zero-day WMF exploit does PG protect?

Discussion in 'ProcessGuard' started by Mele20, Dec 28, 2005.

Thread Status:
Not open for further replies.
  1. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Will PG alert on zero-day WMF exploit files if one visits any of these sites on IE? Fx protects by mistakenly trying to open them in WMP. I know the current recommended workaround until MS issues a fix is to unregister SHIMGVW.DLL. However, that totally disables MS Picture and Fax Viewer, which means no preview in Explorer on right click. Ugh. I use that frequently. Can't do without preview. Thus my question: will PG alert on this?
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    PG will protect you from automatically executing the dropper (but of course you shouldn't decide "yes") and thereby executing all the associated junk, but it won't protect you from the exploit. The dropper or the trojan will be downloaded onto your PC even if you have Process Guard.
     
  3. NoHolyGrail

    NoHolyGrail Registered Member

    Joined:
    Nov 14, 2005
    Posts:
    46
    This raises a very interesting point.

    Would it be possible for a file to be downloaded to your computer like this via an exploit, and still cause damage without being run (not even meant to be run)? If so, what can PG do to afford some sort of protection in this scenario?
     
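The point TNT and NoHolyGrail are circling (posts 2 and 3) is that the WMF file is not something that gets "run": it is rendered by GDI, and the hostile part is a metafile record that asks GDI to install a callback (an ESCAPE record carrying the SETABORTPROC sub-function). An execution-control tool only sees the dropper that comes after. The following is an added example, not code from this thread or from DiamondCS: a small content-based scanner that walks WMF records and flags that escape, using the record and escape codes from the WMF format. The sample files it scans are constructed inline in build_wmf() and are not real exploit samples; the placeholder escape data is zeros.

```python
"""Content-based scanner for the WMF SetAbortProc escape (MS06-001).

Added example: a minimal WMF record walker that flags META_ESCAPE records
carrying the SETABORTPROC sub-function.  The sample files are constructed
below; nothing here is taken from any real exploit sample.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626           # record function: pass-through GDI escape
SETABORTPROC = 0x0009          # escape sub-function that registers a callback
STD_HEADER = "<HHHIHIH"        # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers


def wmf_record(function, params=b""):
    """Encode one metafile record: size in 16-bit words, function code, params."""
    assert len(params) % 2 == 0, "record parameters are word-aligned"
    size_words = (6 + len(params)) // 2
    return struct.pack("<IH", size_words, function) + params


def build_wmf(records, placeable=False):
    """Assemble a syntactically valid WMF from records (constructed test input)."""
    records = list(records) + [wmf_record(META_EOF)]
    body = b"".join(records)
    max_record = max(len(r) // 2 for r in records)
    header = struct.pack(STD_HEADER, 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    if placeable:
        # Key, HWmf, BoundingBox(left, top, right, bottom), Inch, Reserved, Checksum
        header = struct.pack("<IH4hHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


def scan_wmf(data):
    """Return {'is_wmf', 'setabortproc', 'findings'} for a byte string.

    Keys on file content, not extension, because the viewer sniffs the
    content and renders a WMF regardless of what the file is called.
    """
    result = {"is_wmf": False, "setabortproc": False, "findings": []}
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        result["findings"].append("too short for a WMF header")
        return result
    mtype, hdr_words = struct.unpack_from(STD_HEADER, data, off)[:2]
    if mtype not in (1, 2) or hdr_words != 9:   # 1 = in memory, 2 = on disk
        result["findings"].append("no standard METAHEADER")
        return result
    result["is_wmf"] = True
    off += hdr_words * 2

    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
                result["findings"].append(
                    f"META_ESCAPE/SETABORTPROC at offset {off} "
                    f"(record {rec_words} words, {byte_count} escape bytes)")
        if rec_words < 3:
            # A record cannot be smaller than its own 6-byte header; flag it and
            # advance by the minimum so a crafted size cannot stall the scan.
            result["findings"].append(f"malformed record size {rec_words} at offset {off}")
            rec_words = 3
        off += rec_words * 2
    return result


# Constructed samples: a benign file, one carrying the SetAbortProc escape,
# and one whose escape record claims an impossible size of zero words.
BENIGN = build_wmf([wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))], placeable=True)
HOSTILE = build_wmf([
    wmf_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    # EscapeFunction=SETABORTPROC, ByteCount=8, then 8 placeholder bytes
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
])
MALFORMED = (struct.pack(STD_HEADER, 1, 9, 0x0300, 0, 0, 0, 0)
             + struct.pack("<IH", 0, META_ESCAPE) + struct.pack("<HH", SETABORTPROC, 0)
             + wmf_record(META_EOF))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("hostile", HOSTILE), ("malformed", MALFORMED)):
        print(name, scan_wmf(blob))
```

Run it over a download directory (read each file as bytes, ignore the extension) and the scanner answers the question in post 3 for this particular bug: the file needs no execution to be dangerous, so the check has to look at what the renderer will see, not at whether anything launches.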
  4. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Mele20, you need to re-think that fix. It has been proven that it does not work! :eek:
    Take a look at Steve Gibson's (GRC.com) page about this exploit, http://www.grc.com/sn/notes-020.htm. At the top of the page there is now a notice that MS is issuing a patch NEXT Tuesday (January 10). Also on that page is a link to a patch that does work, as well as a link to a WMF Vulnerability Checker by the same author as the above-mentioned patch.
     
  5. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Thanks, but I know all that. I've been glued to my computer for the last several days. Just note all my posts on this subject over at dslr. :D

    I installed the unofficial patch 1.1 and it broke Windows on my host machine that has XP Pro SP1. I could not boot normally and had to boot to Safe Mode where I was unable to uninstall the patch. I had to use System Restore.

    My VMWare machine with the same OS installed the patch with no problems.

    Testing indicates, though, that the VMWare machine is just as, if not more, vulnerable than the unpatched host.

    So, I am just using the guest virtual machine until next Tuesday. I should have my new, replacement computer by then anyhow, and it will have XP Pro SP2, which takes this unofficial patch much better. By the time I get it all set up and everything moved from my current computer, MS will probably have put out the official patch.
     
  6. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    I guess I'm lucky that the patch only resulted in a .dll failing to register error on my comp.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please note I visited an exploit site with IE set to PROMPT for all scripts etc., and was PROMPTED to download an EXE file :) so I did. Thanks, website :)
     