[Previous entry: "Installing Enigmail under Linux"] [Main Index] [Next entry: "Interview with Phyllis Chesler"]

01/03/2006 Archived Entry: "Windows 98 and ME may be safe from WMFs"

A bit of good news: it seems that only Windows XP and Windows 2003 systems are vulnerable to the WMF exploit. eWeek's Larry Seltzer has been doing some testing:

It is true, as F-Secure says, that all versions of Windows back to 3.0 have the vulnerability in GDI32. But most versions of Windows are not quite as vulnerable as they appear. Except for Windows XP and Windows Server 2003, no Windows versions, in their default configuration, have a default association for WMF files, and none of their Paint programs or any other standard programs installed with them can read WMF files. ...

Therefore only consider applying the Guilfanov patch on Windows XP and Windows Server 2003. On other platforms, unless you have installed your own vulnerable default handler for WMF files, the likelihood of compromise even when a system is bombarded with malicious WMFs is low.

Note that the Guilfanov patch (also available from Gibson Research) only works on Windows 2000, 2003, and XP, so you can't install it on Windows 98 or ME anyway. But now it looks like 98/ME users don't need it.  —brad