Unofficial WMF fix gets thumbs up by SANS.org and NIST.org
Posted by NIST.org on January 3rd, 2006


The SANS recommended hotfix (by: Ilfak Guilfanov) intercepts calls to
the exploitable program routines in the vulnerable shimgvw.dll file.
It completely mitigates any threat from this vulnerability. No need to
run the Microsoft-suggested unregister command, but it doesn't hurt to do so
(belt and suspenders is what SANS called it).

My only problem with this fix is that it's not very enterprise friendly.
It requires installation on every machine through non-automated
processes (yes, you can automate an install yourself) and should be
uninstalled after Microsoft releases their fix.

The latest exploit kits being circulated allow creation of WMF files
with varying signatures. This was intended to make detection by
IDS/IPS and antivirus programs much harder or impossible. So this
unofficial hotfix may be all we have at the moment.

You can download the hotfix and read more at http://www.NIST.org.
Check back often for updates or subscribe to the NIST.org RSS feed.

Posted by Quaoar on January 4th, 2006


NIST.org wrote:
Ilfak's site is up again, http://www.hexblog.com/ or
http://216.227.222.95/ since the server has changed. The latest SANS
logs are here http://isc.sans.org/diary.php?storyid=1013




Posted by John Hyde on January 4th, 2006


on 1/4/2006 8:46 AM Todd H. said the following:
Here is an article with more info. Don't skip the reply comments.
(Though it's more discussion than I could wade through all in one sitting.)

http://blog.ziffdavis.com/seltzer/ar.../03/39684.aspx

JH

Posted by Todd H. on January 4th, 2006


Peter <"veryhjdf"@kk.zz$> writes:

It's a topic of some debate. Your particular configuration of 98se
may not be vulnerable, but the OS as a whole is suspect. Certain
configs appear to be according to some researchers.

--
Todd H.
http://www.toddh.net/

Posted by SteveB on January 4th, 2006


I've just installed a freeware WMF viewer and set it as the default app in
XP. I don't know for sure if it will avoid the vulnerability but it seems
plausible to me.


Posted by Art on January 4th, 2006


On 3 Jan 2006 00:54:19 -0800, "NIST.org" <google@eaglestock.com>
wrote:

Ilfak's hotfix for the WMF vulnerability can be downloaded from any of
the following URLs:

http://www.grc.com/miscfiles/wmffix_hexblog14.exe
http://handlers.sans.org/tliston/wmffix_hexblog14.exe
http://castlecops.com/modules.php?na...=getit&lid=496
http://csc.sunbelt-software.com/wmf/..._hexblog14.exe
http://www.antisource.com/download/wmffix_hexblog14.exe
http://hexblog.axmo12.de/wmffix_hexblog14.exe
http://www.dsinet.org/files/wmffix_hexblog14.exe
http://lab.nsl.it/wmffix_hexblog14.exe

The MD5 checksum of the file is 15f0a36ea33f39c1bcf5a98e51d4f4f6.

MSI repackages can be downloaded here:

* http://accentconsulting.com/wmf.shtml by Brian Higgins (MD5:
a5108c0fa866101d79bb8006617641ee)
* http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi by Evan
Anderson (MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)
* http://hexblog.axmo12.de/WMFHotfix-1.1.14.msi by Evan Anderson
(MD5: 0dd56dac6b932ee7abf2d65ec34c5bec)

The WMF vulnerability checker can be downloaded from the following
URLs:

http://www.grc.com/miscfiles/wmf_checker_hexblog.exe
http://castlecops.com/modules.php?na...=getit&lid=495
http://csc.sunbelt-software.com/wmf/...er_hexblog.exe
http://www.antisource.com/download/w...er_hexblog.exe
http://hexblog.axmo12.de/wmf_checker_hexblog.exe

The MD5 checksum of the file is ba65e1954070074ea634308f2bab0f6a.

Note that the fix is not applicable to Win 9X/ME.

Art

http://home.epix.net/~artnpeg
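Art's post lists MD5 checksums for the hotfix, the checker and the MSI repackages. As an added example (not code from the thread, from Ilfak or from any of the mirrors), here is a small Python checker that compares downloaded files against those listed values; the file names come from the URLs above, the download directory is an assumption.

```python
import hashlib
from pathlib import Path

# MD5 values as listed in the post above, keyed by the file name in the URLs.
# The two Evan Anderson MSI mirrors share one hash, so they appear once.
EXPECTED_MD5 = {
    "wmffix_hexblog14.exe": "15f0a36ea33f39c1bcf5a98e51d4f4f6",
    "wmf_checker_hexblog.exe": "ba65e1954070074ea634308f2bab0f6a",
    "WMFHotfix-1.1.14.msi": "0dd56dac6b932ee7abf2d65ec34c5bec",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_md5):
    """Return (matches, actual_digest); the listed value is normalised so a
    copy-pasted upper-case or padded hash still compares correctly."""
    actual = md5_of_file(path)
    return actual == expected_md5.strip().lower(), actual


def check_all(directory, expected=EXPECTED_MD5):
    """Check every listed artifact found in `directory` (assumed download folder).
    Result per name is "ok", "missing" or "MISMATCH (<actual md5>)"."""
    results = {}
    for name, digest in expected.items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "missing"
            continue
        ok, actual = verify_download(p, digest)
        results[name] = "ok" if ok else f"MISMATCH ({actual})"
    return results


if __name__ == "__main__":
    # Assumed location of the downloaded files; adjust to where they were saved.
    for name, status in check_all("downloads").items():
        print(f"{name}: {status}")
```

A mismatch means the mirror served a different binary than the one the post vouches for, so the file should not be installed until a matching copy is obtained.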


Posted by see.my.sig.4.addr@nowhere.com.invalid on May 9th, 2006


On Wed, 04 Jan 2006 16:51:21 +0000, Peter <"veryhjdf"@kk.zz$> spewed:
What is Win Lite?
How did you prevent the bug without any fix?
I'd like to do it on my 95 system if possible, and later on a 98SE.

I'm with ya on the XP hate!
Unfortunately, M$'s 98 support ends (I think in July) which means no more
security fixes for their garbageware. Dunno if it'll be worth the risk of
lesser threat and no updates for 98 vs huge threat but updates for XP.

--
__________________________________________________ ___
For email response, or CC, please email see.my.sig.4.addr-a@t-bigfoot.com.
Yeah, it's really a real address

