WMF files are no issue for XnView?

robc · Post by **robc** » Tue Jan 03, 2006 11:48 am

xyzzy: sure, running a browser (and any application that accesses the net and renders HTML, like a mail client) in a low-privileged context is one of the most important security precautions, and I'm afraid it's not "a lot" of people not doing that, but "most"

I, for one, spending a lot of time running development environments which need administrative rights, use the DropMyRights utility with browsers and mail client.

robc · Post by **robc** » Tue Jan 03, 2006 6:03 pm

If somebody's interested, there are two more links on the subject
http://linuxbox.org/pipermail/funsec/20 ... 02429.html
http://www.eweek.com/article2/0,1895,1907360,00.asp

Post by **XnTriq** » Tue Jan 03, 2006 7:25 pm

GRC.com
- Security Now! — Weekly 20-minute Internet Security Podcast
  - Episode #20: Windows WMF Vulnerability News & Updates (29/Dec/2005)
PC-Welt.de
- WMF-Exploit: Anfällige Programme (03/Jan/2006 16:34)
  AltaVista Babel Fish Translation: de -> en | de -> fr
  - XnView

KRH · Post by **KRH** » Tue Jan 03, 2006 9:23 pm

The only viewer on my Win98 computer capable of opening wmf files is XnView. If I change the extension to .jpg, I get an error message stating that the file type cannot be determined if I try to open it in XnView. Shouldn't that make me feel pretty safe about an infectectuous wmf file disguising itself with a bogus extension? (I'm already somewhat protected from online infection by the fact that my Firefox browser will ask confirmation for opening a wmf file and, even if permission is granted, will try unsuccessfully to open it with Windows Media Player.)

Guest · Post by **Guest** » Wed Jan 04, 2006 2:00 am

Xyzzy wrote:robc:
I think also that a LOT of people miss one point from MS advisory- using restricted user accout to mitigate threat. As exploit is executed in user context, it can't really do much harm on restricted account because of inability to infect whole system- just one account.

I was the previous "be very afraid" 'guest'. I have never missed that point. We run almost all of our over 100 desktops as restricted user but that does not completely prevent potential havoc. A simple scenario: systems don't get permanently infected but run some crap while the user is still logged in. This can range some simple infection attempts by multiple means, to spewing spam for hours, to trying to nuke any files on the network that that user has rights to. Suffice to say all desktops are now patched and unregistered. It just make sense even if no uber exploit appears.

Xyzzy · Post by **Xyzzy** » Wed Jan 04, 2006 8:20 am

One good news- most antivirus software seem to have caught up.

X.

ckv · Post by **ckv** » Thu Jan 05, 2006 9:10 pm

Microsoft is going to release today the update what will fix the WMF vulnerability on XP, 2003 and 2000 (sp4) systems.

Source:
http://www.f-secure.com/weblog/#00000771

Also remember to first uninstall the unofficial patch (if you have installed it) before installing the official patch.

Post by **XnTriq** » Sat Jan 07, 2006 3:20 am

KRH

Steve Gibson ([url=http://www.grc.com/sn/notes-021.htm]Security Now! Notes for Episode #21[/url]) wrote:Microsoft is not fixing Windows 98/ME
. . . so GRC will.

Microsoft has now “reclassified” the WMF vulnerability in Windows 95, 98, and ME as non-critical (instead of just fixing it!). This means that it will probably NOT be updated and patched to eliminate the WMF handling vulnerability that those older versions of Windows apparently still have. (This vulnerability still needs to be confirmed.)

So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

KRH · Post by **KRH** » Sat Jan 07, 2006 7:44 am

Yes, thank you, XnTriq, I have seen that. There are already a few other fixes for Win98 posted at other sites (like this one) but I trust Steve Gibson and I'll wait for whatever he recommends. Actually, with all the research I've done, I'm not very concerned about the "vulnerability" in Win98, but it will be nice to just install a fix and be done with it.

ckit · Post by **ckit** » Sat Jan 07, 2006 7:46 am

Now that Microsoft has issued a patch for the WMF issue this thread should be closed.
There are alternatives for Win98 users, just use Google.

KRH · Post by **KRH** » Sun Jan 08, 2006 9:15 pm

ckit wrote:Now that Microsoft has issued a patch for the WMF issue this thread should be closed.
There are alternatives for Win98 users, just use Google.

As my last post indicates, I actually am quite done with the topic; but to be honest and with all due respect, I find your post somewhat disrespectful. The MS patch does nothing for Win9x users. XnView is at least theoretically a potential avenue of infection and any ongoing developments are of concern to users of Win9x and Xnview. In spite of your objections, I would hope that any helpful news regarding the issue would be posted here. "Google it" could have been said about anybody's concerns at any point in this thread.

ckit · Post by **ckit** » Sun Jan 08, 2006 10:26 pm

If there is a problem in XnView with WMF files then Pierre will fix it in due course.
This thread no longer serves any purpose.

KRH · Post by **KRH** » Sun Jan 08, 2006 10:34 pm

ckit wrote:If there is a problem in XnView with WMF files then Pierre will fix it in due course.

Again, that could have been said at any point in this thread. It's not a valid response to current concerns for some people other than yourself. I won't say anything further.