RE: [H] Windows vulnerability?

2006-01-03 Thread Bill


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Veech
> Sent: Monday, January 02, 2006 10:20 PM
> To: The Hardware List
> Subject: [H] Windows vulnerability?
> 
> 
> Guys, what's your opinion of this?
> 
> http://www.grc.com/sn/notes-020.htm
> 
> Sounds troubling..


To quote the SANS article, "The Microsoft WMF vulnerability is bad.  It is very,
very bad."
http://isc.sans.org/diary.php?rss&storyid=996

This link defines the problem pretty well. I'll let the article speak for
itself.
http://antivirus.about.com/od/virusdescriptions/a/wmfexploit_4.htm

Any app that displays a WMF (Windows Metafile) can cause a user's system to
become infected.
But again, AFAIK this is another example of "social engineering" to the extent
that a user must interact or click on a URL that contains infected content. But
I don't know if this is 100% correct. There may be other scenarios where a
system can become infected.

It's a Windows vulnerability and not a browser issue. No difference if one is
using IE or Firefox. You don't have to specifically be using Windows Picture and
Fax Viewer. If the image is infected it can allegedly install trojans, spyware,
toolbars and lots of other nasty stuff. All this occurs on a fully patched
Windows system.

There is currently no Windows patch for this and one may not be available until
perhaps next week.
AV protection is also a rather dicey affair.
http://www.eweek.com/article2/0,1895,1907102,00.asp

Thus as of this writing there are only 2 solutions. I believe SANS recommends
BOTH as they are the only solutions currently available.
Unregister the affected .dll. You know the drill:
Start/Run
regsvr32 -u %windir%\system32\shimgvw.dll

There is an unofficial patch for the vulnerability.
You can snag it directly from here:
http://www.hexblog.com/security/files/wmffix_hexblog13.exe

It can be uninstalled when the MS patch becomes available.
Bill




Re: [H] Windows vulnerability?

2006-01-03 Thread warpmedia

This guy must be getting flooded, site is not coming up.


Bill wrote:


There is an unofficial patch for the vulnerability.
You can snag it directly from here:
http://www.hexblog.com/security/files/wmffix_hexblog13.exe


Re: [H] Windows vulnerability?

2006-01-03 Thread warpmedia

http://handlers.sans.org/tliston/wmffix_hexblog13.exe


warpmedia wrote:

This guy must be getting flooded, site is not coming up.


Bill wrote:



There is an unofficial patch for the vulnerability.
You can snag it directly from here:
http://www.hexblog.com/security/files/wmffix_hexblog13.exe





RE: [H] Windows vulnerability?

2006-01-03 Thread Bill


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Turnbull
> Sent: Tuesday, January 03, 2006 2:12 PM
> To: hardware@hardwaregroup.com
> Subject: [H] Windows vulnerability?
> 
>  From ZDNet: 
> 
> Microsoft's official workaround to unregister a certain DLL file using the
> command of "regsvr32 /u shimgvw.dll" at the Start-Run prompt seems to also
> be very effective.  Unfortunately, it kills the ability for Windows
> Explorer to display thumbnail images but I'm afraid we'll have to live
> without it until an official patch from Microsoft comes out (hopefully next
> month's patch cycle).  There are new reports that there are certain cases
> where this fix doesn't work.  MSPaint and Lotus Notes can still be
> exploited even with this DLL unregistered.  I think we haven't heard the
> end of this one yet and there may be many more applications vulnerable to
> this exploit but the combination of hardware-enforced DEP and unregistering
> the shimgvw.dll file seems to be very effective for now.
> 
> 
> Best to all.
> 
> Robert Turnbull, Toronto, Canada

Good point, however unregistering shimgvw.dll ALONE is currently viewed as
insufficient.
There is speculation that the exploit might perhaps have the ability to
re-register the DLL leaving one vulnerable once again.

Bill
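
Added example, not part of the thread: a read-only PowerShell check for whether the "regsvr32 /u shimgvw.dll" workaround discussed above is still in effect, which matters given the concern that the DLL could be re-registered. It assumes PowerShell 3.0 or later and that unregistering removes the InprocServer32 entries naming the DLL; the function name Get-ShimgvwRegistration is hypothetical.

```powershell
# Added example (not from the thread): list COM registrations that still
# point at shimgvw.dll. Read-only; nothing is registered or unregistered.
# Assumption: "regsvr32 /u shimgvw.dll" removes the InprocServer32 entries
# that name the DLL, so any hit means the workaround is not in effect.

function Get-ShimgvwRegistration {
    param(
        # HKCR\CLSID is where in-process COM servers are registered.
        # On 64-bit Windows the 32-bit view lives under
        # HKEY_CLASSES_ROOT\Wow6432Node\CLSID and can be passed here instead.
        [string]$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID',
        [string]$DllName   = 'shimgvw.dll'
    )

    Get-ChildItem -Path $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path -LiteralPath $inproc) {
            # The unnamed (default) value holds the path of the server DLL.
            $server = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($server -and ($server -like "*$DllName*")) {
                [pscustomobject]@{
                    Clsid  = $_.PSChildName
                    Server = $server
                }
            }
        }
    }
}

$hits = @(Get-ShimgvwRegistration)
if ($hits.Count -eq 0) {
    Write-Output 'shimgvw.dll: no COM registrations found (workaround in effect)'
} else {
    Write-Output 'shimgvw.dll: REGISTERED (workaround not in effect)'
    $hits | ForEach-Object { "  $($_.Clsid)  $($_.Server)" }
}
```

Running it on a schedule and alerting when the result changes from "no registrations" to "REGISTERED" turns the one-off workaround into something that can be monitored.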






RE: [H] Windows vulnerability?

2006-01-03 Thread dhs
I've been following this thread closely.
I have done the regsvr32 command on all my pc's so far.
Is this command also safe for a server w/Win2K Server?
Thanks,
Duncan


On Tue, 03 Jan 2006 17:37 , Bill <[EMAIL PROTECTED]> sent:

>
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Robert Turnbull
>> Sent: Tuesday, January 03, 2006 2:12 PM
>> To: hardware@hardwaregroup.com
>> Subject: [H] Windows vulnerability?
>> 
>>  From ZDNet: <http://blogs.zdnet.com/Ou/index.php?p=143&tag=nl.e589>
>> 
>> Microsoft's official workaround to unregister a certain DLL file using the
>> command of "regsvr32 /u shimgvw.dll" at the Start-Run prompt seems to also
>> be very effective.  Unfortunately, it kills the ability for Windows
>> Explorer to display thumbnail images but I'm afraid we'll have to live
>> without it until an official patch from Microsoft comes out (hopefully next
>> month's patch cycle).  There are new reports that there are certain cases
>> where this fix doesn't work.  MSPaint and Lotus Notes can still be
>> exploited even with this DLL unregistered.  I think we haven't heard the
>> end of this one yet and there may be many more applications vulnerable to
>> this exploit but the combination of hardware-enforced DEP and unregistering
>> the shimgvw.dll file seems to be very effective for now.
>> 
>> 
>> Best to all.
>> 
>> Robert Turnbull, Toronto, Canada
>
>Good point, however unregistering shimgvw.dll ALONE is currently viewed as
>insufficient.
>There is speculation that the exploit might perhaps have the ability to
>re-register the DLL leaving one vulnerable once again.
>
>Bill
>
>
>
>








Re: [H] Windows vulnerability?

2006-01-03 Thread CW
In a strange way, a feather in AMD's cap, as so far the tests show that 
hardware DEP (in the Athlon64) pretty much kills the loop.

-Original message-
From: Robert Turnbull [EMAIL PROTECTED]
Date: Tue, 03 Jan 2006 16:12:31 -0600
To: hardware@hardwaregroup.com
Subject: [H] Windows vulnerability?

>  From ZDNet: 
> 
> Microsoft's official workaround to unregister a certain DLL file using the 
> command of "regsvr32 /u shimgvw.dll" at the Start-Run prompt seems to also 
> be very effective.  Unfortunately, it kills the ability for Windows 
> Explorer to display thumbnail images but I'm afraid we'll have to live 
> without it until an official patch from Microsoft comes out (hopefully next 
> month's patch cycle).  There are new reports that there are certain cases 
> where this fix doesn't work.  MSPaint and Lotus Notes can still be 
> exploited even with this DLL unregistered.  I think we haven't heard the 
> end of this one yet and there may be many more applications vulnerable to 
> this exploit but the combination of hardware-enforced DEP and unregistering 
> the shimgvw.dll file seems to be very effective for now.
> 
> 
> Best to all.
> 
> Robert Turnbull, Toronto, Canada
> 



RE: [H] Windows vulnerability?

2006-01-03 Thread Bill


> -Original Message-
> From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of dhs
> Sent: Tuesday, January 03, 2006 5:57 PM
> To: The Hardware List
> Subject: RE: [H] Windows vulnerability?
> 
> I've been following this thread closely.
> I have done the regsvr32 command on all my pc's so far.
> Is this command also safe for a server w/Win2K Server?
> Thanks,
> Duncan

Should be..

http://www.frsirt.com/english/advisories/2005/3086

Bill



RE: [H] Windows vulnerability?

2006-01-03 Thread Chris Reeves
Microsoft's opinion on this to beta testers and onecare users:

January 3, 2006 Advisory: How to know if you are protected from the WMF
vulnerability
A security vulnerability in Windows could allow malicious software to infect
your computer when opening an infected graphic or a malicious Web site.
Microsoft is working on a patch, but Windows OneCare is protecting you now
from known viruses using this flaw. As long as your Windows OneCare status
remains "green" or "yellow" while you're connected to the Internet, Windows
OneCare is protecting you. If your status is "red" (at risk), please either
take the requested action or go to the Help Center.

To find out more about this vulnerability, please see
http://www.windowsonecare.com/secinfo/wmf1228.aspx.










RE: [H] Windows vulnerability?

2006-01-04 Thread Bobby Heid
I saw something yesterday, that, IIRC, MS has a patch that they expect to
release on the 19th.

Bobby



RE: [H] Windows vulnerability?

2006-01-04 Thread Bobby Heid
Update.  It appears the date is Jan 10, not Jan 19.

I just found this:
http://www.tgdaily.com/2006/01/03/microsoft_windows_fix/ 
which links to the original here:
http://www.cbc.ca/cp/business/060103/b010372.html

Bobby

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bobby Heid
Sent: Wednesday, January 04, 2006 7:08 AM
To: 'The Hardware List'
Subject: RE: [H] Windows vulnerability?


I saw something yesterday, that, IIRC, MS has a patch that they expect to
release on the 19th.

Bobby



RE: [H] Windows vulnerability?

2006-01-04 Thread FORC5
tried this windowsonecare on one of my test boxes, looks good but not ready for 
prime time. Would lock up and not run. ( the program, not the puter )
wish it was a download so I could try it again after uninstall or on another 
test box without the mother may I routine, but I will anyway for grins. <:-|
I uninstalled Norton Corp b4 but I wonder if that had some effect on this. MS 
should concentrate on keeping windows stable and cheap and stay out of the rest 
of it IMO

Would be nice for customer boxes if it works out.
fp

At 08:15 PM 1/3/2006, Chris Reeves Poked the stick with:

>Microsoft's opinion on this to beta testers and onecare users:
>
>January 3, 2006 Advisory: How to know if you are protected from the WMF
>vulnerability
>A security vulnerability in Windows could allow malicious software to infect
>your computer when opening an infected graphic or a malicious Web site.
>Microsoft is working on a patch, but Windows OneCare is protecting you now
>from known viruses using this flaw. As long as your Windows OneCare status
>remains "green" or "yellow" while you're connected to the Internet, Windows
>OneCare is protecting you. If your status is "red" (at risk), please either
>take the requested action or go to the Help Center.
>
>To find out more about this vulnerability, please see
>http://www.windowsonecare.com/secinfo/wmf1228.aspx.
>

-- 
Tallyho ! ]:8)
Taglines below !
--
Nothing succeeds like failure.



RE: [H] Windows vulnerability?

2006-01-04 Thread Thane Sherrington (S)

At 11:47 AM 04/01/2006, FORC5 wrote:
tried this windowsonecare on one of my test boxes, looks good but not 
ready for prime time. Would lock up and not run. ( the program, not the puter )
wish it was a download so I could try it again after uninstall or on 
another test box without the mother may I routine, but I will anyway for 
grins. <:-|
I uninstalled Norton Corp b4 but I wonder if that had some effect on this. 
MS should concentrate on keeping windows stable and cheap and stay out of 
the rest of it IMO


From what I've read, NOD32 and Kaspersky are keeping up with the exploits, 
so MS' attempt to "solve" their vulnerabilities by adding a new product 
seems a waste of time.


T 



RE: [H] Windows vulnerability?

2006-01-05 Thread Mark Dodge
I'm testing this and it seems that if you let it do its thing for a while
after the first boot it will not lock up. I tried twice to use the computer
after the reboot and got the One call lock up. The third time I just let it
do its thing, just left the computer for an hour or so and everything is
fine now. They are working on the background stuff at the first boot, right
now its priority is a little haywire, grabs too much CPU time at first. 


Mark Dodge
MD Computers
360-772-2433 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FORC5
Sent: Wednesday, January 04, 2006 7:48 AM
To: The Hardware List
Subject: RE: [H] Windows vulnerability?

tried this windowsonecare on one of my test boxes, looks good but not ready
for prime time. Would lock up and not run. ( the program, not the puter )
wish it was a download so I could try it again after uninstall or on another
test box without the mother may I routine, but I will anyway for grins. <:-|
I uninstalled Norton Corp b4 but I wonder if that had some effect on this.
MS should concentrate on keeping windows stable and cheap and stay out of
the rest of it IMO

Would be nice for customer boxes if it works out.
fp

At 08:15 PM 1/3/2006, Chris Reeves Poked the stick with:

>Microsoft's opinion on this to beta testers and onecare users:
>
>January 3, 2006 Advisory: How to know if you are protected from the WMF 
>vulnerability A security vulnerability in Windows could allow malicious 
>software to infect your computer when opening an infected graphic or a 
>malicious Web site.
>Microsoft is working on a patch, but Windows OneCare is protecting you 
>now from known viruses using this flaw. As long as your Windows OneCare 
>status remains "green" or "yellow" while you're connected to the 
>Internet, Windows OneCare is protecting you. If your status is "red" 
>(at risk), please either take the requested action or go to the Help Center.
>
>To find out more about this vulnerability, please see 
>http://www.windowsonecare.com/secinfo/wmf1228.aspx.
>

--
Tallyho ! ]:8)
Taglines below !
--
Nothing succeeds like failure.



RE: [H] Windows vulnerability?

2006-01-05 Thread FORC5
try it again but I did install it twice. Shouldn't do that.

wonder what paid subscription cost 
fred

At 06:17 AM 1/5/2006, Mark Dodge Poked the stick with:
>I'm testing this and it seems that if you let it do its thing for a while
>after the first boot it will not lock up. I tried twice to use the computer
>after the reboot and got the One call lock up. The third time I just let it
>do its thing, just left the computer for an hour or so and everything is
>fine now. They are working on the background stuff at the first boot, right
>now its priority is a little haywire, grabs too much CPU time at first. 
>
>
>Mark Dodge

-- 
Tallyho ! ]:8)
Taglines below !
--
Every absurdity has a champion to defend it.



RE: [H] Windows vulnerability?

2006-01-05 Thread Neil Atwood
MS have decided to release the WMF patch early:

<http://www.microsoft.com/downloads/details.aspx?FamilyID=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en>

Regards


Neil Atwood - Sydney, Australia

http://westserve.org/ - Blog, Christianity and Tech Stuff.
http://ministrygrounds.net - A blog about selecting, roasting and drinking fine 
coffee







Re: [H] Windows vulnerability?

2006-01-05 Thread jeff.lane

Thanks, Neil.

Jeff

- Original Message - 
From: "Neil Atwood" <[EMAIL PROTECTED]>

To: "'The Hardware List'" 
Sent: Thursday, January 05, 2006 12:43 PM
Subject: RE: [H] Windows vulnerability?



MS have decided to release the WMF patch early:

<http://www.microsoft.com/downloads/details.aspx?FamilyID=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en>

Regards


Neil Atwood - Sydney, Australia

http://westserve.org/ - Blog, Christianity and Tech Stuff.
http://ministrygrounds.net - A blog about selecting, roasting and drinking 
fine coffee



