There is now an unofficial patch out for the wmf flaw but it is currently unavailable. More details at F-Secure’s blog. SANS has a mirrored link of the patch as the original authors website is unavailable, probably because everyone is hitting his site. However, google’s cache of the page that talks about the flaw is available and worth looking at. I’m posting the details into my extended entry in case the google page gets wiped.
About IDA Pro, decompilation, programming, binary program analysis, information security. By Ilfak Guilfanov.
« The longest arithmetic operation | Main
Windows WMF Metafile Vulnerability HotFix
This week a new vulnerability was found in Windows:
http://www.microsoft.com/technet/security/advisory/912840.mspx
Browsing the web was not safe anymore, regardless of the browser. Microsoft will certainly come up with a thouroughly tested fix for it in the future, but meanwhile I developed a temporary fix – I badly needed it.
The fix does not remove any functionality from the system, all pictures will continue to be visible. You can download it here:
http://www.hexblog.com/security/files/wmffix_hexblog12.exe
It should work for Windows 2000, XP SP2 and XP 64-bit. It might also work for XP SP1 or XP without any service packs applied.
Technical details: this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
I can imagine situations when this sequence is useful. My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things.
If for some reason the patch does not work for you, please uninstall it. It will be in the list of installed programs as “Windows WMF Metafile Vulnerability HotFix”. I’d like to know what programs are crippled by the fix, please tell me.
I recommend you to uninstall this fix and use the official patch from Microsoft as soon as it is available.
The usual software disclaimer applies…
File: wmffix_hexblog12.exe (the source code is included)
UPD: more error checking
UPD2: Version 1.1 with Win2000 support
UPD3: Version 1.2: if the hotfix has already been applied to the system, inform the user at the second installation attempt.
There is no need to reinstall anything! Old hotfixes are perfectly ok.
Posted by Ilfak Guilfanov on December 31, 2005 06:53 AM | Permalink