Mike
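
The load mechanism described in Jon's post above (a DLL named in AppInit_DLLs) can be audited from PowerShell. This is an added example, not part of the original thread and not the hotfix's own code; the function names are hypothetical, and it assumes a bare DLL name in the value resolves against System32, where the post says wmfhotfix.dll is installed.

```powershell
# Added example: audit the AppInit_DLLs value that loads wmfhotfix.dll.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Split-AppInitValue {
    param([string]$Value)
    # The value is a list of DLL names separated by spaces or commas.
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    return @($Value -split '[ ,]+' | Where-Object { $_ })
}

function Get-AppInitAudit {
    param(
        # Supply -Value to audit a string offline; otherwise read the live registry.
        [string]$Value = (Get-ItemProperty -Path $KeyPath -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    )
    foreach ($entry in Split-AppInitValue $Value) {
        # Assumption: a bare name resolves against System32.
        $path = if (Split-Path $entry -IsAbsolute) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
        $exists = Test-Path -LiteralPath $path
        # Signature status is only meaningful when the file is present.
        $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Entry       = $entry
            Path        = $path
            Exists      = $exists
            Signature   = $sig
            IsWmfHotfix = ((Split-Path $entry -Leaf) -ieq 'wmfhotfix.dll')
        }
    }
}

# Constructed sample value (not taken from a real machine): the hotfix plus one other DLL.
Get-AppInitAudit -Value 'wmfhotfix.dll, C:\Temp\other.dll' | Format-Table -AutoSize

# Live audit of this machine's registry value.
Get-AppInitAudit | Format-Table -AutoSize
```

A row with IsWmfHotfix set shows the third-party hotfix is still being loaded into processes; any other row is a DLL loaded through the same key and deserves the same review.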
#4
Looks like an official patch is on its way
http://www.microsoft.com/technet/sec...ry/912840.mspx

From the updated site......

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing. The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Jon

"Jon" <Email_Address@SomewhereOrOther.com> wrote in message
news:eK2CPCEEGHA.2912@tk2msftngp13.phx.gbl...
> It looks like the patch alters the loaded gdi32.dll in memory, rather than making any permanent changes to the gdi32.dll file on disk.
>
> It installs a small dll "wmfhotfix.dll" in C:\WINDOWS\system32, which does the work of maintaining the patched version of gdi32.dll in memory, and is loaded via the registry key
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
>
> More details here
> http://www.grc.com/groups/securitynow:423
>
> Jon
>
> "Jim Byrd" <jrbyrd@spamlessadelphia.net> wrote in message
> news:e3GlqT9DGHA.3064@TK2MSFTNGP14.phx.gbl...
>> FYI, in addition Ilfak Guilfanov, who developed the patch referred to has also written a Vulnerability Tester, available here:
>> http://www.hexblog.com/2006/01/wmf_v...y_checker.html
>>
>> Read carefully! Use of both the patch and the tester (before and after installing the patch) is Highly Recommended until MS comes out with a permanent fix.
>>
>> --
>> Regards, Jim Byrd, MS-MVP/DTS/AH-VSOP
>> My Blog, Defending Your Machine, here:
>> http://DefendingYourMachine.blogspot.com/
>>
>> "Mike U" <MikeU@discussions.microsoft.com> wrote in message
>> news:1F6C084C-EE51-4F56-B200-D568B4A9635E@microsoft.com
>>> For those who may not have seen this yet, there is a third party fix posted.
>>> Apparently, it works by patching the Escape() function in gdi32.dll - disabling the SETABORT sequence. Of course, it is "use-at-your-own-risk" but the site where it can be downloaded indicates that it does have a useful silent install and can also be removed from Add/Remove Programs.
>>>
>>> Computerworld, SANS & F-Secure have written about it - not in that order <g>. SANS states that they have vetted the code and provides links to it.
>>>
>>> http://www.hexblog.com/2005/12/wmf_vuln.html
>>> http://isc.sans.org/
>>> http://www.f-secure.com/weblog/
>>>
>>> ====
>>> Mike
#5
"Jon" <Email_Address@SomewhereOrOther.com> wrote
> Looks like an official patch is on its way
> http://www.microsoft.com/technet/sec...ry/912840.mspx

MS should hire people who come up with exploits like this to work for them...

--
Bob
http://www.kanyak.com
#6
"Opinicus" <gezgin@spamcop.net> wrote in message
news:11rljbj16i2asaa@news.supernews.com...
> MS should hire people who come up with exploits like this to work for them...

That used to be the "going wisdom" during the 80's and 90's,...then they discovered that this was how companies end up with a workforce of "shady" employees that they cannot trust.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
#7
From: "Phillip Windell" <@.>

| "Opinicus" <gezgin@spamcop.net> wrote in message
| news:11rljbj16i2asaa@news.supernews.com...
>> MS should hire people who come up with exploits like this to work for them...
|
| That used to be the "going wisdom" during the 80's and 90's,...then they discovered that this was how companies end up with a workforce of "shady" employees that they cannot trust.
|

Sounds like the CIA Today ! :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
#8
Opinicus wrote:
> "Jon" <Email_Address@SomewhereOrOther.com> wrote
>> Looks like an official patch is on its way
>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> MS should hire people who come up with exploits like this to work for them...

Actually that's how Bill Gates got his start according to at least one biography.
http://ei.cs.vt.edu/~history/Gates.Mirick.html

Kerry