Shostack + Friends Blog Archive

 

WMF Vuln fix

Courtesy of IDA Pro developer Ilfak Guilfanov.
Details are available via his web log, the existence of which I learned (http://www.sockpuppet.org/tqbf/log/2005/12/ida-pro-has-blog.html; link no longer works) via the seemingly indefatigable Thomas Ptacek of Matasano (http://matasano.com/).

4 comments on "WMF Vuln fix"

  • mario contestabile says:

    Err, that’s a tad risky; you need to remember to remove the reg entry when the real fix is made public, or run the risk of having problems when you upgrade your OS later.
    Use regsvr32 /u shimgvw.dll meanwhile.

  • Chris Walsh says:

    Well, the sands are shifting fast on this one, Mario.
    Quoting SANS:
    We want to be very clear on this: we have some very strong indications that simply un-registering the shimgvw.dll isn’t always successful. The .dll can be re-registered by other processes, and there may be issues where re-registering the .dll on a running system that has had an exploit attempted against it will cause the exploit to succeed.

  • mario contestabile says:

    There are at least 13 gdi32.dll versions currently, and until that code is run on each one I’d be reluctant to distribute it on a large scale, even if SANS says it is “both safe and effective.”
    And even so, what if a Windows auto update installs a newer version…no, were I managing a PC park I’d ensure the AV vendor used on them had the signature available, and turn the switch off meanwhile, or at least use a block list.

  • Chris Walsh says:

    Mario:
    Ilfak’s fix is also available for Win2K, and as an MSI. I’m not saying it is superior for all people in all circumstances. I am saying that folks who run Windows boxes (thankfully, I am not one of those people) should be aware of this piece of software as something that may fit as part of their particular solution. Switching AV vendors or turning off machines is not a viable option at an enterprise level.
