
Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #131
    Junior Member
    Join Date
    Nov 2005
    Posts
    12
    Sweet! Thanks for the up-to-date info. I am quite surprised that M$ is actually getting their patch out... Maybe now I don't have to worry so much about my VPN users.

    Like you said I hope it doesn't break anything else.

  2. #132
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    For those that have rolled out the patch from SANS, watch your printers.

    We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGVW.DLL causing printing issues.


    De-registering SHIMGVW.DLL can cause printer issues. This has been verified.
    Pedro, a fellow SANS handler, provided this:
    "From Microsoft Windows Server 2003 Inside Out, by William R. Stanek: The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."

    ScottF, another SANS handler, states: "I have seen a few new printing bugs...basically the printer spooler tray icon pops up and says there is an error and then prints without a problem." This was when SHIMGVW.DLL was deregistered.

    It appears that Ilfak Guilfanov's patch can also cause printer problems.
    Paul Shane reported:
    "It seems that users printing with Lotus 1-2-3 V5 for windows (yes...the old version), running on Windows XP, cannot print with the hexblog patch installed. As soon as the patch is uninstalled and the machine is rebooted, printing works."

    Finally, JimC, another SANS handler, writing about Ilfak's patch, states:
    "Actually, I guess this one doesn't surprise me too much. The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch."
    Source

    Cheers:
    DjM

  3. #133
    Junior Member
    Join Date
    Nov 2005
    Posts
    12
    The patch is now posted.

    Here is the link: http://www.microsoft.com/technet/sec.../ms06-001.mspx

  4. #134
    Junior Member
    Join Date
    Jan 2002
    Posts
    11
    It's also been posted to the Windows Update site.

    I've installed the patch on a Windows XP Pro SP2 system. So far, I don't see any errors with it. I have not tested against one of the infected URLs yet, but when I do, I'll post the results here.

  5. #135
    Just going to apply the patch now. If I don't get the BSOD then I'll authorise it via our SUS server. If you don't hear from me...

  6. #136
    eWeek has some information about this as well:

    http://www.eweek.com/category2/0,1874,1252525,00.asp

    Also Ilfak Guilfanov's site has been updated: http://www.hexblog.com/index.html

    Also ISC just went to GREEN. http://isc.sans.org/

    Cya Fleshbags.

  7. #137
    Windows XP Pro and Windows 2000 Pro applied the patch just fine for me.

  8. #138
    If you applied the third-party, make sure you remove it first. Don't know if there would be a problem, but it would probably be best to do so. I installed the patch and it worked just fine.

    'Course, I haven't been to a nasty site to test.

    Not that I plan to go to one ...


  9. #139
    Applied the patch, tested a number of the exploits including one from SANS and one we developed in house, exploit "malicious" code did not run and there didn't seem to be any unstable behaviour.

    All going well this stage, big test will be some of our internal legacy apps, some of the programming on these is interesting to say the least, that job is one for today but so far all is good

  10. #140
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Installed the official patch on a fully updated Win2k box over the top of both the MSI for Ilfak's patch _and_ Ilfak's patch itself (all three are installed). I am currently VPN'ed into the network using Netmeeting to the patched box with the following apps open:-

    Explorer x 3
    Notepad x 2
    Firefox with 3 tabs open
    Outlook 2002 connected to an Exchange server
    Cmd prompt

    along with 11 systray items running.....

    It's running solid......

    Oh, BTW, the checker says I'm "invulnerable"... But I knew that anyway, he says - hopefully...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
