CastleCops, Internet Crime Fighters
Downloads: Hot off the press: WMF Vulnerability Checker
Networks
As you've read in the security alert concerning the WMF exploit, there are very few tools available to patch or detect an exploitable computer system. Ilfak Guilfanov, the author of the Windows WMF Hotfix, has written a WMF Vulnerability Checker. Please read Ilfak's instructions on using the WMF vulnerability checker. A word of caution is offered, however:

Do not use this check as a definite answer to the WMF vulnerability question. But if your system was vulnerable, it should be invulnerable after installing the hotfix and display the second dialog box. In other words you can use this checker as a means to verify that the hotfix is doing its job. One more word of caution: do not forget to reboot your computer after the installation. If you do not reboot it, the checker will tell you that the system is invulnerable while some system processes will still be.

Posted on Sunday, 01 January 2006 @ 23:58:30 UTC by Paul (13669 reads)

Re: Hot off the press: WMF Vulnerability Checker (Score: 1)
by waiownsyou  on Monday, 02 January 2006 @ 00:32:09 UTC
http://www.geocities.com/waiownsyou
Well, not only does this check your vulnerability, it is a live sample! My antivirus stopped me from fully extracting when it found it. Weird.



Re: Hot off the press: WMF Vulnerability Checker (Score: 1)
by NormD  on Monday, 02 January 2006 @ 10:29:06 UTC
I downloaded the fix file, installed it, rebooted, made the regsvr32 change, rebooted and then ran the check program. It still reported the machine vulnerable to the problem. My AV program (CA eTrust) and MS AntiSpyware did not complain when I downloaded.



Re: Hot off the press: WMF Vulnerability Checker (Score: 1)
by dougkendig  on Monday, 02 January 2006 @ 11:21:26 UTC
Have downloaded and installed the hotfix, removed the registry entry and all went well as far as I can tell... visited MS updates and nothing yet on this... also, I noticed when installing the hotfix that AdWatch detected the registry change (replacing Interceptor.dll with the hotfix)... now, I have been watching SpyCatcher Express's operation on my system and they are denying that they use the Interceptor.dll, which is a lie, and when I confronted them about it, they haven't responded since... McAfee detects Interceptor.dll as a Trojan... and File.Net lists Interceptor.dll being from Tenebril Inc. ... So, if the hotfix is necessary to repair an exploit, and replacing the Interceptor.dll IS the only way to fix it... are we in effect saying that SpyCatcher Express is useless at this point? Or maybe even the problem? (Any replies are welcome..., or e-mail if you would at: KenRemCon@SBCGlobal.Net) Thanks guys!



Re: Hot off the press: WMF Vulnerability Checker (Score: 1)
by Rickster100  on Monday, 02 January 2006 @ 14:59:39 UTC
http://www.ni-bmw.co.uk
Well, I've downloaded the patch, checked my system and everything is fine. What I would recommend users to do is read the web page on Steve Gibson's site at: http://www.grc.com/sn/notes-020.htm before downloading the fix, as he explains EXACTLY and CLEARLY what people should do. No problems on my system running XP Pro SP2.

Richie



Re: Hot off the press: WMF Vulnerability Checker (Score: 1)
by ccualumni  on Tuesday, 03 January 2006 @ 19:39:50 UTC
I used the program and it said I was vulnerable.

I went to the recommended site, HexblogDOTcom and it has been suspended.

I do not know if it is for too much traffic or if he was shut down.

Can we go elsewhere?

Can anyone confirm why he was shut down?


 