Microsoft Media File Vulnerability

Discussion in 'NOD32 version 2 Forum' started by ronjor, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Eset

    ......
     
  2. flyrfan111

    flyrfan111 Registered Member

    Excellent work, Eset. I suppose we will have to uninstall the patch and install Microsoft's when they get around to releasing their official patch, correct?
     
  3. _Rupert_

    _Rupert_ Registered Member

    Great work Eset. I can easily trust you :)

    However - I assume that there is no need to install the WMF Patch from Eset assuming you're running NOD32?

    Could someone please clarify. Thanks :)
     
  4. flyrfan111

    flyrfan111 Registered Member

    Incorrect: the release for the patch states it is for customers and non-customers. The root of this problem is a vulnerability in the OS that needs to be corrected; it is not a virus per se, but the OS is being exploited into running code that allows the OS to be tricked into granting admin rights to a remote user. All users should install either Eset's patch or one of the other patches that can be found around the internet. Be sure to obtain it from a RELIABLE source, however, as I am sure there will be patches that are not what they pretend to be shortly!!!

    A copy and paste from the press release: "With a patch from Microsoft pending for January 10, 2006 at the earliest, ESET has made an interim patch available for both customers and non-customers."
     
  5. Jaska

    Jaska Registered Member

    Is this the same patch as the one made by Ilfak Guilfanov at www.hexblog.com?
     
  6. _Rupert_

    _Rupert_ Registered Member

    Thanks :)

    Ilfak Guilfanov's patch is mentioned on the BBC News website, so I'd trust that, as would I trust the Eset patch. I assume they both do exactly the same thing.
     
  7. flyrfan111

    flyrfan111 Registered Member

    Ilfak's site does have a patch, but it is suffering from high bandwidth usage (or possibly a DoS attack from hackers attempting to stop the patch distribution) and reaching it has been spotty at best. He has reduced the graphic content and reposted a text-only version for now in an attempt to ease the situation. The full story can be found at the Internet Storm Center here: http://isc.incidents.org/ The article also provides a link to ISC hosting the patch on their site, to help users downloading his version of the patch.
     
    Last edited: Jan 4, 2006
  8. ronjor

    ronjor Global Moderator

  9. rnfolsom

    rnfolsom Registered Member

    Flyrfan: Your quote is accurate, and I get the point of your clearly stated technical argument (which my message here does not quote). But that same press release, in its final paragraph, states that:

    "The advanced detection methods used by ESET's NOD32 anti-virus stops hackers from using this exploit. Customers running NOD32 are protected without having to take any special actions."

    I am a very new user of NOD32, but my understanding is that NOD32 checks not only downloads and web pages, but also every existing file (or every existing possible threat file?) as it is opened on a computer.

    The press release to which I think both of us are referring is at
    http://www.eset.com/about/press.htm#media

    MS bulletin 912840 about this Windows Metafile vulnerability says that "anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures."
    The bulletin is at
    http://www.microsoft.com/technet/security/advisory/912840.mspx

    "Mitigate" could imply that the patch is needed even with AV software, or it could be MS quite understandably being conservative when describing the capabilities of other companies' AV software.

    I also don't know if either the Eset patch (or the Ilfak Guilfanov patch) "deregisters" the shimgvw.dll file, and also (for WinXP SP2) runs DEP (Data Execution Protection) as recommended/suggested by the SANS Internet Storm Center at
    http://handlers.dshield.org/jullrich/wmffaq.html

    So personally, I'm very badly confused about whether or not to bother installing Eset's patch (which, presumably, would have to be uninstalled before installing the MS patch later, presumably available next week at Windows Update).

    I'll send a support request to Eset and if I get a useful response (which I would expect, based on my previous excellent experience with their support), I'll report back here.

    But if someone else has already done that, please report Eset's answer here.

    Roger Folsom
     
  10. Elwood

    Elwood Registered Member

    Is this for Windows ME? (I assume so, but asking to be sure.) The other unofficial patch was not for Windows ME, which is why I ask. This is great news if so.

    I also would like to know if NOD32 users are advised to install the patch even though NOD32 provides excellent protection already.

    Thanks.
     
  11. jayt

    jayt Registered Member

    Ilfak's patch can also be found here:

    http://sunbeltblog.blogspot.com/

    There is also info about a leaked MS patch there.

    Patch can also be found here: http://www.castlecops.com/
     
  12. NOD32 user

    NOD32 user Registered Member

    Yes, Windows ME & 98 as well. :)
     
  13. ronjor

    ronjor Global Moderator

  14. flyrfan111

    flyrfan111 Registered Member

    • How good are Anti Virus products to prevent the exploit?
    At this point, we are aware of versions of the exploit that will not be detected by antivirus engines. We hope they will catch up soon. But it will be a hard battle to catch all versions of the exploit. Up to date AV systems are necessary but likely not sufficient.

    That is another quote from the ISC page that you provided. As for NOD detecting it: yes, they have a pretty good record so far against this and their heuristics are second to none. I use NOD and HIGHLY recommend it to all those I know for just this type of reason. That being said, with this type of dangerous vulnerability it will only take one version of this exploit to slip by and create quite a bit of damage. There are just way too many ways for this type of file to get on your system that it is unreasonable to expect any AV company to be able to protect users from something the OS maker needs to resolve. Microsoft's statement, if you read between the lines, says something to the effect of "yes it's a problem, but hey, the AV makers are detecting it, so why should we rush out a patch to protect users of our software". What a great philosophy!!!!
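    As an added example (not from this thread, ESET or ISC), the kind of structural check a file scanner can apply to a WMF instead of relying on byte signatures for one exploit variant: it walks the metafile records, flags any Escape record whose subfunction is SetAbortProc (the record the vulnerability in Microsoft advisory 912840 depends on), and reports malformed files rather than skipping them. The record constants are the WMF format's own; the two sample files are constructed inline and carry no payload.

```python
import struct

# Record and escape-function constants from the WMF format specification.
META_ESCAPE = 0x0626        # record type that wraps a GDI Escape() call
SETABORTPROC = 0x0009       # Escape subfunction that registers a callback procedure
META_EOF = 0x0000

def iter_wmf_records(data):
    """Yield (offset, function, params) per record; raise ValueError on malformed input."""
    if len(data) < 18: raise ValueError("truncated METAHEADER")
    mtype, hdr_words = struct.unpack_from("<HH", data, 0)
    if mtype not in (1, 2) or hdr_words != 9:      # no placeable header support here
        raise ValueError("not a WMF METAHEADER")
    off = 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        if size_words < 3:                         # size and function alone are 3 words
            raise ValueError("record at %d has an impossible size" % off)
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record at %d runs past end of file" % off)
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")

def scan_wmf(data):
    """Return (hits, problem): offsets of Escape/SetAbortProc records plus any parse error."""
    hits = []
    try:
        for off, func, params in iter_wmf_records(data):
            if (func == META_ESCAPE and len(params) >= 2
                    and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC):
                hits.append(off)
    except ValueError as exc:
        return hits, str(exc)      # malformed input is reported, never silently skipped
    return hits, None

def _record(func, params=b""):     # constructed test helper: one WMF record
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def _wmf(records):                 # constructed test helper: minimal disk metafile
    body = b"".join(records)
    return struct.pack("<HHHIHIH", 2, 9, 0x300, 9 + len(body) // 2, 0, 0, 0) + body

# Constructed samples: an empty metafile, and one with a zero-filled Escape/SetAbortProc record (test vector, not an exploit).
BENIGN_WMF = _wmf([_record(META_EOF)])
SUSPECT_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4),
                    _record(META_EOF)])
```

    A check like this catches every variant that keeps the record structure, which is why it complements rather than replaces the signature updates the posts above discuss; a patched OS is still the fix.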
     
  15. minceypw

    minceypw Registered Member

    Ronjor, Is the Eset patch compatible with Ilfak Guilfanov's patch? Would problems be caused if BOTH patches are installed?
     
  16. ronjor

    ronjor Global Moderator

    minceypw

    You don't need both patches. Ilfak Guilfanov's patch will protect your system.
     
  17. Zhen-Xjell

    Zhen-Xjell Security Expert

  18. Elwood

    Elwood Registered Member

    I've installed the patch, everything seems to be working fine so far.

    Thanks Paolo Monti and ESET!
     
  19. Robyn

    Robyn Registered Member

    I haven't been using one of my computers until this was sorted, but now we have 2 patches I am unsure which one is best to use o_O Hopefully either will be easy to remove when the main one is released.
     
  20. Blackspear

    Blackspear Global Moderator

    Just use Paolo Monti's (Eset)

    Cheers :D
     
  21. Smokey

    Smokey Registered Member

    On Eset's homepage all information about Monti's patch has disappeared...

    Download link too.

    Maybe I need new glasses o_O?
     
  22. Robyn

    Robyn Registered Member

    I have just noticed this. My NOD machine is safe then, without patching? :oops:
     
  23. alien8

    alien8 Registered Member

    It *was* there a couple of hours ago... I downloaded the patch. I've looked now and it's been removed. Wonder why?
     
  24. Paul Wilders

    Paul Wilders Administrator

    Looks like it's still available from the Italian website - Paolo Monti is Italian.

    regards.

    paul
     
  25. Smokey

    Smokey Registered Member

    Yesterday I downloaded the patch there too.

    For my archive, because I already use Ilfak's patch ;)

    Maybe an Eset guy can give an explanation here? :D
     