#1
Win98 vulnerable to .wmf malware?
Hello!

"Vince" wrote in message ...

I've seen reports of what happens to WinXP when it runs across one of those malicious .wmf files, but no info about Win98/SE. How vulnerable is Win98/SE to the malicious .wmf exploits? Is there some kind of a workaround for Win98/SE, until/if Microsoft issues a security update?

Nothing for Win9x/ME. There is hotfix DLL for 2000/XP/2003: http://www.hexblog.com/2005/12/wmf_vuln.html ("Windows WMF Metafile Vulnerability HotFix" by Ilfak Guilfanov)

More info at the following FAQ: http://isc.sans.org/diary.php?rss&storyid=994

quote: "Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

But I don't want to upgrade my Windows 98SE machine. I hope that MS will release patch for it...

Cheers, Roman
#2
"Vince" wrote..

Near as I can fathom, the real problem is gdi32.dll. The last time there was a problem with gdi32.dll, Microsoft rated the problem as less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest operating system. I just need usenet, email, browsing, word processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.

I have a fine win98se system and a winMe system. I'm not interested in upgrading HW "just" so that I can run XP either. If a HW upgrade would be imminent, then one of the *nix OSes is seriously on the horizon.
#3
I cannot fathom how you fathom that the problem is with gdi32.dll. Where do you even find a reference to that file in relation to this vulnerability?

-- Glen Ventura, MS MVP Shell/User, A+ http://dts-l.org/goodpost.htm

"Vince" wrote in message ...

On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic" wrote:

More info at the following FAQ: http://isc.sans.org/diary.php?rss&storyid=994

quote: "Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

But I don't want to upgrade my Windows 98SE machine. I hope that MS will release patch for it...

Near as I can fathom, the real problem is gdi32.dll. The last time there was a problem with gdi32.dll, Microsoft rated the problem as less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest operating system. I just need usenet, email, browsing, word processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.
#4
On Sun, 01 Jan 2006 18:46:41 -0600, Vince wrote:

On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic"

More info at the following FAQ: http://isc.sans.org/diary.php?rss&storyid=994

Nice link. It highlights another risk; background indexing. IMO, no underfootware process should grope arbitrary files, and in that sense, background indexing should be strangled at birth.

"Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

Yup.. Nice, eh - as a consequence of product defects, MS gets to sell more XP licenses as folks are forced to throw away old PCs.

Near as I can fathom, the real problem is gdi32.dll. The last time there was a problem with gdi32.dll, Microsoft rated the problem as less than "critical" and did nothing for Win98.

With no Windows File Protection to worry about, I'd kill off the defective code and accept I can no longer interpret .WMF files - in fact, that would be my preferred tactic in any case. I'm familiar with how to curb Windows File Protection in WinME... http://cquirke.mvps.org/9x/sr-sfp.htm ....but not XP, so once again, XP remains more vulnerable.

I'm not buying a new computer just so I can run Microsoft's latest operating system. I just need usenet, email, browsing, word processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.

Yup. See http://cquirke.blogspot.com on another meta-level lesson one could learn from this, and one that MSFT will prolly miss.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#5
"cquirke (MVP Windows shell/user)" wrote in message ...

With no Windows File Protection to worry about, I'd kill off the defective code and accept I can no longer interpret .WMF files - in fact, that would be my preferred tactic in any case. I'm familiar with how to curb Windows File Protection in WinME...

Chris - in both Win ME and WinXP it's possible to edit the xml file controlling SR/SFP so that any file is/not covered

-- Noel Paton (MS-MVP 2002-2006, Windows) Nil Carborundum Illegitemi http://www.crashfixpc.com/millsrpch.htm http://tinyurl.com/6oztj Please read http://dts-l.org/goodpost.htm on how to post messages to s
#6
On Mon, 2 Jan 2006 11:10:43 -0000, "Noel Paton"

"cquirke (MVP Windows shell/user)" wrote

With no Windows File Protection to worry about, I'd kill off the defective code and accept I can no longer interpret .WMF files - in fact, that would be my preferred tactic in any case. I'm familiar with how to curb Windows File Protection in WinME...

Chris - in both Win ME and WinXP it's possible to edit the xml file controlling SR/SFP so that any file is/not covered

Cool! This I do routinely in WinME, so I can confidently say it's possible. Because I haven't done it in XP, I'm less confident and don't make the same claim.

Even in WinME, there are gotchas. For starters, FILELIST.XML is itself a protected file, so it isn't effective to edit this file within Windows (and remember, most WinME installations don't have a DOS mode retro-fitted). There are at least two ways around this in WinME; one involves a related binary file that I have yet to pick a fight with, and the other involves editing sfpdb.sfp, which is what I do. Both sets of edits to be done at the same time, outside Windows; the other method that I haven't used, may be OK from Windows.

Now in XP, "outside Windows" takes a whole new significance, especially if the file system is NTFS. SR was totally re-designed in XP (and vastly improved over WinME), and as SR and SFP (WFP) are so tightly integrated in WinME, I'd expect the mechanics within XP to have possibly changed too.

A look at FILELIST.XML in the XP Restore subtree shows few Included files, and no .XML as an Included extension. These are the excludes:

<Exclude>
<REC>%windir%\system.ini</REC>
<REC>%windir%\tasks\desktop.ini</REC>
<REC>%windir%\win.ini</REC>
<REC>*:\AUTOEXEC.BAT</REC>
<REC>*:\CONFIG.MSI</REC>
<REC>*:\CONFIG.SYS</REC>
</Exclude>

So it appears as if one can add things there. Whether changes will "take", or whether one will have access rights to do this in NTFS, is something I haven't tried, now or before.

Do you have a URL on managing SFP (WFP) in XP? Then again, this is getting off-topic in this Win98 newsgroup - sorry!

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#7
It's quite simple, Chris - the first thing you do when making the edit is to remove the XML file from control!g - then you can change it more or less at will.

make a copy of the file
edit it to remove the self-protection
once that's done, boot to DOS and swap the two files around
boot to Windows.... et woila!

-- Noel Paton (MS-MVP 2002-2006, Windows) Nil Carborundum Illegitemi http://www.crashfixpc.com/millsrpch.htm http://tinyurl.com/6oztj Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

"cquirke (MVP Windows shell/user)" wrote in message ...

On Mon, 2 Jan 2006 11:10:43 -0000, "Noel Paton"

"cquirke (MVP Windows shell/user)" wrote

With no Windows File Protection to worry about, I'd kill off the defective code and accept I can no longer interpret .WMF files - in fact, that would be my preferred tactic in any case. I'm familiar with how to curb Windows File Protection in WinME...

Chris - in both Win ME and WinXP it's possible to edit the xml file controlling SR/SFP so that any file is/not covered

Cool! This I do routinely in WinME, so I can confidently say it's possible. Because I haven't done it in XP, I'm less confident and don't make the same claim.

Even in WinME, there are gotchas. For starters, FILELIST.XML is itself a protected file, so it isn't effective to edit this file within Windows (and remember, most WinME installations don't have a DOS mode retro-fitted). There are at least two ways around this in WinME; one involves a related binary file that I have yet to pick a fight with, and the other involves editing sfpdb.sfp, which is what I do. Both sets of edits to be done at the same time, outside Windows; the other method that I haven't used, may be OK from Windows.

Now in XP, "outside Windows" takes a whole new significance, especially if the file system is NTFS. SR was totally re-designed in XP (and vastly improved over WinME), and as SR and SFP (WFP) are so tightly integrated in WinME, I'd expect the mechanics within XP to have possibly changed too.

A look at FILELIST.XML in the XP Restore subtree shows few Included files, and no .XML as an Included extension. These are the excludes:

<Exclude>
<REC>%windir%\system.ini</REC>
<REC>%windir%\tasks\desktop.ini</REC>
<REC>%windir%\win.ini</REC>
<REC>*:\AUTOEXEC.BAT</REC>
<REC>*:\CONFIG.MSI</REC>
<REC>*:\CONFIG.SYS</REC>
</Exclude>

So it appears as if one can add things there. Whether changes will "take", or whether one will have access rights to do this in NTFS, is something I haven't tried, now or before.

Do you have a URL on managing SFP (WFP) in XP? Then again, this is getting off-topic in this Win98 newsgroup - sorry!

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#8
OK, thanks Vince and Luke.....I see I was on a different wavelength than you guys.

Yes, the vulnerability is *in* gdi32.dll....ironically, the vulnerability is a "feature" or function of the file. It is that vulnerability that is being exploited *by* the ability of a WMF file to contain and execute code. I was looking more at the idea of eliminating the capability in the WMF file to exploit the function, but of course that would still leave the vulnerability there for something else to exploit later. sigh

-- Glen Ventura, MS MVP Shell/User, A+ http://dts-l.org/goodpost.htm

"Luke" wrote in message ...

On Mon, 2 Jan 2006 00:42:10 -0500, "glee" wrote:

I cannot fathom how you fathom that the problem is with gdi32.dll. Where do you even find a reference to that file in relation to this vulnerability?

http://www.kb.cert.org/vuls/id/181038

-- Luke
#9
"BoB" wrote in message ...

On Sun, 01 Jan 2006 18:46:41 -0600, Vince wrote:

On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic" wrote:

More info at the following FAQ: http://isc.sans.org/diary.php?rss&storyid=994

quote: "Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

But I don't want to upgrade my Windows 98SE machine. I hope that MS will release patch for it...

Near as I can fathom, the real problem is gdi32.dll. The last time there was a problem with gdi32.dll, Microsoft rated the problem as less than "critical" and did nothing for Win98.

I'm not buying a new computer just so I can run Microsoft's latest operating system. I just need usenet, email, browsing, word processing and spreadsheets. I don't need WinXP to do that.

My watershed moment - Linux! But I really don't want to do that.

I'm quite happy with Win98SE. I don't want to go Linux either but I'm hearing good things about free Ubuntu.

IE will run the malware if you visit the bad sites; Firefox and Opera will prompt the user before downloading.

This site posted a harmless test .wmf at the top of his web page. http://home.epix.net/~artnpeg Art is a well known member of alt.comp.freeware NG.

With IE, I see a strange looking drawing and then a small box appears so I can save or print the file. With Firefox I see only a small box.

Since I browse with Firefox, use a text only news/mail reader, and always follow Safehex practices, I'm as safe as I can get for now.

My .wmf files were associated with Quick View Plus before I removed the association. Malware can rename a .wmf to something else and IE will read it internally and still process it as a .wmf so don't get too concerned about 'ONLY' .wmf.

BoB

Are you saying that you clicked on http://home.epix.net/~artnpeg and in IE you saw the drawing and a strange box appeared?

I use win98se and IE6 and I don't see any strange box appearing.

Galen
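An added example, not part of the thread: BoB's point quoted in the post above, that a renamed .wmf is still processed as a metafile, means a filter has to inspect file content and not the name. This Python sketch recognises WMF data by its header fields, with or without the optional 22-byte placeable prefix; the file names and sample bytes are constructed for illustration.

```python
import os
import struct

PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable prefix
WMF_EXTENSIONS = {".wmf"}

def looks_like_wmf(data: bytes) -> bool:
    """Check the 18-byte WMF header: type 1 or 2, header size 9 words, version 1.0 or 3.0."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22                      # the standard header follows the prefix
    if len(data) < offset + 18:          # truncated input cannot hold a full header
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data, offset)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower()
    if looks_like_wmf(data):
        return "wmf" if ext in WMF_EXTENSIONS else "disguised-wmf"
    return "not-wmf" if ext in WMF_EXTENSIONS else "other"

# Constructed sample inputs: headers only, no drawing records.
STANDARD_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_PREFIX = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
JPEG_START = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

SAMPLES = [
    ("logo.wmf", PLACEABLE_PREFIX + STANDARD_HEADER),   # honest .wmf
    ("holiday.jpg", STANDARD_HEADER),                   # metafile behind another extension
    ("photo.jpg", JPEG_START),                          # ordinary JPEG
    ("broken.wmf", b"\x01\x00\x09"),                    # too short to be a metafile
]

def scan(samples):
    """Return {file name: verdict} for a list of (name, bytes) pairs."""
    return {name: classify(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

A "disguised-wmf" verdict is the case to block or quarantine at a mail or proxy filter, since the extension alone would have let it through.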
#10
Yea, that works! It's Art, I suppose, jumping for joy & clicking his heels! I appear to have an association that will open them in Notepad. BUT, it is gobbledygook in Notepad. R-Clk one, & Quick View appears in the menu. That opens it well. All 251 of them are apparently a silly picture! Nothing more!

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

"Galen Somerville" wrote in message ...
|
| "BoB" wrote in message
| ...
| On Sun, 01 Jan 2006 18:46:41 -0600, Vince wrote:
|
| On Sun, 1 Jan 2006 22:51:41 +0100, "roman modic"
| wrote:
|
| More info at the following FAQ:
| http://isc.sans.org/diary.php?rss&storyid=994
| quote:
| "Note: If you're still running on Win98/ME, this is a
| watershed moment: we believe (untested) that your
| system is vulnerable and there will be no patch from
| MS. Your mitigation options are very limited. You
| really need to upgrade."
|
| But I don't want to upgrade my Windows 98SE machine.
| I hope that MS will release patch for it...
|
| Near as I can fathom, the real problem is gdi32.dll. The last time
| there was a problem with gdi32.dll, Microsoft rated the problem as
| less than "critical" and did nothing for Win98.
|
| I'm not buying a new computer just so I can run Microsoft's latest
| operating system. I just need usenet, email, browsing, word
| processing and spreadsheets. I don't need WinXP to do that.
|
| My watershed moment - Linux! But I really don't want to do that.
|
| I'm quite happy with Win98SE. I don't want to go Linux either but
| I'm hearing good things about free Ubuntu.
|
| IE will run the malware if you visit the bad sites; Firefox and
| Opera will prompt the user before downloading.
|
| This site posted a harmless test .wmf at the top of his web page.
| http://home.epix.net/~artnpeg
| Art is a well known member of alt.comp.freeware NG.
|
| With IE, I see a strange looking drawing and then a small box appears
| so I can save or print the file. With Firefox I see only a small box.
|
| Since I browse with Firefox, use a text only news/mail reader, and
| always follow Safehex practices, I'm as safe as I can get for now.
|
| My .wmf files were associated with Quick View Plus before I removed
| the association. Malware can rename a .wmf to something else and IE
| will read it internally and still process it as a .wmf so don't get
| too concerned about 'ONLY' .wmf.
|
| BoB
|
| Are you saying that you clicked on http://home.epix.net/~artnpeg and in IE
| you saw the drawing and a strange box appeared ?
|
| I use win98se and IE6 and I don't see any strange box appearing.
|
| Galen