Win98 vulnerable to .wmf malware?

"Vince" wrote:

According to Microsoft Security Advisory (912840): Vulnerability in
Graphics Rendering Engine Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/912840.mspx
Win98/SE is vulnerable to the 0 day exploit using crafted .wmf
graphics files.

snip

As we all know now, MS has copped out of addmitting the 9x components
vulnerabilty is still potentially critical since the same vulnerability
exists in principle, but they have no working code to light a rocket under
their collective office chairs.

Maybe it is time to invite those that understand the vulnerability in its
true form to test the 9x components and see if any remote code can be made to
be executed by embedding a crafted wmf file into a webpage or inline into an
email... and, if it proves to be possible, initially share the proof of
concept via responsible disclosure with MS team.

Note there is a 3rd party sledge hammer GDI32.DLL function redirect solution
like the one made for XP in case any exploit of the vulnerability is found in
the wild.

I'd imagine a simple binary comparison of both old and new GDI32.DLLs for XP
and dissasembly of the before and after code and then a disassembly of the
win9x GDI32.DLLs same area would reveal a possibility of applying a patch to
the code to neuter the function that wmf files should never have had access
to.

Bear in mind the recent MS06-02 vulnerability described on web page:
http://www.microsoft.com/technet/sec.../MS06-002.mspx

is clearly listed as Critical for windows98, SE and ME in the Executive
Summary yet no patch for said revisions of the operating systems is currently
as of time of posting forthcomming, MS is clearly doing all it can to avoid
employing programmer man hours on the old win9x source tree... Maybe they
would like to relinquish all responsibility for maintaining it and just
release it to the open source community and let it be openly peer reviewed
and maintained and MS can then focus all it's efforts on fixing all the NT
cores design and implimentation flaws

"mae" wrote:

3 hours before your post:
The following updates have been successfully installed:
Security Update for Windows 98 (KB908519) ms06-002
2006-01-10 15:36:40 21:36:40 Success IUENGINE Local path
d:\WUTemp\com_microsoft.Windows98-KB908519-x86-174228\Windows98-KB908519-ENU
..EXE
--
mae
That is most interesting as even now I am not being offered the update, the
only Critical update it offers is IE6 SP1 and judging by the multitude of
patches that version alone would illicite if I installed it... It is not a
true security update but a nest of vulnerabilities badged as a security
update.

In my understanding of MS06-002 it is listed as an OS vulnerability no
mention of being IE version specific

I'd be interested in a URL so I could obtain the win98 patch manually and
see if it applies to my instalation.
TIA

"mae" wrote:

3 hours before your post:
The following updates have been successfully installed:
Security Update for Windows 98 (KB908519) ms06-002
2006-01-10 15:36:40 21:36:40 Success IUENGINE Local path
d:\WUTemp\com_microsoft.Windows98-KB908519-x86-174228\Windows98-KB908519-ENU
..EXE
--
mae

Thanks mae, just looked in win98 update catalogue and there it is, why oh
why do MS hide these things when it could have been linked to direct from
MS06-002 page like all the rest.

Oh! That's it, then? We DID have that rotten exploitable attack vector? That was the .wmf fix, JUST after I told everyone it doesn't affect us critically? Anyhow, thanks, I took it. And Art is still jumping for joy in his .wmf...
http://home.epix.net/~artnpeg/

The T2EMBED.DLL Properties seems to have fewer tabs now, though!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

"mae" wrote in message ...
| Just getting ready to reply but see you have it.
| I just let WU scan and do it's thing.
| The SB does link to WU.
| This was change in the event you want to know first:
| Today:
| [C:\WINDOWS\SYSTEM] T2EMBED.DLL Updated
| 0, 2, 0, 81 08/29/02 5.00.2195.7 11/24/05
| [C:\WINDOWS\OPTIONS\CABS] t2embed.dll Added
| 5.00.2195.7 11/24/05
| Previous:
| T2EMBED.DLL 0, 2, 0, 81 8/29/02 (from IE6sp1)
| T2EMBED.DLL 0, 2, 0, 69 4/23/99 (from IE5?)orig98se install
| --
| mae
|
| "TK1" wrote in message
| ...
| | "mae" wrote:
| |
| | 3 hours before your post:
| | The following updates have been successfully installed:
| | Security Update for Windows 98 (KB908519) ms06-002
| | 2006-01-10 15:36:40 21:36:40 Success IUENGINE Local path
| |
| d:\WUTemp\com_microsoft.Windows98-KB908519-x86-174228\Windows98-KB908519-ENU
| | ..EXE
| | --
| | mae
| |
| | Thanks mae, just looked in win98 update catalogue and there it is, why oh
| | why do MS hide these things when it could have been linked to direct from
| | MS06-002 page like all the rest.
|

It's not the WMF issue they are speaking of above but are referring to
yesterdays release of MS06-002, 908519, Vulnerability in Embedded Web Fonts
http://www.microsoft.com/technet/sec...ate=2006-01-10

Rick


PCR wrote:
Oh! That's it, then? We DID have that rotten exploitable attack vector?
That was the .wmf fix, JUST after I told everyone it doesn't affect us
critically? Anyhow, thanks, I took it. And Art is still jumping for joy
in his .wmf...
http://home.epix.net/~artnpeg/

The T2EMBED.DLL Properties seems to have fewer tabs now, though!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

I see. No wonder I couldn't find ".wmf" mentioned at the URL. I was just thinking the .wmf file type might have been a WEB font, which the URL did speak of. OK, thanks.

All the same, I'm officially out of the .wmf issue!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

"Rick Chauvin" wrote in message ...
| It's not the WMF issue they are speaking of above but are referring to
| yesterdays release of MS06-002, 908519, Vulnerability in Embedded Web Fonts
| http://www.microsoft.com/technet/sec...ate=2006-01-10
|
| Rick
|
|
| PCR wrote:
| Oh! That's it, then? We DID have that rotten exploitable attack vector?
| That was the .wmf fix, JUST after I told everyone it doesn't affect us
| critically? Anyhow, thanks, I took it. And Art is still jumping for joy
| in his .wmf...
| http://home.epix.net/~artnpeg/
|
| The T2EMBED.DLL Properties seems to have fewer tabs now, though!
|
|
| --
| Thanks or Good Luck,
| There may be humor in this post, and,
| Naturally, you will not sue,
| should things get worse after this,
| PCR
|
|
|