WMF Vulnerability patch for win98 etc., REALTIME LOG

Posted by Peter on January 5, 2006, 1:50 pm
Decided to install it. For the patch see:

http://www.nod32.ch/en/download/tools.php

Below is the realtime log generated by INCTRL4 utility on a win98se PC.
Note that I installed it to a non-default folder. The key thing to note
is the line:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe

This causes the patch to run on bootup (as intended).

regards,

Peter//


**************REALTIME LOG OF INSTALL OF WMFPATCH from
nod32.ch******************

Installation report: Install
(generated by INCTRL 4, version 1.1.0.0)
Install program: E:\Download\FileTemp\Install.exe
Thursday, January 5, 2006 05:18 PM
Windows 98se
Notification by Real-time reporting

NO CHANGES MADE TO c:\windows\win.ini...

NO CHANGES MADE TO c:\windows\system.ini...

NO CHANGES MADE TO c:\windows\control.ini...

REGISTRY KEYS ADDED: (1)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch

REGISTRY KEY VALUES ADDED: (3)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch\ DisplayName=GDI32 - WMF Patch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch\ UninstallString=D:\PROGRAMS\WMFPATCH\UNWISE.EXE
D:\PROGRAMS\WMFPATCH\INSTALL.LOG
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe

FILES ADDED: (7)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
D:\PROGRAMS\WMFPATCH\UNWISE.EXE
D:\PROGRAMS\WMFPATCH\GDIHOOK.DLL
D:\PROGRAMS\WMFPATCH\INJECT.EXE
D:\PROGRAMS\WMFPATCH\INSTALL.LOG

FILES DELETED: (10)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
C:\WINDOWS\TEMP\~GLH0000.TMP
D:\PROGRAMS\WMFPATCH\~GLH0001.TMP
D:\PROGRAMS\WMFPATCH\TEMP.000
D:\PROGRAMS\WMFPATCH\~GLH0003.TMP
D:\PROGRAMS\WMFPATCH\~GLH0005.TMP
C:\WINDOWS\TEMP\GLJ1290.TMP
C:\WINDOWS\TEMP\GLC1290.TMP

FILES CHANGED: (1)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
C:\WINDOWS\APPLOG\APPLOG.IND

DIRECTORIES ADDED: (1)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
D:\PROGRAMS\WMFPATCH

DIRECTORIES DELETED: (2)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
D:\PROGRAMS\WMFPATCH
---by process D:\PROGRAMS\WMFPATCH\INJECT.EXE
C:\WINDOWS\TEMP\INJECT.MADEXCEPT

***********END************************************
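
Added example, not part of the original post: a Python parser for an INCTRL4 report like the one above. It re-joins entries that were wrapped across lines, lists values added under Run-style autostart keys, and reports sections whose header count differs from the number of entries listed. The function names and the set of autostart key names checked are assumptions of this example.

```python
import re

# Excerpt of the INCTRL4 report from the post above, with its line wraps.
REPORT = r"""
REGISTRY KEY VALUES ADDED: (3)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch\ DisplayName=GDI32 - WMF Patch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\GDI32
- WMF Patch\ UninstallString=D:\PROGRAMS\WMFPATCH\UNWISE.EXE
D:\PROGRAMS\WMFPATCH\INSTALL.LOG
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
FILES ADDED: (7)
---by process E:\DOWNLOAD\FILETEMP\INSTALL.EXE
D:\PROGRAMS\WMFPATCH\UNWISE.EXE
D:\PROGRAMS\WMFPATCH\GDIHOOK.DLL
D:\PROGRAMS\WMFPATCH\INJECT.EXE
D:\PROGRAMS\WMFPATCH\INSTALL.LOG
"""

SECTION = re.compile(r"^([A-Z ]+): \((\d+)\)$")
AUTOSTART = re.compile(r"\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?$", re.I)

def parse_report(text):
    """Map section name -> [declared_count, entries], re-joining wrapped lines."""
    sections, name = {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            name, entries = m.group(1), []
            sections[name] = [int(m.group(2)), entries]
        elif not line or name is None or line.startswith(("---by process", "*")):
            continue
        elif name.startswith("REGISTRY") and entries and not line.startswith("HKEY_"):
            entries[-1] += " " + line      # continuation of a wrapped entry
        else:
            entries.append(line)
    return sections

def autostart_values(sections):
    """(key, value name, command) for each value added under a Run-style key."""
    values = sections.get("REGISTRY KEY VALUES ADDED", [0, []])[1]
    split = (e.partition("\\ ") for e in values)   # report prints "key\ name=data"
    return [(k, *r.partition("=")[::2]) for k, _, r in split if AUTOSTART.search(k)]

def count_mismatches(sections):
    """Sections whose header count differs from the number of entries listed."""
    return {n: (d, len(e)) for n, (d, e) in sections.items() if d != len(e)}
```

On this excerpt, `autostart_values(parse_report(REPORT))` returns the single `GDIPatch` entry, and `count_mismatches` reports `FILES ADDED` as declaring 7 entries while listing 4.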

Posted by on January 5, 2006, 11:42 pm
>Decided to install it. For the patch see:
>
>http://www.nod32.ch/en/download/tools.php
>
>Below is the realtime log generated by INCTRL4 utility on a win98se PC.
>Note that I installed it to a non-default folder. The key thing to note
>is the line:
>
>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
>GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
>
>This causes the patch to run on bootup (as intended).
>
>regards,
>
>Peter//
>

Does it need to run all the time, or is it a run once?
So you're saying you have to change that line to how you have it or it
won't work?



--
_____________________________________________________
For email response, or CC, please mailto:see.my.sig.4.addr(at)bigfoot.com.
Yeah, it's really a real address :)

Posted by Peter on January 6, 2006, 5:44 am


see.my.sig.4.addr@nowhere.com.invalid wrote:
>
> >Decided to install it. For the patch see:
> >
> >http://www.nod32.ch/en/download/tools.php
> >
> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
> >Note that I installed it to a non-default folder. The key thing to note
> >is the line:
> >
> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
> >
> >This causes the patch to run on bootup (as intended).
> >
> >regards,
> >
> >Peter//
> >
>
> Does it need to run all the time, or is it a run once?
> So you're saying you have to change that line to how you have it or it
> won't work?


That line is a registry setting which loads the patch on every win98
boot. So it runs all the time that win98 is running.

But if you want to stop it running do ALT + Ctrl + Del and cancel it.
But it uses absolutely minimal resources, so I leave it running all the
time.

BTW no WMF exploit has yet been discovered for win98. But it's only
prudent to install this patch IMO.

Peter//


<snip>

Posted by on January 10, 2006, 4:12 pm
>> >Decided to install it. For the patch see:
>> >
>> >http://www.nod32.ch/en/download/tools.php
>> >
>> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
>> >Note that I installed it to a non-default folder. The key thing to note
>> >is the line:
>> >
>> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
>> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
>> >
>> >This causes the patch to run on bootup (as intended).
>> >
>> >regards,
>> >
>> >Peter//
>> >
>>
>> Does it need to run all the time, or is it a run once?
>> So you're saying you have to change that line to how you have it or it
>> won't work?
>
>
>That line is a registry setting which loads the patch on every win98
>boot. So it runs all the time that win98 is running.
>
>But if you want to stop it running do ALT + Ctrl + Del and cancel it.
>But it uses absolutely minimal resources, so I leave it running all the
>time.
>
>BTW no WMF exploit has yet been discovered for win98. But it's only
>prudent to install this patch IMO.
>
Ah, that's what I like to hear :)
Seems 9x is immune to most XP/2k exploits these days.
Nice excuse for "progress" with them eh?! But, what do you expect from M$
I guess.
Makes me wonder why you don't hear of people "downgrading" more, or going
to Linux or Mac more.

So will the reg. line addition work for 95 too?
I've got one running that. Dunno if I'll install it if it may slow it
down, it's already slow enough, but I'd like to know in case any exploits
become known.
--
_____________________________________________________
For email response, or CC, please mailto:see.my.sig.4.addr(at)bigfoot.com.
Yeah, it's really a real address :)

Posted by Peter on January 10, 2006, 6:31 pm


see.my.sig.4.addr@nowhere.com.invalid wrote:
>
> >> >Decided to install it. For the patch see:
> >> >
> >> >http://www.nod32.ch/en/download/tools.php
> >> >
> >> >Below is the realtime log generated by INCTRL4 utility on a win98se PC.
> >> >Note that I installed it to a non-default folder. The key thing to note
> >> >is the line:
> >> >
> >> >HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
> >> >GDIPatch=D:\PROGRAMS\WMFPATCH\inject.exe
> >> >
> >> >This causes the patch to run on bootup (as intended).
> >> >
> >> >regards,
> >> >
> >> >Peter//
> >> >
> >>
> >> Does it need to run all the time, or is it a run once?
> >> So you're saying you have to change that line to how you have it or it
> >> won't work?
> >
> >
> >That line is a registry setting which loads the patch on every win98
> >boot. So it runs all the time that win98 is running.
> >
> >But if you want to stop it running do ALT + Ctrl + Del and cancel it.
> >But it uses absolutely minimal resources, so I leave it running all the
> >time.
> >
> >BTW no WMF exploit has yet been discovered for win98. But it's only
> >prudent to install this patch IMO.
> >
> Ah, that's what I like to hear :)
> Seems 9x is immune to most XP/2k exploits these days.
> Nice excuse for "progress" with them eh?! But, what do you expect from M$
> I guess.
> Makes me wonder why you don't hear of people "downgrading" more, or going
> to Linux or Mac more.
>
> So will the reg. line addition work for 95 too?
> I've got one running that. Dunno if I'll install it if it may slow it
> down, it's already slow enough, but I'd like to know in case any exploits
> become known.

Newer OSes tend to have more remote networking capabilities. Hence, if
programmers slip up, more remote networking hacks!

Advice I follow is to stick with win98se for internet. Use XP only for
offline work as necessary. Dual boot is pretty easy [Google on win dual
boot]

FYI on a test system without firewall:
XP -- 45 seconds to infect (!!)
98se -- much longer (I've seen misconfigured firewalls on win98se
PCs that were not infected after 3 months+)

As for win95 and this patch: don't know for sure. But as the patch is
easily uninstalled, why not give it a try?
