True...but right now the vector they are using is WMF so it mitigates that one.

Risk analysis and for right now ...that's the steps I took for my office. [I'm thinking about enabling DEP for everyone as I'm seeing no impact here and I'm the only one running Irfanview]

Now whether I do more tomorrow.... ask me tomorrow :-) I'm still not ready to unregister dll's..... yet....

{Cool thing about SBSland is the Change Management department around here is really agreeable with whatever I decide to do}

Crawford, Scott wrote:

This has been discussed on Jesper's blog, but the main problem is that
blocking wmf files doesn't mitigate the risk because simply renaming a
file to .jpg or .gif will still cause it to be parsed by the same .dll,
which will treat it as the file type it really is.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 29, 2005 7:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ZeroDay-WMF

What did I do?

1. Fired up Trend and blocked the wmf files
2. Fired up ISA and blocked WMF images
3. On my high risk workstations [uh...mine] enabled DEP for all programs [and seriously considering doing this for all as I'm 100% borg XP sp2 here]
How to Configure Memory Protection in Windows XP SP2:
http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
4. Ensured that the a/v dats were covering it
5. Informed all of what was going on and told them to 'be careful'.

I have not unregistered that dll as to me... ripping that out like that is a last resort. You will break a lot of stuff.


E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : So if you have ISA here are some things you can do:
http://msmvps.com/blogs/bradley/archive/2005/12/28/79908.aspx
E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : Blocking those WMF's at the email border:
http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx
E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : WMF and blocking:
http://msmvps.com/blogs/bradley/archive/2005/12/29/79966.aspx


Noah Eiger wrote:

Susan -

I examined the steps you provided for unregistering shimgvw.dll but notes at http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html seem to indicate that this will only help if you get an infected attachment in email. Or did I misread that?

Also, if this is a good stop-gap, are you deploying it via script/GPO?

At least until MS patches?

Thanks.

-- nme




--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
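Scott's point about renamed files, shown as an added example that is not part of this thread: a small Python filter that recognises WMF content by its header bytes, next to the extension-only check the thread describes. The sample files are constructed inline (not real attachments), and the placeable-header checksum is not verified.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # Aldus placeable metafile magic (bytes D7 CD C6 9A on disk)


def looks_like_wmf(data: bytes) -> bool:
    """Identify a WMF by its header bytes, ignoring whatever extension it carries."""
    if len(data) >= 22 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        # Placeable (Aldus) header; the 18-byte standard header follows at offset 22.
        # The 16-bit checksum at offset 20 is not verified here.
        return True
    if len(data) >= 18:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        # Standard METAHEADER: type 1 (memory) or 2 (disk), header size 9 words,
        # version 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x).
        return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)
    return False


def extension_says_wmf(name: str) -> bool:
    """The filter the thread describes: decide by file extension only."""
    return name.lower().endswith(".wmf")


def triage(name: str, data: bytes) -> dict:
    """Compare both filters for one file; the gap between them is the renamed case."""
    return {"name": name,
            "by_extension": extension_says_wmf(name),
            "by_content": looks_like_wmf(data)}


def _placeable_wmf() -> bytes:
    # Constructed sample: placeable header (22 bytes) + standard header (18 bytes), no records.
    # Placeable fields: key, hmf, bbox(left, top, right, bottom), inch, reserved, checksum.
    placeable = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    standard = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
    return placeable + standard


# Constructed inputs, not files from the thread.
SAMPLES = {
    "diagram.wmf": _placeable_wmf(),     # honest name
    "holiday.jpg": _placeable_wmf(),     # same bytes, renamed to .jpg
    "logo.gif": b"GIF89a" + bytes(40),   # a genuine non-WMF header
}


def run_triage() -> list:
    return [triage(n, d) for n, d in SAMPLES.items()]


if __name__ == "__main__":
    for row in run_triage():
        print(row)
```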

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
