MSFN Forum: Q891711 + U891711 = Unofficial MS07-017 + MS05-002 .ANI fix - MSFN Forum


Q891711 + U891711 = Unofficial MS07-017 + MS05-002 .ANI fix for Windows 95/98/ME = replaced M$ fix

#81 MDGx

Posted 05 April 2007 - 05:09 AM

The Anonymous author of unofficial U891711, KERNEL32.DLL, SHELL32.DLL, GDI32.DLL + GDI.EXE patches sent me this message regarding the newly discovered [?] Windows XP/2003/Vista + MS IE 5/6/7 .ANI [animated] cursor security vulnerability accessed through the GDI engine.
M$ *knew* about it and *ignored* it since December 2006 [!].
But only on April 3 2007 M$ issued patches for Windows XP, 2003 + Vista, 32 + 64 bit [if any1 interested]:
http://www.microsoft.com/technet/security/...n/ms07-017.mspx
Guess what... Windows 98 (FE), 98 SP1, 98 SE + ME are already protected [sic! :)] if you install unofficial U891711 fix:

U891711: Unofficial Windows 98/98 SP1/98 SE/ME Q891711.DLL 4.10.2223 + KB891711.EXE 4.10.2227 Fix [119 KB]:
http://www.mdgx.com/files/U891711.EXE
Read U891711.TXT FIRST:
http://www.mdgx.com/files/U891711.TXT
U891711 MSFN forum:
http://www.msfn.org/...showtopic=58780

Quote

AFAICT, the unofficial KB891711.EXE (4.10.2227) already protects against
the newly discovered animated cursor vulnerability (Win2k, WinXP, Vista).

I hope this helps.
HTH


#82 Rick Chauvin

Posted 06 April 2007 - 08:45 AM

That's really great, thank you for U891711.exe ....which I'm happy to say I already had installed it previously :whistle:

~~~~~~~~~~~~~~~~~~~

I hope Anonymous still is considering releasing Shell32.dll v4.72.3812.640, please :thumbup

#83 BenoitRen

Posted 06 April 2007 - 11:30 AM

How about an actual patch of user32.dll, instead of this work-around?

#84 Ninho

  Posted 10 April 2007 - 04:24 AM

Note : The unofficial fix also works in Windows 95 ! Cf. :
http://www.msfn.org/board/index.php?showto...st&p=643507

-- Ninho

This post has been edited by Ninho: 10 April 2007 - 04:44 AM


#85 MDGx

Posted 11 April 2007 - 12:57 AM

BenoitRen, on Apr 6 2007, 11:30 AM, said:

> How about an actual patch of user32.dll, instead of this work-around?

BenoitRen:

Anonymous author replies to your question:

Quote

KB891711 + U891711 (official & unofficial) are not work-arounds 'BenoitRen', but the even better news is: It would have been too time-consuming to search for the code segment in USER.EXE where .ANI files are parsed (not where USER.LoadImage is), but I just happened to come across it the other day, so there will be a Win98SE USER.EXE/USER32.DLL patch (4.10.2234) in due course. A Win98FE patch is far beyond what I can manage to do, even a WinME patch is highly, highly unlikely I am afraid.
HTH

__________________________________


Rick Chauvin, on Apr 6 2007, 08:45 AM, said:

> That's really great, thank you for U891711.exe ....which I'm happy to say I already had installed it previously
>
> I hope Anonymous still is considering releasing Shell32.dll v4.72.3812.640, please

Please see the answer to your request here:
http://www.msfn.org/board/?s=&showtopi...st&p=643804

HTH

#86 BenoitRen

Posted 11 April 2007 - 06:54 AM

If he found it in Win98 SE's user.exe, it wouldn't be too hard to find in the other versions, no? After all, they're all built on their previous versions instead of rewritten code. I'd like to help looking, but I don't know what to look for, or even how to do it.

#87 Max_04

Posted 11 April 2007 - 08:37 AM

BenoitRen, on Apr 11 2007, 02:54 PM, said:

> If he found it in Win98 SE's user.exe, it wouldn't be too hard to find in the other versions, no? After all, they're all built on their previous versions instead of rewritten code. I'd like to help looking, but I don't know what to look for, or even how to do it.


In Italy we say:

"Don't spit in the plate where you have been eating".

The plate where you have been eating is this section of MSFN.

Here everybody (anonymous author included) gives their contribution, without forcing someone to do something.

It's my thought.

#88 BenoitRen

Posted 11 April 2007 - 12:55 PM

Note that I am offering my help.

Also, being a Windows 95 user, I'm barely fed here.

This post has been edited by BenoitRen: 11 April 2007 - 01:04 PM


#89 Max_04

Posted 11 April 2007 - 03:50 PM

BenoitRen, on Apr 11 2007, 08:55 PM, said:

> Note that I am offering my help.
>
> Also, being a Windows 95 user, I'm barely fed here.

Right, but without annoying people, as you've done before.

This post has been edited by Max_04: 11 April 2007 - 03:52 PM


#90 MDGx

Posted 12 April 2007 - 02:13 AM

galahs + Ninho:

Anonymous author replies to your questions:

Quote

'galahs' wrote on Apr 7 2007, 08:50 PM:

> So what is the advantage of using the unofficial Q891711 patch over
> Zerts?

There are 2 advantages:

(1) AFAICT, the latest ZERT patch does not address the previous
vulnerabilities as described in KB891711. It only addresses the most
recent vulnerability, that is, it only checks for the correct length of
any 'anih' chunk.

(2) As 'Ninho' pointed out correctly, "... it is USER.EXE which needs a
patch. USER32 is just a small stub, all the meat is in the 16 bit USER."
Only KB891711.EXE patches USER.EXE.

As an additional note:

> (Ninho) "... on Windows 9x in no case can a "sploit" of this kind cause
> instructions, contained as data in the malicious file, to be handed
> control and executed..."

I would revise this statement: It is virtually impossible (not in no
case) to craft a file that leads to arbitrary code execution under the
segmented memory model. In addition, if the .ANI file was actually parsed
in USER32.DLL the exploit would work under Win9x as it does under Win2k,
WinXP, etc. This is important to remember as, for example, part of an .EMF
file is not parsed in GDI.EXE, but, similar to WinNT, Win2K, WinXP, etc.,
in GDI32.DLL.
HTH
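
An added example, not part of any post in this thread: a small validator for the check described in post #90, verifying the length of every 'anih' chunk in a RIFF/ACON (.ANI) buffer rather than only the first. The 36-byte header size (nine 32-bit fields), the function names and the sample buffers are assumptions or constructed here, not taken from the thread.

```python
import struct

ANIH_SIZE = 36  # ANI header: nine 32-bit fields (value not stated in the thread)

def chunk(tag: bytes, body: bytes) -> bytes:
    """Build one RIFF chunk for the constructed samples, padded to even length."""
    return tag + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)

def riff(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container of form type ACON."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def check_anih(data: bytes) -> list:
    """Return findings for a RIFF/ACON buffer; an empty list means no problem found."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    findings, seen = [], 0
    # Never trust the declared RIFF size beyond the bytes actually present.
    stack = [(12, min(len(data), 8 + struct.unpack_from("<I", data, 4)[0]))]
    while stack:
        pos, end = stack.pop()
        while pos + 8 <= end:
            tag, size = struct.unpack_from("<4sI", data, pos)
            body = pos + 8
            if body + size > end:
                findings.append(f"{tag!r} at {pos}: size {size} overruns container")
                break
            if tag == b"anih":
                seen += 1
                if size != ANIH_SIZE:  # checked for every anih chunk, not just one
                    findings.append(f"anih #{seen} at {pos}: size {size}, expected {ANIH_SIZE}")
            elif tag == b"LIST" and size >= 4:
                stack.append((body + 4, body + size))  # descend past the list type
            pos = body + size + (size & 1)  # chunks are word-aligned
    if seen == 0:
        findings.append("no anih chunk")
    return findings

# Constructed samples: a well-formed cursor, and one with an extra, oversized 'anih'.
HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD = riff(chunk(b"anih", HEADER),
            chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 8)))
BAD = riff(chunk(b"anih", HEADER), chunk(b"anih", b"\x00" * 80))
```
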

#91 galahs

Posted 14 April 2007 - 06:29 AM

Thanks for the reply.

#92 MDGx

Posted 29 April 2007 - 12:44 PM

UPDATED 4-28-2007

Please see top of this topic to download + install updated patch:
http://www.msfn.org/...showtopic=58780


_____________________________


Update:
* Win98 SE = Old U891711 [temporary fix] replaced by new Q891711 [permanent fix]:
http://www.mdgx.com/files/Q891711.TXT

#93 BenoitRen

Posted 30 April 2007 - 08:44 AM

Awesome! Congratulations to the author. :)
I hope he'll be able to provide a fix for Windows 95's files as well (both version 4.00.950, unless those got updates somewhere?).

I have a question, though. It's my understanding that the parsing happens in user.exe, and that the way to fix the vulnerabilities is to check the size of what user32.dll returns. So why does user32.dll need patching? I don't mean to criticise, I just want to learn.

#94 Analada

Posted 30 April 2007 - 09:48 AM

MDGx, on Apr 29 2007, 12:44 PM, said:

> UPDATED 4-28-2007
>
> Please see top of this topic to download + install updated patch:
> http://www.msfn.org/...showtopic=58780
>
> _____________________________
>
> Update:
> * Win98 SE = Old U891711 [temporary fix] replaced by new Q891711 [permanent fix]:
> http://www.mdgx.com/files/Q891711.TXT

The versions of the fixed user.exe + user32.dll are 4.10.22.33. These are in fact *older* than the ones which existed on my system, 4.90.3001, which were there by doing (I guess) the 98SE2ME upgrade.

But it's better to have a permanent fix. So (1) Uninstall the temporary U891711 first (using add/remove programs); (2) Install new permanent fix even though the file versions are older than those installed by 98SE2ME.

Is above correct?

This post has been edited by Analada: 30 April 2007 - 09:52 AM


#95 MDGx

Posted 30 April 2007 - 10:07 AM

Analada, on Apr 30 2007, 09:48 AM, said:

> The versions of the fixed user.exe + user32.dll are 4.10.22.33. These are in fact *older* than the ones which existed on my system, 4.90.3001, which were there by doing (I guess) the 98SE2ME upgrade.
>
> But it's better to have a permanent fix. So (1) Uninstall the temporary U891711 first (using add/remove programs); (2) Install new permanent fix even though the file versions are older than those installed by 98SE2ME.
>
> Is above correct?

Version number is 4.10.2233 for both 98SE USER*.* files.

The USER*.* files you have in %windir%\system are newer version number, because they are from an older WinME hotfix [USER*.* 4.90.3001]:

Quote

* Microsoft Windows ME Erratic Mouse Pointer Movement USER32.DLL + USER.EXE 4.90.3001 Fix:
http://support.micro....com/?id=280800
Direct download [453 KB, English]:
http://www.mdgx.com/files/ME280800.EXE
More info:
http://support.micro....com/?id=267139
All ME system files have a higher version number than all 98SE files [normal "operation"].
But, as you well caught on, the ME files don't have the permanent fix [yet, anyway, and if they will ever do, it's all up to the anonymous author who created the 98SE fix].

1. Yes, please uninstall U891711 thru Control Panel -> Add/Remove programs.
FYI:
I am going to [at some point] include an uninstall feature for U891711 into the Q891711 INF.

2. Yes, please install 98SE USER*.* 4.10.2233 permanent fix to overwrite ME USER*.* 4.90.3001 :

Quote

* Unofficial Windows 98 SE Animated Cursor (.ANI) + Icon Handling USER32.DLL + USER.EXE 4.10.2233 Security Vulnerability Fix:
http://www.mdgx.com/files/Q891711.TXT
Direct download [375 KB, English]:
http://www.mdgx.com/files/Q891711.EXE
This Fix replaces ALL PREVIOUS Microsoft MS07-017 (Q925902):
http://www.microsoft.com/technet/security/...n/ms07-017.mspx
MS05-002 (Q891711):
http://www.microsoft.com/technet/security/...n/ms05-002.mspx
+ unofficial (U891711) Animated Cursor (.ANI) + Icon Handling Security Vulnerabilities Fixes, which are now OBSOLETE!
Q891711 MSFN forum:
http://www.msfn.org/...showtopic=58780
HTH

#96 Eck

Posted 30 April 2007 - 10:11 AM

I may be mistaken but I think 98SE2ME versions that have that Windows Me version number include the latest fixes so there's no need to reinstall the ones with the older version numbers. Since I generally apply all the fixes before installing 98SE2ME I get the Me version installed. Then if a newer 891711 unofficial patch comes out I have let it replace those Me versions when it asked. But I believe I've read that those USER files are already patched when 98SE2ME installs them. If a new 891711 comes out I install the 98SE version as that is what we are running. Installing the version made especially for Windows Me is a definite no no! But that is not what 98SE2ME does. Um, I think.

Edit - MDGx posted as I was typing. Oh! Then, do what he just said, as will I when it's time for me to install this stuff again. I'm just waiting now on a new Auto-Patcher to get released.

This post has been edited by Eck: 30 April 2007 - 10:13 AM


#97 PROBLEMCHYLD

Posted 30 April 2007 - 11:07 AM

MDGx, on Apr 30 2007, 11:07 AM, said:

> 2. Yes, please install 98SE USER*.* 4.10.2233 permanent fix to overwrite ME USER*.* 4.90.3001

Does this mean you are removing USER*.* 4.90.3001 from 98SE2ME?

#98 Analada

Posted 30 April 2007 - 01:18 PM

PROBLEMCHYLD, on Apr 30 2007, 11:07 AM, said:

> MDGx, on Apr 30 2007, 11:07 AM, said:
>
> > 2. Yes, please install 98SE USER*.* 4.10.2233 permanent fix to overwrite ME USER*.* 4.90.3001
>
> Does this mean you are removing USER*.* 4.90.3001 from 98SE2ME?

Good question. But whatever MDGx decides, based on the facts already given I deduce:

a) If you want a permanent fix, get rid of the TSR-based U891711 stuff, (recommended for 98SE2ME users) then do the permanent fix.

b) If you have already done U891711 + 98SE2ME and now do nothing, there's no harm. You're still protected.

What I don't know is that, ignoring above, whether there are any inherent advantages to using USER*.* 4.90.3001?

This post has been edited by Analada: 30 April 2007 - 01:19 PM


#99 BenoitRen

Posted 30 April 2007 - 05:08 PM

Quote

Yes, please uninstall U891711 thru Control Panel -> Add/Remove programs.
FYI:
I am going to [at some point] include an uninstall feature for U891711 into the Q891711 INF.

I don't understand this. An uninstall feature? You can already uninstall the thing from Add/Remove Programs. Isn't that good enough? Everything should be able to get uninstalled that way.

#100 MDGx

Posted 02 May 2007 - 09:25 AM

BenoitRen, on Apr 30 2007, 05:08 PM, said:

> > Yes, please uninstall U891711 thru Control Panel -> Add/Remove programs.
> > FYI:
> > I am going to [at some point] include an uninstall feature for U891711 into the Q891711 INF.
>
> I don't understand this. An uninstall feature? You can already uninstall the thing from Add/Remove Programs. Isn't that good enough? Everything should be able to get uninstalled that way.

An uninstall feature for the older U891711 which installs Q891711.DLL + KB891711.EXE, not for Q891711 which installs the new USER*.* files.
That's because old U891711 files [temporary fix] are not necessary anymore once Q891711 is installed [permanent fix].
Please see the ReadMe for details:
http://www.mdgx.com/files/Q891711.TXT

HTH
