WMF Exploit patch

on 02.01.2006 20:34:10 by John Hyde

Has anyone checked out the "unofficial" WMF exploit patch found on the
NIST website? Does it do anything worth trying?

Linked from their article on :
http://www.nist.org/news.php?extend.50

Closest link I think is:

http://www.nist.org/download.php?list.2

The page says that you still need to unregister shimgvw.dll. Naturally,
what is really needed is the ability to get back to business as usual.
(I've been amazed at how many things apparently use shimgvw for image
rendering.)

Thanks for thoughts

JH

Re: WMF Exploit patch

on 03.01.2006 05:40:06 by comphelp

John Hyde writes:

> Has anyone checked out the "unofficial" WMF exploit patch found on the
> NIST website? Does it do anything worth trying?
>
> Linked from their article on :
> http://www.nist.org/news.php?extend.50
>
> Closest link I think is:
>
> http://www.nist.org/download.php?list.2
>
> The page says that you still need to unregister shimgvw.dll.
> Naturally, what is really needed is the ability to get back to
> business as usual. (I've been amazed at how many things apparently use
> shimgvw for image rendering.)
>
> Thanks for thoughts

I was hesitant and finally deployed the patch on my machines once it
showed up in the SANS handler's diary as having been pored over by one
of their folks.
http://isc.sans.org/diary.php?storyid=993


--
Todd H.
http://www.toddh.net/

Re: WMF Exploit patch

on 03.01.2006 09:49:43 by google

The SANS recommended hotfix intercepts calls to the exploitable program
routines in the vulnerable shimgvw.dll file. It completely mitigates
any threat from this vulnerability. No need to run Microsoft's suggested
unregister command, but it doesn't hurt to do so (belt and suspenders is
what SANS called it).

My only problem with this fix is it's not very enterprise friendly. It
requires installation on every machine through non-automated processes
(yes, you can automate an install yourself) and should be uninstalled
after Microsoft releases their fix.

The latest exploit kits allow creation of WMF files with varying
signatures. This was intended to make detection by IDS/IPS and
antivirus programs much harder or impossible. So this unofficial hotfix
may be all we have at the moment.

You can read more at http://www.NIST.org
Check back often for updates or subscribe to the NIST.org RSS feed.
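The post above notes that exploit kits vary the byte-level signature of the malicious WMF files, which defeats pattern-matching IDS and antivirus rules. What survives that variation is the file's structure: the public advisories for this vulnerability tied it to the metafile's GDI Escape record (META_ESCAPE, function 0x0626) carrying the SETABORTPROC escape code (0x0009), a record that legitimate image files essentially never contain. The following is an added example written for this thread, not code from any of the posters, SANS or NIST.org. It walks the WMF record list and flags any such escape record regardless of what bytes follow it, so a content filter or mail gateway could quarantine the file. The record-layout constants come from the published WMF format; the two sample files are constructed in the block purely as detector fixtures and carry no payload.

```python
import struct

# WMF record functions and the escape sub-code the advisories identified.
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETMAPMODE = 0x0103          # harmless record used for the benign fixture
ESC_SETABORTPROC = 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7      # optional 22-byte "placeable" prefix
STANDARD_HEADER_WORDS = 9         # mtHeaderSize of the standard WMF header


def iter_wmf_records(data: bytes):
    """Yield (offset, function, params) for every record in a WMF blob.

    Raises ValueError on structural damage (truncation, bad sizes, no EOF),
    which a gateway should also treat as a reason to quarantine.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mt_type, hdr_words = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or hdr_words != STANDARD_HEADER_WORDS:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if size_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF record")


def find_setabortproc(data: bytes):
    """Return the offsets of every META_ESCAPE record whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_code = struct.unpack_from("<H", params, 0)[0]
            if escape_code == ESC_SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed fixtures (not real samples) ---------------------------------
def _record(func: int, params: bytes = b"") -> bytes:
    """Build one WMF record; params must have even length."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records) -> bytes:
    """Wrap records in a minimal standard (non-placeable) WMF header."""
    body = b"".join(records)
    max_rec_words = max(len(r) // 2 for r in records)
    total_words = STANDARD_HEADER_WORDS + len(body) // 2
    header = struct.pack("<HHHIHIH", 1, STANDARD_HEADER_WORDS, 0x0300,
                         total_words, 0, max_rec_words, 0)
    return header + body


BENIGN_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_EOF),
])

# Escape record with the SETABORTPROC code and four zero data bytes: enough to
# exercise the detector, nothing executable.
SUSPICIOUS_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x00" * 4),
    _record(META_EOF),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspicious", SUSPICIOUS_WMF)):
        print(name, "->", find_setabortproc(blob) or "clean")
```

Because the check keys on record structure rather than a fixed byte pattern, re-encoding the payload or padding the file does not change the verdict; the trade-off is that a gateway must parse every metafile fully and should fail closed on files the parser rejects. The same walker can be extended to flag other escape codes an organisation never expects to see in inbound images.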