Microsoft Media File Vulnerability

Discussion in 'NOD32 version 2 Forum' started by ronjor, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,791
    Location:
    Texas
    Eset

    ......
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Excellent work, Eset. I suppose we will have to uninstall the patch and install Microsoft's when they get around to releasing their official patch, correct?
     
  3. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Great work Eset. I can easily trust you :)

    However - I assume that there is no need to install the WMF Patch from Eset assuming you're running NOD32?

    Could someone please clarify. Thanks :)
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Incorrect. The release for the patch states it is for customers and non-customers. The root of this problem is a vulnerability in the OS that needs to be corrected; it is not a virus per se, but the OS is being exploited into running code that allows it to be tricked into granting admin rights to a remote user. All users should install either Eset's patch or one of the other patches that can be found around the internet. Be sure to obtain it from a RELIABLE source, however, as I am sure there will be patches that are not what they pretend to be shortly!!!

    A copy and paste from the press release: "With a patch from Microsoft pending for January 10, 2006 at the earliest, ESET has made an interim patch available for both customers and non customers."
     
  5. Jaska

    Jaska Registered Member

    Joined:
    May 7, 2004
    Posts:
    98
    Is this the same patch as the one made by Ilfak Guilfanov at www.hexblog.com?
     
  6. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Thanks :)

    Ilfak Guilfanov's patch is mentioned on the BBC News website, so I'd trust that, as I would trust the Eset patch. I assume they both do exactly the same thing.
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Ilfak's site does have a patch, but it is suffering from high bandwidth usage (or possibly a DoS attack from hackers attempting to stop the patch distribution) and reaching it has been spotty at best. He has reduced the graphic content and reposted a text-only version for now in an attempt to ease the situation. The full story can be found at the Internet Storm Center here: http://isc.incidents.org/ The article also provides a link to ISC hosting the patch on their site, to help users downloading his version of the patch.
     
    Last edited: Jan 4, 2006
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,791
    Location:
    Texas
  9. rnfolsom

    rnfolsom Registered Member

    Joined:
    Nov 9, 2005
    Posts:
    247
    Location:
    Monterey, California
    Flyrfan: Your quote is accurate, and I get the point of your clearly stated technical argument (which my message here does not quote). But that same press release, in its final paragraph, states that:

    "The advanced detection methods used by ESET's NOD32 anti-virus stops hackers from using this exploit. Customers running NOD32 are protected without having to take any special actions."

    I am a very new user of NOD32, but my understanding is that NOD32 checks not only downloads and web pages, but also every existing file (or every existing possible threat file?) as it is opened on a computer.

    The press release to which I think both of us are referring is at
    http://www.eset.com/about/press.htm#media

    MS bulletin 912840 about this Windows Metafile vulnerability says that "anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures."
    The bulletin is at
    http://www.microsoft.com/technet/security/advisory/912840.mspx

    "Mitigate" could imply that the patch is needed even with AV software, or it could be MS quite understandably being conservative when describing the capabilities of other companies' AV software.

    I also don't know if either the Eset patch or the Ilfak Guilfanov patch "deregisters" the shimgvw.dll file, and also (for WinXP SP2) runs DEP (Data Execution Protection) as recommended/suggested by the SANS Internet Storm Center at
    http://handlers.dshield.org/jullrich/wmffaq.html

    So personally, I'm very badly confused about whether or not to bother installing Eset's patch (which, presumably, would have to be uninstalled before installing the MS patch later, presumably available next week at Windows Update).

    I'll send a support request to Eset and if I get a useful response (which I would expect, based on my previous excellent experience with their support), I'll report back here.

    But if someone else has already done that, please report Eset's answer here.

    Roger Folsom
     
  10. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Is this for Windows ME? (I assume so, but asking to be sure.) The other unofficial patch was not for Windows ME, which is why I ask. This is great news if so.

    I also would like to know if NOD32 users are advised to install the patch even though NOD32 provides excellent protection already.

    Thanks.
     
  11. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Ilfak's patch can also be found here:

    http://sunbeltblog.blogspot.com/

    There is also info about a leaked MS patch there.

    Patch can also be found here: http://www.castlecops.com/
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Yes, Windows ME & 98 as well. :)
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,791
    Location:
    Texas
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    • "How good are Anti Virus products to prevent the exploit?
    At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient."

    That is another quote from the ISC page that you provided. As for NOD detecting it, yes, they have a pretty good record so far against this and their heuristics are second to none. I use NOD and HIGHLY recommend it to all those I know for just this type of reason. That being said, with this type of dangerous vulnerability it will only take one version of this exploit to slip by and create quite a bit of damage. There are just way too many ways for this type of file to get on your system that it is unreasonable to expect any AV company to be able to protect users from something the OS maker needs to resolve. Microsoft's statement, if you read between the lines, says something to the effect of "yes it's a problem, but hey, the AV makers are detecting it, so why should we rush out a patch to protect users of our software". What a great philosophy!!!!
     
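    The two posts above turn on the same point: signature-based AV has to keep up with every new variant of a malformed WMF file, while a structural check on the file format itself does not. As an added example (not code from this thread, from ESET, or from Ilfak Guilfanov's patch), the following Python scanner parses WMF records and flags the construct this vulnerability abused: a META_ESCAPE record (function 0x0626) carrying the SETABORTPROC escape code (0x0009). Those record identifiers are not stated in the thread; they come from the WMF format and the public analyses of the vulnerability at the time. The sample files are constructed inline as test fixtures and contain filler bytes only, not exploit code. The parser fails closed: a record whose size field is below the 3-word minimum or runs past the end of the file is reported as suspicious rather than skipped, because a scanner that silently resynchronises on malformed records is exactly what variant-writers target.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" (Aldus) header magic
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape code used to register an abort procedure callback


def iter_wmf_records(data):
    """Yield (offset, function, size_words, params) for each WMF record.

    Raises ValueError on any structural problem instead of trying to recover.
    Record layout: Size (4 bytes, in 16-bit words, includes this 6-byte prefix),
    Function (2 bytes), then parameter bytes.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip placeable header
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    _type, header_words = struct.unpack_from('<HH', data, off)
    if header_words != 9:                          # standard header is 9 words (18 bytes)
        raise ValueError('unexpected header size %d words' % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:                         # smaller than the 6-byte record prefix
            raise ValueError('record at %d has size %d words (< 3)' % (off, size_words))
        end = off + size_words * 2
        if end > len(data):
            raise ValueError('record at %d runs past end of file' % off)
        yield off, func, size_words, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError('no META_EOF record before end of data')


def scan_wmf(data):
    """Return ('clean', []) or ('suspicious', [reasons]) for one WMF file image."""
    reasons = []
    try:
        for off, func, _size, params in iter_wmf_records(data):
            if func != META_ESCAPE:
                continue
            if len(params) < 2:
                reasons.append('META_ESCAPE at offset %d with no escape code' % off)
                continue
            escape_code = struct.unpack_from('<H', params, 0)[0]
            if escape_code == SETABORTPROC:
                reasons.append('META_ESCAPE/SETABORTPROC at offset %d' % off)
    except ValueError as exc:
        reasons.append('malformed: %s' % exc)
    return ('suspicious' if reasons else 'clean'), reasons


# --- helpers to build constructed sample files (test fixtures, not real metafiles) ---

def wmf_record(func, params=b''):
    if len(params) % 2:
        raise ValueError('WMF record parameters must be an even number of bytes')
    return struct.pack('<IH', 3 + len(params) // 2, func) + params


def build_wmf(records):
    body = b''.join(records)
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size in words,
    # NumberOfObjects=0, MaxRecord in words, NumberOfMembers=0
    header = struct.pack('<HHHIHIH', 1, 9, 0x0300, 9 + len(body) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    return header + body


# Constructed benign metafile: set map mode, set window origin, end of file.
BENIGN_WMF = build_wmf([
    wmf_record(0x0103, struct.pack('<H', 8)),       # META_SETMAPMODE MM_ANISOTROPIC
    wmf_record(0x020B, struct.pack('<hh', 0, 0)),   # META_SETWINDOWORG
    wmf_record(META_EOF),
])

# Constructed sample with the flagged construct; the 4 data bytes are zero filler.
SETABORTPROC_WMF = build_wmf([
    wmf_record(0x0103, struct.pack('<H', 8)),
    wmf_record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, 4) + b'\x00' * 4),
    wmf_record(META_EOF),
])

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN_WMF), ('setabortproc', SETABORTPROC_WMF)):
        print(name, *scan_wmf(sample))
```

    Run stand-alone it prints one verdict per constructed sample. The point of the exercise is the second half of the thread's argument: a check like this is structural, so renaming the payload or shuffling record sizes does not evade it, but it still only covers one API path into the parser. It is a stop-gap for inspecting files at a mail or web gateway, not a substitute for the OS fix.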
  15. minceypw

    minceypw Registered Member

    Joined:
    Sep 25, 2005
    Posts:
    22
    Ronjor, Is the Eset patch compatible with Ilfak Guilfanov's patch? Would problems be caused if BOTH patches are installed?
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,791
    Location:
    Texas
    minceypw

    You don't need both patches. Ilfak Guilfanov's patch will protect your system.
     
  17. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
  18. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I've installed the patch, everything seems to be working fine so far.

    Thanks Paolo Monti and ESET!
     
  19. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I haven't been using one of my computers until this was sorted, but now we have 2 patches I am unsure which one is best to use o_O Hopefully either will be easy to remove when the main one is released.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just use Paolo Monti's (Eset)

    Cheers :D
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    On Eset's homepage all information about Monti's patch has disappeared.....

    The download link too.

    Maybe I need new glasses o_O?
     
  22. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have just noticed this.
    My NOD machine is safe then without patching? :oops:
     
  23. alien8

    alien8 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    15
    It *was* there a couple of hours ago... I downloaded the patch. I've looked now and it's been removed. Wonder why?
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Looks like it's still available from the Italian website - Paolo Monti is Italian.

    regards.

    paul
     
  25. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Yesterday I downloaded the patch there too.

    For my archive, because I already use Ilfak's patch ;)

    Maybe an Eset guy can give an explanation here? :D
     