** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

Quote:

---

Originally posted here by HTRegz
Has anyone else seen this or experienced it yet...
This is the only report of seen of it being gdi32.dll so far (that I can remember)... Everyone was initially pointing at shimgvw.dll..

---

Hey HT:

SANS did a presentation showing how the WMF works...it shows that the shimgvw.dll calls the gdi32.dll. Check this graphic out showing this.

Also, SANS posted the presentation presentation PDF

Quote:

---

Originally posted by HTRegz
On a side note... hexblog.com is down (The ISP Killed it due to the large amount of traffic). If anyone wants to fire me both the patch and the mirror it on a couple of servers and then you can feel free to pass the addresses along to mailing lists, buddies, whatever..

---

Two website are hosting Hexblog's hotfix:
* SANS: here
* CastleCops: hotfix v1.4 and WMF exploit checker

We have tested the hotfix and green-lighted deployment of the patch...which is happening right now.

Road: There were no "plans" for the bar.... I built on the fly.... There's a picture of it up here somewhere in Addicts... look in my uploaded files.

Ok... This is what I did... The process is ongoing but it is working:-

Blocked all internet access
Blocked all attachments
Wrote teeny batch file to unreg the dll
Tested the fix - it only functions reliably on my machines when run as an admin.
Stole script from net to add domain users to admin group and place in domain startup script
Wrote whole set of instructions with pictures and attached files and uploaded to our intranet
Sent email to all staff telling them to reboot and follow instructions on intranet.
Sent similar instructions to the other admins within my network
Used my Aida32 inventory setup to verify the installation

Results:-

Within 1 hour I had 150 fixed boxes - yes I was surprised - that's 25%
Encountered issue with a couple of WinXP boxes reporting that the patch was incompatible - yet the checker indicated it worked and Aida32 indicated it was installed
Encountered on issue of the above where it would not install period with the same error
Encountered a couple of Win2K boxes with the above issue - as of yet I am unsure of the status - I will check back if anyone is interested.
Having checked Aida32 for successful install coupled with the users confirming "invulnerable" by the checker I began adding user IP's to the firewall for internet access - Yes, one by one.

So far it has gone a lot better than expected. Of course, just after I finished last night out comes the MSI.... :rolleyes: ... But that's about par for the course with this exploit.....

My mail store is HUGE so it took all night to scan. Not one blip detected. Got lucky since I wasn't available the whole time. Scanned all boxes will all known footprints... nothing. In the mean time while I was blabbing yesterday I blocked all incoming and outgoing attachments in email. OK not blocked but quarantined. You will be amazed at how many attachments are crap. IN addition internet access was blocked to all but the predefined critical list I mentioned earlier. The means about 5 sites REQUIRED for core business function. The 4661 Mcafee dat file detects this so I babysat my enterprise as all clients were forced updated and scanned. Not a thing. So I am taking no other measures at this point. I guess some of the strict internet filtering helped and some spam blocking along with restricted access to program rights. Speaking of SPAM, anyone use this? Xwall It's just another exchange filter but it works in front of exchange and is only 400 bucks per exchange server and was mentioned in a magazine I respect.

Speaking of user rights...

Quote:

---

Stole script from net to add domain users to admin group and place in domain startup script

---

That would be like opening the flood gates in my user base. :p

--------

Nice bar Tiger. :D

Source:BetaNews.com

Quote:

---

However, the patch won't be available until next week's monthly Patch Tuesday release. The company says it needs time to test the fix and prepare it in 23 different languages for all affected versions of Windows.

---

Cure comming soon ..... :p

Road: Don't think for one minute I told my users why they had to reboot before they ran the fixes.... ;-) I'll be undoing that little gem ASAP... In the long run the risk of an issue with them as a local admin outweighs the combination of them whining if they don't have net access and them fuxxoring my network if they have unpatched access to it. I call it a compromise.... :D

Compromises are good. I was hoping to find something so I could test my incident response program hot off the press. :p On a side note I did find some older viruses hiding out in my exchange store archives. Lesson, scan exchange once a week even if it hogs resources because things go undetected until accessed via on-access scanners. Looks bad. :mad:

For Watchguard Firebox users:

If you are adding individual workstations to allow internet access you can "hack" the .cfg file so that you can "mass-add" IP's.

Get your IP list as a space delimited file.
Add an outrageous IP address in the Control Center to the service you want to allow them out on and save the file.
Open .cfg in Notepad and search for the outrageous IP
Now you know the location of the allowed out IP's
make sure you leave the leading space and the trailing CR/LF(?) - it displays as a little rectangle and copy and paste your space delimited list, (there must be no CR/LF's in the list), into place and save it.
Open the .cfg file in Control Center, (the file itself not the firebox), and save the config to the Firebox....
Voila!!!!!

Hope this helps someone

Nice Tiger. Gives me some other ideas. For one encrypting the cfg file. ;)

Don't you use Websense? Click, no internet. :D

Road:

EFS does the trick

Websense.... Wanna send me two licensed copies for 600 users? Didn't think so... ;)

Quote:

---

Websense.... Wanna send me two licensed copies for 600 users? Didn't think so...

---

Ouch!

But getting a daily report of outgoing packets by catagory.. spyware... spam etc is perhaps worth some effort on the financial front but that is even more than the basic price. Have you tried P2P? J/K!