
·
Registered
Joined
·
774 Posts
Discussion Starter · #1 ·
Normally I don't post this type of thing, but this is serious. A bug has been discovered in Microsoft's WMF image parser that will allow arbitrary code execution with system level privileges on a fully patched XP computer. The way this exploit works, your computer can be affected by simply opening a web page. Currently both IE and Opera are affected, however the latest version of Firefox is not.

I highly suggest you use Firefox 1.5 or later for your browsing until this is patched. Click here for further information.
 

·
[Insert Ad Here]
Joined
·
334 Posts
**UPDATE**

An unofficial patch has been released that will protect against this latest threat until Microsoft releases the official patch. Microsoft patch released today (1.05.06).


Info on the exploit can be found here:

Security Now! Show Notes Episode #20
 

·
Psychotic Robot Master
Joined
·
1,588 Posts
ONO! WE'RE ALL GOING TO DIEEE!!!!!!! Oh wait, I'm using Firefox too. Thanks for the infos _gdoasjbng :thumb:
 

·
Experenced But New User
Joined
·
866 Posts
Yay for firefox!

On the downside, freakin' Firefox won't play my Google module correctly. It's pissing me off because I don't use IE.
 

·
[Insert Ad Here]
Joined
·
334 Posts
Very true. The DEP notified me when the exploit tried running on my system. The DEP killed the explorer.exe process and relaunched it.
 

·
Registered
Joined
·
2,794 Posts
It can't. The only thing this exploit is capable of is embedding a piece of code into the WMF that will run when opened, executing a payload. In other words, it'd be as if you double-clicked an executable yourself.

This "exploit" is actually leftover from a necessary feature called 'SetAbortProc' that was built into the format back when Windows 3.0 was in its prime. The function was needed for certain scenarios, such as if a print job needed to be cancelled during spooling. Interestingly enough, every version of Windows since then (1990) contains this vulnerability, though XP and Server 2003 are the only ones that facilitate a delivery mechanism since they're the only OSes that shipped with default handlers for the WMF file type.
 

·
AKA snkmad
Joined
·
4,063 Posts
How do I know if this DEP is running on my system?
Even more, if my A64 has it?

EDIT: this means I'm safe?
 

·
[Insert Ad Here]
Joined
·
334 Posts
Microsoft has officially released their WMF patch via Microsoft Update.

Description on the patch on the Microsoft Update page:

Security Update for Windows XP (KB912919)
Typical download size: 196 KB, less than 1 minute
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

If you installed the unofficial hotfix patch you should uninstall it before installing Microsoft's update.

For those who want to manually download and install the patch you can get it here.

If you are using a version other than XP that is Win 2000 or later, you can pick your version for the patch via Microsoft Download Center. This link will take you to the page where you can choose your OS version. Click here.
 

·
Transcended
Joined
·
1,421 Posts
Hey, this DEP thing is cool! Wonder why nobody thought of it until recently?
 

·
Registered
Joined
·
2,794 Posts
RZetlin said:
FYI, Windows 9x users are out of luck because there's no patch.
Interestingly enough, every version of Windows since then (1990) contains this vulnerability, though XP and Server 2003 are the only ones that facilitate a delivery mechanism since they're the only OSes that shipped with default handlers for the WMF file type.
:rolleyes:

The only way 9X can get hit is if you open up a WMF in Paint or some other graphics prog that uses the vulnerable DLL to render the image.
 