The .WMF has now been picked up by at least one of the lesser banner ad companies using revolving or rotating ads and is now spreading quite quickly. The last F-Secure reports were 57 varieties and counting.

Happy New Year!



Brent Eads aka ---->beads
Employee Technology Solutions, Inc.



The contents contain privileged and/or confidential information intended for the named recipient of this email. ETSI (Employee Technology Solutions, Inc.) does not warrant that the contents of any electronically transmitted information will remain confidential. If the reader of this email is not the intended recipient, you are hereby notified that any use, reproduction, disclosure or distribution of the information contained in the email is prohibited. If you have received this email in error, please reply to us immediately and delete the document.

Viruses, Malware, Phishing and other known and unknown electronic threats: It is the recipient/client's duties to perform virus scans and otherwise test the information provided before loading onto any computer system. No warranty is made that this material is free from computer virus or any other defect.

Any loss/damage incurred by using this material is not the sender's responsibility. Liability will be limited to resupplying the material.



"Noah Eiger" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

12/30/2005 12:48 PM

Please respond to: ActiveDir@mail.activedir.org

To: <ActiveDir@mail.activedir.org>
cc:
Subject: RE: [ActiveDir] ZeroDay-WMF

Sorry. Maybe it's too much holiday partying: DEP?

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]
Sent: Thursday, December 29, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ZeroDay-WMF

True...but right now the vector they are using is WMF so it mitigates
that one.

Risk analysis and for right now ...that's the steps I took for my
office.  [I'm thinking about DEP enabling everyone as I'm seeing no
impact here and I'm the only one running Irfanview]

Now whether I do more tomorrow.... ask me tomorrow  :-)  I'm still not
ready to unregister dll's..... yet....

{Cool thing about SBSland is the Change Management department around
here is really agreeable with whatever I decide to do}

Crawford, Scott wrote:

>This has been discussed on Jesper's blog, but the main problem is that
>blocking wmf files doesn't mitigate the risk because simply renaming a
>file to .jpg or .gif will still cause it to be parsed by the same .dll
>which will treat it as the file type it really is.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, December 29, 2005 7:08 PM
>To: ActiveDir@mail.activedir.org
>Subject: Re: [ActiveDir] ZeroDay-WMF
>
>What did I do?
>
>1.  Fired up Trend and blocked the wmf files
>2.  Fired up ISA and blocked WMF images
>3.  On my high risk workstations [uh...mine] enabled DEP for all
>programs [and seriously considering doing this for all as I'm 100% borg
>XP sp2 here]
>How to Configure Memory Protection in Windows XP SP2:
>http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>4.  Ensured that the a/v dats were covering it
>5.  Informed all of what was going on and told them to 'be careful'.
>
>I have not unregistered that dll as to me... ripping that out like that
>is last resort.  You will break a lot of stuff.
>
>
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : So if you have
>ISA here are some things you can do:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79908.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : Blocking those
>WMF's at the email border:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : WMF and blocking:
>http://msmvps.com/blogs/bradley/archive/2005/12/29/79966.aspx
>
>
>Noah Eiger wrote:
>
>
>>Susan -
>>
>>I examined the steps you provided for unregistering shimgvw.dll but
>>notes at
>>http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html
>>seem to indicate that this will only help if you get an infected
>>attachment in email. Or did I misread that?
>>
>>Also, if this is a good stop-gap, are you deploying it via script/GPO?
>>At least until MS patches?
>>
>>Thanks.
>>
>>-- nme
>>
>>--
>>No virus found in this outgoing message.
>>Checked by AVG Free Edition.
>>Version: 7.1.371 / Virus Database: 267.14.9/216 - Release Date: 12/29/2005
>

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
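Scott's point above, that an extension-based block at the border lets a renamed WMF straight through, means a filter has to look at the bytes, not the name. The following is an added example (not code from the thread or from any vendor named in it): a Python sniffer that identifies WMF by its placeable key or standard META_HEADER regardless of extension and flags the mismatch. The sample "attachments" are constructed minimal headers, not real files.

```python
import struct

# Key that opens a "placeable" (Aldus-header) WMF; stored little-endian on disk.
PLACEABLE_KEY = 0x9AC6CDD7


def sniff_image_type(data: bytes) -> str:
    """Classify an image by its leading bytes, ignoring the file name entirely."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 18:
        # Standard META_HEADER: Type (1 memory / 2 disk), HeaderSize 9 words, Version 0x100/0x300.
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


CLAIMED = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "wmf": "wmf"}


def extension_mismatch(filename: str, data: bytes):
    """Return (actual_type, mismatch); mismatch is True when the extension lies."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_image_type(data)
    return actual, CLAIMED.get(ext, "unknown") != actual


def _wmf_sample(placeable: bool) -> bytes:
    """Constructed minimal WMF header (no records) used only to exercise the sniffer."""
    meta = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)  # 18-byte META_HEADER
    if placeable:  # 22-byte placeable header: key, hWmf, bbox (4), inch, reserved, checksum
        meta = struct.pack("<IhhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + meta
    return meta


# Constructed samples: two genuine images and two WMFs renamed to .jpg / .gif.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "banner.gif": b"GIF89a" + b"\x00" * 16,
    "photo2.jpg": _wmf_sample(placeable=True),
    "banner2.gif": _wmf_sample(placeable=False),
}


def scan(samples=SAMPLES):
    """Map each file name to (content type, extension mismatch) so WMFs are caught whatever they are called."""
    return {name: extension_mismatch(name, data) for name, data in samples.items()}
```

A mail or proxy filter built on this logic blocks by what the parser will actually see, which is the gap Scott describes with extension-only blocking.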




Message scanned by TrendMicro