Page 1 of 2 12>
Topic Options
#154298 - 2005-12-30 06:31 PM WMF vulnerability - debating on whether to roll out work around with kix
ostech Offline
Lurker

Registered: 2005-07-05
Posts: 4
This latest, currently patch less, vulnerability (Microsoft Security Advisory (912840)) looks like it has possibilities of wide spread infection once the predicted worm makes it out. Currently the only work around is to unregister a dll:
regsvr32 -u %windir%\system32\shimgvw.dll

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

I am debating on whether to roll out this work around via the logon script and wanted to open it up for discussion...

Top
#154299 - 2005-12-30 06:50 PM Re: WMF vulnerability - debating on whether to roll out work around with kix
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
well, if there is no real bad effect, I don't see why not.
_________________________
!

download KiXnet

Top
#154300 - 2005-12-30 07:11 PM Re: WMF vulnerability - debating on whether to roll out work around with kix
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
How is 912840 different from MS05-053?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#154301 - 2005-12-30 07:46 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
ostech Offline
Lurker

Registered: 2005-07-05
Posts: 4
From the MS FAQ:
** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?*

No, these are different and separate issues.

Top
#154302 - 2005-12-30 08:29 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Doh!
So it is... that's what I get for just quickly scanning the title of the advisory.

In our environment, there are a lot of faxes sent as email attachment that might be affected by the workaround. I just dug a little deeper and our AV has this one covered. We are covered by three AV products, McAfee, eTrust, and Symantec (belt, suspenders, and duct tape I like to call it) and since there are no yet any mass exploits out there, all systems and clients have a chance to get the latest update before it goes wild.

Something like this can usually be stopped at the firewall with stateful inspection and by blocking the WMF extension but in this case, I think even a renamed file could unleash the exploit depending on the application.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#154303 - 2005-12-30 09:12 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
ostech Offline
Lurker

Registered: 2005-07-05
Posts: 4
Yes, at this point am going to rely on our desktop and perimeter security defenses, blocking known exploit sites, and external web mail. Our help desk would get crushed next week if users could not pull up images and faxes. I am hoping MS comes out with a patch over the weekend so we can get it deployed with WUS and HFNetChkPro before the work week starts. I have a feeling next week this topic will be front page news as the unprotected broadband systems get hit.

Thanks for your responses and have a Happy New Year!

Top
#154304 - 2005-12-30 09:32 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Allen Administrator Online   shocked
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4549
Loc: USA
Les,

It is actually in the wild... I've been running into this on home pcs for about 2-3 weeks. Until yesterday, I had no idea how it was getting on their pcs (partly because my customers had no idea, and of course never admit to web sites they visit). Here is a link talking about it some more: Microsoft scrambles to fix 'severe' security flaw

Top
#154305 - 2005-12-30 10:08 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA

Symantec detects this exploit as:
Bloodhound.Exploit.56
The Bloodhound.Exploit.56 detection was updated as of the December 30th, 2005 LiveUpdate definitions.
http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.56.html

Top
#154306 - 2005-12-30 11:02 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
By *wild* I meant crazy. So far Symantec and McAfee give it a pretty low risk assessment.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
#154307 - 2005-12-31 12:10 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Allen Administrator Online   shocked
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4549
Loc: USA
ah... go wild, not in the wild...

Still... I'm surprised they consider this a low threat. From what I've seen it installs a program in the task bar saying your computer is "Infected with Spyware"... and then they try to extort $40 bucks for a piece of crap software that removes imaginary spyware. It also seems to install a few BHOs too.

Top
#154308 - 2006-01-01 04:37 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole Offline
Getting the hang of it

Registered: 2003-01-01
Posts: 77
Loc: Indian Head, Maryland, USA
There is an unofficial patch from Ilfak Guilfanov mentioned here: http://isc.sans.org/diary.php?date=2006-01-01 as well as several other well known IT security sites and news groups. It looks like this has gotten worse. I have asked the handlers at SANS if there are command line switches to silence the GUI. Any body have ideas for a silent admin script install? The one from MS is easy enough via regsvr32, but the one from Ilfak Guilfanov does not seem to support the traditional switches.

Thanks,

mole
_________________________
mole

Who is John Galt?

Top
#154309 - 2006-01-01 02:22 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole Offline
Getting the hang of it

Registered: 2003-01-01
Posts: 77
Loc: Indian Head, Maryland, USA
Tom Liston at SANS Internet Storm Center wrote me back:

Quote:



You might take a look here:

http://users.utu.fi/vpjsuu/wmfhotfix/

This site has an MSI file created from Ilfak Guilfanov's patch.

You are, however, on your own. The file distributed through the ISC has
been checked, but we can't vouch for files from a third party site.

Regards,

- -TL






The link Tom sent with the *.MSI file placed the same *.dll as the *.exe from the original "unofficial" patch and installs silently with the traditional switches for msiexec.

...And yes, at this point with no official patch use at your own risk. Also remeber to back the "unofficial" patch(es) out before an official one is deployed. I have applied both this patch and unregistered the *.dll on test systems in the as SANS described "belt and suspenders" approach.

mole

BTW - Happy New Year
_________________________
mole

Who is John Galt?

Top
#154310 - 2006-01-02 01:52 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole Offline
Getting the hang of it

Registered: 2003-01-01
Posts: 77
Loc: Indian Head, Maryland, USA
A new MSI file here: http://handlers.sans.org/tliston/WindowsMetafileFix.html

...use with the above cautions.

mole
_________________________
mole

Who is John Galt?

Top
#154311 - 2006-01-03 01:14 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA

Top
#154312 - 2006-01-03 01:47 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
doc, that on your system?
_________________________
!

download KiXnet

Top
#154313 - 2006-01-03 09:21 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
LOL
Hope this is a joke and it's not really showing up.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#154314 - 2006-01-03 09:46 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
ROFL - No, just a joke Jooel.
Top
#154315 - 2006-01-03 12:36 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
MS has a patch ready and is now testing and lozalizing it.

Quote:


....
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.
....





http://www.microsoft.com/technet/security/advisory/912840.mspx
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#154316 - 2006-01-03 07:59 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11624
Loc: CA
lozalizing is that a Dutch term?
Top
#154317 - 2006-01-03 08:18 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
LOL, nope. Made that up on the fly

Wanted to write localizing but it seems that this is also a not existing word.
Just wanted to say that MS is making the patch support some more languages then the one they got it in now.


Edited by Mart (2006-01-03 08:18 PM)
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
Page 1 of 2 12>


Moderator:  Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 700 anonymous users online.
Newest Members
Timothy, Jojo67, MaikSimon, kvn317, kixtarts2025
17874 Registered Users

Generated in 0.08 seconds in which 0.029 seconds were spent on a total of 12 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org