[CS-FSLUG] Another Major MS Windows Security Flaw
Stephen J. McCracken
smccracken at hcjb.org.ec
Mon Jan 2 11:07:53 CST 2006
Frank Bax wrote:
> <http://www.viruslist.com/en/weblog?discuss=176892530&return=1> entry
> also goes on to point out that the problem seems to be in gdi32.dll
> and not in shimgvw.dll as previously thought as it is possible to
> exploit a system where shimgvw.dll has been unregistered and deleted.
>
More information and an unofficial patch are available here:
http://isc.sans.org/
The patch information:
> * How does the unofficial patch work?
>
> The wmfhotfix.dll is injected into any process loading user32.dll.
> The DLL then patches (in memory) gdi32.dll's Escape() function so
> that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter.
> This should allow Windows programs to display WMF files normally
> while still blocking the exploit. The version of the patch located
> here has been carefully checked against the source code provided as
> well as tested against all known versions of the exploit. It should
> work on WinXP (SP1 and SP2) and Win2K.
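A file-side counterpart to the in-memory hotfix quoted above, added here as an example (it is not code from this thread or from the SANS patch): a small Python scanner that walks the records of a WMF file and flags any META_ESCAPE record whose escape function is SETABORTPROC (0x09), the same value the hotfix makes Escape() ignore. Record layout follows the published WMF format (optional 22-byte placeable header, 18-byte standard header, then word-sized records); the sample files are constructed inline and the two placeholder bytes after the escape stand in for whatever blob a real file would carry.

```python
import struct

META_ESCAPE = 0x0626      # WMF record type that carries printer escapes
META_EOF = 0x0000
SETABORTPROC = 0x0009     # the escape function the hotfix blocks
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # little-endian 0x9AC6CDD7

def wmf_records(data: bytes):
    """Yield (function, params) for every record in a WMF file.
    Skips the optional placeable header, validates record sizes, stops at META_EOF."""
    off = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2              # normally 9 words = 18 bytes
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        if size_words < 3 or end > len(data):   # refuse malformed sizes
            raise ValueError(f"bad record size at offset {off}")
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end

def has_setabortproc_escape(data: bytes) -> bool:
    """True if any META_ESCAPE record requests SETABORTPROC (0x09)."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2 \
                and struct.unpack_from("<H", params)[0] == SETABORTPROC:
            return True
    return False

def build_wmf(records):
    """Assemble a minimal standard WMF from (function, params) pairs.
    Constructed test input only; params must be an even number of bytes."""
    body = b"".join(struct.pack("<IH", (len(p) + 6) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    biggest = max((len(p) + 6) // 2 for _, p in records + [(META_EOF, b"")])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, biggest, 0)
    return header + body

# Constructed samples: a benign SETMAPMODE record, an escape of another kind
# (QUERYESCSUPPORT, 0x0F), and an escape that asks for SETABORTPROC.
BENIGN_WMF = build_wmf([(0x0103, struct.pack("<H", 8))])
OTHER_ESCAPE_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", 0x000F, 2) + b"\x00\x00")])
FLAGGED_WMF = build_wmf([(0x0103, struct.pack("<H", 8)),
                         (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 2) + b"\x00\x00")])
```

Only the escape function number is matched, so ordinary escapes such as QUERYESCSUPPORT pass, mirroring the hotfix's narrow block on 0x09 rather than on all of Escape().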