A Windows 98 & ME forum. Win98banter


Win98 vulnerable to .wmf malware?



 
 
  #1  
January 1st 06, 09:51 PM posted to microsoft.public.win98.gen_discussion

Hello!

"Vince" wrote in message ...
I've seen reports of what happens to WinXP when it runs across one of
those malicious .wmf files, but no info about Win98/SE. How
vulnerable is Win98/SE to the malicious .wmf exploits? Is there some
kind of a workaround for Win98/SE, until/if Microsoft issues a
security update?


Nothing for Win9x/ME. There is a hotfix DLL for 2000/XP/2003:
http://www.hexblog.com/2005/12/wmf_vuln.html
("Windows WMF Metafile Vulnerability HotFix" by Ilfak Guilfanov)

More info at the following FAQ:
http://isc.sans.org/diary.php?rss&storyid=994
quote:
"Note: If you're still running on Win98/ME, this is a
watershed moment: we believe (untested) that your
system is vulnerable and there will be no patch from
MS. Your mitigation options are very limited. You
really need to upgrade."

But I don't want to upgrade my Windows 98SE machine.
I hope that MS will release patch for it...

Cheers, Roman



  #2  
January 2nd 06, 01:00 AM posted to microsoft.public.win98.gen_discussion

"Vince" wrote..

Near as I can fathom, the real problem is gdi32.dll. The last time
there was a problem with gdi32.dll, Microsoft rated the problem as
less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest
operating system. I just need usenet, email, browsing, word
processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.


I have a fine win98se system and a winMe system. I'm not interested in
upgrading HW "just" so that I can run XP either. If a HW upgrade would be
imminent, then one of the *nix OSes is seriously on the horizon.



  #3  
January 2nd 06, 05:42 AM posted to microsoft.public.win98.gen_discussion

I cannot fathom how you fathom that the problem is with gdi32.dll. Where do you
even find a reference to that file in relation to this vulnerability?
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm


"Vince" wrote in message
...
On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic"
wrote:

More info at the following FAQ:
http://isc.sans.org/diary.php?rss&storyid=994
quote:
"Note: If you're still running on Win98/ME, this is a
watershed moment: we believe (untested) that your
system is vulnerable and there will be no patch from
MS. Your mitigation options are very limited. You
really need to upgrade."

But I don't want to upgrade my Windows 98SE machine.
I hope that MS will release patch for it...


Near as I can fathom, the real problem is gdi32.dll. The last time
there was a problem with gdi32.dll, Microsoft rated the problem as
less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest
operating system. I just need usenet, email, browsing, word
processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.


  #4  
January 2nd 06, 10:29 AM posted to microsoft.public.win98.gen_discussion

On Sun, 01 Jan 2006 18:46:41 -0600, Vince wrote:
On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic"


More info at the following FAQ:
http://isc.sans.org/diary.php?rss&storyid=994


Nice link. It highlights another risk; background indexing. IMO, no
underfootware process should grope arbitrary files, and in that sense,
background indexing should be strangled at birth.

"Note: If you're still running on Win98/ME, this is a
watershed moment: we believe (untested) that your
system is vulnerable and there will be no patch from
MS. Your mitigation options are very limited. You
really need to upgrade."


Yup.. Nice, eh - as a consequence of product defects, MS gets to sell
more XP licenses as folks are forced to throw away old PCs.

Near as I can fathom, the real problem is gdi32.dll. The last time
there was a problem with gdi32.dll, Microsoft rated the problem as
less than "critical" and did nothing for Win98.


With no Windows File Protection to worry about, I'd kill off the
defective code and accept I can no longer interpret .WMF files - in
fact, that would be my preferred tactic in any case.

I'm familiar with how to curb Windows File Protection in WinME...

http://cquirke.mvps.org/9x/sr-sfp.htm

....but not XP, so once again, XP remains more vulnerable.

I'm not buying a new computer just so I can run Microsoft's latest
operating system. I just need usenet, email, browsing, word
processing and spreadsheets. I don't need WinXP to do that.


My watershed moment - Linux! But I really don't want to do that.


Yup. See http://cquirke.blogspot.com on another meta-level lesson one
could learn from this, and one that MSFT will prolly miss.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -

  #5  
January 2nd 06, 11:10 AM posted to microsoft.public.win98.gen_discussion

"cquirke (MVP Windows shell/user)" wrote in
message ...


With no Windows File Protection to worry about, I'd kill off the
defective code and accept I can no longer interpret .WMF files - in
fact, that would be my preferred tactic in any case.

I'm familiar with how to curb Windows File Protection in WinME...


Chris - in both Win ME and WinXP it's possible to edit the xml file
controlling SR/SFP so that any file is/not covered

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's


  #6  
January 2nd 06, 04:21 PM posted to microsoft.public.win98.gen_discussion

On Mon, 2 Jan 2006 11:10:43 -0000, "Noel Paton"
"cquirke (MVP Windows shell/user)" wrote


With no Windows File Protection to worry about, I'd kill off the
defective code and accept I can no longer interpret .WMF files - in
fact, that would be my preferred tactic in any case.


I'm familiar with how to curb Windows File Protection in WinME...


Chris - in both Win ME and WinXP it's possible to edit the xml file
controlling SR/SFP so that any file is/not covered


Cool! This I do routinely in WinME, so I can confidently say it's
possible. Because I haven't done it in XP, I'm less confident and
don't make the same claim.

Even in WinME, there are gotchas. For starters, FILELIST.XML is
itself a protected file, so it isn't effective to edit this file
within Windows (and remember, most WinME installations don't have a
DOS mode retro-fitted). There are at least two ways around this in
WinME; one involves a related binary file that I have yet to pick a
fight with, and the other involves editing sfpdb.sfp, which is what I
do. Both sets of edits to be done at the same time, outside Windows;
the other method that I haven't used, may be OK from Windows.

Now in XP, "outside Windows" takes a whole new significance,
especially if the file system is NTFS. SR was totally re-designed in
XP (and vastly improved over WinME), and as SR and SFP (WFP) are so
tightly integrated in WinME, I'd expect the mechanics within XP to
have possibly changed too.

A look at FILELIST.XML in the XP Restore subtree shows few Included
files, and no .XML as an Included extension. These are the excludes:

<Exclude>
<REC>%windir%\system.ini</REC>
<REC>%windir%\tasks\desktop.ini</REC>
<REC>%windir%\win.ini</REC>
<REC>*:\AUTOEXEC.BAT</REC>
<REC>*:\CONFIG.MSI</REC>
<REC>*:\CONFIG.SYS</REC>
</Exclude>

So it appears as if one can add things there. Whether changes will
"take", or whether one will have access rights to do this in NTFS, is
something I haven't tried, now or before.

Do you have a URL on managing SFP (WFP) in XP?

Then again, this is getting off-topic in this Win98 newsgroup - sorry!



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -

  #7  
January 2nd 06, 06:51 PM posted to microsoft.public.win98.gen_discussion

It's quite simple, Chris - the first thing you do when making the edit is to
remove the XML file from control! <g> - then you can change it more or less
at will.
make a copy of the file
edit it to remove the self-protection
once that's done, boot to DOS and swap the two files around
boot to Windows....
et woila!



--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's



  #8  
January 2nd 06, 11:48 PM posted to microsoft.public.win98.gen_discussion

OK, thanks Vince and Luke.....I see I was on a different wavelength than you guys.
Yes, the vulnerability is *in* gdi32.dll....ironically, the vulnerability is a
"feature" or function of the file. It is that vulnerability that is being exploited
*by* the ability of a WMF file to contain and execute code.

I was looking more at the idea of eliminating the capability in the WMF file to
exploit the function, but of course that would still leave the vulnerability there
for something else to exploit later. sigh
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm


"Luke" wrote in message
...
On Mon, 2 Jan 2006 00:42:10 -0500, "glee"
wrote:

I cannot fathom how you fathom that the problem is with gdi32.dll. Where do you
even find a reference to that file in relation to this vulnerability?


http://www.kb.cert.org/vuls/id/181038

--
Luke


  #9  
January 3rd 06, 01:39 AM posted to microsoft.public.win98.gen_discussion


"BoB" wrote in message
...
On Sun, 01 Jan 2006 18:46:41 -0600, Vince wrote:

On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic"
wrote:

More info at the following FAQ:
http://isc.sans.org/diary.php?rss&storyid=994
quote:
"Note: If you're still running on Win98/ME, this is a
watershed moment: we believe (untested) that your
system is vulnerable and there will be no patch from
MS. Your mitigation options are very limited. You
really need to upgrade."

But I don't want to upgrade my Windows 98SE machine.
I hope that MS will release patch for it...


Near as I can fathom, the real problem is gdi32.dll. The last time
there was a problem with gdi32.dll, Microsoft rated the problem as
less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest
operating system. I just need usenet, email, browsing, word
processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.


I'm quite happy with Win98SE. I don't want to go Linux either but
I'm hearing good things about free Ubuntu.

IE will run the malware if you visit the bad sites; Firefox and
Opera will prompt the user before downloading.

This site posted a harmless test .wmf at the top of his web page.
http://home.epix.net/~artnpeg
Art is a well known member of alt.comp.freeware NG.

With IE, I see a strange looking drawing and then a small box appears
so I can save or print the file. With Firefox I see only a small box.

Since I browse with Firefox, use a text only news/mail reader, and
always follow Safehex practices, I'm as safe as I can get for now.

My .wmf files were associated with Quick View Plus before I removed
the association. Malware can rename a .wmf to something else and IE
will read it internally and still process it as a .wmf so don't get
too concerned about 'ONLY' .wmf.

BoB

Are you saying that you clicked on http://home.epix.net/~artnpeg and in IE
you saw the drawing and a strange box appeared ?

I use win98se and IE6 and I don't see any strange box appearing.

Galen
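
The point quoted above, that a renamed .wmf is still processed as a metafile, means any filtering has to look at file content rather than the extension. The sketch below is an added example, not part of the original thread: it recognises a Windows Metafile by its header fields and flags files whose name hides that. The function names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" prefix
# Standard header: Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers
META_HEADER = struct.Struct("<HHHIHIH")

def xor_words(words):
    """XOR a sequence of 16-bit words (placeable-header checksum)."""
    acc = 0
    for w in words:
        acc ^= w
    return acc

def parse_wmf_header(data: bytes):
    """Return header fields if data starts like a Windows Metafile, else None."""
    offset, placeable, checksum_ok = 0, False, None
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        words = struct.unpack_from("<11H", data)
        # A bad checksum is recorded, not trusted as proof the file is harmless.
        placeable, checksum_ok, offset = True, xor_words(words[:10]) == words[10], 22
    if len(data) < offset + META_HEADER.size:
        return None
    ftype, hdr_words, version, size_words, _, max_rec, _ = META_HEADER.unpack_from(data, offset)
    # Type is 1 (memory) or 2 (disk), header is always 9 words, version 1.0 or 3.0.
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return {"placeable": placeable, "checksum_ok": checksum_ok, "version": version,
            "size_bytes": size_words * 2, "max_record_bytes": max_rec * 2}

def triage(filename: str, data: bytes) -> str:
    """Classify by content first, then compare with the claimed extension."""
    if parse_wmf_header(data) is None:
        return "not-wmf"
    return "wmf" if filename.lower().endswith(".wmf") else "wmf-disguised"

def constructed_sample(placeable: bool) -> bytes:
    """Constructed test metafile: header plus a single end-of-file record."""
    body = META_HEADER.pack(1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
    if not placeable:
        return body
    prefix = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
    checksum = xor_words(struct.unpack("<10H", prefix))
    return prefix + struct.pack("<H", checksum) + body

if __name__ == "__main__":
    # File names below are made up; the bytes come from constructed_sample().
    for name, blob in [("holiday.jpg", constructed_sample(False)),
                       ("chart.wmf", constructed_sample(True)),
                       ("notes.txt", b"plain text, long enough to parse")]:
        print(name, triage(name, blob))
```

A mail or proxy filter built on this would quarantine anything reported as "wmf" or "wmf-disguised" on a system that has no patch for the rendering code.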



  #10  
January 3rd 06, 09:41 PM posted to microsoft.public.win98.gen_discussion

Yea, that works! It's Art, I suppose, jumping for joy & clicking his heels! I appear to have an association that will open them in Notepad. BUT, it is gobbledygook in Notepad. R-Clk one, & Quick View appears in the menu. That opens it well. All 251 of them are apparently a silly picture! Nothing more!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

 




All times are GMT +1.