Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: WMF: Status of Windows 98 and Windows ME ? SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
WMF: Status of Windows 98 and Windows ME ?
We continue to receive questions from Windows 98 and Windows ME users concerning WMF.  To simplify reading (and writing) this diary, I will refer to these two versions of Windows as win9x.

Is there risk?

Win9x has the flawed gdi32.dll library. In the initial advisory, which is no longer online, Microsoft listed that win9x in the company of all of the other vulnerable operating systems.

However, win9x is slightly different from the more recent Windows versions in the way it works. These differences are enough to prevent the current and publicly known exploits from working.  It does seem that Microsoft is confident that these differences are substantial enough to keep win9x tailored WMF exploits from becoming available.

So to answer the question above, yes there is a risk. Win9x is most likely vulnerable but there is no clear and present threat (yet!).

Patch please?

We have been asked for a win9x patch or other foolproof solution for these systems. Unfortunately:
  • Microsoft has not released an official patch so far and there is none on the horizon either.
  • The Microsoft workaround (unregistering shimgvm.dll to prevent access to the vulnerable code in gdi32.dll) for other windows versions cannot be performed in win9x.  The shimgvm.dll library file does not exist in win9x.
  • The unofficial patch which we endorsed in a very specific situation does not work on win9x. These older versions lack technology needed for the patch to protect in memory libraries from being accessed.
  • We know that several software coders have or are going to publish patches for Win9x systems.  However, we highly recommend that you make a risk decision based on your own situation as to whether you wait for a Microsoft patch.  We did the extra-ordinary thing of recommending an unofficial patch earlier for a very specific condition. The conditions for the win9x
    situation are simply not the same now. There is no clear and present threat and the defenses in the form of anti-virus programs have become significantly stronger.

What options that are left?

If you find a no-user-interaction-required exploit of WFM files against win9x, send it to Microsoft (or alternatively send it to us, we will disclose it responsibly to Microsoft).  This would be the last necessary requirement for Microsoft to build and release an official patch for win9x.

It may take a while for this "critical" exploit to surface and some of you want a solution now.  You are left with:
  • Accept the risk and play the wait and see game.
    • Possibly, try to mitigate the risk by getting a good anti-virus program in place, preferably one that is known to trigger on the exploits without triggering on the payload in the WMF. Make sure the signatures are always up to date.
    • Possibly, try to mitigate the risk by isolating the system. Isolating can be done on networks by air-gapping the machines, by removing floppy and cd-rom drives, by disabling USB ports, etc... Some systems might benefit enough from this to remain usable for a while longer.
  • Balance the risks of one of the unofficial patches.
    • I cannot recommend this action at this time, but it is an option you can evaluate, if you find it reduces your overall risk you might have a mitigation strategy.
  • Mitigate the risk by changing the OS
    • You might need to upgrade the hardware in order to be able to upgrade to a more recent version of windows. (Remember: if you pass down the old hardware to your family, friends or a good cause, they now have the problem you had)
    • The hardware capable of running win9x is mostly capable of running alternative operating systems such as Linux, OpenBSD, FreeBSD, and others.  So you have many choices from witch to pick.
You could try to find a combination of the above that fits your specific situation or company policies.

We'd like to give you better alternatives, but currently we see none.

Swa Frantzen

760 Posts
Jan 7th 2006

Sign Up for Free or Log In to start participating in the conversation!