IMPORTANT: WMF Vulnerability Exploited

Am I correct in reading that Vista will no longer support old 16-bit legacy code?

Heeter
 
You are correct. 32/64 only.
 
It's a very telling stat, chief, and I thought because open source has such a small market there weren't as many exploits, so thanks for pointing out that actual data.

But j79's point is that in open source the exploits are dealt with almost immediately.
 
kcnychief said:

Sigh, more FUD. If you actually care, there are a couple of flaws with this tally. 1) MacOS is based [loosely] around FreeBSD, FreeBSD uses some [many] GNU/Linux userland tools, Solaris, and we have Linux, which has quite a few popular distros along with numerous others, so a vulnerability is generally common to all, which results in numerous reports of the same vulnerabilities. 2) The list counts updates as new vulnerabilities, thus counting them multiple times.

I never ever once said that there are no vulnerabilities in Linux or OSS, rather that they actually get fixed. THERE ARE NO OPEN VULNERABILITIES IN ANY MAJOR LINUX DISTRIBUTION OR FREEBSD. There are TWENTY-NINE in XP. Put that in your proverbial pipe and smoke it.

@Perris, there are vulnerabilities; let's not confuse that with actively exploited vulnerabilities. There is absolutely no possible way to write 100% secure software, but you can respond to issues as they arise, and most importantly in a timely manner. Windows gives you the patches on the second Tuesday of the month; take a look at the continuing updates for FreeBSD http://www.freshports.org/commits.php and Gentoo for example http://www.gentoo-portage.com/

Which brings me to my next point. Linux/BSD vulnerabilities usually include ALL software written for it. As an example, this includes the Apache webserver, which is not counted against Windows; it includes the GAIM instant messenger, while MSN Messenger is not included in the Windows vulnerabilities; it includes all third party software. Could you imagine the list if that was included with Windows? Take a look at the Red Hat Secunia page, and look at what most of the vulnerabilities are for:
http://secunia.com/product/4670/

udev is a system file, that is "legit", but gpdf is a PDF viewer, that is not part of the system; kdegraphics is part of the KDE desktop, I don't use KDE, a lot of users don't, it isn't installed by default; lynx is a text based browser, I don't have that installed, nor is it by default; php, I don't run a webserver on this PC, so that is not installed, etc.

Also not mentioned in that article is the severity of the exploits. Opera currently has a vulnerability listed; this "vulnerability" is the title of a popup image window, not really something as bad as, say, I don't know, maybe viewing any image and it has the ability to run arbitrary code without user intervention. That might be a little worse.

I could keep going, but that seems to sum it up nicely. I just wish that people would actually take what the Microsoft PR pumps out daily and examine it; it is all fizz and no gin. I have yet to fix a PC that was not Windows due to spyware or viruses. I guess it's just not that easy to get those Linux users to download a malicious script, add execute permissions to the script, then change to the super user and run it. It would be so much easier if we just all ran as root, and they wrote the image handling libraries to execute data files. It's all about user experience I guess.
 
Rather interesting, went to windowsupdate just now, and received a notification of an available update...

Security Update for Windows XP (KB912919)
Date last published: 1/5/2006
Typical download size: 196 KB
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

System Requirements
Recommended CPU: Not specified.
Recommended memory: Not specified.
Recommended hard disk space: Not specified.

How to Uninstall
This software update can be removed via Add or Remove Programs in Control Panel.

The KB article doesn't exist yet; I'm off to install and see if it modifies the affected .DLLs.

EDIT: gdi32.dll is the file that gets updated, will have to wait to see the KB for more information, as I believe shimgvw.dll is the file in question.

Here is the log from the update:

Code:
[KB912919.log]
4.006: ================================================================================
4.006: 2006/01/05 15:29:12.569 (local)
4.006: C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7fb9a1dcd00c55662f93dcfc1b3ae0e6\update\update.exe (version 6.2.29.0)
4.016: Hotfix started with following command line: /si /ParentInfo:56dd21db725e8d4ea6282a8aaa46cbb5 
7.911: DoInstallation: CleanPFR failed: 0x2 
7.981: SetProductTypes: InfProductBuildType=BuildType.Sel
8.011: SetAltOsLoaderPath: No section uses DirId 65701; done.
8.222: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB912919$ 
8.222: LoadFileQueues: UpdSpGetSourceFileLocation for halacpi.dll failed: 0xe0000102
8.262: ref tag c:\windows\system32\sp4.cab does not exist
8.262: ref tag c:\windows\system32\sp3.cab does not exist
8.272: ref tag c:\windows\system32\sp2.cab does not exist
8.272: ref tag c:\windows\system32\sp1.cab does not exist
8.272: ref tag c:\windows\system32\driver.cab does not exist
8.272: ref tag c:\windows\system32\fp40ext.cab does not exist
8.272: ref tag c:\windows\system32\fp40ext1.cab does not exist
8.272: ref tag c:\windows\system32\wms4.cab does not exist
8.272: ref tag c:\windows\system32\wms41.cab does not exist
8.272: ref tag c:\windows\system32\ims.cab does not exist
8.272: ref tag c:\windows\system32\ims1.cab does not exist
8.272: ref tag c:\windows\system32\ins.cab does not exist
8.272: ref tag c:\windows\system32\ins1.cab does not exist
8.282: Starting AnalyzeComponents
8.282: AnalyzePhaseZero used 0 ticks
8.282: No c:\windows\INF\updtblk.inf file.
8.282: OEM file scan used 0 ticks
8.392: AnalyzePhaseOne: used 110 ticks
8.392: AnalyzeComponents: Hotpatch analysis disabled; skipping.
8.392: AnalyzeComponents: Hotpatching is disabled.
8.392: FindFirstFile c:\windows\$hf_mig$\*.*
9.964: AnalyzeForBranching used 40 ticks.
9.974: AnalyzePhaseTwo used 10 ticks
9.974: AnalyzePhaseThree used 0 ticks
10.475: AnalyzePhaseFive used 501 ticks
10.475: AnalyzePhaseSix used 0 ticks
10.475: AnalyzeComponents used 2193 ticks
10.475: Downloading 2 files
10.475: bPatchMode = TRUE
10.475: Inventory complete: ReturnStatus=0, 2253 ticks
10.475: Num Ticks for invent : 2253
10.475: [dumpDownloadTask] Update.exe posting request file to download a total of 267950 bytes (0 bytes in patches and 267950 bytes in fallbacks)
10.475: dumpDownloadTask returned 0xf200 (more files to download)
10.655: KB912919 installation did not complete.
10.655: Update.exe extended error code = 0xf200
1.462: ================================================================================
1.462: 2006/01/05 15:29:29.420 (local)
1.462: C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7fb9a1dcd00c55662f93dcfc1b3ae0e6\update\update.exe (version 6.2.29.0)
1.462: Hotfix started with following command line: /si /ParentInfo:1bb5a620cf35bc49ab0d68aea79c6966 
2.073: DoInstallation: CleanPFR failed: 0x2 
2.283: SetProductTypes: InfProductBuildType=BuildType.Sel
2.293: SetAltOsLoaderPath: No section uses DirId 65701; done.
2.323: Express: 267,950 bytes were downloaded.
2.383: [PatchFilesFromResponseBlob] returning STATUS_READY_TO_INSTALL
2.503: KB912919 installation did not complete.
2.503: Update.exe extended error code = 0xf201
1.412: ================================================================================
1.412: 2006/01/05 15:29:35.107 (local)
1.412: C:\WINDOWS\SoftwareDistribution\Download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\update.exe (version 6.2.29.0)
1.412: Failed To Enable SE_SHUTDOWN_PRIVILEGE
1.412: Hotfix started with following command line: -q /Z -ER /ParentInfo:ff05a4b689b97e48a24d3e672c64209e 
1.803: In Function TestVolatileFlag, line 11873, RegOpenKeyEx failed with error 0x2
1.803: In Function TestVolatileFlag, line 11905, RegOpenKeyEx failed with error 0x2
1.803: DoInstallation: CleanPFR failed: 0x2 
1.803: SetProductTypes: InfProductBuildType=BuildType.Sel
1.803: SetAltOsLoaderPath: No section uses DirId 65701; done.
1.833: CreateUninstall = 1,Directory = C:\WINDOWS\$NtUninstallKB912919$ 
1.873: LoadFileQueues: UpdSpGetSourceFileLocation for halacpi.dll failed: 0xe0000102
1.883: ref tag c:\windows\system32\sp4.cab does not exist
1.883: ref tag c:\windows\system32\sp3.cab does not exist
1.883: ref tag c:\windows\system32\sp2.cab does not exist
1.883: ref tag c:\windows\system32\sp1.cab does not exist
1.883: ref tag c:\windows\system32\driver.cab does not exist
1.893: ref tag c:\windows\system32\fp40ext.cab does not exist
1.893: ref tag c:\windows\system32\fp40ext1.cab does not exist
1.893: ref tag c:\windows\system32\wms4.cab does not exist
1.893: ref tag c:\windows\system32\wms41.cab does not exist
1.893: ref tag c:\windows\system32\ims.cab does not exist
1.893: ref tag c:\windows\system32\ims1.cab does not exist
1.893: ref tag c:\windows\system32\ins.cab does not exist
1.893: ref tag c:\windows\system32\ins1.cab does not exist
1.893: Starting AnalyzeComponents
1.893: AnalyzePhaseZero used 0 ticks
1.893: No c:\windows\INF\updtblk.inf file.
1.893: OEM file scan used 0 ticks
1.903: AnalyzePhaseOne: used 10 ticks
1.903: AnalyzeComponents: Hotpatch analysis disabled; skipping.
1.903: AnalyzeComponents: Hotpatching is disabled.
1.903: FindFirstFile c:\windows\$hf_mig$\*.*
1.953: AnalyzeForBranching used 0 ticks.
1.963: AnalyzePhaseTwo used 10 ticks
1.963: AnalyzePhaseThree used 0 ticks
1.963: AnalyzePhaseFive used 0 ticks
1.963: AnalyzePhaseSix used 0 ticks
1.963: AnalyzeComponents used 70 ticks
1.963: Downloading 0 files
1.963: bPatchMode = TRUE
1.963: Inventory complete: ReturnStatus=0, 130 ticks
1.963: Num Ticks for invent : 130
1.963: VerifyTargetFileSize: Unable to verify size as Source = NULL for file c:\windows\inf\HFX8B.tmp
1.973: Copied file:  c:\windows\inf\branches.inf
3.024: Allocation size of drive C: is 4096 bytes, free space = 31412137984 bytes
3.044: AnalyzeDiskUsage:  Skipping EstimateDiskUsageForUninstall.
3.044: Drive C: free 29956MB req: 11MB w/uninstall: NOT CALCULATED.
3.044: CabinetBuild complete
3.044: Num Ticks for Cabinet build : 1081
3.044: DynamicStrings section not defined or empty.
3.075: FileInUse:: Detection disabled.
4.076: LoadFileQueues: UpdSpGetSourceFileLocation for halacpi.dll failed: 0xe0000102
4.326: Num Ticks for Backup : 1282
4.837: Num Ticks for creating uninst inf : 511
4.837: Registering Uninstall Program for -> KB912919, KB912919 , 0x0
4.837: LoadFileQueues: UpdSpGetSourceFileLocation for halacpi.dll failed: 0xe0000102
4.957: Copied file:  C:\WINDOWS\system32\spmsg.dll
4.987: PFE2: Not avoiding Per File Exceptions.
5.047: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat with error 0x57
5.638: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\update_SP2QFE.inf -> c:\windows\$hf_mig$\KB912919\update\update_SP2QFE.inf.
5.648: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\spuninst.exe -> c:\windows\$hf_mig$\KB912919\spuninst.exe.
5.648: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\spmsg.dll -> c:\windows\$hf_mig$\KB912919\spmsg.dll.
5.708: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\spcustom.dll -> c:\windows\$hf_mig$\KB912919\update\spcustom.dll.
5.708: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\KB912919.CAT -> c:\windows\$hf_mig$\KB912919\update\KB912919.CAT.
5.718: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\update.exe -> c:\windows\$hf_mig$\KB912919\update\update.exe.
5.718: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\updspapi.dll -> c:\windows\$hf_mig$\KB912919\update\updspapi.dll.
5.728: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\update.ver -> c:\windows\$hf_mig$\KB912919\update\update.ver.
5.728: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\updatebr.inf -> c:\windows\$hf_mig$\KB912919\update\updatebr.inf.
5.758: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\eula.txt -> c:\windows\$hf_mig$\KB912919\update\eula.txt.
5.758: ProcessSetupContentSection: PROCESS_SETUP_CONTENT_OP_INSTALL: Copied c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\update\branches.inf -> c:\windows\$hf_mig$\KB912919\update\branches.inf.
5.979: Copied file:  C:\WINDOWS\system32\gdi32.dll
6.730: Copied file (delayed):  C:\WINDOWS\system32\SET8C.tmp
6.730: Copied file:  c:\windows\$hf_mig$\KB912919\SP2QFE\gdi32.dll
7.561: DoInstallation: Installing assemblies with source root path: c:\windows\softwaredistribution\download\7e9c3219e54b43a6d50fc3202fbc3a2b\
7.561: Num Ticks for Copying files : 2724
7.571: Num Ticks for Reg update and deleting 0 size files : 10 
7.581: ---- Old Information In The Registry ------
7.631: Source:C:\WINDOWS\system32\SET8C.tmp (5.1.2600.2818)
7.631: Destination:C:\WINDOWS\system32\gdi32.dll (5.1.2600.2770)
7.631: ---- New Information In The Registry ------
7.631: Source:C:\WINDOWS\system32\SET8C.tmp (5.1.2600.2818)
7.631: Destination:C:\WINDOWS\system32\gdi32.dll (5.1.2600.2770)
18.967: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot] section is empty; nothing to do.
18.967: IsRebootRequiredForFileQueue: At least one file operation was delayed; reboot is required.
                              If none are listed below, check above for delayed deletes.
18.967: IsRebootRequiredForFileQueue: c:\windows\system32\gdi32.dll was delayed; reboot is required.
18.967: DoInstallation: A reboot is required to complete the installation of one or more files.
18.967: In Function SetVolatileFlag, line 11789, RegOpenKeyEx failed with error 0x2
18.967: In Function SetVolatileFlag, line 11806, RegOpenKeyEx failed with error 0x2
18.967: UpdateSpUpdSvcInf: Source [ProcessesToRunAfterReboot.RebootNotRequired] section is empty; nothing to do.
19.027: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0

EDIT 2: PATCH IS OUT!

http://news.com.com/Microsoft+pushes+out+WMF+patch+ahead+of+time/2100-1002_3-6020070.html
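Added example, not code from the thread or from Microsoft: a small Python parser for the update.exe log format quoted above. It splits the log into the separate update.exe runs (each "====" line starts one), picks up the extended error codes of the runs that did not complete, the Source/Destination file versions, and the "was delayed; reboot is required" notice, so you can confirm from the log whether the new gdi32.dll was actually staged. The sample log is a constructed excerpt of the one posted, and the function names are my own.

```python
import re

# Constructed excerpt of the update.exe log (KB912919.log) quoted in the thread:
# two runs that stopped with extended error codes, then the run that staged gdi32.dll.
SAMPLE_LOG = r"""
4.006: ================================================================================
10.655: KB912919 installation did not complete.
10.655: Update.exe extended error code = 0xf200
1.462: ================================================================================
2.503: KB912919 installation did not complete.
2.503: Update.exe extended error code = 0xf201
1.412: ================================================================================
5.979: Copied file:  C:\WINDOWS\system32\gdi32.dll
7.631: Source:C:\WINDOWS\system32\SET8C.tmp (5.1.2600.2818)
7.631: Destination:C:\WINDOWS\system32\gdi32.dll (5.1.2600.2770)
18.967: IsRebootRequiredForFileQueue: At least one file operation was delayed; reboot is required.
18.967: IsRebootRequiredForFileQueue: c:\windows\system32\gdi32.dll was delayed; reboot is required.
19.027: RebootNecessary = 1,WizardInput = 1 , DontReboot = 1, ForceRestart = 0
"""

SEPARATOR = re.compile(r"^[\d.]+: =+$")
ERROR_CODE = re.compile(r"extended error code = (0x[0-9a-fA-F]+)")
FILE_INFO = re.compile(r"^[\d.]+: (Source|Destination):(.+?) \(([\d.]+)\)$")
DELAYED = re.compile(r"IsRebootRequiredForFileQueue: (\S+\.\w+) was delayed")
REBOOT = re.compile(r"RebootNecessary = (\d)")


def analyze_update_log(text):
    """One summary dict per update.exe run; the log must start with a '====' line."""
    sessions, staged = [], None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if SEPARATOR.match(line):
            sessions.append({"error": None, "reboot_required": False, "delayed": [], "replaced": {}})
            continue
        cur = sessions[-1]
        if m := ERROR_CODE.search(line):
            cur["error"] = m.group(1)
        elif m := FILE_INFO.match(line):
            kind, path, version = m.groups()
            if kind == "Source":
                staged = version              # SETxx.tmp holds the new DLL until reboot
            elif staged is not None:
                # Destination still reports the on-disk (old) version before the reboot
                cur["replaced"][path.lower()] = (version, staged)
                staged = None
        elif m := DELAYED.search(line):
            cur["delayed"].append(m.group(1).lower())
        elif m := REBOOT.search(line):
            cur["reboot_required"] = m.group(1) == "1"
    return sessions


def patch_staged(text, dll="gdi32.dll"):
    """(old_version, new_version, reboot_pending) if the last run staged `dll`, else None."""
    last = analyze_update_log(text)[-1]
    for path, (old, new) in last["replaced"].items():
        if path.endswith(dll) and last["error"] is None:
            return old, new, last["reboot_required"]
    return None
```

Until the reboot happens the Destination line still shows the old version, so a version check of gdi32.dll on disk right after the update would not yet show 5.1.2600.2818.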
 
Funny, even with those 29 vulnerabilities my PC is still running great, and has not been compromised in 3 years. In fact it's never been compromised. Could it be they've been closed? Geez, if Windows only has 1/3 of the exploits open source does....

I think I may switch my Linux server over to 2003. :eek: I hear it's more secure anyways.

Cool, thanks for the update KC, will patch when home.
 
Just got back to Cali this morning, turned on my x64 desktop and saw the automatic update notification. Nice! :)
 
NetRyder said:
Just got back to Cali this morning, turned on my x64 desktop and saw the automatic update notification. Nice! :)
with that, welcome back to Cali :cool:
 
Go take a nap - but before you do - check your PM :)
 
You look like crap too.
 
thanks guys for keeping us all informed.
 
kcnychief said:
EDIT: gdi32.dll is the file that gets updated, will have to wait to see the KB for more information, as I believe shimgvw.dll is the file in question.


No no no, wrong. shimgvw.dll was NEVER involved in any of this; the vulnerability was in gdi32.dll. Try unloading that, however: it is your graphical layer in Windows, it can't be unloaded. shimgvw.dll is what the picture viewer and fax stuff use to show images; that is why people were told to turn it off.
 
kcnychief said:

And I personally thought you would be smarter than reading into Fear, Uncertainty and Doubt without doing some fact checking.

A problem in gzip is listed 10 times under Linux/Unix; however, it is only from one source. It is listed 10 times because it was included as standard in 10 or more distributions of Linux.

Pfft, it is useless to go on. It is reasons like this that I hate the fact that US-CERT just dumps all those vulnerabilities into two groups, really:

Open Source VS Microsoft (Only, not even third party).

The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).

That is wrong, and causes bad journalism like that page.

Now, more information:

http://it.slashdot.org/article.pl?sid=06/01/05/0027219&tid=172&tid=218

http://www.groklaw.net/article.php?story=20051231142317870

http://it.slashdot.org/comments.pl?sid=173016&cid=14397270
http://it.slashdot.org/comments.pl?sid=173016&cid=14397409
http://it.slashdot.org/comments.pl?sid=173016&cid=14398027

Now take that needle out of your arm, get sober, and maybe you will start seeing things better again.
 
perris said:
It's a very telling stat, chief, and I thought because open source has such a small market there weren't as many exploits, so thanks for pointing out that actual data.

But j79's point is that in open source the exploits are dealt with almost immediately.

I do hope you are serious, and next time, after reading j79zlr's posts and mine, that you do some fact checking, or in this case a whole lot of fact checking. There are enough articles on the web at the moment that are debunking the numbers put out by US-CERT.

Thank you for your consideration and stopping FUD.

Cheers.
 
