I saw a post on Larry Seltzer’s excellent security blog that iDEFENSE is claiming that only Windows XP, SP1, SP2, Windows 2003, SP1 and (possibly) Lotus Notes are vulnerable to WMF exploit. Windows 2000, ME, and 98 are not vulnerable (they didn’t test Windows NT). Link here.
Later, Larry did some more testing and came to the following conclusion:
I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw. Here’s why.
Link here. F-Secure also mentions his blog.
Note that I have one email from a user who tested the exploit, and got an infestation, on a W2k machine using a third-party graphics handler. It’s a research point…
Alex Eckelberry