
SANS ISC: Checking for .wmf Vulnerabilities SANS ISC InfoSec Forums


Checking for .wmf Vulnerabilities
As far as we know there are no tools available yet for remote scanning and detection of systems vulnerable to the .wmf issue.  Ilfak Guilfanov has a testing tool available on his website, and he cautions users that it only checks for one version of the exploit so it might not detect new variations. 

If you want to experiment with another file, submitted to us by Kevin Gennuso (thanks, Kevin), you can download it here. The file will open calc.exe and kill explorer.exe on vulnerable systems but otherwise causes no damage as far as we can tell. As always, test this file before using it on a production or enterprise computer. This file is useful for seeing if Ilfak's patch worked for your system.

Reik Bohne sent us a link to a test on heise.de. It's in German, but essentially it provides you with a way to check your browser and your email client to see if you are vulnerable. Like the file above, it starts calc.exe on an unpatched system.

Marcus

ISC Handler
