Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #101
    FYI, MS will issue patch for this on January 10th! http://www.microsoft.com/technet/sec...ry/912840.mspx

    My company is currently testing the 3rd party patch by Ilfak against our critical apps our users use. We are coding the script to first run the checker he wrote and if found vulnerable than install patch. If nothing important breaks we'll be deploying the patch and unregistering the DLL starting later today.

    3rd party patch: http://www.hexblog.com/2006/01/silen...installer.html
    3rd party checker: http://www.hexblog.com/2006/01/wmf_v...y_checker.html
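
The checker-then-patch-then-unregister sequence the post describes, as an added example login script (not ric-o's script and not any of the linked tools' own code). The share paths and checker file name are placeholders, and the checker is assumed to exit with code 1 when the host is vulnerable and 0 otherwise; the real tool's exit codes are not documented on this page.

```batch
@echo off
rem Added example, not the poster's script. Runs the WMF checker and, only when
rem the host is reported vulnerable, installs the hotfix MSI and unregisters the
rem Picture and Fax Viewer DLL, logging each step for later review.
setlocal
rem Placeholder paths (assumption): adjust to your own distribution share.
set CHECKER=\\fileserver\share\wmf_checker.exe
set PATCH=\\fileserver\share\WMFHotfix-1.1.14.msi
set LOG=%SystemRoot%\Temp\wmf-mitigation.log

echo %DATE% %TIME% %COMPUTERNAME% start >> "%LOG%"

rem Step 1: run the checker. Assumption: exit code 1 means vulnerable, 0 means not.
"%CHECKER%"
if not errorlevel 1 (
    echo %DATE% %TIME% checker reports not vulnerable, nothing to do >> "%LOG%"
    goto :eof
)

rem Step 2: silent install of the hotfix package (/qn = no UI, /norestart = no reboot).
msiexec /i "%PATCH%" /qn /norestart
if errorlevel 1 (
    echo %DATE% %TIME% msiexec failed with code %ERRORLEVEL% >> "%LOG%"
    goto :eof
)

rem Step 3: unregister shimgvw.dll as well, as the post describes (/u = unregister,
rem /s = silent). Re-register later with regsvr32 /s once the vendor patch is in.
regsvr32 /u /s "%SystemRoot%\system32\shimgvw.dll"
if errorlevel 1 (
    echo %DATE% %TIME% regsvr32 /u shimgvw.dll failed with code %ERRORLEVEL% >> "%LOG%"
    goto :eof
)
echo %DATE% %TIME% hotfix installed and shimgvw.dll unregistered >> "%LOG%"
endlocal
```

Because the log records the checker result and each command's exit code per machine, the central share gives you a quick inventory of which hosts were found vulnerable and which ones failed a step.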

  2. #102
    AO Curmudgeon rcgreen (joined Nov 2001, 2,716 posts)
    This would not be a good time to be surfing the random Pr0N site.
    I came in to the world with nothing. I still have most of it.

  3. #103
    Senior Member (joined Jan 2003, 3,915 posts)
    Originally posted here by ric-o
    FYI, MS will issue patch for this on January 10th! http://www.microsoft.com/technet/sec...ry/912840.mspx

    My company is currently testing the 3rd party patch by Ilfak against our critical apps our users use. We are coding the script to first run the checker he wrote and if found vulnerable than install patch. If nothing important breaks we'll be deploying the patch and unregistering the DLL starting later today.

    3rd party patch: http://www.hexblog.com/2006/01/silen...installer.html
    3rd party checker: http://www.hexblog.com/2006/01/wmf_v...y_checker.html
    Hey Hey,

    Why would you both deploy the patch and unregister the DLL?? As far as I understand it, it's one or the other... I ran the patch (never unregistered a DLL and I haven't found myself vulnerable to any of the tests since)..

    Btw... Check out http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi

    It's on the latest SANS Diary Entry... someone has released an MSI for people in corporate environments that want to push it out...

    I'm actually kind of jealous.. I spent a few hours playing with WinInstall LE that came with the Server 2000 CD and it won't package files (only access against a share)... which sucked..I wasted time but learned something I guess... anyways.. now there's an MSI if you're interested.

    Peace,
    HT

  4. #104
    Originally posted here by HTRegz
    Why would you both deploy the patch and unregister the DLL?? As far as I understand it, it's one or the other... I ran the patch (never unregistered a DLL and I haven't found myself vulnerable to any of the tests since)..
    From what SANS and a couple of others are saying, the 3rd party patch alone may not protect you. We are testing, so if we find major breakage we may just forgo the unregistering of that DLL.

  5. #105
    Senior Member (joined Jan 2003, 3,915 posts)
    Hey Hey,

    Has anyone else seen this or experienced it yet...

    Source: http://www.viruslist.com/en/weblog?d...92530&return=1
    Going back to the wmf vulnerability itself, we see a number of sites mention that shimgvw.dll is the vulnerable file.
    This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll.

    So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised.
    It has to be noted that in this case the attack vector of web browsers seems significantly smaller than that of explorer+third party programs.
    This is the only report I've seen of it being gdi32.dll so far (that I can remember)... Everyone was initially pointing at shimgvw.dll..

    Peace,
    HT

  6. #106
    Senior Member gore (joined Oct 2002, Michigan, 7,177 posts)
    Rc, might be a good idea to hide that for people looking at work or school. Some people are offended by nipples.

  7. #107
    Senior Member RoadClosed (joined Jun 2003, 3,834 posts)
    I'm actually kind of jealous.. I spent a few hours playing with WinInstall LE
    Group Policy is a beautiful thing.

    Off Topic. Tiger did you build that bar? Send me the plans it looks nice in my future play room. Right now I am building a HERMS system that will need a bar later.

    Well I got totally fuxored going on vacation with no external access to my core systems. The initial scrub check doesn't show anything. I know for a fact that I have some users who make a donkey look intelligent so I have to dig deeper but 99 percent are restricted severely. How many calls do I get a week begging for access to the desktop. If you are cute you get it. wink wink. j/k.

    Oh hey HT Welcome to the real world. When **** hits the fan... what do you do? As Tiger hinted and we all hear every day.... risk mitigation. If the risk is high for instance, is it worth filtering and quarantining ALL attachments for your review before users get them? I have done that in the past. Hell back in the day before snort and good virus scanners I would pull the internet right out of the wall plug. That too is an option and today outside correspondence can be granted access past gateway filtering on a case by case basis. With the click of a mouse you should be able to block all external connections save a predetermined critical list. This is a real world disaster prep scenario or lesson. What if you were on vacation? I have to struggle with my own fear of VPNs.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #108
    Senior Member (joined Jan 2003, 3,915 posts)
    Originally posted here by RoadClosed
    Oh hey HT Welcome to the real world. When **** hits the fan... what do you do? As Tiger hinted and we all hear every day.... risk mitigation. If the risk is high for instance, is it worth filtering and quarantining ALL attachments for your review before users get them? I have done that in the past. Hell back in the day before snort and good virus scanners I would pull the internet right out of the wall plug. That too is an option and today outside correspondence can be granted access past gateway filtering on a case by case basis. With the click of a mouse you should be able to block all external connections save a predetermined critical list. This is a real world disaster prep scenario or lesson. What if you were on vacation? I have to struggle with my own fear of VPNs.
    You make some good points... Since I'm a small company.. it's still my goal to get a linux box up and running between the router and the modem... that way I would have more control... I tried to get a small cisco 800 series but it was no go.. and the linksys I've got is one of the first released... they have had new firmware for it since 2001... basically what this means is I have no control over my network.... so killing it would be the only solution.. however it would also be my ass and my job..


    On a side note... hexblog.com is down (The ISP Killed it due to the large amount of traffic). If anyone wants to fire me both the patch and the mirror it on a couple of servers and then you can feel free to pass the addresses along to mailing lists, buddies, whatever..

    Another humorous thing... The Wall Street Journal Online just published an article regarding this whole WMF incident.... they are referring to it as the well known "metasploit virus"...

    Peace,
    HT

  9. #109
    Leftie Linux Lover the_JinX (joined Nov 2001, Beverwijk, Netherlands, 2,534 posts)
    Where do you want to go today?

    Microsoft's response (5 clicks from the front page of microsoft.com)..
    Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code.
    I thought the Windows slogan was: Where do you want to go today?

    So what can we trust..
    MSN 'homepages' with user uploaded images ??

    To think I had a specimen of a 'bad' wmf on my linux test box before christmas..
    And couldn't find out what it was

    So that's been over a week, nearing on two..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #110
    Senior Member RoadClosed (joined Jun 2003, 3,834 posts)
    I actually have a dial up modem connected to an obscure PC. That's pretty safe. But it didn't work. I have come to terms with the necessity for 24 hour access and I will accept some risk. The other month or two I had a mail server that went unpatched for 6 hours. I sweat the ENTIRE time. But I am going to use a WAN with the VPN gateway outside the local network on its own dedicated DSL connection. At a point where I can lock the sub-net down more than the local network and where my critical devices stay hidden like I like 'em.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
