vclimber
Guest IP: 71.83.*.*
Posted: Tue Jan 03, 2006 4:29 pm Post subject: Still vulnerable after install

I installed the version 1.4 fix and rebooted my machine. After reboot I ran the wfm_checker and it said that my system was still vulnerable. What could be the problem?
I am running Win XP Pro.

ilfak
Hexblog Host
Joined: Jan 03, 2006 Posts: 21 Location: Belgium
Posted: Tue Jan 03, 2006 4:46 pm Post subject:

Please check question #5:
http://www.hexblog.com/security/wmffix_faq.html
How to check that the hotfix is working on my computer?
Use the checker to verify that the hotfix works. It should report that your system is invulnerable. If it reports that your system is still vulnerable, check the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry key. It should contain a reference to c:\windows\system32\wmfhotfix.dll. There are some programs known to clean up this registry key. The fix will not work in this case. You should find and disable the program which cleans the registry key or uninstall the hotfix.

Corrine
Site Moderator
Joined: Aug 22, 2004 Posts: 2465

Diazruanova
Lieutenant
Joined: Sep 22, 2004 Posts: 162 Location: Mexico
Posted: Wed Jan 04, 2006 1:51 pm Post subject:

Hi,
First of all, many thanks Ilfak for all your efforts!!
Now, for my problem: I installed the patch on my W2K SP4 with all the latest updates. I have these residents:
BitDefender Standard 9
WinPatrol Plus (latest ver.)
ZoneAlarm 4.5.594
CounterSpy 1.5.82
I installed your 1.4 fix (no warnings from any of the residents) and proceeded to check after a PC re-boot:
Still vulnerable.
BTW, in all of this process I NEVER received a single warning from any of the aforementioned programs when they were active.
Uninstalled the fix, disabled all residents and prevented them from starting with Windows, re-booted and re-installed the fix, re-booted again and checked, and I was still vulnerable.
I checked for c:\windows\system32\wmfhotfix.dll and it is there!
Any clues?
Thanks again
Diazruanova

Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351

Diazruanova
Lieutenant
Joined: Sep 22, 2004 Posts: 162 Location: Mexico
Posted: Wed Jan 04, 2006 4:24 pm Post subject:

Paul wrote: Hi'ya Diazruanova, iDEFENSE is claiming Win2k is not susceptible.

Thanks Paul, now I am more confused than ever with all the contradicting information.
Do you have a link to the iDEFENSE article about this issue?

Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351

Diazruanova
Lieutenant
Joined: Sep 22, 2004 Posts: 162 Location: Mexico
Posted: Wed Jan 04, 2006 5:42 pm Post subject:

Paul wrote: Hi'ya Diazruanova, iDEFENSE is claiming Win2k is not susceptible.

Thanks Paul, now I am more confused than ever with all the contradicting information.
Do you have a link to the iDEFENSE article about this issue?

Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351

Cybermage
Guest IP: 80.126.*.*
Posted: Wed Jan 04, 2006 9:04 pm Post subject:

Paul wrote: Hi'ya Diazruanova, iDEFENSE is claiming Win2k is not susceptible.

I have checked some W2K machines (Dutch version) at my work, but without patching they are all susceptible.
So my advice: use the patch.

Paul
CastleCops Founder
Joined: Feb 22, 2002 Posts: 27351

vclimber
Guest IP: 71.83.*.*
Posted: Thu Jan 05, 2006 8:20 am Post subject:

Diazruanova wrote:
Hi,
First of all, many thanks Ilfak for all your efforts!!
Now, for my problem: I installed the patch on my W2K SP4 with all the latest updates. I have these residents:
BitDefender Standard 9
WinPatrol Plus (latest ver.)
ZoneAlarm 4.5.594
CounterSpy 1.5.82
I installed your 1.4 fix (no warnings from any of the residents) and proceeded to check after a PC re-boot:
Still vulnerable.
BTW, in all of this process I NEVER received a single warning from any of the aforementioned programs when they were active.
Uninstalled the fix, disabled all residents and prevented them from starting with Windows, re-booted and re-installed the fix, re-booted again and checked, and I was still vulnerable.
I checked for c:\windows\system32\wmfhotfix.dll and it is there!
Any clues?
Thanks again
Diazruanova

I had a chat with Tech Support about BD 9 and they said that BD uses the same registry key as the WMF Hotfix. So when you reboot, BD will re-write the registry entry and as a result the test program will say that you are still vulnerable.
To verify, I uninstalled BD 9 and tried the Hotfix again. Everything worked fine.
So basically BD's Tech Support said that you either need to uninstall the AV or go without the WMF Hotfix. They assured me that BitDefender's AV update will protect against the exploit. I was suspicious, so I asked more questions and basically got hung up on.

Diazruanova
Lieutenant
Joined: Sep 22, 2004 Posts: 162 Location: Mexico
Posted: Thu Jan 05, 2006 1:34 pm Post subject:

vclimber wrote:
I had a chat with Tech Support about BD 9 and they said that BD uses the same registry key as the WMF Hotfix. So when you reboot, BD will re-write the registry entry and as a result the test program will say that you are still vulnerable.
To verify, I uninstalled BD 9 and tried the Hotfix again. Everything worked fine.
So basically BD's Tech Support said that you either need to uninstall the AV or go without the WMF Hotfix. They assured me that BitDefender's AV update will protect against the exploit. I was suspicious, so I asked more questions and basically got hung up on.

Yes, that is correct: the registry key shows "sockspy.dll", which belongs to BD9. But having W2K, I already checked if there is a program that automatically opens .wmf files and there is none, so according to Kaspersky I am protected unless I install a program that reads this type of file, which I do not intend to do.
I am also confident about the HiVE "heuristics" that BD9 has developed; it seems to be amongst the very best on the market and it has shown it by detecting all the variants of this exploit according to av-test.org.
Thanks for your reply vclimber
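Ilfak's FAQ answer earlier in the thread says to inspect the AppInit_DLLs value when the checker still reports "vulnerable", and the exchange between vclimber and Diazruanova shows why that happens: BitDefender 9 writes its own sockspy.dll into the same value and displaces wmfhotfix.dll. The PowerShell script below is an added example, not code from the thread, from the hotfix or from any of the products mentioned. It reads that value and reports whether wmfhotfix.dll is still referenced and which other DLLs are being injected from there. The registry path and the DLL name come from the FAQ quoted above; the function name Get-AppInitDlls and the LoadAppInit_DLLs check are my own additions.

```powershell
# Added example (not from the thread): inspect AppInit_DLLs and report whether the
# WMF hotfix DLL named in Ilfak's FAQ is still registered, and what else is listed.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$hotfixDll = 'wmfhotfix.dll'   # file name from the FAQ; the directory may differ per machine

function Get-AppInitDlls {
    # Returns the DLL entries as an array. The value is a single string in which
    # Windows accepts spaces or commas as separators, so both are split on.
    param([string]$Path = $keyPath)
    $props = Get-ItemProperty -Path $Path -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue
    if (-not $props -or [string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) { return @() }
    return @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ -ne '' })
}

$dlls = Get-AppInitDlls

if ($dlls.Count -eq 0) {
    Write-Host "AppInit_DLLs is empty: nothing is injected, so the hotfix checker will report 'vulnerable'."
} else {
    Write-Host "AppInit_DLLs currently lists:"
    $dlls | ForEach-Object { Write-Host "  $_" }
}

# Compare on the file name only, since the FAQ gives a full path but other
# installers may write a bare name.
$hasHotfix = $dlls | Where-Object { (Split-Path -Leaf $_) -ieq $hotfixDll }
if ($hasHotfix) {
    Write-Host "OK: $hotfixDll is referenced."
} else {
    Write-Host "MISSING: $hotfixDll is not referenced. Another product that owns this value (the thread names BitDefender's sockspy.dll) may have overwritten it."
}

# Every DLL listed here is loaded into each user-mode process that loads user32.dll,
# so any entry you did not put there deserves a look.
$others = $dlls | Where-Object { (Split-Path -Leaf $_) -ine $hotfixDll }
if ($others) { Write-Host "Other AppInit DLLs present: $($others -join ', ')" }

# On Windows Vista and later the list is only honoured when LoadAppInit_DLLs is 1;
# XP and 2000, the systems in this thread, have no such switch.
$load = (Get-ItemProperty -Path $keyPath -Name 'LoadAppInit_DLLs' -ErrorAction SilentlyContinue).LoadAppInit_DLLs
if ($null -ne $load) { Write-Host "LoadAppInit_DLLs = $load (0 means the list above is ignored)" }
```

Reading HKLM does not need an elevated prompt. The script does not change anything; if it shows another product's DLL in place of the hotfix, the FAQ's advice applies: either stop that product from rewriting the value or uninstall the hotfix, and in the meantime rely on the AV vendor's own detection as vclimber was told. Two facts worth knowing beyond the thread: on Windows 8 and later with Secure Boot enabled AppInit_DLLs is disabled entirely, and because the value injects code into nearly every process it is also a classic persistence location, so monitoring changes to it is useful well beyond this particular hotfix.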