funsec mailing list archives

RE: WMF Vulnerable Systems


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 2 Jan 2006 23:52:59 -0500

It appears, based on offline communication, that my analysis below is
correct with respect to pre-XP exploitation. There is no default association
for WMF, therefore it's much harder to exploit. The flaw in GDI32 is there
and a vulnerable program like Notes would still be vulnerable, but on a
mass-scale they are not easily exploitable because there is no standard
vector for the flaw.

I'm testing now on Windows 2000 (SP4) and the behavior is identical to
Windows 98! No default association for WMF and Paint can't read the files. 

Am I doing something wrong? Has anyone else gotten other results? Because
where I stand this makes the whole issue far less threatening.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:41 PM
To: 'Richard M. Smith'; funsec () linuxbox org
Subject: RE: [funsec] WMF Vulnerable Systems

On Win98SE: Nothing

I retested with my own images and with 600pics.com (I'm getting really tired
of looking at it). I got lots of popups with 600pics, but it doesn't look
like I got exploited at all.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Richard M. Smith
Sent: Monday, January 02, 2006 10:07 PM
To: funsec () linuxbox org
Subject: RE: [funsec] WMF Vulnerable Systems

What program is associated with the .WMF file extension on these older
systems?

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 10:01 PM
To: funsec () linuxbox org
Cc: 'Microsoft PR'
Subject: RE: [funsec] WMF Vulnerable Systems

PS - I also tested the out-of-the-box IE (version 5.0) and it wouldn't load
the images from a test page. And there is no shimgvw.dll (or shim*.dll) on
the system.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Larry Seltzer
Sent: Monday, January 02, 2006 9:48 PM
To: funsec () linuxbox org
Subject: [funsec] WMF Vulnerable Systems

This is a little surprising. I had been taking at face value reports from
Microsoft and others that all Windows versions were vulnerable to this flaw,
but I only just now tested a system other than Windows XP.

I just created a fresh Windows 98SE system, no updates. Of course it doesn't
have Picture and Fax Viewer, but I opened a known-malicious WMF file with
Paint and got this message:

        C:\BAD.WMF
        Paint cannot read this file.
        This is not a valid bitmap file, or its format is not currently
        supported.

Now this could just mean that Paint in this version of Windows cannot read
WMF files, but that the GDI32 flaw is still there. Perhaps, for example,
Lotus Notes on this OS would be vulnerable. Still, I'd have to conclude that
this platform is significantly less vulnerable than XP.

My next step is to run Windows Update (probably a dozen times) to get 98 as
up to date as it can be and retest.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

