Hex blog: Windows WMF Metafile Vulnerability Hotfix

Windows WMF Metafile Vulnerability Hotfix

This week a new vulnerability was found in Windows: http://www.microsoft.com/technet/security/advisory/912840.mspx

Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it. The fix does not remove any functionality from the system; all pictures will continue to be visible.

You can download it here: http://www.hexblog.com/security/files/wmffix_hexblog14.exe

It should work for Windows 2000, XP 32-bit, XP 64-bit, and Windows Server 2003.

Technical details: this is a DLL which gets injected into all processes loading user32.dll. It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORTPROC escape sequence is not accepted anymore. I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.

If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as "Windows WMF Metafile Vulnerability Hotfix". I'd like to know what programs are crippled by the fix, please tell me.

I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.

The fix can be applied in the automatic mode using the following command line:

    wmffix_hexblog14.exe /verysilent /suppressmsgboxes

These switches do not suppress dialog boxes about installation errors. The /log="file" switch can be added to the command line to create a log file.

The usual software disclaimer applies...
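As an added example, not code from the original post or from the hotfix package: a small Python scanner that walks the records of a WMF file and reports any META_ESCAPE record carrying the SETABORTPROC sub-function, which is the escape the hotfix makes Escape() refuse. The record layout and constants come from the public WMF format; the two sample files are constructed inline, and the scan keys on the bytes rather than the file extension, so a renamed file is judged the same way.

```python
import struct

# WMF constants (MS-WMF): record function numbers and the Escape() sub-function
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, little-endian DWORD
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # the Escape() sub-function the hotfix refuses
QUERYESCSUPPORT = 0x0008     # a harmless escape used for the benign sample


def parse_wmf_records(data):
    """Yield (offset, function, params) for every record of a WMF byte string.
    Accepts plain metafiles and ones with a 22-byte placeable header."""
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    mt_type, hdr_words, _version = struct.unpack_from('<HHH', data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError('not a WMF header')
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:          # a record is at least size + function
            raise ValueError('malformed record at offset %d' % off)
        end = off + size_words * 2
        if end > len(data):
            raise ValueError('record at offset %d runs past end of file' % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return (offset, escape_data_length) for each META_ESCAPE record whose
    escape sub-function is SETABORTPROC, i.e. the records the hotfix rejects."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from('<HH', params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def classify(data):
    """'setabortproc', 'clean', or 'malformed' (not parseable as WMF)."""
    try:
        return 'setabortproc' if find_setabortproc(data) else 'clean'
    except ValueError:
        return 'malformed'


# --- constructed sample files (not real-world WMFs) ---------------------------

def _record(func, params=b''):
    assert len(params) % 2 == 0, 'WMF records are 16-bit word aligned'
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    """Assemble a minimal WMF from record blobs (appends META_EOF itself)."""
    records = list(records) + [_record(META_EOF)]
    body = b''.join(records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    if placeable:
        # key, hmf, bbox (4 shorts), inch, reserved, checksum (left zero here)
        header = struct.pack('<IHhhhhHIH', PLACEABLE_KEY, 0, 0, 0, 100, 100,
                             96, 0, 0) + header
    return header + body


BENIGN_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack('<HH', QUERYESCSUPPORT, 2) + b'\x09\x00'),
])

# dummy zero bytes stand in for whatever an exploit file would carry here
SUSPICIOUS_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack('<I', 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 8) + b'\x00' * 8),
], placeable=True)


if __name__ == '__main__':
    for name, blob in (('benign', BENIGN_WMF), ('suspicious', SUSPICIOUS_WMF)):
        print(name, classify(blob), find_setabortproc(blob))
```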
File: wmffix_hexblog14.exe (the source code is included)

Updates:
- More error checking.
- Version 1.1 with Windows 2000 support.
- Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
- Version 1.3: added support for Windows 2000 SP4.
- Added information about silent mode.
- Comments are turned off. A discussion forum is available here.
- Version 1.4: completely silent mode, suitable for use in scripts (see this entry for more details). There is no need to reinstall anything! Old hotfixes are perfectly OK.

Posted by Ilfak Guilfanov on December 31, 2005 06:53 AM | Permalink

Trackback

Listed below are links to weblogs that reference Windows WMF Metafile Vulnerability Hotfix:

» Attention: WMF exploit under Windows! (Update) (from Hexagon Business Weblog): For a few days there has been a hole in Windows that exploits a flaw in the library shimgvw.dll to inject malicious code into the system via WMF images. Apparently thousands of websites are already using this exploit and it is reall...
Tracked on December 31, 2005 01:13 PM

» Indexing and the WMF exploit (plus some extra information) (from The PC Doctor): It seems that indexing programs (that is, programs that index your hard drives to make searching faster, such as Google Desktop) can, if they come across an infected WMF file, run the file and trigger the exploit. As such, SANS and F-Secur...
Tracked on December 31, 2005 01:48 PM

» More on the IE WMF 0-day exploit: attacks via popups - first worm via MSN - unofficial patch (from marcelo.ar): It is worth noting, once again, that successful exploitation of this serious vulnerability in WMF image file processing will depend largely on the browser used by the attacked user: it is enough to visit a sit...
Tracked on December 31, 2005 11:21 PM

» Microsoft's WMF screen door still open but small patch available (from Zero Day Security): Earlier this week Microsoft announced a zero-day buffer overflow vulnerability in its Windows Metafile (WMF) graphics format affecting all versions of Windows. Here it is days later and there's still no resolution. Unfortunately, F-Secure is reporting t...
Tracked on December 31, 2005 11:35 PM

» Ilfak's hotfix for the Windows WMF vulnerability (from DIY Directory): There is currently no patch from Microsoft to fix the WMF vulnerability problem, but Ilfak Guilfanov made and published a hotfix on his blog. [...]
Tracked on December 31, 2005 11:39 PM

» WMF exploit firsthand (from Extemporaneous Mumblings)
Tracked on January 1, 2006 12:04 AM

» Windows WMF Metafile Vulnerability Hotfix (from SecNews): Source: Hex blog - by Ilfak Guilfanov. This week a new vulnerability was found in Windows: http://www.microsoft.com/technet/security/advisory/912840.mspx Browsing the web was ...
Tracked on January 1, 2006 02:20 AM

» Important: Windows WMF Metafile Vulnerability Hotfix (from Ask Jack): From Ilfak Guilfanov's hexblog: "Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly...
Tracked on January 1, 2006 01:00 PM

» Important: major security hole in Windows WMF (from Guardian Unlimited: Technology): Your Windows PC can now be infected with the nastiest malware imaginable just by viewing an image, or just by (say) Google Desktop or Lotus Notes or some other software accessing the image without you even seeing it. Using a...
Tracked on January 1, 2006 01:32 PM

» Windows Metafile vulnerability: update 1 (from Just a Bump in the Beltway): There have been a few developments since I published the first advisory post about this vulnerability, on December 28, 2005: 0-day Windows Metafile image file vulnerability currently being exploited in the wild. Some of these are good. Most of them...
Tracked on January 1, 2006 02:17 PM

» Newest WMF exploit patch saves the day (from CastleCops): Interim WMF exploit savior. We've all been following the dramatic story of the whole WMF exploit and how it is easily spoofed into other image types. The last day of 2005 the WMF exploit exploded into other various venues such as instant messages, ema...
Tracked on January 1, 2006 05:43 PM

» Well, it was only a matter of time. (from blog.ncircle.com): The WMF worm has arrived. We heard about it here first on Dec 27th. The title of this article just about sums it up: "WMF 0-day: exploit spreads, defenses few". Talk about an equal opportunity vulnerability. You are screwed using...
Tracked on January 1, 2006 09:17 PM

» Unofficial patch for the WMF vulnerability recommended by the SANS ISC and F-Secure (from marcelo): After having carefully reviewed the unofficial patch created by Ilfak Guilfanov (which I pointed to at the end of yesterday's post), the SANS Internet Storm Center recommends installing it, since the patch does what it promises...
Tracked on January 1, 2006 11:46 PM

» WMF exploit fix.
(from Jim Gall's blog): If you're running Windows 2000/XP/2003/x64, I really recommend installing the following patch, and use it until Microsoft releases an official fix (if ever). Click here for details/download ...
Tracked on January 2, 2006 02:09 AM

» Windows WMF Metafile vulnerability fix from reverse engineer (from cubicgarden.com...): Well, is this a good way to start 2006, Microsoft. A very serious exploit was found in Windows during last week, and this time it's a 0-day exploit, which means there's no patch availabl...
Tracked on January 2, 2006 03:33 AM

» Unofficial WMF vulnerability patch has been released (from Lawrence Abrams): An unofficial patch for the WMF vulnerability has been released. This program will patch in memory the Escape() routine of gdi32.dll so that it will not accept the setabort escape sequence that is being used to exploit this vulnerability. ...
Tracked on January 2, 2006 05:00 AM

» Pulling Microsoft's chestnuts out of the fire (from Un lugar en el mundo...): ...detect the vulnerable systems (almost all Windows versions, as I have already said) and an unofficial patch that fixes the vulnerability effectively and for which the source code is inclu...
Tracked on January 2, 2006 08:48 AM

» Download and install this if you don't want to get rooted by the WMF exploits (from Aaron Tiensivu's blog): http://www.hexblog.com/2005/12/wmf_vuln.html I've seen and heard about too many infections; this can not wait until the January Patch Tuesday.
Tracked on January 2, 2006 09:13 AM

» Changes between the current version and version 1 are highlighted. (from Grinの勝手気ままに戯言メモ): Although it is unofficial, a patch for the WMF vulnerability has been relea... from SANS.
Tracked on January 2, 2006 10:07 PM

» The number of those recommending the WMF temporary patch is growing (from networksecurity.fi weblog - Juha-Matti Laurio): The domestic CERT-FI has also joined those recommending the temporary fix written by Ilfak Guilfanov for the Windows Metafile vulnerability. F-Secure's weblog was the first to report on and link to the availability of the code, on Saturday afternoon. Internet St...
Tracked on January 2, 2006 11:19 PM

» Oh the stupidity of CYA (from ydns' blog): Wow, look, no one using Linux is affected by this... huh...
Tracked on January 3, 2006 12:24 AM

» New Windows exploit... patch at your own risk (from Technicalities): I should have posted on this earlier today, I've been pretty lazy about it though. It seems (let's have a huge surprised look on our faces now) that there is yet another Windows exploit making the rounds. Unfortunately, this is...
Tracked on January 3, 2006 01:04 AM

» Hex blog: Windows WMF Metafile Vulnerability Hotfix (from Groovy Links): http://dev.upian.com/hotlinks/archives/2006/01/02/#item49602
Tracked on January 3, 2006 01:47 AM

» WMF patch (from Geek Matters): I mentioned the WMF vulnerability in Windows recently. Microsoft has not yet released a fix, which leaves you all out to dry. This guy has put together a temporary fix that actually works like a rootkit (while a hacking tool and part of Sony's D...
Tracked on January 3, 2006 04:29 AM

» Public service announcement (from Classical Values): There's a new computer virus threat described as "huge": ....the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which requir...
Tracked on January 3, 2006 05:55 AM

» [Virus appears] Additional information on the Windows vulnerability [It's hopeless] (from 2ちゃんねる旅行記): ITpro: A new image file exploiting the Windows vulnerability has appeared; it can also arrive by e-mail. The mail subject is "happy new year" and the attached file is named "happynewyear.jpg". This file...
Tracked on January 3, 2006 06:13 AM

» WMF vulnerability (from Dominic White's .the product): I have been desperately trying to avoid blogging, but this is just hectic. A vulnerability (a feature not a bug) in WMF files allows code to be embedded and executed upon viewing the file. The libraries for handling WMF files are pretty universal across...
Tracked on January 3, 2006 08:57 AM

» WMF problem in Windows (from strelitzia.net | developments): Millions of lines of code and yet another bug has been found. And exploited. And temporarily fixed. This time it is a nasty one, where WMF images are executing code, which was introduced a long time ago and still exists in current Windows versions. I...
Tracked on January 3, 2006 10:43 AM

» A new critical flaw in Microsoft systems - controversy over the publication of a fix (from Greyhats - blog sur la sécurité et l'informatique en général): It appears, according to F-Secure, that the problem is not a bug but a feature of Microsoft's format, which was designed in the early 80s. It is indeed possible to include code directly in images, which may have seemed...
Tracked on January 3, 2006 11:08 AM

» Oh the stupidity of CYA (wow, look, no one using Linux is affected by this... huh) (from ydns' blog)
Tracked on January 22, 2006 06:43 PM

» The WMF vulnerability in Windows (from Fruitbox - inte bara en fruktskål): A serious security problem has been discovered and some effort has been spent on solving it. Microsoft, however, has not done so, and it may take a long time. They have made something they call a solution, but it is no complete solution at all. Ilfak G...
Tracked on January 25, 2006 01:07 PM

» Friendly reminder: beware of WMF trojans over the Spring Festival holiday (from daishuo): The Spring Festival is almost here; everyone be careful of WMF trojans when online over the holiday. These trojans have already started to spread. For material on WMF trojans, see the following articles: MS06-001 released early to fix the WMF 0-day hole; Exploit.WMF.SetAbortProc; WMF 0-day hole...
Tracked on January 26, 2006 02:53 AM

Comments

Thank you for this, though a ready-made MSI package would be nice for those of us who would like to spread this through group policies, or clear documentation of what exactly this installs so I could make one myself.
Posted by: vs | December 31, 2005 01:09 PM

OK, I'll see how to prepare an MSI package (never tried before). As about the installer, it does the following:
- extracts and tries to use wmfhotfix.dll on the target system
- if it fails, it informs the user and quits
- otherwise it copies wmfhotfix.dll to the system directory and creates/updates this registry key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
- the installer also creates the WindowsMetafileFix directory in "Program Files" and copies the source code of the DLL there. These files are not required for the DLL to work.
The most difficult thing is to update the registry key because we can not simply overwrite it but have to preserve its contents. I had to program it manually since InnoSetup does not support this type of update (or did I miss it? It is a great setup, I like it a lot!)
Posted by: ilfak | December 31, 2005 01:31 PM

Does this hotfix also work on Windows 2003 Server?
Posted by: mol | December 31, 2005 01:32 PM

I could not try it (I don't have Windows 2003 here) but most likely it will work. Please try it - if a compatibility issue arises, it will quit without modifying anything in the system.
Posted by: ilfak | December 31, 2005 01:36 PM

I just made an MSI file that does the things listed above. It installed and uninstalled cleanly on my test machine, XP Pro SP2. I'm still just wondering about some metadata on the package before putting it up for download (publisher, product URL etc).
Posted by: vs | December 31, 2005 02:16 PM

You are fast! I just read Microsoft's article on how to create MSI packages and was wondering about a clean machine... You can put my name and hexblog.com in the package, plus your name to reflect the fact that you repackaged it. One more thing: I updated wmfhotfix.dll. The previous version could silently fail at VirtualProtect() - well, in theory.
Posted by: ilfak | December 31, 2005 02:24 PM

The MSI repackaging can be downloaded at your own risk at: http://users.utu.fi/vpjsuu/wmfhotfix/
Posted by: vs | December 31, 2005 03:10 PM

Will this work on XP Pro SP1? This is the OS that it is really needed for, as I have read of several good workarounds for XP SP2. Plus, how about a fix for all of us who have other older computers running 98SE?
Posted by: mele | December 31, 2005 03:22 PM

I haven't tried it on XP SP1, please try. As about 98SE, sorry, it is out of my reach...
Posted by: ilfak | December 31, 2005 05:31 PM

vs: thanks for the MSI package!
Posted by: ilfak | December 31, 2005 05:44 PM

Hi, wmffix tells me that the fix is not compatible with my system. I'm running WinXP Prof. Any idea?
Posted by: fg | December 31, 2005 05:58 PM

Oh, I have XP SP1 only, looks like it doesn't like the fix :(
Posted by: fg | December 31, 2005 06:00 PM

Patch appears to work on Win2003 Server.
Posted by: jeff | December 31, 2005 06:28 PM

Nice, but what exactly is happening, are you simply patching gdi32.dll? If so, what about hex-editing gdi32.dll and changing the call name setabort to something else? I'd like to see some tech stuff such as hex data. Since this one is only for XP, hex-editing is possible on any system.
Posted by: wpw | December 31, 2005 07:00 PM

Thank you, one and all, for sharing your knowledge and efforts on this issue. I got hit by a WMF-borne desktop hijacker and had to wade through my registry with a machete and half-a-dozen virus cleaners (including F-Secure) in order to dig it all out and get back in shape.
(I was using rage and frustration as weapons where you guys were using skills and education. =:-o) The following day, I read about this WMF thing, and then you guys came up with the antidote almost as soon as I had digested the information. Thank you tons. The dark side cannot win while there are people like you working for the powers of good. You guys are the force! Thanks again.
Posted by: timt | December 31, 2005 07:32 PM

Seems to be working fine on the five XP SP2 PCs I've installed it on. Spent 5 hours trying to remove the adware/spyware garbage loaded on the one I didn't get to before it got infected. Misery... Thanks for the patch/workaround!
Posted by: todd in los angeles | December 31, 2005 08:01 PM

Can someone post a patched DLL that will work on XP without the SP? Thanks.
Posted by: alex | December 31, 2005 08:22 PM

It would be great to have this also working on Windows 2000. Is there anything I can do to help widen the patch's application range?
Posted by: steve gibson | December 31, 2005 09:02 PM

vs and ilfak, you guys have been a tremendous help in this. I want to thank you profusely for your quick response to these issues. I'm a network admin who was previously facing the daunting task of rolling out this or the unregister-DLL "fix" on a couple hundred PCs, so this really saved my skin. Do either or both of you have a PayPal account so I can throw a coupla bucks your way? Thanks again.
Posted by: dudemicro | December 31, 2005 09:03 PM

mele wrote: "Will this work on XP Pro SP1? This is the OS that it is really needed for as I have read of several good workarounds for XP SP2." What workarounds have you heard of for SP2? All I have seen is the very familiar shimgvw.dll disable. This has been shown to be fair at best. What else is there that is so good?
Posted by: mo | December 31, 2005 09:52 PM

wmffix.exe fails on my machine with the following error: "Sorry, this fix is not compatible with your system". However, Ilfak's MSI re-package of the same installs w/o complaint. I have no idea why this is so. I have MS Windows XP Pro, version 2002, Service Pack 2, v.2055.
Posted by: rfightmaster | December 31, 2005 11:07 PM

Same here; XP without SP and the re-packed MSI installs, and apparently is working.
Posted by: i | December 31, 2005 11:48 PM

We are currently working on the version for W2K. It is quite possible that the W2K version will work on other systems too. For the moment, if the wmffix.exe installer says that the fix can not be applied to your system, please do not try the MSI. P.S. Do not try to install the hotfix twice, it will fail.
Posted by: ilfak | December 31, 2005 11:48 PM

Update: the Windows 2000 version is available. Most likely it will handle vanilla XP and XP SP1 too. If not, please tell!
Posted by: ilfak | January 1, 2006 12:18 AM

Tried the updated hotfix on my Win 2K Pro + SP4 but it refused to install, claiming my system isn't compatible.
Art
Posted by: art kopp | January 1, 2006 02:05 AM

Just an FYI, you have probably seen this already but here it is: Yahoo Antispyware detects the patch as follows (and gives a pop-up window on reboot that says the file must be uninstalled from the command prompt):
12/31/2005-17:55:18,29756979,1553861216,detected,cws,ppclean pest,453075759,key "hkey_local_machine \software\microsoft\windows nt\currentversion\windows" value "appinit_dlls" data "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1559331216,quarantined,cws,ppclean pest,453075759,key "hkey_local_machine \software\microsoft\windows nt\currentversion\windows" value "appinit_dlls",-1
12/31/2005-17:55:19,29756979,1559331216,permanently deleted,cws,ppclean pest,453075759,not applicable,-1
12/31/2005-17:55:19,29756979,1559331216,detected,cws,ppclean pest,453075759,file "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1560271216,quarantined,cws,ppclean pest,453075759,file "c:\windows\system32\wmfhotfix.dll",-1
12/31/2005-17:55:19,29756979,1562301216,detected,cws,ppclean pest,453075759,file "c:\windows\system32\drivers\etc\hosts",-1
12/31/2005-17:55:19,29756979,1563081216,quarantined,cws,ppclean pest,453075759,file "c:\windows\system32\drivers\etc\hosts",-1
Posted by: michael gibson | January 1, 2006 02:13 AM

Art, what version info do you have for Win2K's gdi32.dll file in your \winnt\system32 directory? I've successfully applied Ilfak's current v1.1 release both on a very old SP4, gdi32.dll dated 6/19/2003 with a version of [5.0.2195.6660], and also a much more recent edition dated 10/6/2005 with a version of [5.0.2195.7069]. What do you have?
Posted by: steve gibson | January 1, 2006 02:26 AM

XP Home SP2 updated. File installed. Haven't tested it. However I've lost recognition of my CD drive with the default XP burning app. Files are not burnable and RWs are not erasable. Drive has disappeared from the right-click "Send To" menu, and message says drive is unavailable.
Files are still burnable however with Nero 6.6 and CD Burner XP Pro 3.0.
Posted by: payton | January 1, 2006 03:39 AM

That's *really* bizarre. I've studied Ilfak's code, and there's just no way to explain that sort of interaction. Could you try removing the patch (and rebooting) and see whether it restores things? Ilfak's code is not modifying anything permanently, all of its patching is in RAM only, so there's no way it could "persist" after being removed.
Posted by: steve gibson | January 1, 2006 03:45 AM

Won't work for my Win2K SP4 either... gdi32.dll is dated April 2005.
Posted by: elhh | January 1, 2006 03:48 AM

... and you had not previously installed the MSI or any other version of Ilfak's patch?
Posted by: steve gibson | January 1, 2006 04:01 AM

Hi, what are the limitations of this fix? Can I still see the photos using my picture viewer? Please help, thanks.
Posted by: ravi | January 1, 2006 05:37 AM

Someone commented at DSLReports that this tool is not reliable anymore, is it true?
[quote]Test it, try it, you will see that the best protection currently is to use the OS to un-register it, because the current tools created by, I might add, very respected people, are being pulled apart as we speak. Secondly, since we know Microsoft is not Sony, do you think that if Microsoft thought that hooking SetAbort would truly be a workable temp fix, that they would not have released it? Remember please, that these tools that are being created as temp fixes are using hooks to provide that, and hooks can be just as easily removed as they can be created, which is what is being done now.
However, it is much more complicated to re-register a .dll than it is to remove a hook since the now non-existent .dll is not around to even allow the code to execute in the first place.[/quote]
Posted by: wmfsucks | January 1, 2006 06:11 AM

I describe the way Ilfak's patch works here: http://www.grc.com/groups/securitynow:423 There are no limitations to this solution, other than that it kills a "probably never needed" error-handling function of Windows metafile processing. Since it is subtly patching the core Windows gdi32.dll on the fly, whenever it's loaded into a process space, you should remember to remove this after Microsoft has updated Windows to repair the gdi32.dll. But until then it simply and cleanly cures the problem without any known side effects.
Posted by: steve gibson | January 1, 2006 06:16 AM

Thank you Steve. The explanation is very technical, I hardly understand any of it.
Posted by: wmfsucks | January 1, 2006 06:26 AM

Sorry about that. Essentially it means that Ilfak's "patch" is automatically loaded into a program's memory space whenever a program like Windows Explorer or Internet Explorer is loaded by the operating system and starts to run. At the moment that Ilfak's patch is loaded, it immediately seeks out and locates the specific function that we now know is "broken" in the current Windows gdi32.dll program library file. When it finds it, it "patches" the defective code in memory so that it does nothing if any malicious image file attempts to abuse the file's defect. In that way we are all protected from the danger in this defective Windows file until Microsoft fixes it "officially". It's a very nice, elegant and clever solution to tide us over until Microsoft fixes it permanently.
Posted by: steve gibson | January 1, 2006 07:35 AM

Hi Steve.
Based on my layman reading of your explanation, am I correct in interpreting you as stating that Ilfak's patch works by: (1) searching for specific gdi32.dll code in Windows versions 2000 and above, (2) and when it does find the code in that file, it patches that portion of the file, whereby the fix is some sort of "intervention mechanism" against the Escape function? (3) Does this mean that it is the Escape function that is specifically being exploited by the WMF malware? As for the portion of the quoted comment: "However, it is much more complicated to re-register a .dll than it is to remove a hook since the now non-existent .dll is not around to even allow the code to execute in the first place." My understanding is that the .dll, even if it is being unregistered, is not being wiped from the hard disk, so what's to prevent a malware from re-registering it just as easily as removing a patch of gdi32.dll?
Posted by: tkteo | January 1, 2006 07:44 AM

Oops. I took too long to type my questions. Thanks for your responses (emphasis on the plural), Steve.
Posted by: tkteo | January 1, 2006 07:46 AM

Steve, picking up on wmfsucks' earlier comment about countermeasures for Ilfak's patch, this poster claims to have already seen exploit code variants which defeat it:
http://www.dslreports.com/speak/print/default;15142923
http://www.dslreports.com/speak/print/default;15143094
http://www.dslreports.com/speak/print/default;15143172
http://www.dslreports.com/speak/print/default;15142958
http://www.dslreports.com/speak/print/default;15143054
If true, then should your current advice (at http://www.grc.com/sn/notes-020.htm) not to bother with unregistering the DLL be changed to do both (i.e. to unregister and rename the DLL, and apply Ilfak's patch)?
Posted by: milly | January 1, 2006 08:24 AM

It seems that my MSI repackaging does less checking about the target system.
This might mean that if Ilfak's package won't install and the MSI package will, the MSI might not work either and may create a false sense of security.
Posted by: vs | January 1, 2006 08:43 AM

Regarding that posting on DSLReports: you can safely ignore it. I'm sure that the poster had good intentions, but his logic is flawed. It presumes that something has already penetrated the user's system in order to remove Ilfak's patching hook. But if something has penetrated the user's system well enough to do that, then the penetration has already occurred. Ilfak's temporary patch simply prevents the WMF exploits from being able to gain a foothold in the first place.
Posted by: steve gibson | January 1, 2006 09:55 AM

Any way to run the patch silently? Thanks!
Posted by: katom | January 1, 2006 11:39 AM

Installed it on Win x64 without problems. Not going to try and find injected WMFs though ;-) Thanks!
Posted by: jud hendrix | January 1, 2006 12:15 PM

ravi: yes, you will still be able to see all image files using the picture viewer. Even if you try to open a malicious WMF file, the picture viewer will clearly inform you that the file can not be rendered. You will not be infected by the worms exploiting this vulnerability.
Posted by: ilfak | January 1, 2006 01:15 PM

In response to Steve Gibson's inquiry about the date and version of my gdi32.dll file on Win 2K Pro SP4 in the \system32 folder: 4/8/2005, version 5.0.2195.7011.
Posted by: art kopp | January 1, 2006 01:40 PM

katom, to run the setup in the silent mode, try this:
    wmffix_hexblog12.exe /verysilent /suppressmsgboxes
Posted by: ilfak | January 1, 2006 01:53 PM

Is there a good way to know if a system has already been hit by the WMF exploit? (Other than the obvious adware/spyware pop-ups or other strange behavior.) Like checking a file version or something that would have been modified by the WMF exploit? After the wmffix is installed, would it still be prudent to unregister the shimgvw.dll to be 100% safe?
Also, is there an easy way to deploy this wmffix via a Windows login script? If so, could someone please give some details, thanks.
Posted by: baze68 | January 1, 2006 02:57 PM

Sorry for the quick 2nd posting, but I was wondering if there is a way to 'test' that the wmffix is actually working as intended? Is there some non-malicious WMF file that you could post to allow people to check if the wmffix is installed and working?
Posted by: baze68 | January 1, 2006 03:05 PM

baze68, it is rather difficult to detect if the system was hit by a WMF exploit. The problem is that the exploit code could do anything, including hiding itself, installing a rootkit, or any other software on the system. There will be no trace of the exploit itself in the system logs but the system will be compromised. The fix renders your system invulnerable against WMF worms. I did not unregister shimgvw.dll on my system (well, I did it for the research stage but re-enabled it afterwards) but if you want to be on the safe side, unregister it - in theory this will make your system less vulnerable but also less usable at the same time. I like your idea of having a method to check if your system is vulnerable against the WMF exploit!
Posted by: ilfak | January 1, 2006 03:17 PM

I found that there are many graphic viewers that use the gdi32 library to play Windows metafiles, so it is not good to just unregister shimgvw.dll.
Posted by: 路人 | January 1, 2006 03:41 PM

Ilfak, thanks so much for this. Can you please post the MD5 sum for the current version of the patch?
Posted by: btree | January 1, 2006 04:47 PM

Is it possible for you to create a patch for Win9x (ME)? We with no money for a new OS would appreciate it!
Posted by: guy_with_no_money | January 1, 2006 05:33 PM

Does this patch install correctly if the user is not an administrator on the local system, i.e. user/power user?
Posted by: baze68 | January 1, 2006 05:35 PM

With this installer, what is the command line to uninstall once the MS fix is out?
I am going to run the install process in an AD script (runs with admin rights as users don't have install rights) and then would like to later remove it.
Posted by: shane | January 1, 2006 06:18 PM

Ilfak: first of all, great job on getting this fix out. You're saving a lot of us many hours of unpaid overtime over the coming days and weeks. I am working on a new MSI file to deploy this now. Is it possible that you could provide me the source to the InnoSetup installer you made? I'm sure I can translate that into something that can be compiled into an MSI with the WiX toolkit. I will publish the WiX source to my installer once I've gotten it done, along with instructions on how to re-compile it with WiX (so that nobody has to download an untrusted MSI file from me and people can rebuild it from scratch if the wmffix patch is updated).
Posted by: evan anderson | January 1, 2006 06:27 PM

Per the request above for a simple logon script:
    rem skip machines that already carry the marker file
    if exist c:\wmf_fixed.log goto done
    \\yourserver\softlocation\wmffix_hexblog13.exe /verysilent /suppressmsgboxes
    rem a non-zero exit code means the installer failed; leave no marker so it is retried
    if errorlevel 1 goto done
    copy \\yourserver\softlocation\wmf_fixed.log c:\wmf_fixed.log
    :done
Posted by: shane | January 1, 2006 06:28 PM

After I posted about losing the CD burning app, my whole system crashed. Because of that it has taken me a while to get back here. As far as I can tell, the fix wasn't the cause of the problem but rather the issue was unrelated. I've since loaded the file onto a fresh install, and the system is running fine.
Posted by: payton | January 1, 2006 06:48 PM

Does the wmffix install have an option to create a log file to verify/confirm that a 'silent' install, i.e. login script, completed successfully?
Posted by: baze68 | January 1, 2006 07:02 PM

Kudos to Ilfak for the patch!!! I too would like to verify the errorlevel upon install (perhaps sending it to a server log file for review) so that we don't have a false sense of security.
we could institute a software restriction policy for the dll on 2003 ad or could unregister the dll via a startup and logon script (to ensure it is not re-enabled), but would like to avoid this due to the loss of functionality. posted by: shane | january 1, 2006 07:16 pm

hi, what about windows 9x? no patch possible?? posted by: charles | january 1, 2006 07:20 pm

hi, what about windows 9x? no patch possible?? thanks in advance, a lot of people still have a computer running win 98/me. posted by: charles | january 1, 2006 07:21 pm

is xp64 vulnerable? if so, does the patch work? posted by: eric | january 1, 2006 07:51 pm

can anyone try this: locate gdi32.dll, open it with a hex editor, find 'setabortproc', change it into something else (same length), write back the changed file to gdi32mod.dll, back up your gdi32.dll and replace your gdi32.dll with the modified one in dllcache and system32. (mikko, if you read this, please test this one) posted by: wpw | january 1, 2006 07:58 pm

why don't you post the source code so people don't have to reverse engineer this to check it does what you say it does? posted by: mike hearn | january 1, 2006 08:04 pm

hey ilfak, just installed the 1.3 fix and it seems to work great. i had a couple of ideas. the main gui window still says 1.2, which is very minor. also, i think a command-line uninstall switch would be a cool thing to have. if there is already one, i missed it. thanks for the patch -todd posted by: todd towles | january 1, 2006 08:04 pm

hi, happy new year.... not... has anyone been testing this on windows 2000/2003 terminal servers? please share info if anyone has tested... posted by: jone simonsen | january 1, 2006 08:20 pm

any windows server administrators in this audience... have you, or are you going to, apply this wmffix to your windows 2000/2003 servers? just curious how many windows administrators have or are planning on actually deploying this patch to their production desktops and/or servers?
thanks for this patch ilfak... has microsoft called yet to ask if they can use your patch code?!? (are those guys in redmond asleep at the wheel or what?!?) posted by: baze68 | january 1, 2006 08:27 pm

i'm a contracted windows server admin working with several customers who have a mix of nt 4.0 and ad domains, and client computers running windows 2000 and windows xp professional. i've got about 1,200 client pcs and 20 servers in my largest client site w/ an ad domain that i need to deploy this patch onto. i'm trying to get an msi package built using the wix tools now, because i really would prefer not to deploy this with a script (e.g. i don't want to uninstall it with a script later - i want to back it off w/ msi). v. suuronen (poster above) gave me his msi, and it compares to what i'm doing. i've got more details on my blog, but essentially i've got the skeleton msi built now, but i'm going to have to write some custom actions to finish it up. i'll post updates on what i've gotten done to my blog. posted by: evan anderson | january 1, 2006 08:47 pm

let's assume that microsoft patches this thing ;) if ilfak's fix is installed, and 'auto update' is enabled, is it likely that machines will break after the microsoft patch gets put on automatically (without first removing this fix)? i realize it depends on what microsoft does to patch this, but i'm just a little worried about the systems that have auto update enabled. posted by: hp550c | january 1, 2006 08:47 pm

hi ilfak, just a quick note of sincere appreciation for your dedication, expertise and availability in so rapidly producing a fix for this exploit (on new year's eve, no less) while the 60,000+ ms workforce could only come up with a very partial workaround so far. and the same goes for all those who participated in fine-tuning the code for this fix (steve gibson comes to mind...). a great and highly commendable job.
posted by: martin paquet | january 1, 2006 08:49 pm

does the fix require the restart to actually be effective, or is it live as soon as it's installed? i would install it on a few servers, but they cannot be restarted until "patch tuesday..." also, i saw the new v1.3 added support for "win2k sp4", but i installed v1.1 on a "win2k sp4" machine and it went ok... v1.3 says it does not need to be installed twice on that machine now... posted by: per hansson | january 1, 2006 09:15 pm

hi per, i'll answer for ilfak since i'm very familiar with the operation of his code. first, machines do not need to be restarted for the patch to start taking effect. however, any already running programs that might attempt to render an image would not be protected. so the rule is, once ilfak's "patcher" is installed, any processes that are subsequently started will have their own instances of gdi32.dll patched, but previously running instances would not be patched. therefore, the restart is just a clean way of assuring that all possible instances of gdi32.dll running will have been dynamically patched. also, if the v1.1 patch installed on your system, then it found a version of gdi32.dll that it understood and you should be okay. what ilfak has been doing since v1.0 is (mostly) adding additional recognition signatures for the function entry points, which vary a bit from one gdi32.dll version to another. posted by: steve gibson | january 1, 2006 09:33 pm

hello all, kaspersky has provided a patch for that trouble. do you think it is useful to use ilfak's patch after kav's? does anybody know the difference between the two? thank you all and happy new year :) lim. posted by: limerick kepler | january 1, 2006 09:54 pm

limerick, which 'patch' from kaspersky are you referring to? if it is just a virus def update then yes, you should still use ilfak's patch. the reason is that the antivirus software companies need to come out with new updates for each variation of this wmf exploit.
as of the last check i think there were over 70 different variations. this patch prevents any of these from being run. posted by: hp550c | january 1, 2006 10:08 pm

i was just trying to create a program that hooks the escape function in windows 98. now i'm not exactly sure what to do with it. how can i get it tested and see if it works? posted by: benjy | january 1, 2006 10:11 pm

is there a way i can automatically install this patch? i would like to put it in the logon script, have it silently install and force the machine to reboot afterwards. of course, the second time the patch runs, if it's already installed, it would silently exit. frank posted by: frank bulk | january 1, 2006 10:11 pm

this is odd, well, i did an odd thing. for some reason i only located the dll in win32.... so i unloaded it, ran the installer, restarted and realised here that there are 2 more. i unloaded the other 2 dlls. uninstalled the hexblog fix. restarted, and now when i try to run the hexblog fix i get "sorry this fix is not compatible with your computer" :? posted by: martinj | january 1, 2006 10:12 pm

lim ... kaspersky's update is for detection of wmf exploits of the vulnerability, but it does nothing to actually eliminate the vulnerability. ilfak's dynamic patching solution actively "suppresses" the vulnerability, thus also preventing new exploits that kaspersky's scanning might not catch. so, yes, doing both makes lots of sense. posted by: steve gibson | january 1, 2006 10:12 pm

hp550c: here is kav's patch: http://www.kaspersky.com/technews?id=176836515 thank you steve for your advice. i'll do so. but do you know exactly what kav's patch is supposed to do? lim. posted by: limerick kepler | january 1, 2006 10:20 pm

thank you for the patch, very impressive how fast this came about. i had friends and family downloading the ubuntu live cd to use until ms came out with a patch.
i only had 2 people decide to ditch their windows completely because of this, but now i can let them know that if they want to go back to using their windows computer, they can feel a little more secure using this fix. thank you a bunch. posted by: will | january 1, 2006 10:33 pm

what does this patch actually do, exactly?? posted by: harry hirsch | january 1, 2006 10:37 pm

would the following steps reduce the probability of downloading an infected file or having an infected file be triggered by automatic indexing? even if they work, they are just band-aids, but might reduce the attack surface:
1. turn off images in internet explorer [tools > internet options > advanced > multimedia > show pictures (uncheck)]
2. disable indexing by windows [drive by drive: right click > properties > allow indexing service to index this disk (uncheck)], or alternatively disable the indexing service via the services menu
posted by: les | january 1, 2006 10:46 pm

lim, to me it sounds like that kaspersky patch is just making it so that the software actively scans .wmf files in real time, rather than during a scheduled scan. the problem with that is that the wmf exploit can actually be disguised as other file types (most commonly .jpg files). as steve mentioned, your best bet is to update kaspersky and use this patch. posted by: hp550c | january 1, 2006 11:10 pm

i have been experiencing problems installing the wmf hotfix.
i ran v1.2, but it did not install (no icon under programs). i removed 1.2 and then ran v1.3. when it booted up, it showed v1.2 (again) and was still not shown in programs. any suggestions would be appreciated. jack jhrobbins@hotmail.com posted by: jack robbins | january 1, 2006 11:31 pm

there is no icon in the programs - this is perfectly normal, the fix does not require any user intervention after the installation. as for the version number mess - sorry, this is a mistake, i forgot to change it. posted by: ilfak | january 1, 2006 11:40 pm

i'm having problems with this patch.. i installed v1.3 earlier today and then tried to uninstall it again (for checking). now after rebooting i was trying to install it again. everything seems ok, but after another reboot the changes seem to be undone, because your wmf exploit checker says i'm vulnerable again?! don't know how to secure my system now... the patch is still installed but it says it's vulnerable... seems like your program unregisters the patch after every reboot?! ... what can i do now? tried uninstall/install a few times now... thanks for any help! alex posted by: chaos | january 2, 2006 01:09 am

thanks for the fix. it seems to disable western digital retrospect backup software. posted by: greg | january 2, 2006 01:21 am

thanks for telling! we will try to gather more information about these cases and hopefully will find a solution. meanwhile, please uninstall the fix. posted by: ilfak | january 2, 2006 01:24 am

hey ilfak, do you have a paypal account? i would like to send you a small token of appreciation for what you did. warmest, daniel posted by: daniel kost | january 2, 2006 01:26 am

ilfak... the trouble with western digital's retrospect software being disabled might be some side effect in appinit registry handling. (just a thought.) posted by: steve gibson | january 2, 2006 01:27 am

daniel, thank you!
i created this fix to help others like me, who were left exposed to the wildest malware by the breach in the system security. no need to send any money, i'll be happy if my fix helped you! posted by: ilfak | january 2, 2006 01:36 am

steve, i just installed/uninstalled/installed the fix to recheck how it behaves with appinit - it seems to be ok. the key contents are never erased. btw, greg, what exactly happened to retrospect? does it fail to start, fail to back up, or something else? posted by: ilfak | january 2, 2006 01:49 am

i decided i wanted to see if the patch would uninstall correctly for when microsoft releases a patch. i rebooted after the uninstall. then i tried to reinstall it and it says it is already installed. the uninstall entry does not show up in add/remove. my only worry is that it thinks it's installed but is not working. posted by: binaryreality | january 2, 2006 02:04 am

i would love to have some info on how to uninstall this patch manually... maybe this could solve the problem i described above. i even did a windows system recovery in the meantime and tried to install the patch again. same problem... after a reboot, there's no protection anymore... could this be a language-specific problem, maybe due to some other paths? (e.g. "c:\programme" instead of "c:\programs"?) alex posted by: chaos | january 2, 2006 02:32 am

to manually uninstall the patch:
- remove any mention of wmfhotfix.dll from hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls
- reboot
- if you want, you can delete %system%\wmfhotfix.dll from the disk. this is 'the meat' of the fix, the only file that patches the system in memory. it should be freely deletable after the reboot.
there are some text files in %programfiles%\windowsmetafilefix; if you want, you can delete them too.
posted by: ilfak | january 2, 2006 02:40 am

thanks for this workaround ilfak, i have it running on my windows 2003 server/workstation and i cannot prove or disprove whether your fix is the cause of this; either way i feel a great deal more comfortable having it. what i am seeing on this system is that when i try to open a new application - notepad, outlook or pretty much any application - i am having a 1-2 second delay before the application opens up. is this due to the fact that each application is calling gdi32.dll or user32.dll on execution and the delay is from your 'fix' sitting in the middle acting as 'policeman'? cheers posted by: stephen | january 2, 2006 03:03 am

ok, just checked if the fix got uninstalled correctly.. it did.. just installed the fix again, rebooted... and now i realized this: the value of "appinit_dlls" is set to "" after restart... why could this happen? :\ alex posted by: chaos | january 2, 2006 03:09 am

thanks for the uninstall instructions. posted by: binaryreality | january 2, 2006 03:18 am

alex, please check for 'antispyware' or similar programs. try regmon from sysinternals - it might help you to find who is cleaning it. posted by: ilfak | january 2, 2006 03:28 am

stephen, i can hardly imagine any delays caused by the hotfix. it does its job at lightning speed. posted by: ilfak | january 2, 2006 03:29 am

i found that with wmffix_hexblog13.exe, the value of "appinit_dlls" is set to "" after restart. for this reg entry to work, you have to turn off the automatic blocking in lavasoft's ad-watch.

    windows registry editor version 5.00

    [hkey_local_machine\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"="c:\\windows\\system32\\wmfhotfix.dll"

otherwise, ad-watch just stomps it. posted by: jfc | january 2, 2006 03:45 am

just found this entry in appinit_dlls: sockspy.dll. google says it's a dll from bitdefender. shit :( posted by: chaos | january 2, 2006 03:49 am

thanks for the patch.
i just hope ms will release the official patch soon. posted by: lloyd | january 2, 2006 03:53 am

thanks! you have my trust, and i will be mirroring this for my friends to ease the traffic on your site! posted by: sunny yeung | january 2, 2006 04:26 am

it was ad-watch that caused the uninstall issue for me. thanks for the patch. posted by: binaryreality | january 2, 2006 04:35 am

thanks for your excellent work to keep our computers safe posted by: jay | january 2, 2006 06:51 am

any idea how an official patch might react with the unofficial patch if the unofficial one is not uninstalled prior to installing the ms one? i.e. automatic update goes ahead and installs the ms one when it is available before i have a chance to uninstall the unofficial one? i've got it on several 2k/xpsp1/xpsp2 boxes with so far no ill effects, but some are set to autoupdate when ms comes out with critical updates.. thanks! posted by: pete | january 2, 2006 07:01 am

as a slashdot comment points out, "there is no [official] patch for windows me, 98, or 95 and there will never be as these oses are unsupported. these systems will always have this vulnerability." do you have any advice for us users of those oses? can we do anything to assist you in expanding your patch? or do it ourselves manually somehow? much thanks. posted by: nick | january 2, 2006 07:04 am

in re 98 and me, critical support is through june 30, 2006: http://support.microsoft.com/gp/lifean1 one hopes that includes a fix for the wmf vulnerability by then. after june, though, anything else and 98/me users may be on their own. posted by: luke | january 2, 2006 08:00 am

hi. thanks for providing useful info and a patch. the reason i wanted to make a comment is that i ran all the tests at http://multitudious.com/test.html and had no problem at all, saw no pictures (just a red x where they should have been) and no system reboot either.
i probably should mention that i have winxp pro sp2 fully updated, avg free, za free, spybot s&d, wormguard and spywareblaster as real-time protection. shimgvw.dll has been unregistered here since the first day i heard about the .wmf issue. just for your info in case you want to know. thanks! gunilla. posted by: gunilla bjorkegren | january 2, 2006 08:54 am

ok guys. i ran a test on the link provided above on two different computers. both had kav's patch and only one had ilfak's. the result is the same: no exploit image displayed but several alerts from kav about the riskware. lim. posted by: limerick kepler | january 2, 2006 09:29 am

hi, would there be a possibility to get a version of the wmffix that can be installed unattended in large networks? i would need that functionality urgently in my network. lauri posted by: lauri autio | january 2, 2006 09:55 am

so, should i install this patch first and then unregister shimgvw.dll, or the other way around? posted by: lord fairfax | january 2, 2006 10:04 am

doesn't packaging the source code in an exe sort of defeat the purpose of publishing the source code? why not put it up in plain-text or zip form, so we can see what it does without running it first? anyone? posted by: ihoc | january 2, 2006 10:35 am

i just unregistered the dlls and installed the patch; now i cannot view thumbnails of images in my picture folders etc. and windows picture viewer doesn't work. is this normal? because if it is, i think i might have to go back, as it is hard to run windows like this. posted by: brendan bolen | january 2, 2006 11:07 am

brendan, have a look at: http://www.grc.com/sn/notes-020.htm from that, you may re-register the dll safely (i think). posted by: jlow | january 2, 2006 11:44 am

this fix seems to break acdsee (latest version) for displaying all files (not just wmf) - just fyi, not a criticism! posted by: itf | january 2, 2006 12:14 pm

just tried the acdsee version 8 demo and had no problem whatsoever.
posted by: pierre | january 2, 2006 12:33 pm

apologies - turned out to be unrelated. had to add acdsee to my dep exclusion list to get it to work. posted by: itf | january 2, 2006 12:36 pm

i installed 1.1 on xp pro sp1 and it broke windows. i could not boot into windows normally and had to boot to safe mode and use system restore. does 1.3 work properly on sp1? i had a better experience with 1.1 on xp pro sp1 on my vmware guest machine, where it installed with no problems. posted by: mele20 | january 2, 2006 12:50 pm

i renamed shimgvw.dll. will that eliminate the vulnerability (yes, i realize there is loss of functionality) until m$ comes up with a fix? thanks. posted by: steve | january 2, 2006 01:26 pm

help! is there a way to suppress the reboot??? i am putting it in a login script. it's annoying. posted by: artur | january 2, 2006 03:39 pm

hi, just a small note: if you install 1.3 the uninstall info says 1.2... posted by: aleks | january 2, 2006 03:44 pm

what about windows 98?? are you going to expand the patch?? there are a lot of us still using the old windows!! posted by: dennis foote | january 2, 2006 04:08 pm

the wmffix installer was apparently built using inno setup (www.innosetup.com). the command-line options seem to be well documented on this page: http://www.appdeploy.com/tips/detail.asp?id=113 which also includes a command to suppress reboots. i have yet to test that. the /log option also seems to create a new file and error out if it already exists, rather than append or overwrite. this is a problem if you wanted to log to a single file on a network store, unless you a) script things in such a way that after installation you append the output to another file and delete the original for the next login, or b) name the log file after the username/machine. kind regards, frank posted by: frank bulk | january 2, 2006 04:13 pm

i had pest patrol i.d. version 11 of the patch as a pest and offer to remove it.
it would have removed the patch on reboot if i hadn't stopped it, on a laptop running win xp home. doesn't happen w/ other pest detectors and other windows combos as far as i can see. posted by: joyce | january 2, 2006 04:15 pm

i have made a patch that seems to work in windows 98 and xp (probably win 2000) as well. the wmf vulnerability checker says the systems are protected. send me an email at mail1%benjing@gmx.de if you want to try it. posted by: benjy | january 2, 2006 04:18 pm

i just downloaded the fix via castlecops, installed it and ran the regsvr32 command, then the check program (after rebooting). the checker still tells me the pc is vulnerable. posted by: norm dotti | january 2, 2006 04:32 pm

after installing wmffix_hexblog13.exe the mappings from the login script didn't work anymore. this is what my login screen shows:

    login-lgnwnt32.dll-923: an unexpected error has occurred: 15 (8819).
    login-lgnwnt32.dll-923: an unexpected error has occurred: 9 (8801).
    drives a,c,d,e map to a local disk.
    ----- search drives -----
    s1: = c:\windows\system32
    s2: = c:\windows
    s3: = c:\program files\compaq\insight manager
    s4: = c:\windows\system32\wbem
    s5: = c:\windows\system32\nls
    s6: = c:\windows\system32\nls\english
    s7: = c:\program files\novell\zenworks\
    login-lgnwnt32.dll-923: an unexpected error has occurred: 15 (8801).

i'm using novell client 4.90 sp2, version 4.90.2.20040617, windows xp professional sp1, mcafee enterprise 8.0i, novell netware 6.0 sp5. after uninstalling the fix and restarting the computer the novell drives could be mapped again. kind regards, r. evers posted by: r. evers | january 2, 2006 04:44 pm

thanks posted by: mazard | january 2, 2006 05:00 pm

hi, i applied the patch, rebooted the pc and ran the "wmf vulnerability checker", and came up with "error: your system is vulnerable... etc." so, i proceeded to uninstall the patch. i am running:
- windows 2000 pro ver. 5.00.2195 sp4
- intel motherboard d845gvsr, pentium 4 2.26 ghz, ram 1g
residents:
- av: bitdefender 9, defs up to date (it did not detect the vulnerability checker as other avs do)
- counterspy 1.5.82, defs up to date
- zonealarm 4.5.594 (stealth mode)
- winpatrol plus 9.8.1.0 (latest)
- router w/ firewall (stealth mode)
posted by: diazruanova | january 2, 2006 05:08 pm

works fine and everything went as described on this page. nod32 virus protection remained silent during the whole procedure. tested on xp sp2 (32-bit). posted by: christian | january 2, 2006 05:16 pm

i strung up a 98: win 98 se y2k indicates not vulnerable. there is no shimgvw.dll file, so if escape->setabort is in the wmf files it is using a different route. posted by: jay nickson | january 2, 2006 05:34 pm

diazruanova, same problem here. bitdefender 9 changes "appinit_dlls" under hkey_local_machine\software\microsoft\windows nt\currentversion\windows on every reboot!! this is why this patch does not work with bitdefender 9! don't know any workaround for this, sorry...
alex posted by: chaos | january 2, 2006 05:43 pm

the patch creates a problem for the windows ce emulator, used by developers of software on windows ce. often an emulator is used to test the software. this emulator is reachable through a driver which is installed in windows, and with the patch it wasn't loadable anymore. just a fyi. posted by: frans bouma | january 2, 2006 06:39 pm

yep, 'tis a concern all right - mostly i've noticed the loss of function in image preview msie folder customization(s) after unregistering shimgvw.dll (some error messages show up afterwards pointing to the relevant imgview.htt), not that big of a "loss" as thumbnails still display & other apps can do the slideshow & preview/rotate/* chores if desired. thanks for the patch & hope it works on my dinosaur winme - yes, 'tis a poor alt os, but ;] posted by: _fu | january 2, 2006 06:49 pm

is there anything that we nt4 sp6a users could do? the checker program says that we need to run the hotfix. there is no hotfix, and i couldn't find that dll file in the system either? thanks. posted by: mika | january 2, 2006 07:11 pm

spambayes also doesn't work anymore. i'm uninstalling now and will unregister the darn dll. don't browse photos anyway.. posted by: frans bouma | january 2, 2006 07:18 pm

it seems as if the patch has broken the software for transferring photos from my canon digicam. not a big deal, but i thought you might be interested. posted by: chuchundra | january 2, 2006 07:21 pm

chuchundra, i hope that the broken software will be functional after the uninstallation. if it is, please let us know. thanks! posted by: ilfak | january 2, 2006 07:33 pm

is there anything that we nt4 sp6a users could/should do? posted by: mika | january 2, 2006 07:53 pm

is there anything that we nt4 sp6a users could do? the checker program says that we need to run the hotfix. there is no hotfix, and i couldn't find that dll file in the system either? thanks.
posted by: mika | january 2, 2006 07:57 pm

ilfak, i'm working on creating an msi that will do the correct checking on the dll so it can be reposted. windows installer supports custom actions that can call an arbitrary dll function and check the error code. unfortunately, it treats 0 as success and anything non-zero as a failure. since the patched_gdi32 function is pretty simple, i think just swapping the 0 and the 1 in the return call will work. any chance of making this change on the official version? i'm downloading the platform sdk now to recompile the dll. will let you know. feel free to e-mail me if you have questions. -- dave posted by: david archer | january 2, 2006 07:59 pm

i sent wmffix_hexblog13.exe to a friend via email, and when he executes it on his system he gets this error:

    microsoft visual c++ runtime library
    buffer overrun detected!
    program: ..s\content.ie5\0v5vyijt\wmffix_hexblog_13[1].exe
    a buffer overrun has been detected which has corrupted the program's internal state. the program cannot safely continue execution and must now be terminated.

is this an xp sp2 dep problem? no details on what he's running yet (os, patch level, etc.) posted by: brian hall | january 2, 2006 08:13 pm

dave, thank you for creating the msi package. i will gladly change the interface to the patched_gdi32() function! posted by: ilfak | january 2, 2006 08:16 pm

ilfak, thanks for the great job. it seems that you did someone else's work perfectly... just one question. can we expect any problems when ms comes out with the official patch, automatic updates is turned on and wmffix_hexblog13.exe is installed? posted by: denial | january 2, 2006 08:26 pm

denial, no, i do not expect any problems with the hotfix when you install the official patch from microsoft. just do not forget to uninstall the hotfix, because you will not need it anymore. ilfak.
posted by: anonymous | january 2, 2006 08:38 pm

you do not have to uninstall the hotfix where a specific application that does not handle wmfs, and so cannot be vulnerable, fails when the system is patched. appinit_dlls is a dynamic registry entry that is read on every application launch: you can temporarily rename it, then fire up the incompatible application, then restore the original registry entry. you could save an enabled and a disabled .reg script and enable/disable as and when required. when a system-wide dll hook is written for win9x gdi32.dll that will be different, as it will be a system-wide patch, not per application launch. hth. a more sophisticated hotfix would only hook gdi32.dll when spawned by known problem executables or dlls posted by: tk1 | january 2, 2006 08:39 pm

brian hall, please give your friend a direct link to this site. the file might have got corrupted during the email transfer. posted by: anonymous | january 2, 2006 08:39 pm

got error message: "delete file failed. code 5." any ideas of the cause? running xp pro, sp2. posted by: jack robbins | january 2, 2006 08:40 pm

setup failed: "sorry, could not update the appinit_dlls registry key. the fix will not work." any ideas? xp home sp2 posted by: kaye | january 2, 2006 09:28 pm

after spending 1 week trying to fix this on my own, i came across your patch. thank you sooooo much!!! posted by: donna | january 2, 2006 09:32 pm

ok, scratch the windows ce error, that was because of me switching on dep in the boot.ini again earlier on today. posted by: frans bouma | january 2, 2006 09:38 pm

ilfak: i have a question, what do you mean by the comment?

    // 77 is a wildcard and matches any byte
    const byte wild = 0x77;

also, doesn't this vuln affect even 9x versions? don't we need to patch those as well? posted by: manav | january 2, 2006 09:59 pm

i would first like to thank you for your hotfix. i installed it at work on all of our computers and it works fine for win xp sp1.
but there are some computers running win me that i can't patch, and i can't upgrade them because of old software running on them. just to know (without begging): will you try to extend your hotfix to those systems? posted by: yves | january 2, 2006 10:08 pm
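several posts above ask for a way to check files rather than trust an extension or an antivirus signature: baze68 asks for a test file, hp550c notes the exploit files are commonly disguised as .jpg, and the indexing trackback warns that a desktop indexer will open whatever it finds. the following is an added example, not code from the original post or from the hotfix: a small python scanner that walks the record table of a windows metafile and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC (the escape the hotfix refuses). it decides by content, so a .jpg that is really a metafile is caught, and it treats a truncated or malformed record table as "damaged" rather than "clean". the record layout and constants are those of the WMF format; the two sample files at the bottom are constructed here for the demonstration and carry inert filler, not an exploit.

```python
import struct

# WMF format constants. SETABORTPROC is the Escape() sub-function that the
# hotfix discussed above blocks inside gdi32.dll.
PLACEABLE_KEY = 0x9AC6CDD7     # optional 22-byte "placeable" header magic
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_NEWFRAME = 0x0001          # a harmless escape, used as a negative control
ESC_SETABORTPROC = 0x0009


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.

    Skips the optional placeable header, validates the 18-byte METAHEADER,
    then walks records laid out as <size:uint32 words><func:uint16><params>.
    Raises ValueError on truncated or inconsistent input so a scanner never
    silently reports damaged data as clean.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:      # memory/disk metafile, 9-word header
        raise ValueError("not a WMF METAHEADER")
    off += header_words * 2
    while True:
        if off + 6 > len(data):
            raise ValueError("record table runs past end of file")
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError("malformed record at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def find_setabortproc(data):
    """Return [(record_offset, escape_byte_count)] for every SETABORTPROC escape."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc, nbytes = struct.unpack_from("<HH", params, 0)
            if esc == ESC_SETABORTPROC:
                hits.append((off, nbytes))
    return hits


def scan_bytes(data):
    """Classify a file body by content alone; the file extension is ignored."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return "not-wmf-or-damaged"
    return "flagged" if hits else "clean"


# --- constructed samples for the demonstration (not real exploit files) ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"                      # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Assemble a minimal in-memory metafile (type 1) around the given records."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


CLEAN_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", ESC_NEWFRAME, 0)),
    _record(META_EOF),
])

# Same record shape as the exploit files in the thread: an Escape record whose
# sub-function is SETABORTPROC followed by opaque bytes. The bytes here are
# zero filler constructed for the test, not a payload.
FLAGGED_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 16) + b"\x00" * 16),
    _record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("clean.wmf", CLEAN_WMF), ("photo.jpg", FLAGGED_WMF)):
        print(name, scan_bytes(blob), find_setabortproc(blob))
```

a scanner like this is a detection aid, not a substitute for the patch: it says whether a given file carries the dangerous record, and a hit is worth quarantining before any indexer or viewer touches it, but it does not make the escape() path safe for files it never saw.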