WMF, day 3 - Ilfak to the rescue!

WMF, day 3 Posted by Stefan @ 12:29 GMT - Ilfak to the rescue!

The amount of trojans using the zero-day WMF exploit is increasing rapidly.

Many people have now used the REGSRV32 workaround to stop the immediate threat. Some users have come back to us after we quoted Microsoft on the workaround wondering if the workaround really works. The workaround will stop the exploit for Internet Explorer and Explorer - even though WMF images still show as normal.

Ilfak to the rescue! Posted by Mikko @ 11:12 GMT

ilfakHere's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

More details from Ilfak's blog: http://www.hexblog.com.

Ilfak recommends you to uninstall this fix and use the official patch from Microsoft as soon as it is available.

F-Secure : News from the Lab - December of 2005


Post a Comment

Links to this post:

Create a Link

<< Home