[Dshield] WMF redirect. gdi32.dll is the problem

Aaron Lewis aaron at adldatacomm.net
Thu Jan 5 16:57:50 GMT 2006


I think the idea of unregistering shimgvw.dll was to avoid unintentional
viewing of thumbnails and image previews. It was a step towards prevention,
not a solution.

ADL

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of
Matt.Carpenter at alticor.com
Sent: Tuesday, January 03, 2006 2:16 PM
To: list at lists.dshield.org
Subject: [Dshield] WMF redirect. gdi32.dll is the problem


forwarded from BugTraq:
--------------------------------------

Apologies if you've already read this, but this is interesting news:

Apparently shimgvw.dll isn't the problem; according to the Kaspersky
Lab blog, gdi32.dll is.

From http://www.viruslist.com/en/weblog?discuss=176892530&return=1
(which talks about an IM worm that uses this):

"Going back to the wmf vulnerability itself, we see a number of sites
mention that shimgvw.dll is the vulnerable file.
This doesn't seem correct as it's possible to exploit a system on
which shimgvw.dll has been unregistered and deleted. The vulnerability
seems to be in gdi32.dll."
