A well-known Windows expert has promised to do what Microsoft won’t: protect Microsoft’s Windows 98 and Millennium customers from WMF exploits. Gibson Research chief Steve Gibson says:

Microsoft is not fixing Windows 98/ME… so GRC will. Microsoft has now “reclassified” the WMF vulnerability in Windows 95, 98, and ME as non-critical (instead of just fixing it!). This means that it will probably NOT be updated and patched to eliminate the WMF handling vulnerability that those older versions of Windows apparently still have. (This vulnerability still needs to be confirmed.) So, if Microsoft does not produce an update to repair those older versions of Windows, GRC will make one available.

Several testers on Larry Seltzer’s Security Blog report that some configurations of Windows 98 and Millennium are indeed vulnerable. As Microsoft unintentionally pointed out, the elements necessary for an attacker to create a WMF exploit tailored for ME come with the product:

In Microsoft Windows Millennium Edition (Me), you can view multiple file formats (for example, files with .bmp, .dib, .emf, .gif, .jpeg, .png, .tif or .wmf extensions) with Image Preview…

The Image Preview feature is embedded in shimgvw.dll, the attack vector preferred by the current wave of WMF exploits.

So what can you do about it? Block suspicious images with content filters and de-register shimgvw.dll. Beyond that, you can do nothing until Steve Gibson delivers. Luckily, when Gibson makes a promise, he keeps it… most of the time.
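The content-filter idea above, as an added example that is not GRC’s, Microsoft’s or this article’s code: a Python scanner that recognises WMF data by its header rather than its file extension and flags the META_ESCAPE/SETABORTPROC record that the WMF exploits of the time relied on (the mechanism Microsoft documented in MS06-001; record and escape numbers are those of the WMF format). The sample metafiles at the bottom are constructed for the demonstration.

```python
"""Content filter for WMF data (added example; not GRC's, Microsoft's or the
article's code).  Recognises WMF by header, not extension, and flags the
META_ESCAPE/SETABORTPROC record the WMF exploits used (see MS06-001)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # Aldus placeable header key; 22-byte prefix
META_ESCAPE = 0x0626          # RecordFunction of an Escape record
SETABORTPROC = 0x0009         # escape subfunction abused by the exploits

def wmf_header_offset(data: bytes):
    """Offset of the 18-byte METAHEADER, or None if this is not WMF data."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return None
    mtype, hsize = struct.unpack_from("<HH", data, off)
    # Type 1 = memory, 2 = disk; HeaderSize is always 9 words.  Version is not
    # checked: a filter should lean towards treating odd metafiles as WMF.
    return off if mtype in (1, 2) and hsize == 9 else None

def scan_wmf(data: bytes) -> dict:
    """Walk the record list; report SETABORTPROC escapes and bad record sizes."""
    off = wmf_header_offset(data)
    res = {"is_wmf": off is not None, "setabortproc": False, "malformed": False}
    if off is None:
        return res
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # size in WORDs
        if size_words < 3:           # smaller than the 6-byte record header itself
            res["malformed"] = True  # treat as suspicious, not as "not WMF"
            break
        if func == META_ESCAPE and pos + 8 <= len(data) and \
                struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
            res["setabortproc"] = True
        if func == 0:                # META_EOF
            break
        pos += size_words * 2
    return res

def build_metafile(*records: bytes) -> bytes:
    """Constructed sample: minimal memory-type WMF wrapped around the records."""
    body = b"".join(records) + struct.pack("<IH", 3, 0)        # append META_EOF
    words = (18 + len(body)) // 2
    hdr = struct.pack("<HHHHHHIH", 1, 9, 0x0300, words & 0xFFFF, words >> 16, 0, 5, 0)
    return hdr + body

SETMAPMODE = struct.pack("<IHH", 4, 0x0103, 8)                      # harmless record
ABORTPROC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)   # escape, no data
SAMPLE_BENIGN = build_metafile(SETMAPMODE)                          # constructed
SAMPLE_SUSPECT = build_metafile(SETMAPMODE, ABORTPROC)              # constructed
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
```

A filter built on this should quarantine anything reported as `setabortproc` or `malformed`, whatever extension the file carries.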

Gibson has long specialized in fixing things Microsoft won’t. His SpinRite formatted and fixed hard drives when others couldn’t… Still does. His excellent freeware patches holes in Windows, one by one:

  • DCOMbobulator allows any Windows user to easily verify the effectiveness of Microsoft’s recent critical DCOM patch. Confirmed reports have demonstrated that the patch is not always effective in eliminating DCOM’s remote exploit vulnerability. But more importantly, since DCOM is a virtually unused and unneeded facility, the DCOMbobulator allows any Windows user to easily disable DCOM for significantly greater security.
  • Shoot The Messenger prevents Windows Messenger Service from running by default to prevent desktop pop-up spam and exploitation of port 135.
  • UnPlug n’ Pray disables “the dangerous, and almost always unnecessary, Universal Plug and Play service. If you don’t need it, turn it off.”

About those promises Gibson makes… The only one we can recall that he hasn’t kept is his SCSI alternative. We’re still waiting. Patiently.

Email Battles Backgrounder: