WMF vulnerability - debating on whether to roll out work around with kix - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Lounge » WMF vulnerability - debating on whether to roll out work around with kix

Page 1 of 2

1

Topic Options

#154298 - 2005-12-30 06:31 PM WMF vulnerability - debating on whether to roll out work around with kix
ostech ostech Lurker Registered: 2005-07-05 Posts: 4	This latest, currently patch less, vulnerability (Microsoft Security Advisory (912840)) looks like it has possibilities of wide spread infection once the predicted worm makes it out. Currently the only work around is to unregister a dll: regsvr32 -u %windir%\system32\shimgvw.dll Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer. I am debating on whether to roll out this work around via the logon script and wanted to open it up for discussion...
Top

#154299 - 2005-12-30 06:50 PM Re: WMF vulnerability - debating on whether to roll out work around with kix
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	well, if there is no real bad effect, I don't see why not. _________________________ ! download KiXnet
Top

#154300 - 2005-12-30 07:11 PM Re: WMF vulnerability - debating on whether to roll out work around with kix
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	How is 912840 different from MS05-053? _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154301 - 2005-12-30 07:46 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
ostech ostech Lurker Registered: 2005-07-05 Posts: 4	From the MS FAQ: ** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?* No, these are different and separate issues.
Top

#154302 - 2005-12-30 08:29 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Doh! So it is... that's what I get for just quickly scanning the title of the advisory. In our environment, there are a lot of faxes sent as email attachment that might be affected by the workaround. I just dug a little deeper and our AV has this one covered. We are covered by three AV products, McAfee, eTrust, and Symantec (belt, suspenders, and duct tape I like to call it) and since there are no yet any mass exploits out there, all systems and clients have a chance to get the latest update before it goes wild. Something like this can usually be stopped at the firewall with stateful inspection and by blocking the WMF extension but in this case, I think even a renamed file could unleash the exploit depending on the application. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154303 - 2005-12-30 09:12 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
ostech ostech Lurker Registered: 2005-07-05 Posts: 4	Yes, at this point am going to rely on our desktop and perimeter security defenses, blocking known exploit sites, and external web mail. Our help desk would get crushed next week if users could not pull up images and faxes. I am hoping MS comes out with a patch over the weekend so we can get it deployed with WUS and HFNetChkPro before the work week starts. I have a feeling next week this topic will be front page news as the unprotected broadband systems get hit. Thanks for your responses and have a Happy New Year!
Top

#154304 - 2005-12-30 09:32 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Allen Allen KiX Supporter Registered: 2003-04-19 Posts: 4549 Loc: USA	Les, It is actually in the wild... I've been running into this on home pcs for about 2-3 weeks. Until yesterday, I had no idea how it was getting on their pcs (partly because my customers had no idea, and of course never admit to web sites they visit). Here is a link talking about it some more: Microsoft scrambles to fix 'severe' security flaw
Top

#154305 - 2005-12-30 10:08 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11624 Loc: CA	Symantec detects this exploit as: Bloodhound.Exploit.56 The Bloodhound.Exploit.56 detection was updated as of the December 30th, 2005 LiveUpdate definitions. http://www.sarc.com/avcenter/venc/data/bloodhound.exploit.56.html
Top

#154306 - 2005-12-30 11:02 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	By wild I meant crazy. So far Symantec and McAfee give it a pretty low risk assessment. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#154307 - 2005-12-31 12:10 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Allen Allen KiX Supporter Registered: 2003-04-19 Posts: 4549 Loc: USA	ah... go wild, not in the wild... Still... I'm surprised they consider this a low threat. From what I've seen it installs a program in the task bar saying your computer is "Infected with Spyware"... and then they try to extort $40 bucks for a piece of crap software that removes imaginary spyware. It also seems to install a few BHOs too.
Top

#154308 - 2006-01-01 04:37 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 77 Loc: Indian Head, Maryland, USA	There is an unofficial patch from Ilfak Guilfanov mentioned here: http://isc.sans.org/diary.php?date=2006-01-01 as well as several other well known IT security sites and news groups. It looks like this has gotten worse. I have asked the handlers at SANS if there are command line switches to silence the GUI. Any body have ideas for a silent admin script install? The one from MS is easy enough via regsvr32, but the one from Ilfak Guilfanov does not seem to support the traditional switches. Thanks, mole _________________________ mole Who is John Galt?
Top

#154309 - 2006-01-01 02:22 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 77 Loc: Indian Head, Maryland, USA	Tom Liston at SANS Internet Storm Center wrote me back: Quote: You might take a look here: http://users.utu.fi/vpjsuu/wmfhotfix/ This site has an MSI file created from Ilfak Guilfanov's patch. You are, however, on your own. The file distributed through the ISC has been checked, but we can't vouch for files from a third party site. Regards, - -TL The link Tom sent with the .MSI file placed the same .dll as the .exe from the original "unofficial" patch and installs silently with the traditional switches for msiexec. ...And yes, at this point with no official patch use at your own risk. Also remeber to back the "unofficial" patch(es) out before an official one is deployed. I have applied both this patch and unregistered the .dll on test systems in the as SANS described "belt and suspenders" approach. mole BTW - Happy New Year _________________________ mole Who is John Galt?
Top

#154310 - 2006-01-02 01:52 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
mole mole Getting the hang of it Registered: 2003-01-01 Posts: 77 Loc: Indian Head, Maryland, USA	A new MSI file here: http://handlers.sans.org/tliston/WindowsMetafileFix.html ...use with the above cautions. mole _________________________ mole Who is John Galt?
Top

#154311 - 2006-01-03 01:14 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11624 Loc: CA
Top

#154312 - 2006-01-03 01:47 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	doc, that on your system? _________________________ ! download KiXnet
Top

#154313 - 2006-01-03 09:21 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	LOL Hope this is a joke and it's not really showing up. _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#154314 - 2006-01-03 09:46 AM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11624 Loc: CA	ROFL - No, just a joke Jooel.
Top

#154315 - 2006-01-03 12:36 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	MS has a patch ready and is now testing and lozalizing it. Quote: .... Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing. The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically. .... http://www.microsoft.com/technet/security/advisory/912840.mspx _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#154316 - 2006-01-03 07:59 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11624 Loc: CA	lozalizing is that a Dutch term?
Top

#154317 - 2006-01-03 08:18 PM Re: WMF vulnerability - debating on whether to roll out work around with ki
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	LOL, nope. Made that up on the fly Wanted to write localizing but it seems that this is also a not existing word. Just wanted to say that MS is making the patch support some more languages then the one they got it in now. Edited by Mart (2006-01-03 08:18 PM) _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

Page 1 of 2

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Arend_, Allen, Jochen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Who's Online

0 registered and 920 anonymous users online.

Newest Members

Timothy, Jojo67, MaikSimon, kvn317, kixtarts2025
17874 Registered Users

Generated in 0.075 seconds in which 0.026 seconds were spent on a total of 12 queries. Zlib compression enabled.

click tracking