[41897] in bugtraq
Re: WMF Exploit
daemon@ATHENA.MIT.EDU (Justin Myers)
Tue Jan 3 13:59:43 2006
Message-ID: <92d887e20601011231m1b6b7aecwd529bee5ee6cce22@mail.gmail.com>
Date: Sun, 1 Jan 2006 14:31:57 -0600
From: Justin Myers <masterbofh@gmail.com>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.44.0512301538130.15122-100000@bugsbunny.castlecops.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Apologies if you've already read this, but this is interesting news:
Apparently shimgvw.dll isn't the problem; according to the Kaspersky
Lab blog, gdi32.dll is.

From http://www.viruslist.com/en/weblog?discuss=176892530&return=1
(which talks about an IM worm that uses this):

"Going back to the wmf vulnerability itself, we see number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The vulnerability
seems to be in gdi32.dll."