Date: Thu, 29 Dec 2005 12:57:06 -0500
From: "Derick Anderson" <danderson@...us.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: WMF Exploit

> -----Original Message-----
> From: Hayes, Bill [mailto:Bill.Hayes@....com] 
> Sent: Wednesday, December 28, 2005 6:02 PM
> To: davidribyrne@...oo.com
> Cc: bugtraq@...urityfocus.com
> Subject: RE: WMF Exploit
> 
> CERT now has posted Vulnerability Note VU#181038, "Microsoft 
> Windows may be vulnerable to buffer overflow via specially 
> crafted WMF file"
> (http://www.kb.cert.org/vuls/id/181038). The note provides 
> additional details about the exploit and its effects. Very 
> few workarounds have been proposed other than blocking at the 
> perimeter and possibly remapping the .wmf extension to some 
> application other than the vulnerable Windows Picture and Fax 
> Viewer (SHIMGVU.DLL).
> 
> Bill...

F-Secure
(http://www.f-secure.com/weblog/archives/archive-122005.html#00000752)
mentioned a Microsoft workaround (which I actually did not see in the MS
TechNet bulletin they linked to):

----

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded.
Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started
when users click on a link to an image type that is associated with the
Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above
steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

----

It's highly dumbed down but suitable for bulk distribution to the
average user =). Additionally F-Secure mentions sites related to the
attack, blocking them is an interim solution.

Derick Anderson
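
The un-registration procedure quoted above, as an added example that is not part of the original message, of Microsoft's guidance, or of F-Secure's post: a batch file that applies the same regsvr32 step unattended (the /s switch suppresses the confirmation dialog) so it can be pushed from a logon script or a remote execution tool, and that re-registers the DLL when run with "undo" as its first argument. Assumptions: it runs with administrative rights on Windows XP/2003, and the only command used is regsvr32 with its documented /u (unregister) and /s (silent) switches; the DLL path is the one from the procedure.

```batch
@echo off
rem Added example, not from the original message: apply the shimgvw.dll
rem workaround silently for bulk deployment, or undo it.
rem Assumes administrative rights and the stock %windir%\system32 path.
rem Usage:  wmf-workaround.cmd        (un-register the viewer)
rem         wmf-workaround.cmd undo   (re-register the viewer)

setlocal
set DLL=%windir%\system32\shimgvw.dll

if not exist "%DLL%" (
    echo %DLL% not found; nothing to do.
    exit /b 0
)

if /i "%~1"=="undo" (
    rem Re-registration, equivalent to "regsvr32 %windir%\system32\shimgvw.dll"
    rem from the manual procedure, minus the dialog box.
    regsvr32 /s "%DLL%"
    if errorlevel 1 (
        echo Re-registration of shimgvw.dll FAILED ^(regsvr32 exit code %errorlevel%^)
        exit /b 1
    )
    echo shimgvw.dll re-registered; Windows Picture and Fax Viewer is active again.
    exit /b 0
)

rem Default action: un-register. Equivalent to step 1 of the procedure; /s
rem replaces the confirmation dialog of step 2 so nothing waits for a click.
regsvr32 /s /u "%DLL%"
if errorlevel 1 (
    echo Un-registration of shimgvw.dll FAILED ^(regsvr32 exit code %errorlevel%^)
    exit /b 1
)
echo shimgvw.dll un-registered; run "%~nx0 undo" to restore the viewer.
exit /b 0
```

A non-zero exit code from regsvr32 is reported and passed back to the caller so a deployment tool can flag machines where the step did not apply. Note that this script changes only which component the shell launches for associated image types, which is all the quoted workaround claims; it does not touch the code that parses WMF, so any application that renders WMF files itself is outside its scope.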

