RE: New IE zero day exploit in the wild

2009-07-12 Thread David Florea
Piled Higher and Deeper.

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Sent: Friday, July 10, 2009 9:22 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Exactly!  I don't know what happens when they give out the PhD's but a
good 85% of them seem to lose touch with reality.

On Fri, Jul 10, 2009 at 11:56 AM, Ziots, Edward  wrote:

PHD=Pretty High Degree= Lack of Common Sense=Can be wrong more than it likes
to admit.

Z

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505

From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Sent: Friday, July 10, 2009 11:40 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

I've worked in EDU quite a bit, but never for an MD or a lawyer.  But from
what I've heard, I'd probably have to agree.  The PhD's are above..but not
too far above, the Lawyer, and below the doctor.  Mostly because the PhD
starts his/her research one year on $5 million equipment, and wants to make
that equipment last for the next 15 years...which means you end up trying to
support old equipment!  Not to mention, the PhD also doesn't like being
told he's wrong.  He does, after all, have a PhD and that makes him smarter
than you in all facets of life.

On Fri, Jul 10, 2009 at 11:18 AM, Ziots, Edward  wrote:

Below Dr and Above Lawyers, because you can't go lower than the bottom (
Lawyers) 

Z

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505

From: Devin Meade [mailto:devin.me...@gmail.com] 
Sent: Thursday, July 09, 2009 5:09 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Where do you rate Grad School Professors?  Below or above Dr's and/or
Lawyers (grin)?

On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:

Yeah, well...

In the medical field, right after doctors, I'd put CCU nurses. Heh.

Kurt


On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> who used to work in CCU.
>
>> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> Subject: Re: New IE zero day exploit in the wild
>> From: kurt.b...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> Since I don't work with doctors in my capacity of IT geek, I don't
>> know for sure. However, I was married to a critical care nurse for 7
>> years, and I'll put my money on the doctors.
>>
>> Heh.
>>

>> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> > A third of my users are doctors.  I wonder which group is harder to work
>> > with: engineers or doctors?
>> >

>> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Truth. However, there are also political and training issues.
>> >>
>> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> our standard apps work under non-admin accounts. This will take
>> >> time and resources to figure out, and then further time and resources
>> >> to figure out how to "productionise" the application of these settings
>> >> and apply them across the domain, including two offices overseas.
>> >>
>> >> 2) A large portion of our users are engineers who have a rabid
>> >> aversion to the idea that they can't be admins on their own boxes. I'm
>> >> in the (multi-year!) process of simply trying to convince engineering
>> >> managers that none of the staff need two NICs in their boxes - one for
>> >> the production LAN and one for the test/dev LAN.
>> >>
>> >> 3) The overseas offices are also politically resistant to this idea.
>> >>
>> >> While I agree that the load would be lessened, and we'd have a much
>> >> better managed and more secure environment, this is not a trivial
>> >> effort, and at times I despair. But, I persist, and have it as a goal
>> >> to work toward this fiscal year.
>> >>
>> >> The first step is to get signoff by company management, in the form of
>> >> an actual policy - something of which there are no good examples.
>> >> There are practices and recommendations regarding IT, but very little
>> >> in the way of a real IT policy that has been agreed 

Re: New IE zero day exploit in the wild

2009-07-10 Thread Jon Harris
"Lose touch" or forget about reality?  Some of the ones I work with don't
but some I don't think ever were based in this reality in the first place.

Jon

On Fri, Jul 10, 2009 at 12:21 PM, Rob Bonfiglio wrote:

> Exactly!  I don't know what happens when they give out the PhD's but a
> good 85% of them seem to lose touch with reality.
>
>
> On Fri, Jul 10, 2009 at 11:56 AM, Ziots, Edward wrote:
>
>>  PHD=Pretty High Degree= Lack of Common Sense=Can be wrong more than it
>> likes to admit…
>>
>>
>>
>> Z
>>
>>
>>
>> Edward Ziots
>>
>> Network Engineer
>>
>> Lifespan Organization
>>
>> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>>
>> ezi...@lifespan.org
>>
>> Phone:401-639-3505
>>  --------------
>>
>> *From:* Rob Bonfiglio [mailto:robbonfig...@gmail.com]
>> *Sent:* Friday, July 10, 2009 11:40 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* Re: New IE zero day exploit in the wild
>>
>>
>>
>> I've worked in EDU quite a bit, but never for an MD or a lawyer.  But from
>> what I've heard, I'd probably have to agree.  The PhD's are above..but not
>> too far above, the Lawyer, and below the doctor.  Mostly because the PhD
>> starts his/her research one year on $5 million equipment, and wants to make
>> that equipment last for the next 15 years...which means you end up trying to
>> support old equipment!  Not to mention, the PhD also doesn't like being
>> told he's wrong.  He does, after all, have a PhD and that makes him smarter
>> than you in all facets of life.
>>
>> On Fri, Jul 10, 2009 at 11:18 AM, Ziots, Edward 
>> wrote:
>>
>> Below Dr and Above Lawyers, because you can’t go lower than the bottom (
>> Lawyers)
>>
>>
>>
>> Z
>>
>>
>>
>> Edward Ziots
>>
>> Network Engineer
>>
>> Lifespan Organization
>>
>> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>>
>> ezi...@lifespan.org
>>
>> Phone:401-639-3505
>>  --
>>
>> *From:* Devin Meade [mailto:devin.me...@gmail.com]
>> *Sent:* Thursday, July 09, 2009 5:09 PM
>>
>>
>> *To:* NT System Admin Issues
>> *Subject:* Re: New IE zero day exploit in the wild
>>
>>
>>
>> Where do you rate Grad School Professors?  Below or above Dr's and/or
>> Lawyers (grin)?
>>
>> On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:
>>
>> Yeah, well...
>>
>> In the medical field, right after doctors, I'd put CCU nurses. Heh.
>>
>> Kurt
>>
>>
>> On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
>> > Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
>> > who used to work in CCU.
>> >
>> >> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Since I don't work with doctors in my capacity of IT geek, I don't
>> >> know for sure. However, I was married to a critical care nurse for 7
>> >> years, and I'll put my money on the doctors.
>> >>
>> >> Heh.
>> >>
>>
>> >> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> >> > A third of my users are doctors.  I wonder which group is harder to work
>> >> > with: engineers or doctors?
>> >> >
>>
>> >> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> >> Subject: Re: New IE zero day exploit in the wild
>> >> >> From: kurt.b...@gmail.com
>> >> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >> >>
>> >> >> Truth. However, there are also political and training issues.
>> >> >>
>> >> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> >> our standard apps work under non-admin accounts. This will take
>> >> >> time and resources to figure out, and then further time and resources
>> >> >> to figure out how to "productionise" the application of these settings
>> >> >> and apply them across the domain, including two offices ov

Re: New IE zero day exploit in the wild

2009-07-10 Thread Rob Bonfiglio
Exactly!  I don't know what happens when they give out the PhD's but a
good 85% of them seem to lose touch with reality.

On Fri, Jul 10, 2009 at 11:56 AM, Ziots, Edward  wrote:

>  PHD=Pretty High Degree= Lack of Common Sense=Can be wrong more than it
> likes to admit…
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>  --
>
> *From:* Rob Bonfiglio [mailto:robbonfig...@gmail.com]
> *Sent:* Friday, July 10, 2009 11:40 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> I've worked in EDU quite a bit, but never for an MD or a lawyer.  But from
> what I've heard, I'd probably have to agree.  The PhD's are above..but not
> too far above, the Lawyer, and below the doctor.  Mostly because the PhD
> starts his/her research one year on $5 million equipment, and wants to make
> that equipment last for the next 15 years...which means you end up trying to
> support old equipment!  Not to mention, the PhD also doesn't like being
> told he's wrong.  He does, after all, have a PhD and that makes him smarter
> than you in all facets of life.
>
> On Fri, Jul 10, 2009 at 11:18 AM, Ziots, Edward 
> wrote:
>
> Below Dr and Above Lawyers, because you can’t go lower than the bottom (
> Lawyers)
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>  --
>
> *From:* Devin Meade [mailto:devin.me...@gmail.com]
> *Sent:* Thursday, July 09, 2009 5:09 PM
>
>
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> Where do you rate Grad School Professors?  Below or above Dr's and/or
> Lawyers (grin)?
>
> On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:
>
> Yeah, well...
>
> In the medical field, right after doctors, I'd put CCU nurses. Heh.
>
> Kurt
>
>
> On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> > Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> > who used to work in CCU.
> >
> >> Date: Thu, 9 Jul 2009 11:44:54 -0700
> >> Subject: Re: New IE zero day exploit in the wild
> >> From: kurt.b...@gmail.com
> >> To: ntsysadmin@lyris.sunbelt-software.com
> >>
> >> Since I don't work with doctors in my capacity of IT geek, I don't
> >> know for sure. However, I was married to a critical care nurse for 7
> >> years, and I'll put my money on the doctors.
> >>
> >> Heh.
> >>
>
> >> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
> >> > A third of my users are doctors.  I wonder which group is harder to work
> >> > with: engineers or doctors?
> >> >
>
> >> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
> >> >> Subject: Re: New IE zero day exploit in the wild
> >> >> From: kurt.b...@gmail.com
> >> >> To: ntsysadmin@lyris.sunbelt-software.com
> >> >>
> >> >> Truth. However, there are also political and training issues.
> >> >>
> >> >> 1) We haven't, as a company (nor within IT) figured out how to make
> >> >> our standard apps work under non-admin accounts. This will take
> >> >> time and resources to figure out, and then further time and resources
> >> >> to figure out how to "productionise" the application of these settings
> >> >> and apply them across the domain, including two offices overseas.
> >> >>
> >> >> 2) A large portion of our users are engineers who have a rabid
> >> >> aversion to the idea that they can't be admins on their own boxes. I'm
> >> >> in the (multi-year!) process of simply trying to convince engineering
> >> >> managers that none of the staff need two NICs in their boxes - one for
> >> >> the production LAN and one for the test/dev LAN.
> >> >>
> >> >> 3) The overseas offices are also politically resistant to this idea.
> >> >>
> >> >> While I agree that the load would be lessened, and we'd have a much
> >> >> better managed and more secure environment, this is not a t

RE: New IE zero day exploit in the wild

2009-07-10 Thread Ziots, Edward
PHD=Pretty High Degree= Lack of Common Sense=Can be wrong more than it
likes to admit...

Z

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Rob Bonfiglio [mailto:robbonfig...@gmail.com] 
Sent: Friday, July 10, 2009 11:40 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

I've worked in EDU quite a bit, but never for an MD or a lawyer.  But
from what I've heard, I'd probably have to agree.  The PhD's are
above..but not too far above, the Lawyer, and below the doctor.  Mostly
because the PhD starts his/her research one year on $5 million
equipment, and wants to make that equipment last for the next 15
years...which means you end up trying to support old equipment!
Not to mention, the PhD also doesn't like being told he's wrong.  He
does, after all, have a PhD and that makes him smarter than you in all
facets of life.

On Fri, Jul 10, 2009 at 11:18 AM, Ziots, Edward 
wrote:

Below Dr and Above Lawyers, because you can't go lower than the bottom (
Lawyers) 

Z

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Devin Meade [mailto:devin.me...@gmail.com] 
Sent: Thursday, July 09, 2009 5:09 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Where do you rate Grad School Professors?  Below or above Dr's and/or
Lawyers (grin)?

On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:

Yeah, well...

In the medical field, right after doctors, I'd put CCU nurses. Heh.

Kurt


On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> who used to work in CCU.
>
>> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> Subject: Re: New IE zero day exploit in the wild
>> From: kurt.b...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> Since I don't work with doctors in my capacity of IT geek, I don't
>> know for sure. However, I was married to a critical care nurse for 7
>> years, and I'll put my money on the doctors.
>>
>> Heh.
>>

>> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> > A third of my users are doctors.  I wonder which group is harder to work
>> > with: engineers or doctors?
>> >

>> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Truth. However, there are also political and training issues.
>> >>
>> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> our standard apps work under non-admin accounts. This will take
>> >> time and resources to figure out, and then further time and resources
>> >> to figure out how to "productionise" the application of these settings
>> >> and apply them across the domain, including two offices overseas.
>> >>
>> >> 2) A large portion of our users are engineers who have a rabid
>> >> aversion to the idea that they can't be admins on their own boxes. I'm
>> >> in the (multi-year!) process of simply trying to convince engineering
>> >> managers that none of the staff need two NICs in their boxes - one for
>> >> the production LAN and one for the test/dev LAN.
>> >>
>> >> 3) The overseas offices are also politically resistant to this idea.
>> >>
>> >> While I agree that the load would be lessened, and we'd have a much
>> >> better managed and more secure environment, this is not a trivial
>> >> effort, and at times I despair. But, I persist, and have it as a goal
>> >> to work toward this fiscal year.
>> >>
>> >> The first step is to get signoff by company management, in the form of
>> >> an actual policy - something of which there are no good examples.
>> >> There are practices and recommendations regarding IT, but very little
>> >> in the way of a real IT policy that has been agreed to by management.
>> >>
>> >> Kurt
>> >>
>> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
>> >> wrote:
>> >> > After taking local admin rights away from users my plate is less
>> >> > full.
>> >> > YMMV.
>> >> >
>> >>

Re: New IE zero day exploit in the wild

2009-07-10 Thread Rob Bonfiglio
I've worked in EDU quite a bit, but never for an MD or a lawyer.  But from
what I've heard, I'd probably have to agree.  The PhD's are above..but not
too far above, the Lawyer, and below the doctor.  Mostly because the PhD
starts his/her research one year on $5 million equipment, and wants to make
that equipment last for the next 15 years...which means you end up trying to
support old equipment!  Not to mention, the PhD also doesn't like being
told he's wrong.  He does, after all, have a PhD and that makes him smarter
than you in all facets of life.

On Fri, Jul 10, 2009 at 11:18 AM, Ziots, Edward  wrote:

>  Below Dr and Above Lawyers, because you can’t go lower than the bottom (
> Lawyers)
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>  --
>
> *From:* Devin Meade [mailto:devin.me...@gmail.com]
> *Sent:* Thursday, July 09, 2009 5:09 PM
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> Where do you rate Grad School Professors?  Below or above Dr's and/or
> Lawyers (grin)?
>
> On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:
>
> Yeah, well...
>
> In the medical field, right after doctors, I'd put CCU nurses. Heh.
>
> Kurt
>
>
> On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> > Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> > who used to work in CCU.
> >
> >> Date: Thu, 9 Jul 2009 11:44:54 -0700
> >> Subject: Re: New IE zero day exploit in the wild
> >> From: kurt.b...@gmail.com
> >> To: ntsysadmin@lyris.sunbelt-software.com
> >>
> >> Since I don't work with doctors in my capacity of IT geek, I don't
> >> know for sure. However, I was married to a critical care nurse for 7
> >> years, and I'll put my money on the doctors.
> >>
> >> Heh.
> >>
>
> >> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
> >> > A third of my users are doctors.  I wonder which group is harder to work
> >> > with: engineers or doctors?
> >> >
>
> >> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
> >> >> Subject: Re: New IE zero day exploit in the wild
> >> >> From: kurt.b...@gmail.com
> >> >> To: ntsysadmin@lyris.sunbelt-software.com
> >> >>
> >> >> Truth. However, there are also political and training issues.
> >> >>
> >> >> 1) We haven't, as a company (nor within IT) figured out how to make
> >> >> our standard apps work under non-admin accounts. This will take
> >> >> time and resources to figure out, and then further time and resources
> >> >> to figure out how to "productionise" the application of these settings
> >> >> and apply them across the domain, including two offices overseas.
> >> >>
> >> >> 2) A large portion of our users are engineers who have a rabid
> >> >> aversion to the idea that they can't be admins on their own boxes. I'm
> >> >> in the (multi-year!) process of simply trying to convince engineering
> >> >> managers that none of the staff need two NICs in their boxes - one for
> >> >> the production LAN and one for the test/dev LAN.
> >> >>
> >> >> 3) The overseas offices are also politically resistant to this idea.
> >> >>
> >> >> While I agree that the load would be lessened, and we'd have a much
> >> >> better managed and more secure environment, this is not a trivial
> >> >> effort, and at times I despair. But, I persist, and have it as a goal
> >> >> to work toward this fiscal year.
> >> >>
> >> >> The first step is to get signoff by company management, in the form of
> >> >> an actual policy - something of which there are no good examples.
> >> >> There are practices and recommendations regarding IT, but very little
> >> >> in the way of a real IT policy that has been agreed to by management.
> >> >>
> >> >> Kurt
> >> >>
> >> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
> >> >> wrote:
> >> >> > After taking local admin rights away from users my plate is less
> >> >> > full.

RE: New IE zero day exploit in the wild

2009-07-10 Thread Ziots, Edward
Below Dr and Above Lawyers, because you can't go lower than the bottom (
Lawyers) 

Z

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Devin Meade [mailto:devin.me...@gmail.com] 
Sent: Thursday, July 09, 2009 5:09 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Where do you rate Grad School Professors?  Below or above Dr's and/or
Lawyers (grin)?

On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:

Yeah, well...

In the medical field, right after doctors, I'd put CCU nurses. Heh.

Kurt


On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> who used to work in CCU.
>
>> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> Subject: Re: New IE zero day exploit in the wild
>> From: kurt.b...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> Since I don't work with doctors in my capacity of IT geek, I don't
>> know for sure. However, I was married to a critical care nurse for 7
>> years, and I'll put my money on the doctors.
>>
>> Heh.
>>

>> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> > A third of my users are doctors.  I wonder which group is harder to work
>> > with: engineers or doctors?
>> >

>> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Truth. However, there are also political and training issues.
>> >>
>> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> our standard apps work under non-admin accounts. This will take
>> >> time and resources to figure out, and then further time and resources
>> >> to figure out how to "productionise" the application of these settings
>> >> and apply them across the domain, including two offices overseas.
>> >>
>> >> 2) A large portion of our users are engineers who have a rabid
>> >> aversion to the idea that they can't be admins on their own boxes. I'm
>> >> in the (multi-year!) process of simply trying to convince engineering
>> >> managers that none of the staff need two NICs in their boxes - one for
>> >> the production LAN and one for the test/dev LAN.
>> >>
>> >> 3) The overseas offices are also politically resistant to this idea.
>> >>
>> >> While I agree that the load would be lessened, and we'd have a much
>> >> better managed and more secure environment, this is not a trivial
>> >> effort, and at times I despair. But, I persist, and have it as a goal
>> >> to work toward this fiscal year.
>> >>
>> >> The first step is to get signoff by company management, in the form of
>> >> an actual policy - something of which there are no good examples.
>> >> There are practices and recommendations regarding IT, but very little
>> >> in the way of a real IT policy that has been agreed to by management.
>> >>
>> >> Kurt
>> >>
>> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
>> >> wrote:
>> >> > After taking local admin rights away from users my plate is less
>> >> > full.
>> >> > YMMV.
>> >> >
>> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff 
>> >> > wrote:
>> >> >>
>> >> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> >> >> to my advantage when I can.
>> >> >>
>> >> >> The reason we've not done a GP is because we haven't had the luxury
>> >> >> of studying to understand them. Our plates always seem to be full with
>> >> >> other things.
>> >> >>
>> >> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer
>> >> >> wrote:
>> >> >> > Are all your users admins? Otherwise, how is that logon script
>> >> >> > going to update HKLM?
>> >> >> >
>> >> >> > Machine-based startup script would be better idea, no?
>> >> >> >
>> >> >> > Cheers
>> >>

RE: New IE zero day exploit in the wild

2009-07-09 Thread Steven M. Caesare
See also: Alec Baldwin in Malice.

-sc

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Thursday, July 09, 2009 3:52 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

+1 (Agreed)

When you tend to play GOD for a living, which basically Dr's do to a certain
extent (they have our lives in their capable hands) I guess it can come with
the territory. Not all of them are this way though.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, July 09, 2009 3:21 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

On Thu, Jul 9, 2009 at 8:04 AM, paul chinnery wrote:
> A third of my users are doctors.  I wonder which group is harder to work
> with: engineers or doctors?

  Doctors.  Engineers know they're being arrogant.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: New IE zero day exploit in the wild

2009-07-09 Thread Kurt Buff
No real experience, but you might glean some humor from this:

http://www.phdcomics.com/

On Thu, Jul 9, 2009 at 14:08, Devin Meade wrote:
> Where do you rate Grad School Professors?  Below or above Dr's and/or
> Lawyers (grin)?
>
> On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:
>>
>> Yeah, well...
>>
>> In the medical field, right after doctors, I'd put CCU nurses. Heh.
>>
>> Kurt
>>
>> On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
>> > Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
>> > who used to work in CCU.
>> >
>> >> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Since I don't work with doctors in my capacity of IT geek, I don't
>> >> know for sure. However, I was married to a critical care nurse for 7
>> >> years, and I'll put my money on the doctors.
>> >>
>> >> Heh.
>> >>
>> >> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> >> > A third of my users are doctors.  I wonder which group is harder to work
>> >> > with: engineers or doctors?
>> >> >
>> >> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> >> Subject: Re: New IE zero day exploit in the wild
>> >> >> From: kurt.b...@gmail.com
>> >> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >> >>
>> >> >> Truth. However, there are also political and training issues.
>> >> >>
>> >> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> >> our standard apps work under non-admin accounts. This will take
>> >> >> time and resources to figure out, and then further time and resources
>> >> >> to figure out how to "productionise" the application of these settings
>> >> >> and apply them across the domain, including two offices overseas.
>> >> >>
>> >> >> 2) A large portion of our users are engineers who have a rabid
>> >> >> aversion to the idea that they can't be admins on their own boxes. I'm
>> >> >> in the (multi-year!) process of simply trying to convince engineering
>> >> >> managers that none of the staff need two NICs in their boxes - one for
>> >> >> the production LAN and one for the test/dev LAN.
>> >> >>
>> >> >> 3) The overseas offices are also politically resistant to this idea.
>> >> >>
>> >> >> While I agree that the load would be lessened, and we'd have a much
>> >> >> better managed and more secure environment, this is not a trivial
>> >> >> effort, and at times I despair. But, I persist, and have it as a goal
>> >> >> to work toward this fiscal year.
>> >> >>
>> >> >> The first step is to get signoff by company management, in the form of
>> >> >> an actual policy - something of which there are no good examples.
>> >> >> There are practices and recommendations regarding IT, but very little
>> >> >> in the way of a real IT policy that has been agreed to by management.
>> >> >>
>> >> >> Kurt
>> >> >>
>> >> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
>> >> >> wrote:
>> >> >> > After taking local admin rights away from users my plate is less
>> >> >> > full.
>> >> >> > YMMV.
>> >> >> >
>> >> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff 
>> >> >> > wrote:
>> >> >> >>
>> >> >> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> >> >> >> to my advantage when I can.
>> >> >> >>
>> >> >> >> The reason we've not done a GP is because we haven't had the

Re: New IE zero day exploit in the wild

2009-07-09 Thread Devin Meade
Where do you rate Grad School Professors?  Below or above Dr's and/or
Lawyers (grin)?

On Thu, Jul 9, 2009 at 4:06 PM, Kurt Buff  wrote:

> Yeah, well...
>
> In the medical field, right after doctors, I'd put CCU nurses. Heh.
>
> Kurt
>
> On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> > Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> > who used to work in CCU.
> >
> >> Date: Thu, 9 Jul 2009 11:44:54 -0700
> >> Subject: Re: New IE zero day exploit in the wild
> >> From: kurt.b...@gmail.com
> >> To: ntsysadmin@lyris.sunbelt-software.com
> >>
> >> Since I don't work with doctors in my capacity of IT geek, I don't
> >> know for sure. However, I was married to a critical care nurse for 7
> >> years, and I'll put my money on the doctors.
> >>
> >> Heh.
> >>
> >> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
> >> > A third of my users are doctors.  I wonder which group is harder to work
> >> > with: engineers or doctors?
> >> >
> >> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
> >> >> Subject: Re: New IE zero day exploit in the wild
> >> >> From: kurt.b...@gmail.com
> >> >> To: ntsysadmin@lyris.sunbelt-software.com
> >> >>
> >> >> Truth. However, there are also political and training issues.
> >> >>
> >> >> 1) We haven't, as a company (nor within IT) figured out how to make
> >> >> our standard apps work under non-admin accounts. This will take
> >> >> time and resources to figure out, and then further time and resources
> >> >> to figure out how to "productionise" the application of these settings
> >> >> and apply them across the domain, including two offices overseas.
> >> >>
> >> >> 2) A large portion of our users are engineers who have a rabid
> >> >> aversion to the idea that they can't be admins on their own boxes. I'm
> >> >> in the (multi-year!) process of simply trying to convince engineering
> >> >> managers that none of the staff need two NICs in their boxes - one for
> >> >> the production LAN and one for the test/dev LAN.
> >> >>
> >> >> 3) The overseas offices are also politically resistant to this idea.
> >> >>
> >> >> While I agree that the load would be lessened, and we'd have a much
> >> >> better managed and more secure environment, this is not a trivial
> >> >> effort, and at times I despair. But, I persist, and have it as a goal
> >> >> to work toward this fiscal year.
> >> >>
> >> >> The first step is to get signoff by company management, in the form
> of
> >> >> an actual policy - something of which there are no good examples.
> >> >> There are practices and recommendations regarding IT, but very little
> >> >> in the way of a real IT policy that has been agreed to by management.
> >> >>
> >> >> Kurt
> >> >>
> >> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
> >> >> wrote:
> >> >> > After taking local admin rights away from users my plate is less
> >> >> > full.
> >> >> > YMMV.
> >> >> >
> >> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff 
> >> >> > wrote:
> >> >> >>
> >> >> >> Yes, unfortunately, all our users are admins. It sucks, but I use
> it
> >> >> >> to my advantage when I can.
> >> >> >>
> >> >> >> The reason we've not done a GP is because we haven't had the
> luxury
> >> >> >> of
> >> >> >> studying to understand them. Our plates always seem to be full
> with
> >> >> >> other things.
> >> >> >>
> >> >> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer
> >> >> >> wrote:
> >> >> >> > Are all your users admins? Otherwise, how is that logon script
> >> >> >> > going
> >> >> >> > to
> >> >> >> > update HKLM?
> >> >> >> >
> >> >> >> > Machine-based startup script would be a better idea, no?
> >> >> >> >
> >> >> >> > Cheers

Re: New IE zero day exploit in the wild

2009-07-09 Thread Kurt Buff
Yeah, well...

In the medical field, right after doctors, I'd put CCU nurses. Heh.

Kurt

On Thu, Jul 9, 2009 at 12:27, paul chinnery wrote:
> Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN
> who used to work in CCU.
>
>> Date: Thu, 9 Jul 2009 11:44:54 -0700
>> Subject: Re: New IE zero day exploit in the wild
>> From: kurt.b...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> Since I don't work with doctors in my capacity of IT geek, I don't
>> know for sure. However, I was married to a critical care nurse for 7
>> years, and I'll put my money on the doctors.
>>
>> Heh.
>>
>> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
>> > A third of my users are doctors.  I wonder which group is harder to work
>> > with: engineers or doctors?
>> >
>> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> >> Subject: Re: New IE zero day exploit in the wild
>> >> From: kurt.b...@gmail.com
>> >> To: ntsysadmin@lyris.sunbelt-software.com
>> >>
>> >> Truth. However, there are also political and training issues.
>> >>
>> >> 1) We haven't, as a company (nor within IT) figured out how to make
>> >> our standard apps work under non-admin accounts. This will take
>> >> time and resources to figure out, and then further time and resources
>> >> to figure out how to "productionise" the application of these settings
>> >> and apply them across the domain, including two offices overseas.
>> >>
>> >> 2) A large portion of our users are engineers who have a rabid
>> >> aversion to the idea that they can't be admins on their own boxes. I'm
>> >> in the (multi-year!) process of simply trying to convince engineering
>> >> managers that none of the staff need two NICs in their boxes - one for
>> >> the production LAN and one for the test/dev LAN.
>> >>
>> >> 3) The overseas offices are also politically resistant to this idea.
>> >>
>> >> While I agree that the load would be lessened, and we'd have a much
>> >> better managed and more secure environment, this is not a trivial
>> >> effort, and at times I despair. But, I persist, and have it as a goal
>> >> to work toward this fiscal year.
>> >>
>> >> The first step is to get signoff by company management, in the form of
>> >> an actual policy - something of which there are no good examples.
>> >> There are practices and recommendations regarding IT, but very little
>> >> in the way of a real IT policy that has been agreed to by management.
>> >>
>> >> Kurt
>> >>
>> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
>> >> wrote:
>> >> > After taking local admin rights away from users my plate is less
>> >> > full.
>> >> > YMMV.
>> >> >
>> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff 
>> >> > wrote:
>> >> >>
>> >> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> >> >> to my advantage when I can.
>> >> >>
>> >> >> The reason we've not done a GP is because we haven't had the luxury
>> >> >> of
>> >> >> studying to understand them. Our plates always seem to be full with
>> >> >> other things.
>> >> >>
>> >> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer
>> >> >> wrote:
>> >> >> > Are all your users admins? Otherwise, how is that logon script
>> >> >> > going
>> >> >> > to
>> >> >> > update HKLM?
>> >> >> >
>> >> >> > Machine-based startup script would be a better idea, no?
>> >> >> >
>> >> >> > Cheers
>> >> >> > Ken
>> >> >> >
>> >> >> > 
>> >> >> > From: Kurt Buff [kurt.b...@gmail.com]
>> >> >> > Sent: Wednesday, 8 July 2009 2:41 AM
>> >> >> > To: NT System Admin Issues
>> >> >> > Subject: Re: New IE zero day exploit in the wild
>> >> >> >
>> >> >> > I'm just pushing out the .reg file in the login script:
>> >> &g

RE: New IE zero day exploit in the wild

2009-07-09 Thread John Aldrich
Well, my doctor doesn't have an IT guy on staff (he works in a group
practice) and he doesn't know squat about computers and freely admits it.
:-) I've offered to help him out a time or two, but so far, no nibbles... I
think maybe he's afraid of my fees. ;-)




-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, July 09, 2009 3:21 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

On Thu, Jul 9, 2009 at 8:04 AM, paul chinnery wrote:
> A third of my users are doctors.  I wonder which group is harder to work
> with: engineers or doctors?

  Doctors.  Engineers know they're being arrogant.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~






RE: New IE zero day exploit in the wild

2009-07-09 Thread Ziots, Edward
+1 (Agreed)

When you tend to play GOD for a living, which basically Drs do to a certain
extent (they have our lives in their capable hands), I guess it can come with
the territory. Not all of them are this way though.

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Thursday, July 09, 2009 3:21 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

On Thu, Jul 9, 2009 at 8:04 AM, paul chinnery wrote:
> A third of my users are doctors.  I wonder which group is harder to work
> with: engineers or doctors?

  Doctors.  Engineers know they're being arrogant.

-- Ben






RE: New IE zero day exploit in the wild

2009-07-09 Thread Ziots, Edward
I am beating my TAM and his MGR over the head right now, trying to find
out if the ActiveX 0-day is going to be included in next Tuesday's
patches; for his sake he better hope so, or there is going to be some
hate-mail coming his way.

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: paul chinnery [mailto:pdw1...@hotmail.com] 
Sent: Thursday, July 09, 2009 3:27 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

Thanks.  I am so forwarding this to our Clinical Analyst; she's a
licensed RN who used to work in CCU.

> Date: Thu, 9 Jul 2009 11:44:54 -0700
> Subject: Re: New IE zero day exploit in the wild
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> Since I don't work with doctors in my capacity of IT geek, I don't
> know for sure. However, I was married to a critical care nurse for 7
> years, and I'll put my money on the doctors.
> 
> Heh.
> 
> On Thu, Jul 9, 2009 at 05:04, paul chinnery
wrote:
> > A third of my users are doctors.  I wonder which group is harder to
work
> > with: engineers or doctors?
> >
> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
> >> Subject: Re: New IE zero day exploit in the wild
> >> From: kurt.b...@gmail.com
> >> To: ntsysadmin@lyris.sunbelt-software.com
> >>
> >> Truth. However, there are also political and training issues.
> >>
> >> 1) We haven't, as a company (nor within IT) figured out how to make
> >> our standard apps work under non-admin accounts. This will
take
> >> time and resources to figure out, and then further time and
resources
> >> to figure out how to "productionise" the application of these
settings
> >> and apply them across the domain, including two offices overseas.
> >>
> >> 2) A large portion of our users are engineers who have a rabid
> >> aversion to the idea that they can't be admins on their own boxes.
I'm
> >> in the (multi-year!) process of simply trying to convince
engineering
> >> managers that none of the staff need two NICs in their boxes - one
for
> >> the production LAN and one for the test/dev LAN.
> >>
> >> 3) The overseas offices are also politically resistant to this
idea.
> >>
> >> While I agree that the load would be lessened, and we'd have a much
> >> better managed and more secure environment, this is not a trivial
> >> effort, and at times I despair. But, I persist, and have it as a
goal
> >> to work toward this fiscal year.
> >>
> >> The first step is to get signoff by company management, in the form
of
> >> an actual policy - something of which there are no good examples.
> >> There are practices and recommendations regarding IT, but very
little
> >> in the way of a real IT policy that has been agreed to by
management.
> >>
> >> Kurt
> >>
> >> On Wed, Jul 8, 2009 at 07:52, Jonathan
Link
> >> wrote:
> >> > After taking local admin rights away from users my plate is less
full.
> >> > YMMV.
> >> >
> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff 
wrote:
> >> >>
> >> >> Yes, unfortunately, all our users are admins. It sucks, but I
use it
> >> >> to my advantage when I can.
> >> >>
> >> >> The reason we've not done a GP is because we haven't had the
luxury of
> >> >> studying to understand them. Our plates always seem to be full
with
> >> >> other things.
> >> >>
> >> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer
wrote:
> >> >> > Are all your users admins? Otherwise, how is that logon script
going
> >> >> > to
> >> >> > update HKLM?
> >> >> >
> >> >> > Machine-based startup script would be a better idea, no?
> >> >> >
> >> >> > Cheers
> >> >> > Ken
> >> >> >
> >> >> > 
> >> >> > From: Kurt Buff [kurt.b...@gmail.com]
> >> >> > Sent: Wednesday, 8 July 2009 2:41 AM
> >> >> > To: NT System Admin Issues
> >> >> > Subject: Re: New IE zero day exploit in the wild
> >> >> >
> >> >> > I'm just pushing out the .reg file in the login script:
> >> >> >
> >> >> > regedit /s \\fileser

Re: New IE zero day exploit in the wild

2009-07-09 Thread Jonathan Link
They would call it precise.

On Thu, Jul 9, 2009 at 3:21 PM, Ben Scott  wrote:

> On Thu, Jul 9, 2009 at 8:04 AM, paul chinnery wrote:
> > A third of my users are doctors.  I wonder which group is harder to work
> > with: engineers or doctors?
>
>  Doctors.  Engineers know they're being arrogant.
>
> -- Ben
>
>
>


RE: New IE zero day exploit in the wild

2009-07-09 Thread paul chinnery

Thanks.  I am so forwarding this to our Clinical Analyst; she's a licensed RN 
who used to work in CCU.

> Date: Thu, 9 Jul 2009 11:44:54 -0700
> Subject: Re: New IE zero day exploit in the wild
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> Since I don't work with doctors in my capacity of IT geek, I don't
> know for sure. However, I was married to a critical care nurse for 7
> years, and I'll put my money on the doctors.
> 
> Heh.
> 
> On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
> > A third of my users are doctors.  I wonder which group is harder to work
> > with: engineers or doctors?
> >
> >> Date: Wed, 8 Jul 2009 11:51:09 -0700
> >> Subject: Re: New IE zero day exploit in the wild
> >> From: kurt.b...@gmail.com
> >> To: ntsysadmin@lyris.sunbelt-software.com
> >>
> >> Truth. However, there are also political and training issues.
> >>
> >> 1) We haven't, as a company (nor within IT) figured out how to make
> >> our standard apps work under non-admin accounts. This will take
> >> time and resources to figure out, and then further time and resources
> >> to figure out how to "productionise" the application of these settings
> >> and apply them across the domain, including two offices overseas.
> >>
> >> 2) A large portion of our users are engineers who have a rabid
> >> aversion to the idea that they can't be admins on their own boxes. I'm
> >> in the (multi-year!) process of simply trying to convince engineering
> >> managers that none of the staff need two NICs in their boxes - one for
> >> the production LAN and one for the test/dev LAN.
> >>
> >> 3) The overseas offices are also politically resistant to this idea.
> >>
> >> While I agree that the load would be lessened, and we'd have a much
> >> better managed and more secure environment, this is not a trivial
> >> effort, and at times I despair. But, I persist, and have it as a goal
> >> to work toward this fiscal year.
> >>
> >> The first step is to get signoff by company management, in the form of
> >> an actual policy - something of which there are no good examples.
> >> There are practices and recommendations regarding IT, but very little
> >> in the way of a real IT policy that has been agreed to by management.
> >>
> >> Kurt
> >>
> >> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
> >> wrote:
> >> > After taking local admin rights away from users my plate is less full.
> >> > YMMV.
> >> >
> >> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
> >> >>
> >> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> >> >> to my advantage when I can.
> >> >>
> >> >> The reason we've not done a GP is because we haven't had the luxury of
> >> >> studying to understand them. Our plates always seem to be full with
> >> >> other things.
> >> >>
> >> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> >> >> > Are all your users admins? Otherwise, how is that logon script going
> >> >> > to
> >> >> > update HKLM?
> >> >> >
> >> >> > Machine-based startup script would be a better idea, no?
> >> >> >
> >> >> > Cheers
> >> >> > Ken
> >> >> >
> >> >> > 
> >> >> > From: Kurt Buff [kurt.b...@gmail.com]
> >> >> > Sent: Wednesday, 8 July 2009 2:41 AM
> >> >> > To: NT System Admin Issues
> >> >> > Subject: Re: New IE zero day exploit in the wild
> >> >> >
> >> >> > I'm just pushing out the .reg file in the login script:
> >> >> >
> >> >> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >> >> >
> >> >> > The file was easy to create, in a capable editor (not notepad or
> >> >> > wordpad) that allows metacharacter search and replace, such as '\n'
> >> >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> >> >> > PFE32. I really should switch to VIM, I suppose.
> >> >> >
> >> >> > On Tue, Jul 7, 2009 at 08:40, Eric
> >> >> > Witter

Re: New IE zero day exploit in the wild

2009-07-09 Thread Ben Scott
On Thu, Jul 9, 2009 at 8:04 AM, paul chinnery wrote:
> A third of my users are doctors.  I wonder which group is harder to work
> with: engineers or doctors?

  Doctors.  Engineers know they're being arrogant.

-- Ben




Re: New IE zero day exploit in the wild

2009-07-09 Thread Kurt Buff
Since I don't work with doctors in my capacity of IT geek, I don't
know for sure. However, I was married to a critical care nurse for 7
years, and I'll put my money on the doctors.

Heh.

On Thu, Jul 9, 2009 at 05:04, paul chinnery wrote:
> A third of my users are doctors.  I wonder which group is harder to work
> with: engineers or doctors?
>
>> Date: Wed, 8 Jul 2009 11:51:09 -0700
>> Subject: Re: New IE zero day exploit in the wild
>> From: kurt.b...@gmail.com
>> To: ntsysadmin@lyris.sunbelt-software.com
>>
>> Truth. However, there are also political and training issues.
>>
>> 1) We haven't, as a company (nor within IT) figured out how to make
>> our standard apps work under non-admin accounts. This will take
>> time and resources to figure out, and then further time and resources
>> to figure out how to "productionise" the application of these settings
>> and apply them across the domain, including two offices overseas.
>>
>> 2) A large portion of our users are engineers who have a rabid
>> aversion to the idea that they can't be admins on their own boxes. I'm
>> in the (multi-year!) process of simply trying to convince engineering
>> managers that none of the staff need two NICs in their boxes - one for
>> the production LAN and one for the test/dev LAN.
>>
>> 3) The overseas offices are also politically resistant to this idea.
>>
>> While I agree that the load would be lessened, and we'd have a much
>> better managed and more secure environment, this is not a trivial
>> effort, and at times I despair. But, I persist, and have it as a goal
>> to work toward this fiscal year.
>>
>> The first step is to get signoff by company management, in the form of
>> an actual policy - something of which there are no good examples.
>> There are practices and recommendations regarding IT, but very little
>> in the way of a real IT policy that has been agreed to by management.
>>
>> Kurt
>>
>> On Wed, Jul 8, 2009 at 07:52, Jonathan Link
>> wrote:
>> > After taking local admin rights away from users my plate is less full.
>> > YMMV.
>> >
>> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
>> >>
>> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> >> to my advantage when I can.
>> >>
>> >> The reason we've not done a GP is because we haven't had the luxury of
>> >> studying to understand them. Our plates always seem to be full with
>> >> other things.
>> >>
>> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
>> >> > Are all your users admins? Otherwise, how is that logon script going
>> >> > to
>> >> > update HKLM?
>> >> >
>> >> > Machine-based startup script would be a better idea, no?
>> >> >
>> >> > Cheers
>> >> > Ken
>> >> >
>> >> > 
>> >> > From: Kurt Buff [kurt.b...@gmail.com]
>> >> > Sent: Wednesday, 8 July 2009 2:41 AM
>> >> > To: NT System Admin Issues
>> >> > Subject: Re: New IE zero day exploit in the wild
>> >> >
>> >> > I'm just pushing out the .reg file in the login script:
>> >> >
>> >> >     regedit /s \\fileserver\public\patches\videokillbits.reg
>> >> >
>> >> > The file was easy to create, in a capable editor (not notepad or
>> >> > wordpad) that allows metacharacter search and replace, such as '\n'
>> >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
>> >> > PFE32. I really should switch to VIM, I suppose.
>> >> >
>> >> > On Tue, Jul 7, 2009 at 08:40, Eric
>> >> > Wittersheim wrote:
>> >> >> I'm pushing out the .reg via GP.  So far so good.
>> >> >>
>> >> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum 
>> >> >> wrote:
>> >> >>>
>> >> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
>> >> >>> pushing
>> >> >>> fine (so far just a few test cases have it, but no issues). Beats
>> >> >>> trying to
>> >> >>> push out a .REG or something…
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> David Lum // SYSTEMS ENGINEER
>> >> >>> NORTHWEST EVALUATION ASSOCIATION
>> >> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >> >>>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>
>
>
>
>




Re: New IE zero day exploit in the wild

2009-07-09 Thread James Kerr
Doctors are worse for sure. I used to admin at a civil engineering firm. I now 
mostly work with doctors, medical staff and a bunch of social workers. Social 
workers are the worst of the lot, I swear! ;-)

James
  - Original Message - 
  From: paul chinnery 
  To: NT System Admin Issues 
  Sent: Thursday, July 09, 2009 8:04 AM
  Subject: RE: New IE zero day exploit in the wild


  A third of my users are doctors.  I wonder which group is harder to work 
with: engineers or doctors?

  > Date: Wed, 8 Jul 2009 11:51:09 -0700
  > Subject: Re: New IE zero day exploit in the wild
  > From: kurt.b...@gmail.com
  > To: ntsysadmin@lyris.sunbelt-software.com
  > 
  > Truth. However, there are also political and training issues.
  > 
  > 1) We haven't, as a company (nor within IT) figured out how to make
  > our standard apps work under non-admin accounts. This will take
  > time and resources to figure out, and then further time and resources
  > to figure out how to "productionise" the application of these settings
  > and apply them across the domain, including two offices overseas.
  > 
  > 2) A large portion of our users are engineers who have a rabid
  > aversion to the idea that they can't be admins on their own boxes. I'm
  > in the (multi-year!) process of simply trying to convince engineering
  > managers that none of the staff need two NICs in their boxes - one for
  > the production LAN and one for the test/dev LAN.
  > 
  > 3) The overseas offices are also politically resistant to this idea.
  > 
  > While I agree that the load would be lessened, and we'd have a much
  > better managed and more secure environment, this is not a trivial
  > effort, and at times I despair. But, I persist, and have it as a goal
  > to work toward this fiscal year.
  > 
  > The first step is to get signoff by company management, in the form of
  > an actual policy - something of which there are no good examples.
  > There are practices and recommendations regarding IT, but very little
  > in the way of a real IT policy that has been agreed to by management.
  > 
  > Kurt
  > 
  > On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
  > > After taking local admin rights away from users my plate is less full.
  > > YMMV.
  > >
  > > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
  > >>
  > >> Yes, unfortunately, all our users are admins. It sucks, but I use it
  > >> to my advantage when I can.
  > >>
  > >> The reason we've not done a GP is because we haven't had the luxury of
  > >> studying to understand them. Our plates always seem to be full with
  > >> other things.
  > >>
  > >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
  > >> > Are all your users admins? Otherwise, how is that logon script going to
  > >> > update HKLM?
  > >> >
  > >> > Machine-based startup script would be a better idea, no?
  > >> >
  > >> > Cheers
  > >> > Ken
  > >> >
  > >> > 
  > >> > From: Kurt Buff [kurt.b...@gmail.com]
  > >> > Sent: Wednesday, 8 July 2009 2:41 AM
  > >> > To: NT System Admin Issues
  > >> > Subject: Re: New IE zero day exploit in the wild
  > >> >
  > >> > I'm just pushing out the .reg file in the login script:
  > >> >
  > >> > regedit /s \\fileserver\public\patches\videokillbits.reg
  > >> >
  > >> > The file was easy to create, in a capable editor (not notepad or
  > >> > wordpad) that allows metacharacter search and replace, such as '\n'
  > >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
  > >> > PFE32. I really should switch to VIM, I suppose.
  > >> >
  > >> > On Tue, Jul 7, 2009 at 08:40, Eric
  > >> > Wittersheim wrote:
  > >> >> I'm pushing out the .reg via GP.  So far so good.
  > >> >>
  > >> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
  > >> >>>
  > >> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
  > >> >>> pushing
  > >> >>> fine (so far just a few test cases have it, but no issues). Beats
  > >> >>> trying to
  > >> >>> push out a .REG or something…
  > >> >>>
  > >> >>>
  > >> >>>
  > >> >>> David Lum // SYSTEMS ENGINEER
  > >> >>> NORTHWEST EVALUATION ASSOCIATION
  > >>

RE: New IE zero day exploit in the wild

2009-07-09 Thread David Lum
I pushed the .MSI fix to 300 machines yesterday morning, no death screams yet. 
I have one person complaining about some unknown ActiveX process taking up 
CPU, but I haven't even determined if it started yesterday or has been ongoing.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
-Original Message-
From: Richard Stovall [mailto:richard.stov...@researchdata.com]
Sent: Thursday, July 09, 2009 8:11 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

I've deployed a startup script via Group Policy to a couple of machines in a 
test OU that successfully sets the killbit for all 45 CLSIDs relevant to this 
vulnerability.  I'm about ready to link it to our production OUs, but wanted to 
ask if anyone has experienced any negative consequences after doing so.

Thanks to everyone who chipped in about this issue.

RS





RE: New IE zero day exploit in the wild

2009-07-09 Thread Richard Stovall
I've deployed a startup script via Group Policy to a couple of machines in a 
test OU that successfully sets the killbit for all 45 CLSIDs relevant to this 
vulnerability.  I'm about ready to link it to our production OUs, but wanted to 
ask if anyone has experienced any negative consequences after doing so.

Thanks to everyone who chipped in about this issue.

RS

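The kill-bit deployment discussed in this thread (Kurt Buff's regedit /s of a .reg file from a logon script, Ken Schaefer's point that a logon script cannot write HKLM unless the user is a local admin, and the Group Policy startup script above that sets the kill bit for all 45 CLSIDs) written out as an added PowerShell machine startup script. This is example code, not any poster's script and not Microsoft's Fix-it: the two CLSIDs in it are placeholders to be replaced with the list from Microsoft's advisory, the key path and the 0x400 "Compatibility Flags" value are the documented ActiveX kill-bit mechanism, and writing the Wow6432Node copy is assumed to be needed only on 64-bit Windows, where 32-bit IE reads it.

```powershell
# Added example: set the ActiveX kill bit for a list of CLSIDs as a machine
# startup script (runs as SYSTEM, so it can write HKLM). Not from the thread.

# Placeholder CLSIDs: replace with the CLSIDs from Microsoft's advisory.
$Clsids = @(
    '{11111111-2222-3333-4444-555555555555}',
    '{66666666-7777-8888-9999-AAAAAAAAAAAA}'
)

# Documented kill-bit mechanism: a "Compatibility Flags" DWORD with bit 0x400
# set under the ActiveX Compatibility key. 32-bit IE on 64-bit Windows reads
# the Wow6432Node copy, so both are written when that hive exists.
$KillBit = 0x400
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Test-CanWriteHklm {
    # A logon script runs as the user; unless that user is a local admin the
    # HKLM writes below fail. A GP startup script runs as SYSTEM and passes.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = "$Base\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }
    # OR the bit in rather than overwriting, so any other flags survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($cur -bor $KillBit) -Type DWord
}

function Test-KillBit {
    param([string]$Base, [string]$Clsid)
    $v = (Get-ItemProperty -Path "$Base\$Clsid" -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -eq $KillBit)
}

if (-not (Test-CanWriteHklm)) {
    Write-Error 'No administrative rights: HKLM is read-only here. Deploy as a machine startup script, not a logon script.'
    exit 1
}

$failed = @()
foreach ($base in $Bases) {
    foreach ($clsid in $Clsids) {
        Set-KillBit -Base $base -Clsid $clsid
        if (-not (Test-KillBit -Base $base -Clsid $clsid)) { $failed += "$base\$clsid" }
    }
}

if ($failed.Count -gt 0) {
    Write-Error ("Kill bit not verified for:`n" + ($failed -join "`n"))
    exit 1
}
Write-Output ("Kill bit verified for {0} CLSID(s) in {1} location(s)." -f $Clsids.Count, $Bases.Count)
```

Link it under Computer Configuration > Windows Settings > Scripts (Startup) on a test OU first, as the post above does, and check the exit code or the registry on a test box before linking to production OUs. A .reg file pushed with regedit /s writes the same DWORD; the difference is only that this script refuses to run without rights to HKLM and verifies the bit after writing it, so a silent failure under a non-admin logon script shows up as an error instead of an unprotected machine.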

RE: New IE zero day exploit in the wild

2009-07-09 Thread David Lum
I work with one law firm, and they are generally receptive to adapting most 
best practices, and sometimes they pay the bill the same day I am there (once I 
got a check before they got the invoice... "hang on, let me send you the invoice 
for this check"!). It helps to have excellent working relationships. Then 
again 100% of my clients have been word of mouth and I only take on the ones 
that feel like a good fit (and that I feel I have time to adequately service).

It also doesn't hurt that the consultant I replaced (a few years ago) they 
felt like he was just creating work for himself to make some cash. Initially 
I was brought on to cover for times this guy was gone... oddly, after my 2nd 
onsite visit they booted the other guy. A few months ago I got what I 
considered the ultimate unsolicited compliment: "You have saved us so much 
money!".

I realize this firm may or may not be representative, but not a one of them 
would I consider the typical lawyer snake.

Dave

From: Jon Harris [mailto:jk.har...@gmail.com]
Sent: Thursday, July 09, 2009 5:16 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Depends on the engineering type.  I know Chemical and Nuclear understand rules 
and will work inside them with little fuss. Metallurgical seem to be willing if 
they can't find a loophole, but they look hard for loopholes to slip through. 
 Doctors and Chemists ignore rules for the most part until someone beats on them 
producing enough pain to get compliance.  All of that is from personal 
experience.  Doctors seem to be the worst at paying the bill, BTW.

I have been lucky enough to stay away from lawyers so I know nothing of their 
management.

Jon
On Thu, Jul 9, 2009 at 8:05 AM, paul chinnery wrote:


> Subject: RE: New IE zero day exploit in the wild
> Date: Wed, 8 Jul 2009 14:56:01 -0400
> From: don.gu...@prufoxroach.com

> To: ntsysadmin@lyris.sunbelt-software.com
>
> We're going through something similar right now. Although, not "everyone" is 
> a local admin, there are enough of them to cause additional workload on the 
> field techs.
>
> We also have a few thousand Sales Agents who are allowed to bring in their 
> home laptops and connect to the network.
>
> That's another battle altogether..
>
> Don Guyer
> Systems Engineer - Information Services
> Prudential, Fox & Roach/Trident Group
> 431 W. Lancaster Avenue
> Devon, PA 19333
> Direct: (610) 993-3299
> Fax: (610) 650-5306
> don.gu...@prufoxroach.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, July 08, 2009 2:51 PM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> Truth. However, there are also political and training issues.
>
> 1) We haven't, as a company (nor within IT) figured out how to make
> our standard apps work under non-admin accounts. This will take
> time and resources to figure out, and then further time and resources
> to figure out how to "productionise" the application of these settings
> and apply them across the domain, including two offices overseas.
>
> 2) A large portion of our users are engineers who have a rabid
> aversion to the idea that they can't be admins on their own boxes. I'm
> in the (multi-year!) process of simply trying to convince engineering
> managers that none of the staff need two NICs in their boxes - one for
> the production LAN and one for the test/dev LAN.
>
> 3) The overseas offices are also politically resistant to this idea.
>
> While I agree that the load would be lessened, and we'd have a much
> better managed and more secure environment, this is not a trivial
> effort, and at times I despair. But, I persist, and have it as a goal
> to work toward this fiscal year.
>
> The first step is to get signoff by company management, in the form of
> an actual policy - something of which there are no good examples.
> There are practices and recommendations regarding IT, but very little
> in the way of a real IT policy that has been agreed to by management.
>
> Kurt
>
> On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> > After taking local admin rights away from users my plate is less full.
> > YMMV.
> >
> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff wrote:
> >>
> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> >> to my advantage when I can.
> >>
> >&g

RE: New IE zero day exploit in the wild

2009-07-09 Thread Ziots, Edward
Doctors: Period, and this is coming from an Engineer. (Yes I have a BSME
from Penn State :-) )

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505

From: paul chinnery [mailto:pdw1...@hotmail.com] 
Sent: Thursday, July 09, 2009 8:05 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

A third of my users are doctors.  I wonder which group is harder to work
with: engineers or doctors?

> Date: Wed, 8 Jul 2009 11:51:09 -0700
> Subject: Re: New IE zero day exploit in the wild
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> Truth. However, there are also political and training issues.
> 
> 1) We haven't, as a company (nor within IT) figured out how to make
> our standard apps work under non-admin accounts. This will take
> time and resources to figure out, and then further time and resources
> to figure out how to "productionise" the application of these settings
> and apply them across the domain, including two offices overseas.
> 
> 2) A large portion of our users are engineers who have a rabid
> aversion to the idea that they can't be admins on their own boxes. I'm
> in the (multi-year!) process of simply trying to convince engineering
> managers that none of the staff need two NICs in their boxes - one for
> the production LAN and one for the test/dev LAN.
> 
> 3) The overseas offices are also politically resistant to this idea.
> 
> While I agree that the load would be lessened, and we'd have a much
> better managed and more secure environment, this is not a trivial
> effort, and at times I despair. But, I persist, and have it as a goal
> to work toward this fiscal year.
> 
> The first step is to get signoff by company management, in the form of
> an actual policy - something of which there are no good examples.
> There are practices and recommendations regarding IT, but very little
> in the way of a real IT policy that has been agreed to by management.
> 
> Kurt
> 
> On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> > After taking local admin rights away from users my plate is less full.
> > YMMV.
> >
> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff wrote:
> >>
> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> >> to my advantage when I can.
> >>
> >> The reason we've not done a GP is because we haven't had the luxury of
> >> studying to understand them. Our plates always seem to be full with
> >> other things.
> >>
> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> >> > Are all your users admins? Otherwise, how is that logon script going to
> >> > update HKLM?
> >> >
> >> > Machine-based startup script would be better idea, no?
> >> >
> >> > Cheers
> >> > Ken
> >> >
> >> > 
> >> > From: Kurt Buff [kurt.b...@gmail.com]
> >> > Sent: Wednesday, 8 July 2009 2:41 AM
> >> > To: NT System Admin Issues
> >> > Subject: Re: New IE zero day exploit in the wild
> >> >
> >> > I'm just pushing out the .reg file in the login script:
> >> >
> >> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >> >
> >> > The file was easy to create, in a capable editor (not notepad or
> >> > wordpad) that allows metacharacter search and replace, such as '\n'
> >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> >> > PFE32. I really should switch to VIM, I suppose.
> >> >
> >> > On Tue, Jul 7, 2009 at 08:40, Eric Wittersheim wrote:
> >> >> I'm pushing out the .reg via GP.  So far so good.
> >> >>
> >> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum wrote:
> >> >>>
> >> >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
> >> >>> pushing fine (so far just a few test cases have it, but no issues).
> >> >>> Beats trying to push out a .REG or something...
> >> >>>
> >> >>>
> >> >>>
> >> >>> David Lum // SYSTEMS ENGINEER
> >> >>> NORTHWEST EVALUATION ASSOCIATION
> >> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >> >>>
> >> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >> >
> >> >
> >>
> >>
> >
> >
> >
> >
> 
> 




Re: New IE zero day exploit in the wild

2009-07-09 Thread Jon Harris
Depends on the engineering type.  I know Chemical and Nuclear understand
rules and will work inside them with little fuss. Metallurgical seem to be
willing if they can't find a loophole, but they look hard for loopholes to
slip through.  Doctors and Chemists ignore rules for the most part until
someone beats on them producing enough pain to get compliance.  All of that
is from personal experience.  Doctors seem to be the worst at paying the
bill, BTW.

I have been lucky enough to stay away from lawyers so I know nothing of
their management.

Jon

On Thu, Jul 9, 2009 at 8:05 AM, paul chinnery  wrote:

>
>
> > Subject: RE: New IE zero day exploit in the wild
> > Date: Wed, 8 Jul 2009 14:56:01 -0400
> > From: don.gu...@prufoxroach.com
> > To: ntsysadmin@lyris.sunbelt-software.com
> >
> > We're going through something similar right now. Although, not "everyone"
> is a local admin, there are enough of them to cause additional workload on
> the field techs.
> >
> > We also have a few thousand Sales Agents who are allowed to bring in
> their home laptops and connect to the network.
> >
> > That's another battle altogether..
> >
> > Don Guyer
> > Systems Engineer - Information Services
> > Prudential, Fox & Roach/Trident Group
> > 431 W. Lancaster Avenue
> > Devon, PA 19333
> > Direct: (610) 993-3299
> > Fax: (610) 650-5306
> > don.gu...@prufoxroach.com
> >
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:kurt.b...@gmail.com]
> > Sent: Wednesday, July 08, 2009 2:51 PM
> > To: NT System Admin Issues
> > Subject: Re: New IE zero day exploit in the wild
> >
> > Truth. However, there are also political and training issues.
> >
> > 1) We haven't, as a company (nor within IT) figured out how to make
> > our standard apps work under non-admin accounts. This will take
> > time and resources to figure out, and then further time and resources
> > to figure out how to "productionise" the application of these settings
> > and apply them across the domain, including two offices overseas.
> >
> > 2) A large portion of our users are engineers who have a rabid
> > aversion to the idea that they can't be admins on their own boxes. I'm
> > in the (multi-year!) process of simply trying to convince engineering
> > managers that none of the staff need two NICs in their boxes - one for
> > the production LAN and one for the test/dev LAN.
> >
> > 3) The overseas offices are also politically resistant to this idea.
> >
> > While I agree that the load would be lessened, and we'd have a much
> > better managed and more secure environment, this is not a trivial
> > effort, and at times I despair. But, I persist, and have it as a goal
> > to work toward this fiscal year.
> >
> > The first step is to get signoff by company management, in the form of
> > an actual policy - something of which there are no good examples.
> > There are practices and recommendations regarding IT, but very little
> > in the way of a real IT policy that has been agreed to by management.
> >
> > Kurt
> >
> > On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> > > After taking local admin rights away from users my plate is less full.
> > > YMMV.
> > >
> > > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff wrote:
> > >>
> > >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> > >> to my advantage when I can.
> > >>
> > >> The reason we've not done a GP is because we haven't had the luxury of
> > >> studying to understand them. Our plates always seem to be full with
> > >> other things.
> > >>
> > >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> > >> > Are all your users admins? Otherwise, how is that logon script going to
> > >> > update HKLM?
> > >> >
> > >> > Machine-based startup script would be better idea, no?
> > >> >
> > >> > Cheers
> > >> > Ken
> > >> >
> > >> > 
> > >> > From: Kurt Buff [kurt.b...@gmail.com]
> > >> > Sent: Wednesday, 8 July 2009 2:41 AM
> > >> > To: NT System Admin Issues
> > >> > Subject: Re: New IE zero day exploit in the wild
> > >> >
> > >> > I'm just pushing out the .reg file in the login script:
> > >> >
> > >> > regedit /s \\fileserver\public\patches\videokillbits.reg

RE: New IE zero day exploit in the wild

2009-07-09 Thread paul chinnery



> Subject: RE: New IE zero day exploit in the wild
> Date: Wed, 8 Jul 2009 14:56:01 -0400
> From: don.gu...@prufoxroach.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> We're going through something similar right now. Although, not "everyone" is 
> a local admin, there are enough of them to cause additional workload on the 
> field techs.
> 
> We also have a few thousand Sales Agents who are allowed to bring in their 
> home laptops and connect to the network.
> 
> That's another battle altogether..
> 
> Don Guyer
> Systems Engineer - Information Services
> Prudential, Fox & Roach/Trident Group
> 431 W. Lancaster Avenue
> Devon, PA 19333
> Direct: (610) 993-3299
> Fax: (610) 650-5306
> don.gu...@prufoxroach.com
> 
> 
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com] 
> Sent: Wednesday, July 08, 2009 2:51 PM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
> 
> Truth. However, there are also political and training issues.
> 
> 1) We haven't, as a company (nor within IT) figured out how to make
> our standard apps work under non-admin accounts. This will take
> time and resources to figure out, and then further time and resources
> to figure out how to "productionise" the application of these settings
> and apply them across the domain, including two offices overseas.
> 
> 2) A large portion of our users are engineers who have a rabid
> aversion to the idea that they can't be admins on their own boxes. I'm
> in the (multi-year!) process of simply trying to convince engineering
> managers that none of the staff need two NICs in their boxes - one for
> the production LAN and one for the test/dev LAN.
> 
> 3) The overseas offices are also politically resistant to this idea.
> 
> While I agree that the load would be lessened, and we'd have a much
> better managed and more secure environment, this is not a trivial
> effort, and at times I despair. But, I persist, and have it as a goal
> to work toward this fiscal year.
> 
> The first step is to get signoff by company management, in the form of
> an actual policy - something of which there are no good examples.
> There are practices and recommendations regarding IT, but very little
> in the way of a real IT policy that has been agreed to by management.
> 
> Kurt
> 
> On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> > After taking local admin rights away from users my plate is less full.
> > YMMV.
> >
> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
> >>
> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> >> to my advantage when I can.
> >>
> >> The reason we've not done a GP is because we haven't had the luxury of
> >> studying to understand them. Our plates always seem to be full with
> >> other things.
> >>
> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> >> > Are all your users admins? Otherwise, how is that logon script going to
> >> > update HKLM?
> >> >
> >> > Machine-based startup script would be better idea, no?
> >> >
> >> > Cheers
> >> > Ken
> >> >
> >> > 
> >> > From: Kurt Buff [kurt.b...@gmail.com]
> >> > Sent: Wednesday, 8 July 2009 2:41 AM
> >> > To: NT System Admin Issues
> >> > Subject: Re: New IE zero day exploit in the wild
> >> >
> >> > I'm just pushing out the .reg file in the login script:
> >> >
> >> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >> >
> >> > The file was easy to create, in a capable editor (not notepad or
> >> > wordpad) that allows metacharacter search and replace, such as '\n'
> >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> >> > PFE32. I really should switch to VIM, I suppose.
> >> >
> >> > On Tue, Jul 7, 2009 at 08:40, Eric
> >> > Wittersheim wrote:
> >> >> I'm pushing out the .reg via GP.  So far so good.
> >> >>
> >> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
> >> >>>
> >> >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
> >> >>> pushing fine (so far just a few test cases have it, but no issues). Beats
> >> >>

RE: New IE zero day exploit in the wild

2009-07-09 Thread paul chinnery

A third of my users are doctors.  I wonder which group is harder to work with: 
engineers or doctors?

> Date: Wed, 8 Jul 2009 11:51:09 -0700
> Subject: Re: New IE zero day exploit in the wild
> From: kurt.b...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
> 
> Truth. However, there are also political and training issues.
> 
> 1) We haven't, as a company (nor within IT) figured out how to make
> our standard apps work under non-admin accounts. This will take
> time and resources to figure out, and then further time and resources
> to figure out how to "productionise" the application of these settings
> and apply them across the domain, including two offices overseas.
> 
> 2) A large portion of our users are engineers who have a rabid
> aversion to the idea that they can't be admins on their own boxes. I'm
> in the (multi-year!) process of simply trying to convince engineering
> managers that none of the staff need two NICs in their boxes - one for
> the production LAN and one for the test/dev LAN.
> 
> 3) The overseas offices are also politically resistant to this idea.
> 
> While I agree that the load would be lessened, and we'd have a much
> better managed and more secure environment, this is not a trivial
> effort, and at times I despair. But, I persist, and have it as a goal
> to work toward this fiscal year.
> 
> The first step is to get signoff by company management, in the form of
> an actual policy - something of which there are no good examples.
> There are practices and recommendations regarding IT, but very little
> in the way of a real IT policy that has been agreed to by management.
> 
> Kurt
> 
> On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> > After taking local admin rights away from users my plate is less full.
> > YMMV.
> >
> > On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
> >>
> >> Yes, unfortunately, all our users are admins. It sucks, but I use it
> >> to my advantage when I can.
> >>
> >> The reason we've not done a GP is because we haven't had the luxury of
> >> studying to understand them. Our plates always seem to be full with
> >> other things.
> >>
> >> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> >> > Are all your users admins? Otherwise, how is that logon script going to
> >> > update HKLM?
> >> >
> >> > Machine-based startup script would be better idea, no?
> >> >
> >> > Cheers
> >> > Ken
> >> >
> >> > 
> >> > From: Kurt Buff [kurt.b...@gmail.com]
> >> > Sent: Wednesday, 8 July 2009 2:41 AM
> >> > To: NT System Admin Issues
> >> > Subject: Re: New IE zero day exploit in the wild
> >> >
> >> > I'm just pushing out the .reg file in the login script:
> >> >
> >> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >> >
> >> > The file was easy to create, in a capable editor (not notepad or
> >> > wordpad) that allows metacharacter search and replace, such as '\n'
> >> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> >> > PFE32. I really should switch to VIM, I suppose.
> >> >
> >> > On Tue, Jul 7, 2009 at 08:40, Eric
> >> > Wittersheim wrote:
> >> >> I'm pushing out the .reg via GP.  So far so good.
> >> >>
> >> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
> >> >>>
> >> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
> >> >>> pushing
> >> >>> fine (so far just a few test cases have it, but no issues). Beats
> >> >>> trying to
> >> >>> push out a .REG or something…
> >> >>>
> >> >>>
> >> >>>
> >> >>> David Lum // SYSTEMS ENGINEER
> >> >>> NORTHWEST EVALUATION ASSOCIATION
> >> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >> >>>
> >> >
> >> >
> >>
> >>
> >
> >
> >
> >
> 
> 


Re: New IE zero day exploit in the wild

2009-07-08 Thread Kurt Buff
I took that list of CLSIDs, and used PFE32 to search and replace

 '{'
with
 '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{'

I then did a search and replace of

 '}'
with
 '}]\n"Compatibility Flags"=dword:0400'

Note the \n at the beginning - in PFE32 this is a special character
for the newline.

Fix up the bit at the beginning with the line:

 Windows Registry Editor Version 5.00

and then save the file off, and you're good to go.

Kurt

On Wed, Jul 8, 2009 at 07:56, Ziots, Edward wrote:
> Question,
>
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set, is this what everyone else is
> doing? So basically adding each one of these CLSIDs to a .reg file and then
> scheduling a bat file to be run at the computer startup like the following?
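
The two technical points in this thread are Kurt's recipe for turning the
advisory's CLSID list into a .reg file, and Ken's observation that a logon
script runs as the user and cannot write HKLM unless that user is a local
admin, so the kill bits belong in a computer startup script. The PowerShell
below is an added example written for this page, not code from anyone in the
thread: it builds the same .reg text the PFE32 search/replace produces, sets
the kill bit (0x400 in "Compatibility Flags") directly from a startup script,
and verifies afterwards that the bit is really present. It assumes PowerShell
2.0 or later on the client; the function names are mine, the two CLSIDs are
constructed placeholders standing in for the advisory's list, and the UNC path
is the one from Kurt's message.

```powershell
# Added example (not code from the thread). Assumes PowerShell 2.0 or later
# and rights to write HKLM, i.e. a Group Policy computer startup script
# (runs as LocalSystem) or an elevated prompt. The CLSIDs in $Clsids are
# constructed placeholders, not the advisory's list.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400   # the "kill bit" in Compatibility Flags

# Constructed placeholder CLSIDs; replace with the list from the advisory.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

$ClsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function New-KillBitRegFile {
    # Writes the same .reg text the PFE32 search/replace produces: one
    # [key] line and one Compatibility Flags value per CLSID. The DWORD is
    # written with the eight hex digits the .reg format specifies.
    param(
        [Parameter(Mandatory=$true)] [string[]] $Clsid,
        [Parameter(Mandatory=$true)] [string]   $Path
    )
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($c in $Clsid) {
        if ($c -notmatch $ClsidPattern) { throw "Not a CLSID: $c" }
        $lines += "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$c]"
        $lines += '"Compatibility Flags"=dword:00000400'
        $lines += ''
    }
    # Windows PowerShell writes CRLF line endings; regedit accepts UTF-16LE.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

function Set-KillBit {
    # Sets the kill bit directly, ORing it into any flags already present
    # instead of overwriting them. Fails with access denied for a non-admin
    # user, which is why this belongs in a computer startup script.
    param([Parameter(Mandatory=$true)] [string[]] $Clsid)
    foreach ($c in $Clsid) {
        if ($c -notmatch $ClsidPattern) { throw "Not a CLSID: $c" }
        $key = Join-Path $KillBitRoot $c
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$cur -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    # Reports, per CLSID, whether bit 0x400 is actually set on this machine.
    # Run this after the rollout: a .reg import from a non-admin logon script
    # writes nothing to HKLM, and regedit /s shows no error when that happens.
    param([Parameter(Mandatory=$true)] [string[]] $Clsid)
    foreach ($c in $Clsid) {
        $key   = Join-Path $KillBitRoot $c
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'
        New-Object PSObject -Property @{
            Clsid      = $c
            Flags      = $flags
            KillBitSet = (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

# Usage:
#   New-KillBitRegFile -Clsid $Clsids -Path '\\fileserver\public\patches\videokillbits.reg'
#   Set-KillBit  -Clsid $Clsids
#   Test-KillBit -Clsid $Clsids | Where-Object { -not $_.KillBitSet }
```

Set-KillBit ORs the bit into whatever flags are already there rather than
overwriting them, and Test-KillBit is the check to run on a sample of machines
after the rollout: a .reg import from a non-admin logon script leaves nothing
behind in HKLM, and regedit /s suppresses the dialog that would tell you so.
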




RE: New IE zero day exploit in the wild

2009-07-08 Thread Don Guyer
We're going through something similar right now. Although, not "everyone" is a 
local admin, there are enough of them to cause additional workload on the field 
techs.

We also have a few thousand Sales Agents who are allowed to bring in their home 
laptops and connect to the network.

That's another battle altogether..

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com


-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, July 08, 2009 2:51 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Truth. However, there are also political and training issues.

1) We haven't, as a company (nor within IT) figured out how to make
our standard apps work under non-admin accounts. This will take
time and resources to figure out, and then further time and resources
to figure out how to "productionise" the application of these settings
and apply them across the domain, including two offices overseas.

2) A large portion of our users are engineers who have a rabid
aversion to the idea that they can't be admins on their own boxes. I'm
in the (multi-year!) process of simply trying to convince engineering
managers that none of the staff need two NICs in their boxes - one for
the production LAN and one for the test/dev LAN.

3) The overseas offices are also politically resistant to this idea.

While I agree that the load would be lessened, and we'd have a much
better managed and more secure environment, this is not a trivial
effort, and at times I despair. But, I persist, and have it as a goal
to work toward this fiscal year.

The first step is to get signoff by company management, in the form of
an actual policy - something of which there are no good examples.
There are practices and recommendations regarding IT, but very little
in the way of a real IT policy that has been agreed to by management.

Kurt

On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> After taking local admin rights away from users my plate is less full.
> YMMV.
>
> On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
>>
>> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> to my advantage when I can.
>>
>> The reason we've not done a GP is because we haven't had the luxury of
>> studying to understand them. Our plates always seem to be full with
>> other things.
>>
>> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
>> > Are all your users admins? Otherwise, how is that logon script going to
>> > update HKLM?
>> >
>> > Machine-based startup script would be better idea, no?
>> >
>> > Cheers
>> > Ken
>> >
>> > 
>> > From: Kurt Buff [kurt.b...@gmail.com]
>> > Sent: Wednesday, 8 July 2009 2:41 AM
>> > To: NT System Admin Issues
>> > Subject: Re: New IE zero day exploit in the wild
>> >
>> > I'm just pushing out the .reg file in the login script:
>> >
>> > regedit /s \\fileserver\public\patches\videokillbits.reg
>> >
>> > The file was easy to create, in a capable editor (not notepad or
>> > wordpad) that allows metacharacter search and replace, such as '\n'
>> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
>> > PFE32. I really should switch to VIM, I suppose.
>> >
>> > On Tue, Jul 7, 2009 at 08:40, Eric
>> > Wittersheim wrote:
>> >> I'm pushing out the .reg via GP.  So far so good.
>> >>
>> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>> >>>
>> >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
>> >>> pushing
>> >>> fine (so far just a few test cases have it, but no issues). Beats
>> >>> trying to
>> >>> push out a .REG or something...
>> >>>
>> >>>
>> >>>
>> >>> David Lum // SYSTEMS ENGINEER
>> >>> NORTHWEST EVALUATION ASSOCIATION
>> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >>>
>> >
>> >
>>
>>
>
>
>
>


Re: New IE zero day exploit in the wild

2009-07-08 Thread Kurt Buff
Truth. However, there are also political and training issues.

1) We haven't, as a company (nor within IT) figured out how to make
our standard apps work under non-admin accounts. This will take
time and resources to figure out, and then further time and resources
to figure out how to "productionise" the application of these settings
and apply them across the domain, including two offices overseas.

2) A large portion of our users are engineers who have a rabid
aversion to the idea that they can't be admins on their own boxes. I'm
in the (multi-year!) process of simply trying to convince engineering
managers that none of the staff need two NICs in their boxes - one for
the production LAN and one for the test/dev LAN.

3) The overseas offices are also politically resistant to this idea.

While I agree that the load would be lessened, and we'd have a much
better managed and more secure environment, this is not a trivial
effort, and at times I despair. But, I persist, and have it as a goal
to work toward this fiscal year.

The first step is to get signoff by company management, in the form of
an actual policy - something of which there are no good examples.
There are practices and recommendations regarding IT, but very little
in the way of a real IT policy that has been agreed to by management.

Kurt

On Wed, Jul 8, 2009 at 07:52, Jonathan Link wrote:
> After taking local admin rights away from users my plate is less full.
> YMMV.
>
> On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
>>
>> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> to my advantage when I can.
>>
>> The reason we've not done a GP is because we haven't had the luxury of
>> studying to understand them. Our plates always seem to be full with
>> other things.
>>
>> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
>> > Are all your users admins? Otherwise, how is that logon script going to
>> > update HKLM?
>> >
>> > Machine-based startup script would be better idea, no?
>> >
>> > Cheers
>> > Ken
>> >
>> > ________________
>> > From: Kurt Buff [kurt.b...@gmail.com]
>> > Sent: Wednesday, 8 July 2009 2:41 AM
>> > To: NT System Admin Issues
>> > Subject: Re: New IE zero day exploit in the wild
>> >
>> > I'm just pushing out the .reg file in the login script:
>> >
>> >     regedit /s \\fileserver\public\patches\videokillbits.reg
>> >
>> > The file was easy to create, in a capable editor (not notepad or
>> > wordpad) that allows metacharacter search and replace, such as '\n'
>> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
>> > PFE32. I really should switch to VIM, I suppose.
>> >
>> > On Tue, Jul 7, 2009 at 08:40, Eric
>> > Wittersheim wrote:
>> >> I'm pushing out the .reg via GP.  So far so good.
>> >>
>> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>> >>>
>> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
>> >>> pushing
>> >>> fine (so far just a few test cases have it, but no issues). Beats
>> >>> trying to
>> >>> push out a .REG or something…
>> >>>
>> >>>
>> >>>
>> >>> David Lum // SYSTEMS ENGINEER
>> >>> NORTHWEST EVALUATION ASSOCIATION
>> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >>>
>> >
>> >
>>
>>
>
>
>
>




Re: New IE zero day exploit in the wild

2009-07-08 Thread Jon Harris
+2

Jon
On Wed, Jul 8, 2009 at 1:16 PM, Phillip Partipilo  wrote:

>  +1
>
>
> Phillip Partipilo
> Parametric Solutions Inc.
> Jupiter, Florida
> (561) 747-6107
>
>
>  --
> *From:* Jonathan Link [mailto:jonathan.l...@gmail.com]
> *Sent:* Wednesday, July 08, 2009 10:53 AM
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>  After taking local admin rights away from users my plate is less full.
> YMMV.
>
>   On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:
>
>> Yes, unfortunately, all our users are admins. It sucks, but I use it
>> to my advantage when I can.
>>
>> The reason we've not done a GP is because we haven't had the luxury of
>> studying to understand them. Our plates always seem to be full with
>> other things.
>>
>> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
>> > Are all your users admins? Otherwise, how is that logon script going to
>> update HKLM?
>> >
>> > Machine-based startup script would be better idea, no?
>> >
>> > Cheers
>> > Ken
>> >
>> > ____________
>> > From: Kurt Buff [kurt.b...@gmail.com]
>> > Sent: Wednesday, 8 July 2009 2:41 AM
>> > To: NT System Admin Issues
>> > Subject: Re: New IE zero day exploit in the wild
>> >
>> > I'm just pushing out the .reg file in the login script:
>> >
>> > regedit /s \\fileserver\public\patches\videokillbits.reg
>> >
>> > The file was easy to create, in a capable editor (not notepad or
>> > wordpad) that allows metacharacter search and replace, such as '\n'
>> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
>> > PFE32. I really should switch to VIM, I suppose.
>> >
>> > On Tue, Jul 7, 2009 at 08:40, Eric
>> > Wittersheim wrote:
>> >> I'm pushing out the .reg via GP.  So far so good.
>> >>
>> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>> >>>
>> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
>> pushing
>> >>> fine (so far just a few test cases have it, but no issues). Beats
>> trying to
>> >>> push out a .REG or something…
>> >>>
>> >>>
>> >>>
>> >>> David Lum // SYSTEMS ENGINEER
>> >>> NORTHWEST EVALUATION ASSOCIATION
>> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >>>
>> >
>> >
>>
>>
>>
>
>
>
>
>
> THIS ELECTRONIC MESSAGE AND ANY ATTACHMENTS ARE CONFIDENTIAL AND
> PROPRIETARY PROPERTY OF THE SENDER. THE INFORMATION IS INTENDED FOR USE BY
> THE ADDRESSEE ONLY. ANY OTHER INTERCEPTION, COPYING, ACCESSING, OR
> DISCLOSURE OF THIS MESSAGE IS PROHIBITED. IF YOU HAVE RECEIVED THIS MESSAGE
> IN ERROR, PLEASE IMMEDIATELY NOTIFY THE SENDER AND DELETE THIS MAIL AND ALL
> ATTACHMENTS. DO NOT FORWARD THIS MESSAGE WITHOUT PERMISSION OF THE SENDER.
>
>
>
>
>
>


RE: New IE zero day exploit in the wild

2009-07-08 Thread Phillip Partipilo
+1

Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107


From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Wednesday, July 08, 2009 10:53 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild


After taking local admin rights away from users my plate is less full.
YMMV.


On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:


Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.


On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> Are all your users admins? Otherwise, how is that logon script going to
update HKLM?
>
> Machine-based startup script would be better idea, no?
>
> Cheers
> Ken
>
> 
> From: Kurt Buff [kurt.b...@gmail.com]

> Sent: Wednesday, 8 July 2009 2:41 AM

> To: NT System Admin Issues

> Subject: Re: New IE zero day exploit in the wild

>
> I'm just pushing out the .reg file in the login script:
>
> regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim wrote:
>> I'm pushing out the .reg via GP.  So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>>
>>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying
to
>>> push out a .REG or something.
>>>
>>>
>>>

>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>

>
>


RE: New IE zero day exploit in the wild

2009-07-08 Thread Carl Houseman
Also, the FixIt works under Vista when run interactively.

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 08, 2009 12:07 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

My mistake, I actually did the testing under XP, and David Lum just
confirmed in a separate post it doesn't work under XP.

 

Carl

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Wednesday, July 08, 2009 11:50 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

FixIt was only for XP and 2003 machines, not Vista, or did you not read all
the way to the bottom of the article?  It is possible I missed something
though.

 

Jon

On Wed, Jul 8, 2009 at 11:13 AM, Carl Houseman  wrote:

It appears that's what we're left to do on our own.  Not sure why MS
couldn't just provide us the .reg file ready-to-use.  Or for that matter, a
.msi file that works with GP.  I tried assigning the msfixit .msi in a group
policy, but it didn't install (on Vista anyway, didn't test w/XP after that,
it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat
because a single policy can't affect multiple reg keys with a single
enable/disable choice.   If I'm wrong about that I'd love to hear how it's
done.

Carl


-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question,

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set. Is this what everyone else is
doing? So basically adding each one of these CLSIDs to a .reg file and then
scheduling a bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
Regedit -s MSactiveXVideoFix.reg

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (Down the list of CLSIDS below)

Then set a Group Policy with the computer startup script at the root of your
domain, and let it rip. (So servers, workstations etc. get the fix; you
can try it at a small OU level and reg query the registry after the system
is booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:

Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}

{0149EEDF-D08F-4142-8D73-D23903D21E90}

{0369B4E5-45B6-11D3-B650-00C04F79498E}

{0369B4E6-45B6-11D3-B650-00C04F79498E}

{055CB2D7-2969-45CD-914B-76890722F112}

{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}

{15D6504A-5494-499C-886C-973C9E53B9F1}

{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}

{1C15D484-911D-11D2-B632-00C04F79498E}

{1DF7D126-4050-47F0-A7CF-4C4CA9241333}

{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}

{334125C0-77E5-11D3-B653-00C04F79498E}

{37B0353C-A4C8-11D2-B634-00C04F79498E}

{37B03543-A4C8-11D2-B634-00C04F79498E}

{37B03544-A4C8-11D2-B634-00C04F79498E}

{418008F3-CF67-4668-9628-10DC52BE1D08}

{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}

{577FAA18-4518-445E-8F70-1473F8CF4BA4}

{59DC47A8-116C-11D3-9D8E-00C04F72D980}

{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}

{823535A0-0318-11D3-9D8E-00C04F72D980}

{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}

{8A674B4C-1F63-11D3-B64C-00C04F79498E}

{8A674B4D-1F63-11D3-B64C-00C04F79498E}

{9CD64701-BDF3-4D14-8E03-F12983D86664}

{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}

{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}

{A2E3074E-6C3D-11D3-B653-00C04F79498E}

{A2E30750-6C3D-11D3-B653-00C04F79498E}

{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}

{AD8E510D-217F-409B-8076-29C5E73B98E8}

{B0EDF163-910A-11D2-B632-00C04F79498E}

{B64016F3-C9A2-4066-96F0-BD9563314726}

{BB530C63-D9DF-4B49-9439-63453962E598}

{C531D9FD-9685-4028-8B68-6E1232079F1E}

{C5702CCC-9B79-11D3-B654-00C04F79498E}

{C5702CCD-9B79-11D3-B654-00C04F79498E}

{C5702CCE-9B79-11D3-B654-00C04F79498E}

{C5702CCF-9B79-11D3-B654-00C04F79498E}

{C5702CD0-9B79-11D3-B654-00C04F79498E}

{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}

{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}

{D02AAC50-027E-11D3-9D8E-00C04F72D980}

{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}

{FA7C375B-66A7-4280-879D-FD459C84BB02}


Note The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{----} below with the Class Identifier found
in this table.

To set the kill bit for a CLSID with a value of
{----}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{----}]
"Comp

RE: New IE zero day exploit in the wild

2009-07-08 Thread Carl Houseman
My mistake, I actually did the testing under XP, and David Lum just
confirmed in a separate post it doesn't work under XP.

 

Carl

 

From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Wednesday, July 08, 2009 11:50 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

FixIt was only for XP and 2003 machines, not Vista, or did you not read all
the way to the bottom of the article?  It is possible I missed something
though.

 

Jon

On Wed, Jul 8, 2009 at 11:13 AM, Carl Houseman  wrote:

It appears that's what we're left to do on our own.  Not sure why MS
couldn't just provide us the .reg file ready-to-use.  Or for that matter, a
.msi file that works with GP.  I tried assigning the msfixit .msi in a group
policy, but it didn't install (on Vista anyway, didn't test w/XP after that,
it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat
because a single policy can't affect multiple reg keys with a single
enable/disable choice.   If I'm wrong about that I'd love to hear how it's
done.

Carl


-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question,

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set. Is this what everyone else is
doing? So basically adding each one of these CLSIDs to a .reg file and then
scheduling a bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
Regedit -s MSactiveXVideoFix.reg

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (Down the list of CLSIDS below)

Then set a Group Policy with the computer startup script at the root of your
domain, and let it rip. (So servers, workstations etc. get the fix; you
can try it at a small OU level and reg query the registry after the system
is booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:



Note The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{----} below with the Class Identifier found
in this table.

To set the kill bit for a CLSID with a value of
{----}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{----}]
"Compatibility Flags"=dword:0400

You can apply this .reg file to individual systems by double-clicking it.
You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the following Micro

RE: New IE zero day exploit in the wild

2009-07-08 Thread Carl Houseman
I generally dump startup script components into \\dcname\netlogon.

When referencing that location in a path or script, use

\\domain.com\SysVol\domain.com\scripts

Carl

-Original Message-
From: Richard Stovall [mailto:richard.stov...@researchdata.com] 
Sent: Wednesday, July 08, 2009 11:47 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Couple of questions about this:

Where does the slayocx.vbs (that gets called by your .cmd file) live?

Is it trivial to change the log location from "SystemDrive" to a network
share?  (LogFileName = WshEnv("SystemDrive") & "\SlayOCX.log")

Thanks,
RS

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com] 
Sent: Wednesday, July 08, 2009 11:18 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

A while back, Jesper Johansson published a VBScript that helps with this.
http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx
It writes a log file in the root of the user's C: drive that indicates
success or failure or not found. I've got a CMD file that consists of
nothing but a bunch of slayocx.vbs commands.

.Tim


> -Original Message-
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Wednesday, July 08, 2009 7:57 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
> 
> Question,
> 
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set. Is this what everyone else
> is doing? So basically adding each one of these CLSIDs to a .reg file
> and then scheduling a bat file to be run at the computer startup like
> the following?
> 
> (Call it MSVideofit.bat)
> :BATFILE
> Regedit -s MSactiveXVideoFix.reg
> 
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
> 
> ETC ETC (Down the list of CLSIDS below)
> 
> Then set a Group Policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc. get the
> fix; you can try it at a small OU level and reg query the registry after
> the system is booted, to verify that it is working.)
> 
> The following Class Identifiers relate to Microsoft Video ActiveX
> Control:
> 
> 
> 
> Note The Class Identifiers and corresponding files where the ActiveX
> objects are contained are

RE: New IE zero day exploit in the wild

2009-07-08 Thread Tim Evans
I have it (and the cmd file that calls it) in the netlogon share on my DC's.
Here is a sample line from the CMD file:
%SystemRoot%\system32\cscript /nologo %logonserver%\netlogon\SlayOCX.vbs -k 
011B3619-FE63-4814-8A84-15A194CE9CE3 -l

I guess I forgot to mention the best part about this script is that you can 
undo the killbit by changing the -k parameter to -r so you have a simple way to 
undo it if you want.

.Tim


> -Original Message-
> From: Richard Stovall [mailto:richard.stov...@researchdata.com]
> Sent: Wednesday, July 08, 2009 8:47 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
> 
> Couple of questions about this:
> 
> Where does the slayocx.vbs (that gets called by your .cmd file) live?
> 
> Is it trivial to change the log location from "SystemDrive" to a network
> share?  (LogFileName = WshEnv("SystemDrive") & "\SlayOCX.log")
> 
> Thanks,
> RS
> 
> -Original Message-
> From: Tim Evans [mailto:tev...@sparling.com]
> Sent: Wednesday, July 08, 2009 11:18 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
> 
> A while back, Jesper Johansson published a VBScript that helps with
> this.
> http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx
> It writes a log file in the root of the user's C: drive that indicates
> success or failure or not found. I've got a CMD file that consists of
> nothing but a bunch of slayocx.vbs commands.
> 
> .Tim
> 
> 
> > -Original Message-----
> > From: Ziots, Edward [mailto:ezi...@lifespan.org]
> > Sent: Wednesday, July 08, 2009 7:57 AM
> > To: NT System Admin Issues
> > Subject: RE: New IE zero day exploit in the wild
> >
> > Question,
> >
> > According to the Microsoft article it looks like you need to add a whole
> > lot of CLSIDs that need the kill bit set. Is this what everyone else
> > is doing? So basically adding each one of these CLSIDs to a .reg file
> > and then scheduling a bat file to be run at the computer startup like
> > the following?
> >
> > (Call it MSVideofit.bat)
> > :BATFILE
> > Regedit -s MSactiveXVideoFix.reg
> >
> > :MsActiveXVideoFix.reg
> > Windows Registry Editor Version 5.00
> > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> > Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> > "Compatibility Flags"=dword:0400
> >
> > ETC ETC (Down the list of CLSIDS below)
> >
> > Then set a Group Policy with the computer startup script at the root of
> > your domain, and let it rip. (So servers, workstations etc. get the
> > fix; you can try it at a small OU level and reg query the registry after
> > the system is booted, to verify that it is working.)
> >
> > The following Class Identifiers relate to Microsoft Video ActiveX
> > Control:
> >

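A single script covering both Ed's .reg-plus-startup-script procedure and Tim's SlayOCX -k/-r usage, as an added PowerShell example (not SlayOCX.vbs, not Microsoft's Fix it, and not code posted by anyone on the thread): it ORs the kill bit (0x400) into Compatibility Flags instead of overwriting the value, clears it again on request, and verifies the result the way Ed suggested doing with reg query. The script name, its parameters and the log path are assumptions; the two default CLSIDs are the first two from the list in the thread.

```powershell
# Set-KillBit.ps1 (assumed name). Added example, not SlayOCX.vbs and not
# Microsoft's Fix it. Sets, clears or verifies the IE ActiveX kill bit for a
# list of CLSIDs. The -Action/-Clsid/-LogFile parameters and the log path are
# assumptions; the two default CLSIDs are the first two from the thread's list.
# Run as a computer startup script or from an elevated prompt: writes under
# HKLM need admin rights (Ken's point about logon scripts).
param(
    [ValidateSet('Set', 'Clear', 'Verify')]
    [string]   $Action  = 'Verify',
    [string[]] $Clsid   = @('{011B3619-FE63-4814-8A84-15A194CE9CE3}',
                            '{0149EEDF-D08F-4142-8D73-D23903D21E90}'),
    [string]   $LogFile = (Join-Path $env:SystemRoot 'Temp\KillBit.log')
)

$KillBit = 0x400   # COMPAT_KILL_BIT: IE refuses to instantiate the control
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags([string] $Key) {
    # Current "Compatibility Flags" DWORD for the key, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int] $p.'Compatibility Flags'
}

function Write-Log([string] $Message) {
    # One line per CLSID, like SlayOCX's log; the path is a parameter so it can
    # point at a network share instead of the system drive (Richard's question).
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogFile -Value $line
    Write-Output $line
}

foreach ($id in $Clsid) {
    # Normalise to the braced upper-case form used under ActiveX Compatibility.
    $g   = '{' + ([guid] $id).ToString().ToUpper() + '}'
    $key = Join-Path $Base $g
    $cur = Get-CompatFlags $key

    switch ($Action) {
        'Set' {
            # OR the bit in rather than overwrite: a .reg line of
            # "Compatibility Flags"=dword:0400 discards any other flags
            # already set on the control.
            $new = if ($null -eq $cur) { $KillBit } else { $cur -bor $KillBit }
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
            Write-Log ('SET   {0} 0x{1:X} -> 0x{2:X}' -f $g, [int] $cur, $new)
        }
        'Clear' {
            # The undo Tim mentioned (SlayOCX -r): clear only the kill bit,
            # leaving any other compatibility flags alone.
            if ($null -eq $cur) {
                Write-Log ('CLEAR {0} no entry, nothing to do' -f $g)
            } else {
                $new = $cur -band (-bnot $KillBit)
                Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
                Write-Log ('CLEAR {0} 0x{1:X} -> 0x{2:X}' -f $g, $cur, $new)
            }
        }
        'Verify' {
            # The post-reboot check Ed suggested doing with reg query.
            $state = 'NOT SET'
            if ($null -eq $cur) { $state = 'MISSING' } elseif ($cur -band $KillBit) { $state = 'KILLED' }
            Write-Log ('CHECK {0} {1} (flags 0x{2:X})' -f $g, $state, [int] $cur)
        }
    }
}
```

Run it with -Action Set from a computer startup GPO, then -Action Verify on a test OU before widening the scope; -Action Clear backs the change out per CLSID.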
Re: New IE zero day exploit in the wild

2009-07-08 Thread Jon Harris
FixIt was only for XP and 2003 machines, not Vista, or did you not read all
the way to the bottom of the article?  It is possible I missed something
though.

Jon

On Wed, Jul 8, 2009 at 11:13 AM, Carl Houseman  wrote:

> It appears that's what we're left to do on our own.  Not sure why MS
> couldn't just provide us the .reg file ready-to-use.  Or for that matter, a
> .msi file that works with GP.  I tried assigning the msfixit .msi in a
> group policy, but it didn't install (on Vista anyway, didn't test w/XP
> after that, it worked under Vista when run interactively).
>
> My other idea, a custom .adm file to push the settings out, fell flat
> because a single policy can't affect multiple reg keys with a single
> enable/disable choice.   If I'm wrong about that I'd love to hear how it's
> done.
>
> Carl
>
> -Original Message-
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Wednesday, July 08, 2009 10:57 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
>
>  Question,
>
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set. Is this what everyone else is
> doing? So basically adding each one of these CLSIDs to a .reg file and
> then scheduling a bat file to be run at the computer startup like the
> following?
>
> (Call it MSVideofit.bat)
> :BATFILE
> Regedit -s MSactiveXVideoFix.reg
>
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
>
> ETC ETC (Down the list of CLSIDS below)
>
> Then set a Group Policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc. get the fix;
> you can try it at a small OU level and reg query the registry after the
> system is booted, to verify that it is working.)
>
> The following Class Identifiers relate to Microsoft Video ActiveX Control:
>
>
>
> Note The Class Identifiers and corresponding files where the ActiveX
> objects are contained are documented in the table above. Replace
> {----} below with the Class Identifier
> found in this table.
>
> To set the kill bit for a CLSID with a value of
> {----}, paste the following text in a text
> editor such as Notepad. Then, save the file by using the .reg file name
> extension.
>

RE: New IE zero day exploit in the wild

2009-07-08 Thread Richard Stovall
Couple of questions about this:

Where does the slayocx.vbs (that gets called by your .cmd file) live?

Is it trivial to change the log location from "SystemDrive" to a network share? 
 (LogFileName = WshEnv("SystemDrive") & "\SlayOCX.log")

Thanks,
RS

-Original Message-
From: Tim Evans [mailto:tev...@sparling.com] 
Sent: Wednesday, July 08, 2009 11:18 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

A while back, Jesper Johansson published a VBScript that helps with this.
http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx
It writes a log file in the root of the user's C: drive that indicates success 
or failure or not found. I've got a CMD file that consists of nothing but a 
bunch of slayocx.vbs commands.

.Tim


> -Original Message-
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Wednesday, July 08, 2009 7:57 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
> 
> Question,
> 
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set. Is this what everyone else
> is doing? So basically adding each one of these CLSIDs to a .reg file
> and then scheduling a bat file to be run at the computer startup like
> the following?
> 
> (Call it MSVideofit.bat)
> :BATFILE
> Regedit -s MSactiveXVideoFix.reg
> 
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
> 
> ETC ETC (Down the list of CLSIDS below)
> 
> Then set a Group Policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc. get the
> fix; you can try it at a small OU level and reg query the registry after
> the system is booted, to verify that it is working.)
> 
> The following Class Identifiers relate to Microsoft Video ActiveX
> Control:
> 
> 
> 
> Note The Class Identifiers and corresponding files where the ActiveX
> objects are contained are documented in the table above. Replace
> {----} below with the Class Identifier
> found in this table.
> 
> To set the kill bit for a CLSID with a value of {---
> -}, paste the following text in a text editor such as
> Notepad. Then, save the file by using the .reg file name extension.

RE: New IE zero day exploit in the wild

2009-07-08 Thread David Lum
+1, why MS didn't supply a ready-to-use .REG file (it's for HKLM after all) is 
beyond me.

So the GPO failure isn't just me! My .MSI push attempt via GPO to XP didn't work 
(none of my clients have SMS).  An SMS push (day job has SMS) of the same .MSI 
worked fine.


Dave

-Original Message-
From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 08, 2009 8:14 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

It appears that's what we're left to do on our own.  Not sure why MS
couldn't just provide us the .reg file ready-to-use.  Or for that matter, a
.msi file that works with GP.  I tried assigning the msfixit .msi in a group
policy, but it didn't install (on Vista anyway, didn't test w/XP after that,
it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat
because a single policy can't affect multiple reg keys with a single
enable/disable choice.   If I'm wrong about that I'd love to hear how it's
done.

Carl

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question, 

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set. Is this what everyone else is
doing? So basically adding each one of these CLSIDs to a .reg file and then
scheduling a bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
Regedit -s MSactiveXVideoFix.reg

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (Down the list of CLSIDS below) 

Then set a Group Policy with the computer startup script at the root of your
domain, and let it rip. (So servers, workstations etc. get the fix; you
can try it at a small OU level and reg query the registry after the system
is booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:


Note The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{----} below with the Class Identifier found
in this table.

To set the kill bit for a CLSID with a value of
{----}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{----}]
"Compatibility Flags"=dword:0400

You can apply this .reg file to individual systems by double-clicking it.
You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the followin
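
The .reg-building step from the quoted post, worked out as an added Python example; this is not code from anyone in the thread. It pulls the CLSIDs out of the pasted "Class Identifier" list (header, blank lines and all, so the advisory text can be pasted in as-is), de-duplicates them, and emits one kill-bit section per CLSID with the key path on a single line and CRLF endings, which is what regedit /s expects; mail clients wrap the long key path, which is why a .reg copied out of a message often fails to import. The output file name and the shortened sample list are assumptions for the demo.

```python
"""Generate a kill-bit .reg file from a pasted CLSID list.

Added example (not code from the thread). The kill bit is bit 0x400 of the
"Compatibility Flags" value under the ActiveX Compatibility key; Internet
Explorer will not instantiate a control whose CLSID carries that bit.
"""
import re

KILL_BIT = 0x400
KEY_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
            r"\ActiveX Compatibility")
# A GUID in registry form: 8-4-4-4-12 hex digits inside braces.
CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")

# Constructed input: the head of the list exactly as it was pasted in the
# thread, header line and blank lines included. The full list goes here.
PASTED_LIST = """Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}

{0149EEDF-D08F-4142-8D73-D23903D21E90}

{0369B4E5-45B6-11D3-B650-00C04F79498E}

{0369B4E6-45B6-11D3-B650-00C04F79498E}
"""


def extract_clsids(text):
    """Return every brace-delimited GUID in the text, upper-cased and
    de-duplicated, in order of first appearance. Anything that is not a
    GUID (headers, blank lines, stray words) is ignored."""
    found = []
    for match in CLSID_RE.findall(text):
        clsid = match.upper()
        if clsid not in found:
            found.append(clsid)
    return found


def build_reg(clsids):
    """Return the text of a .reg file that sets the kill bit on each CLSID.

    Each key path is kept on one line and the file uses CRLF line endings;
    the dword is written with the full eight hex digits."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append("[%s\\%s]" % (KEY_PATH, clsid))
        lines.append('"Compatibility Flags"=dword:%08x' % KILL_BIT)
        lines.append("")
    return "\r\n".join(lines)


def write_reg(path, clsids):
    """Write the .reg file as UTF-16 with a BOM, the encoding regedit itself
    uses when exporting 'Version 5.00' files. newline='' keeps the CRLFs."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg(clsids))


if __name__ == "__main__":
    ids = extract_clsids(PASTED_LIST)
    print("%d CLSIDs -> MSactiveXVideoFix.reg" % len(ids))  # assumed file name
    write_reg("MSactiveXVideoFix.reg", ids)
```

Run it once against the full list and hand the resulting file to the startup script; because the values live under HKEY_LOCAL_MACHINE, the import has to run in a computer startup script (which runs as SYSTEM), not a per-user logon script, unless every user is a local administrator.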

Re: New IE zero day exploit in the wild

2009-07-08 Thread Eric Wittersheim
Ed,

I used this page as a guide for what I did.
http://blogs.technet.com/askds/archive/2007/08/14/deploying-custom-registry-changes-through-group-policy.aspx

But basically you are right on target.

Eric

On Wed, Jul 8, 2009 at 10:18 AM, Ziots, Edward  wrote:

>  So basically you are just uploading the reg file to the computer startup
> script and the command you are invoking is regedit /s name_of_script ?  I
> thought you needed to put a batch file in the computer startup script area
> to get that to work.
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>   --
>
> *From:* Eric Wittersheim [mailto:eric.wittersh...@gmail.com]
> *Sent:* Wednesday, July 08, 2009 11:03 AM
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> I didn't create a batch file I just created a reg file with all the lines
> like below.  Then I created a new GP and applied it to the OU.  In the GP I
> run the reg file in the computer start up script with the /s argument.
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
> "Compatibility Flags"=dword:0400
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
> "Compatibility Flags"=dword:0400
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
> "Compatibility Flags"=dword:0400
>
> On Wed, Jul 8, 2009 at 9:56 AM, Ziots, Edward  wrote:
>
> Question,
>
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set, is this what everyone else is
> doing? So basically adding each one of these CLSIDs to a .reg file and then
> scheduling a bat file to be run at the computer startup like the following?
>
> (Call it MSVideofit.bat)
> :BATFILE
> @echo off
> rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
> regedit /s "%~dp0MSactiveXVideoFix.reg"
>
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
>
> ETC ETC (down the list of CLSIDs below)
>
> Then set a Group Policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc. get the fix;
> you can try it at a small OU level and reg query the registry after the
> system is booted, to verify that it is working.)
>
> The following Class Identifiers relate to Microsoft Video ActiveX Control:
>
> [CLSID list as quoted above]

RE: New IE zero day exploit in the wild

2009-07-08 Thread Ziots, Edward
So basically you are just uploading the reg file to the computer startup
script and the command you are invoking is regedit /s name_of_script ?
I thought you needed to put a batch file in the computer startup script
area to get that to work. 

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com] 
Sent: Wednesday, July 08, 2009 11:03 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

I didn't create a batch file I just created a reg file with all the
lines like below.  Then I created a new GP and applied it to the OU.  In
the GP I run the reg file in the computer start up script with the /s
argument.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0149EEDF-D08F-4142-8D73-D23903D21E90}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E5-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:0400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0369B4E6-45B6-11D3-B650-00C04F79498E}]
"Compatibility Flags"=dword:0400

On Wed, Jul 8, 2009 at 9:56 AM, Ziots, Edward 
wrote:

Question,

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set, is this what everyone else
is doing? So basically adding each one of these CLSIDs to a .reg file
and then scheduling a bat file to be run at the computer startup like
the following?

(Call it MSVideofit.bat)
:BATFILE
@echo off
rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
regedit /s "%~dp0MSactiveXVideoFix.reg"

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of
your domain, and let it rip. (So servers, workstations etc. get the
fix; you can try it at a small OU level and reg query the registry after
the system is booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX
Control:

[CLSID list as quoted above]

Note The Class Identifiers and corresponding files where the ActiveX
objects are contained are documented in the table above. Replace
{----} below with the Class Identifier
found in this table.

To set the kill bit for a CLSID with a value of
{----}, paste the following text in a
text editor such as Notepad. Then, save the file by using the .reg file
name extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{----X

RE: New IE zero day exploit in the wild

2009-07-08 Thread Tim Evans
A while back, Jesper Johansson published a VBScript that helps with this.
http://msinfluentials.com/blogs/jesper/archive/2006/09/29/Set-KillBit-on-Arbitrary-ActiveX-Controls-with-Group-Policy.aspx
It writes a log file in the root of the user's C: drive that indicates success,
failure or not found. I've got a CMD file that consists of nothing but a
bunch of slayocx.vbs commands.

.Tim


> -Original Message-
> From: Ziots, Edward [mailto:ezi...@lifespan.org]
> Sent: Wednesday, July 08, 2009 7:57 AM
> To: NT System Admin Issues
> Subject: RE: New IE zero day exploit in the wild
> 
> Question,
> 
> According to the Microsoft article it looks like you need to add a whole
> lot of CLSIDs that need the kill bit set, is this what everyone else
> is doing? So basically adding each one of these CLSIDs to a .reg file
> and then scheduling a bat file to be run at the computer startup like
> the following?
> 
> (Call it MSVideofit.bat)
> :BATFILE
> @echo off
> rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
> regedit /s "%~dp0MSactiveXVideoFix.reg"
> 
> :MsActiveXVideoFix.reg
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
> "Compatibility Flags"=dword:0400
> 
> ETC ETC (down the list of CLSIDs below)
> 
> Then set a Group Policy with the computer startup script at the root of
> your domain, and let it rip. (So servers, workstations etc. get the
> fix; you can try it at a small OU level and reg query the registry after
> the system is booted, to verify that it is working.)
> 
> The following Class Identifiers relate to Microsoft Video ActiveX
> Control:
> 
> [CLSID list as quoted above]
> 
> 
> Note The Class Identifiers and corresponding files where the ActiveX
> objects are contained are documented in the table above. Replace
> {----} below with the Class Identifier
> found in this table.
> 
> To set the kill bit for a CLSID with a value of {---
> -}, paste the following text in a text editor such as
> Notepad. Then, save the file by using the .reg file name extension.
> 
> Windows Registry Editor Version 5.00
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{----}]
> "Compatibility Flags"=dword:0400
> 
> You can apply this .reg file to individual systems by double-clicking
> it. You can also apply it across domains by using Group Policy. For more
> information about Group Policy, visit the following Microsoft Web sites:
> 
> 
> Ple

RE: New IE zero day exploit in the wild

2009-07-08 Thread Carl Houseman
It appears that's what we're left to do on our own.  Not sure why MS
couldn't just provide us the .reg file ready-to-use.  Or for that matter, a
.msi file that works with GP.  I tried assigning the msfixit .msi in a group
policy, but it didn't install (on Vista anyway, didn't test w/XP after that,
it worked under Vista when run interactively).

My other idea, a custom .adm file to push the settings out, fell flat
because a single policy can't affect multiple reg keys with a single
enable/disable choice.   If I'm wrong about that I'd love to hear how it's
done.

Carl

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, July 08, 2009 10:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question, 

According to the Microsoft article it looks like you need to add a whole
lot of CLSIDs that need the kill bit set, is this what everyone else is
doing? So basically adding each one of these CLSIDs to a .reg file and then
scheduling a bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
@echo off
rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
regedit /s "%~dp0MSactiveXVideoFix.reg"

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of your
domain, and let it rip. (So servers, workstations etc. get the fix; you
can try it at a small OU level and reg query the registry after the system
is booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:

[CLSID list as quoted above]

Note The Class Identifiers and corresponding files where the ActiveX objects
are contained are documented in the table above. Replace
{----} below with the Class Identifier found
in this table.

To set the kill bit for a CLSID with a value of
{----}, paste the following text in a text
editor such as Notepad. Then, save the file by using the .reg file name
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{----}]
"Compatibility Flags"=dword:0400

You can apply this .reg file to individual systems by double-clicking it.
You can also apply it across domains by using Group Policy. For more
information about Group Policy, visit the following Microsoft Web sites:


Please advise, going to be undertaking this shortly, and don't want to screw
it up. 

Z


Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are 

RE: New IE zero day exploit in the wild

2009-07-08 Thread David Lum
Nothing really, was just seeing if someone knew about a tool that did this 
already before I created my script.

Dave

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Wednesday, July 08, 2009 7:41 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

If you're comfortable writing in Kix, what's stopping you?   I'd do it with for 
/f + list-of-computers + psexec + reg query.

You don't have to look for all of the reg keys, the existence of just 1 means 
the workaround got installed.

Carl

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, July 08, 2009 10:24 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

You are correct of course, I stand corrected on my terminology.

However, like I said, I have 400 systems and I'd rather not manually look at 
400 registries to know I'm covered. The only thing that comes to mind is 
creating a KiX script that looks for the key values and sends output to a 
common .CSV file.

Dave

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, July 07, 2009 2:51 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

What patch?  Killbit workaround is not a patch.  Open the registry and look for 
the registry keys.

Carl

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, July 07, 2009 5:49 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Anyone know how to confirm this patch is applied? Any tools around yet? I'd 
just as soon not manually check 4 or 5 machines and assume all 400 are 
OK...and if I don't have to write my own script to check 'em, all the better...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
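
The fleet check Carl and Dave are going back and forth about (loop over a computer list, reg query each box, collect the answers in a CSV), done as an added Python example that is not from the thread. It queries one of the CLSIDs from the list on each computer's remote registry and classifies the answer three ways: kill bit set, value present but bit clear, or key missing. Testing the 0x400 bit rather than comparing the whole value to 0x400 matters, because a control that already had other compatibility flags keeps them when the kill bit is added. The computer names WS001 to WS004 and their reg.exe output are constructed for the demo; the remote query needs the Remote Registry service running and administrative rights on the target.

```python
"""Verify the ActiveX kill bit across many computers and report as CSV.

Added example (not code from the thread). reg.exe is only invoked by
query_remote(); the parsing and reporting run on captured output, so the
classification can be tested offline.
"""
import csv
import io
import re
import subprocess

KILL_BIT = 0x400
KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# First CLSID from the thread's list; one present key is a good first signal
# that the workaround landed, and the check can be repeated for each CLSID.
CLSID = "{011B3619-FE63-4814-8A84-15A194CE9CE3}"

# reg.exe prints "<name>  REG_DWORD  0x<hex>" separated by runs of whitespace.
# The value name itself contains a space, so anchor on the REG_DWORD token.
VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+REG_DWORD\s+0x(?P<hex>[0-9A-Fa-f]+)\s*$")


def kill_bit_status(reg_output):
    """Classify one computer's `reg query` output.

    'set'     - "Compatibility Flags" has bit 0x400 (other bits may be set too)
    'not-set' - the value exists but the kill bit is clear
    'missing' - key or value absent (reg.exe prints an ERROR line instead)
    """
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if m and m.group("name").strip().lower() == "compatibility flags":
            flags = int(m.group("hex"), 16)
            return "set" if flags & KILL_BIT else "not-set"
    return "missing"


def query_remote(computer, clsid=CLSID):
    """Run reg.exe against a remote machine's registry and return its text.
    Requires the Remote Registry service on the target and admin rights."""
    key = "\\\\%s\\%s\\%s" % (computer, KEY, clsid)
    proc = subprocess.run(["reg", "query", key, "/v", "Compatibility Flags"],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def report(results):
    """results: {computer: reg query output}. Returns CSV text, one row each."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["computer", "clsid", "kill_bit"])
    for computer in sorted(results):
        writer.writerow([computer, CLSID, kill_bit_status(results[computer])])
    return buf.getvalue()


def _sample(hexflags):
    """Constructed reg.exe output in the shape XP/2003 reg.exe produces."""
    return ("\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
            "ActiveX Compatibility\\%s\n"
            "    Compatibility Flags    REG_DWORD    %s\n\n" % (CLSID, hexflags))


# Constructed results for four machines: set, missing, set with extra flags, clear.
SAMPLE = {
    "WS001": _sample("0x400"),
    "WS002": "\nERROR: The system was unable to find the specified registry key or value.\n",
    "WS003": _sample("0x10400"),
    "WS004": _sample("0x0"),
}

if __name__ == "__main__":
    # Live use: results = {c: query_remote(c) for c in open("computers.txt").read().split()}
    print(report(SAMPLE), end="")
```

Feeding the CSV back into the same loop a day later shows which machines have not rebooted since the startup script was assigned, which is the usual reason a GPO-deployed .reg has not taken effect yet.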

RE: New IE zero day exploit in the wild

2009-07-08 Thread David Lum
I was going to, but instead I clicked the "fix it myself", and instead of 
running the .MSI file I downloaded it and pushed it out via SMS. Gotta love 
SMS...10 minutes of work and 400 systems have the workaround.

Yes, that was 46 CLSID's I counted that the .REG file needed. (Excel is your 
friend if you want to go manually creating a .REG file from their list).

Dave

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, July 08, 2009 7:57 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Question, 

According to the Microsoft article it looks like you need to add a whole lot 
of CLSIDs that need the kill bit set, is this what everyone else is doing? So 
basically adding each one of these CLSIDs to a .reg file and then scheduling a 
bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
@echo off
rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
regedit /s "%~dp0MSactiveXVideoFix.reg"

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of your 
domain, and let it rip. (So servers, workstations etc. get the fix; you can 
try it at a small OU level and reg query the registry after the system is 
booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:

[CLSID list as quoted above]

Note The Class Identifiers and corresponding files where the ActiveX objects 
are contained are documented in the table above. Replace 
{----} below with the Class Identifier found in 
this table.

To set the kill bit for a CLSID with a value of 
{----}, paste the following text in a text 
editor such as Notepad. Then, save the file by using the .reg file name 
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{----}]
"Compatibility Flags"=dword:0400

You can apply this .reg file to individual systems by double-clicking it. You 
can also apply it across domains by using Group Policy. For more information 
about Group Policy, visit the following Microsoft Web sites:


Please advise, going to be undertaking this shortly, and don't want to screw it 
up. 

Z


Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
oth

Re: New IE zero day exploit in the wild

2009-07-08 Thread Eric Wittersheim
> "Compatibility Flags"=dword:0400
>
> You can apply this .reg file to individual systems by double-clicking it.
> You can also apply it across domains by using Group Policy. For more
> information about Group Policy, visit the following Microsoft Web sites:
>
>
> Please advise, going to be undertaking this shortly, and don't want to
> screw it up.
>
> Z
>
>
> Edward Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
> ezi...@lifespan.org
> Phone:401-639-3505
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Wednesday, July 08, 2009 10:48 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> Yes, unfortunately, all our users are admins. It sucks, but I use it
> to my advantage when I can.
>
> The reason we've not done a GP is because we haven't had the luxury of
> studying to understand them. Our plates always seem to be full with
> other things.
>
> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> > Are all your users admins? Otherwise, how is that logon script going to
> update HKLM?
> >
> > Machine-based startup script would be better idea, no?
> >
> > Cheers
> > Ken
> >
> > 
> > From: Kurt Buff [kurt.b...@gmail.com]
> > Sent: Wednesday, 8 July 2009 2:41 AM
> > To: NT System Admin Issues
> > Subject: Re: New IE zero day exploit in the wild
> >
> > I'm just pushing out the .reg file in the login script:
> >
> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >
> > The file was easy to create, in a capable editor (not notepad or
> > wordpad) that allows metacharacter search and replace, such as '\n'
> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> > PFE32. I really should switch to VIM, I suppose.
> >
> > On Tue, Jul 7, 2009 at 08:40, Eric
> > Wittersheim wrote:
> >> I'm pushing out the .reg via GP.  So far so good.
> >>
> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
> >>>
> >>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
> pushing
> >>> fine (so far just a few test cases have it, but no issues). Beats
> trying to
> >>> push out a .REG or something...
> >>>
> >>>
> >>>
> >>> David Lum // SYSTEMS ENGINEER
> >>> NORTHWEST EVALUATION ASSOCIATION
> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >>>

RE: New IE zero day exploit in the wild

2009-07-08 Thread Ziots, Edward
Question, 

According to the Microsoft article it looks like you need to add a whole lot 
of CLSIDs that need the kill bit set, is this what everyone else is doing? So 
basically adding each one of these CLSIDs to a .reg file and then scheduling a 
bat file to be run at the computer startup like the following?

(Call it MSVideofit.bat)
:BATFILE
@echo off
rem Import the kill-bit .reg silently; %~dp0 is the folder this .bat was started from
regedit /s "%~dp0MSactiveXVideoFix.reg"

:MsActiveXVideoFix.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}]
"Compatibility Flags"=dword:0400

ETC ETC (down the list of CLSIDs below)

Then set a Group Policy with the computer startup script at the root of your 
domain, and let it rip. (So servers, workstations etc. get the fix; you can 
try it at a small OU level and reg query the registry after the system is 
booted, to verify that it is working.)

The following Class Identifiers relate to Microsoft Video ActiveX Control:

Class Identifier
{011B3619-FE63-4814-8A84-15A194CE9CE3}
{0149EEDF-D08F-4142-8D73-D23903D21E90}
{0369B4E5-45B6-11D3-B650-00C04F79498E}
{0369B4E6-45B6-11D3-B650-00C04F79498E}
{055CB2D7-2969-45CD-914B-76890722F112}
{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
{15D6504A-5494-499C-886C-973C9E53B9F1}
{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}
{1C15D484-911D-11D2-B632-00C04F79498E}
{1DF7D126-4050-47F0-A7CF-4C4CA9241333}
{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}
{334125C0-77E5-11D3-B653-00C04F79498E}
{37B0353C-A4C8-11D2-B634-00C04F79498E}
{37B03543-A4C8-11D2-B634-00C04F79498E}
{37B03544-A4C8-11D2-B634-00C04F79498E}
{418008F3-CF67-4668-9628-10DC52BE1D08}
{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}
{577FAA18-4518-445E-8F70-1473F8CF4BA4}
{59DC47A8-116C-11D3-9D8E-00C04F72D980}
{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}
{823535A0-0318-11D3-9D8E-00C04F72D980}
{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}
{8A674B4C-1F63-11D3-B64C-00C04F79498E}
{8A674B4D-1F63-11D3-B64C-00C04F79498E}
{9CD64701-BDF3-4D14-8E03-F12983D86664}
{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}
{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}
{A2E3074E-6C3D-11D3-B653-00C04F79498E}
{A2E30750-6C3D-11D3-B653-00C04F79498E}
{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}
{AD8E510D-217F-409B-8076-29C5E73B98E8}
{B0EDF163-910A-11D2-B632-00C04F79498E}
{B64016F3-C9A2-4066-96F0-BD9563314726}
{BB530C63-D9DF-4B49-9439-63453962E598}
{C531D9FD-9685-4028-8B68-6E1232079F1E}
{C5702CCC-9B79-11D3-B654-00C04F79498E}
{C5702CCD-9B79-11D3-B654-00C04F79498E}
{C5702CCE-9B79-11D3-B654-00C04F79498E}
{C5702CCF-9B79-11D3-B654-00C04F79498E}
{C5702CD0-9B79-11D3-B654-00C04F79498E}
{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}
{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}
{D02AAC50-027E-11D3-9D8E-00C04F72D980}
{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}
{FA7C375B-66A7-4280-879D-FD459C84BB02}

Note: The Class Identifiers and corresponding files where the ActiveX objects 
are contained are documented in the table above. Replace {----} below with the 
Class Identifier found in this table.

To set the kill bit for a CLSID with a value of 
{----}, paste the following text in a text 
editor such as Notepad. Then, save the file by using the .reg file name 
extension.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{----}]
"Compatibility Flags"=dword:0400

You can apply this .reg file to individual systems by double-clicking it. You 
can also apply it across domains by using Group Policy. For more information 
about Group Policy, visit the following Microsoft Web sites:


Please advise; I'm going to be undertaking this shortly and don't want to screw 
it up. 

Z


Edward Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
ezi...@lifespan.org
Phone:401-639-3505
-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Wednesday, July 08, 2009 10:48 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.

On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> Are all your users admins? Otherwise, how is that logon script going to 
> update HKLM?
>
> Machine-based startup script would be better idea, no?
>
> Cheers
> Ken
>
> 
> From: Kurt Buff [kurt.b...@gmail.com]
> Sent: Wednesday, 8 July 2009 2:41 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
>     regedit /s \\fileserver\
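
A worked version of the startup-script approach in the message above, added here as an example; it is not the poster's script and not Microsoft's Fix it. It assumes PowerShell is installed on the targets, that it runs as a computer startup script (SYSTEM, so HKLM is writable), and that \\server\share\killbit-log is a hypothetical share on which Domain Computers can write. Two points the e-mail sample glosses over: the key path in a .reg file must stay on one line (the wrap in the quoted sample is e-mail formatting), and the kill bit is bit 0x400 of "Compatibility Flags", so the script ORs it into whatever value is already there and tests that bit rather than comparing the whole DWORD. As Carl notes elsewhere in the thread, this is a workaround, not a patch: it stops IE instantiating the control and changes nothing else.

```powershell
# Added example for this thread; not the poster's script and not Microsoft's Fix it.
# Sets the IE kill bit (bit 0x400 of "Compatibility Flags") for the 45 Microsoft Video
# ActiveX CLSIDs quoted above, from a computer startup script, and records the result.
# Assumptions: PowerShell is installed on the target, the script runs as SYSTEM from a
# computer startup GPO (so HKLM is writable), and \\server\share\killbit-log is a
# hypothetical share on which Domain Computers have write access.

$KillBit  = 0x400
$BaseKey  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$LogShare = '\\server\share\killbit-log'     # hypothetical share name

# The 45 CLSIDs from the advisory, as listed earlier in this message.
$Clsids = @(
    '{011B3619-FE63-4814-8A84-15A194CE9CE3}', '{0149EEDF-D08F-4142-8D73-D23903D21E90}',
    '{0369B4E5-45B6-11D3-B650-00C04F79498E}', '{0369B4E6-45B6-11D3-B650-00C04F79498E}',
    '{055CB2D7-2969-45CD-914B-76890722F112}', '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}',
    '{15D6504A-5494-499C-886C-973C9E53B9F1}', '{1BE49F30-0E1B-11D3-9D8E-00C04F72D980}',
    '{1C15D484-911D-11D2-B632-00C04F79498E}', '{1DF7D126-4050-47F0-A7CF-4C4CA9241333}',
    '{2C63E4EB-4CEA-41B8-919C-E947EA19A77C}', '{334125C0-77E5-11D3-B653-00C04F79498E}',
    '{37B0353C-A4C8-11D2-B634-00C04F79498E}', '{37B03543-A4C8-11D2-B634-00C04F79498E}',
    '{37B03544-A4C8-11D2-B634-00C04F79498E}', '{418008F3-CF67-4668-9628-10DC52BE1D08}',
    '{4A5869CF-929D-4040-AE03-FCAFC5B9CD42}', '{577FAA18-4518-445E-8F70-1473F8CF4BA4}',
    '{59DC47A8-116C-11D3-9D8E-00C04F72D980}', '{7F9CB14D-48E4-43B6-9346-1AEBC39C64D3}',
    '{823535A0-0318-11D3-9D8E-00C04F72D980}', '{8872FF1B-98FA-4D7A-8D93-C9F1055F85BB}',
    '{8A674B4C-1F63-11D3-B64C-00C04F79498E}', '{8A674B4D-1F63-11D3-B64C-00C04F79498E}',
    '{9CD64701-BDF3-4D14-8E03-F12983D86664}', '{9E77AAC4-35E5-42A1-BDC2-8F3FF399847C}',
    '{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980}', '{A2E3074E-6C3D-11D3-B653-00C04F79498E}',
    '{A2E30750-6C3D-11D3-B653-00C04F79498E}', '{A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE}',
    '{AD8E510D-217F-409B-8076-29C5E73B98E8}', '{B0EDF163-910A-11D2-B632-00C04F79498E}',
    '{B64016F3-C9A2-4066-96F0-BD9563314726}', '{BB530C63-D9DF-4B49-9439-63453962E598}',
    '{C531D9FD-9685-4028-8B68-6E1232079F1E}', '{C5702CCC-9B79-11D3-B654-00C04F79498E}',
    '{C5702CCD-9B79-11D3-B654-00C04F79498E}', '{C5702CCE-9B79-11D3-B654-00C04F79498E}',
    '{C5702CCF-9B79-11D3-B654-00C04F79498E}', '{C5702CD0-9B79-11D3-B654-00C04F79498E}',
    '{C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7}', '{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}',
    '{D02AAC50-027E-11D3-9D8E-00C04F72D980}', '{F9769A06-7ACA-4E39-9CFB-97BB35F0E77E}',
    '{FA7C375B-66A7-4280-879D-FD459C84BB02}'
)

function Test-KillBit {
    param([string]$Clsid)
    $props = Get-ItemProperty -Path "$BaseKey\$Clsid" -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'Compatibility Flags') { return $false }
    # Test the bit, not the whole value: a control may carry other Compatibility Flags too.
    return (([int]$props.'Compatibility Flags' -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Clsid)
    $key = "$BaseKey\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = 0
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $null -ne $props.'Compatibility Flags') { $current = [int]$props.'Compatibility Flags' }
    # OR the bit in rather than overwriting, so existing flags on the control survive.
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Write-KillBitRegFile {
    # For sites that push a .reg via SMS or GP instead: same content as a hand-built
    # file, with each key path kept on one line.
    param([string]$Path)
    $lines = @('Windows Registry Editor Version 5.00', '')
    foreach ($id in $Clsids) {
        $lines += "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id]"
        $lines += '"Compatibility Flags"=dword:00000400'
        $lines += ''
    }
    $lines | Out-File -FilePath $Path -Encoding Unicode   # regedit reads UTF-16LE .reg files
}

# Apply only where the bit is not already set, then re-check and log one line per machine.
$missing = @($Clsids | Where-Object { -not (Test-KillBit $_) })
foreach ($id in $missing) { Set-KillBit $id }
$stillMissing = @($Clsids | Where-Object { -not (Test-KillBit $_) })
$status = 'OK'
if ($stillMissing.Count -gt 0) { $status = 'FAILED:' + ($stillMissing -join ';') }
# A machine with no file on the share is one where the startup script never ran.
"$env:COMPUTERNAME,$(Get-Date -Format s),set=$($missing.Count),$status" |
    Out-File -FilePath "$LogShare\$env:COMPUTERNAME.txt" -Encoding ASCII
```

Test it on a small OU first, as suggested above; the per-machine file on the share tells you both that the script ran and whether every CLSID ended up protected.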

Re: New IE zero day exploit in the wild

2009-07-08 Thread Jonathan Link
After taking local admin rights away from users my plate is less full.
YMMV.

On Wed, Jul 8, 2009 at 10:47 AM, Kurt Buff  wrote:

> Yes, unfortunately, all our users are admins. It sucks, but I use it
> to my advantage when I can.
>
> The reason we've not done a GP is because we haven't had the luxury of
> studying to understand them. Our plates always seem to be full with
> other things.
>
> On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> > Are all your users admins? Otherwise, how is that logon script going to
> update HKLM?
> >
> > Machine-based startup script would be better idea, no?
> >
> > Cheers
> > Ken
> >
> > 
> > From: Kurt Buff [kurt.b...@gmail.com]
> > Sent: Wednesday, 8 July 2009 2:41 AM
> > To: NT System Admin Issues
> > Subject: Re: New IE zero day exploit in the wild
> >
> > I'm just pushing out the .reg file in the login script:
> >
> > regedit /s \\fileserver\public\patches\videokillbits.reg
> >
> > The file was easy to create, in a capable editor (not notepad or
> > wordpad) that allows metacharacter search and replace, such as '\n'
> > for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> > PFE32. I really should switch to VIM, I suppose.
> >
> > On Tue, Jul 7, 2009 at 08:40, Eric
> > Wittersheim wrote:
> >> I'm pushing out the .reg via GP.  So far so good.
> >>
> >> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
> >>>
> >>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
> >>> fine (so far just a few test cases have it, but no issues). Beats trying to
> >>> push out a .REG or something…
> >>>
> >>>
> >>>
> >>> David Lum // SYSTEMS ENGINEER
> >>> NORTHWEST EVALUATION ASSOCIATION
> >>> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >>>
>  > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
> >
> >
>
>
>


Re: New IE zero day exploit in the wild

2009-07-08 Thread Kurt Buff
Yes, unfortunately, all our users are admins. It sucks, but I use it
to my advantage when I can.

The reason we've not done a GP is because we haven't had the luxury of
studying to understand them. Our plates always seem to be full with
other things.

On Tue, Jul 7, 2009 at 19:04, Ken Schaefer wrote:
> Are all your users admins? Otherwise, how is that logon script going to 
> update HKLM?
>
> Machine-based startup script would be better idea, no?
>
> Cheers
> Ken
>
> 
> From: Kurt Buff [kurt.b...@gmail.com]
> Sent: Wednesday, 8 July 2009 2:41 AM
> To: NT System Admin Issues
> Subject: Re: New IE zero day exploit in the wild
>
> I'm just pushing out the .reg file in the login script:
>
>     regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim wrote:
>> I'm pushing out the .reg via GP.  So far so good.
>>
>> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>>
>>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
>>> fine (so far just a few test cases have it, but no issues). Beats trying to
>>> push out a .REG or something…
>>>
>>>
>>>
>>> David Lum // SYSTEMS ENGINEER
>>> NORTHWEST EVALUATION ASSOCIATION
>>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>>
>
>




RE: New IE zero day exploit in the wild

2009-07-08 Thread Jake Gardner
I usually just do something like this when pushing something...
 
echo Done > \\server\publicshare\%computername%.txt
 
OR
 
echo %computername% >> \\server\share\listofpcsthatranthescript.txt
 
Thanks,
 
Jake Gardner
TTC Network Administrator
Ext. 246
 



From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Wednesday, July 08, 2009 10:41 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild



If you're comfortable writing in Kix, what's stopping you?   I'd do it
with for /f + list-of-computers + psexec + reg query.

 

You don't have to look for all of the reg keys, the existence of just 1
means the workaround got installed.

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, July 08, 2009 10:24 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

You are correct of course, I stand corrected on my terminology. 

 

However, like I said, I have 400 systems and I'd rather not manually
look at 400 registries to know I'm covered. The only thing that comes to
mind is creating a KiX script that looks for the key values and sends
output to a common .CSV file.

 

Dave

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, July 07, 2009 2:51 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

What patch?  Killbit workaround is not a patch.  Open the registry and
look for the registry keys.

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, July 07, 2009 5:49 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

Anyone know how to confirm this patch is applied? Any tools around yet?
I'd just as soon not manually check 4 or 5 machines and assume all 400
are OK...and if I don't have to write my own script to check 'em, all
the better...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

***Teletronics Technology Corporation*** 
This e-mail is confidential and may also be privileged.  If you are not the 
addressee or authorized by the addressee to receive this e-mail, you may not 
disclose, copy, distribute, or use this e-mail. If you have received this 
e-mail in error, please notify the sender immediately by reply e-mail or by 
telephone at 267-352-2020 and destroy this message and any copies.  

Thank you.

***




RE: New IE zero day exploit in the wild

2009-07-08 Thread Carl Houseman
If you're comfortable writing in Kix, what's stopping you?   I'd do it with
for /f + list-of-computers + psexec + reg query.

 

You don't have to look for all of the reg keys, the existence of just 1
means the workaround got installed.

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, July 08, 2009 10:24 AM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

You are correct of course, I stand corrected on my terminology. 

 

However, like I said, I have 400 systems and I'd rather not manually look at
400 registries to know I'm covered. The only thing that comes to mind is
creating a KiX script that looks for the key values and sends output to a
common .CSV file.

 

Dave

 

From: Carl Houseman [mailto:c.house...@gmail.com] 
Sent: Tuesday, July 07, 2009 2:51 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

What patch?  Killbit workaround is not a patch.  Open the registry and look
for the registry keys.

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, July 07, 2009 5:49 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

Anyone know how to confirm this patch is applied? Any tools around yet? I'd
just as soon not manually check 4 or 5 machines and assume all 400 are
OK...and if I don't have to write my own script to check 'em, all the better...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

RE: New IE zero day exploit in the wild

2009-07-08 Thread David Lum
You are correct of course, I stand corrected on my terminology.

However, like I said, I have 400 systems and I'd rather not manually look at 
400 registries to know I'm covered. The only thing that comes to mind is 
creating a KiX script that looks for the key values and sends output to a 
common .CSV file.

Dave

From: Carl Houseman [mailto:c.house...@gmail.com]
Sent: Tuesday, July 07, 2009 2:51 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

What patch?  Killbit workaround is not a patch.  Open the registry and look for 
the registry keys.

Carl

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, July 07, 2009 5:49 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Anyone know how to confirm this patch is applied? Any tools around yet? I'd 
just as soon not manually check 4 or 5 machines and assume all 400 are 
OK...and if I don't have to write my own script to check 'em, all the better...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
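
An added example for the verification question in this message (not code from the thread, and not a Microsoft tool): it reads the CLSIDs out of the .reg that was actually deployed, opens each computer's registry remotely, and writes one CSV row per machine, which is the KiX-to-CSV idea in PowerShell form. Assumptions: the Remote Registry service is running on the targets, the account running it is a local administrator on them, and the file names videokillbits.reg, computers.txt and killbit-status.csv are hypothetical. It checks all of the keys rather than one, and it checks the 0x400 bit rather than the key's existence, since a key can exist with the bit clear.

```powershell
# Added example, not code from the thread. Verifies the kill bit for every CLSID in a
# deployed .reg file on each computer in a list, via the remote registry, and writes one
# CSV row per computer. Assumptions: Remote Registry is running on the targets, the caller
# is a local admin on them, and the three file names below are hypothetical. Usage:
#   .\Test-KillBitFleet.ps1 -RegFile .\videokillbits.reg -ComputerList .\computers.txt -OutCsv .\killbit-status.csv

param(
    [string]$RegFile      = '.\videokillbits.reg',
    [string]$ComputerList = '.\computers.txt',
    [string]$OutCsv       = '.\killbit-status.csv'
)

$KillBit = 0x400
$SubKey  = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ClsidFromRegFile {
    param([string]$Path)
    # Take the CLSIDs from the .reg that was actually deployed, so the list being
    # checked cannot drift from the list that was pushed.
    $pattern = '^\[HKEY_LOCAL_MACHINE\\' + [regex]::Escape($SubKey) + '\\(\{[0-9A-Fa-f-]{36}\})\]\s*$'
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $pattern) { $matches[1].ToUpper() }
    }
}

function Test-RemoteKillBit {
    param([string]$Computer, [string[]]$Clsid)
    $result = New-Object PSObject -Property @{
        Computer = $Computer; Reachable = $false; Total = $Clsid.Count; Set = 0; Missing = ''
    }
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    } catch {
        return $result   # offline, firewalled, or Remote Registry stopped: report it, don't guess
    }
    $result.Reachable = $true
    $missing = @()
    foreach ($id in $Clsid) {
        $key = $hklm.OpenSubKey("$SubKey\$id")
        $flags = $null
        if ($key) { $flags = $key.GetValue('Compatibility Flags'); $key.Close() }
        # A key that exists with no value, or with a value lacking bit 0x400, is not
        # protected, so test the bit rather than the presence of the key.
        if ($null -ne $flags -and (([int]$flags -band $KillBit) -eq $KillBit)) {
            $result.Set++
        } else {
            $missing += $id
        }
    }
    $hklm.Close()
    $result.Missing = ($missing -join ';')
    return $result
}

$clsids = @(Get-ClsidFromRegFile -Path $RegFile)
if ($clsids.Count -eq 0) { throw "No CLSIDs parsed from $RegFile" }

$rows = Get-Content -Path $ComputerList |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { Test-RemoteKillBit -Computer $_.Trim() -Clsid $clsids }

$rows | Select-Object Computer, Reachable, Total, Set, Missing |
    Export-Csv -Path $OutCsv -NoTypeInformation

# Console summary of anything that still needs attention.
$rows | Where-Object { -not $_.Reachable -or $_.Set -ne $_.Total } |
    Format-Table Computer, Reachable, Set, Total -AutoSize
```

Unreachable machines come out as Reachable=False rather than being silently skipped, which is the difference between "400 checked" and "400 OK".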

RE: New IE zero day exploit in the wild

2009-07-08 Thread Jake Gardner
I use ConText for my script editing.   Built in file-compare,
color-coding, you can download all kinds of language definitions.
Unfortunately it hasn't been updated since 12/2006
 
http://www.contexteditor.org/
 
 
Thanks,
 
Jake Gardner
TTC Network Administrator
Ext. 246
 



From: tony patton [mailto:tony.pat...@quinn-insurance.com] 
Sent: Wednesday, July 08, 2009 3:18 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild



PFE32 was a life saver in the day :-) 

think Notepad++ is now the most used app on my work PC, for text,
vbscript, logs & regfiles. 

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com 



Kurt Buff  

07/07/2009 17:41 
Please respond to
"NT System Admin Issues" 


To
"NT System Admin Issues"  
cc
Subject
Re: New IE zero day exploit in the wild






I'm just pushing out the .reg file in the login script:

regedit /s \\fileserver\public\patches\videokillbits.reg

The file was easy to create, in a capable editor (not notepad or
wordpad) that allows metacharacter search and replace, such as '\n'
for CRLF and '\t' for tab. I used the ancient, no-longer-supported
PFE32. I really should switch to VIM, I suppose.

On Tue, Jul 7, 2009 at 08:40, Eric
Wittersheim wrote:
> I'm pushing out the .reg via GP.  So far so good.
>
> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>
>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>> fine (so far just a few test cases have it, but no issues). Beats trying to
>> push out a .REG or something...
>>
>>
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>
>>
>>
>>
>>
>>
>>
>> From: J Kyo [mailto:jky...@gmail.com]
>> Sent: Tuesday, July 07, 2009 8:18 AM
>> To: NT System Admin Issues
>> Subject: Re: New IE zero day exploit in the wild
>>
>>
>>
>> Curious if anyone has used the "Microsoft Fix It" from:
>> http://support.microsoft.com/kb/972890.
>>
>> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
>> wrote:
>>
>> Recommendation from MS is to set the killbits everywhere.
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Ken Schaefer [mailto:k...@adopenstatic.com]
>> Sent: Monday, July 06, 2009 9:06 PM
>>
>> To: NT System Admin Issues
>>
>> Subject: RE: New IE zero day exploit in the wild
>>
>>
>>
>> Seems to be XP / Windows Server 2003 only?
>>
>> Cheers
>>
>> Ken
>>
>>
>>
>> 
>>
>> From: Alex Eckelberry [al...@sunbelt-software.com]
>> Sent: Tuesday, 7 July 2009 5:56 AM
>> To: NT System Admin Issues
>> Subject: New IE zero day exploit in the wild
>>
>> Our labs have confirmed this and it is quite nasty.  Best bet for now is
>> to set the killbits. Or don't use IE.
>>
>>
>>
>> Some references:
>>
>>
>>
>> Microsoft:
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> SANS:
>>
>>
>>
>> http://isc.sans.org/diary.html?storyid=6733
>>
>>
>>
>> I would take this one quite seriously.
>>
>>
>>
>> Alex





http://www.quinn-insurance.com

This e-mail is intended only for the addressee named above. The contents
should not be copied nor disclosed to any other person. Any views or
opinions expressed are solely those of the sender and
do not necessarily represent those of QUINN-Insurance, unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insu

Re: New IE zero day exploit in the wild

2009-07-08 Thread tony patton
PFE32 was a life saver in the day :-)

think Notepad++ is now the most used app on my work PC, for text, 
vbscript, logs & regfiles.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



Kurt Buff  
07/07/2009 17:41
Please respond to
"NT System Admin Issues" 


To
"NT System Admin Issues" 
cc

Subject
Re: New IE zero day exploit in the wild






I'm just pushing out the .reg file in the login script:

 regedit /s \\fileserver\public\patches\videokillbits.reg

The file was easy to create, in a capable editor (not notepad or
wordpad) that allows metacharacter search and replace, such as '\n'
for CRLF and '\t' for tab. I used the ancient, no-longer-supported
PFE32. I really should switch to VIM, I suppose.

On Tue, Jul 7, 2009 at 08:40, Eric
Wittersheim wrote:
> I'm pushing out the .reg via GP.  So far so good.
>
> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>
>> The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing
>> fine (so far just a few test cases have it, but no issues). Beats trying to
>> push out a .REG or something...
>>
>>
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>
>>
>>
>>
>>
>>
>>
>> From: J Kyo [mailto:jky...@gmail.com]
>> Sent: Tuesday, July 07, 2009 8:18 AM
>> To: NT System Admin Issues
>> Subject: Re: New IE zero day exploit in the wild
>>
>>
>>
>> Curious if anyone has used the "Microsoft Fix It" from:
>> http://support.microsoft.com/kb/972890.
>>
>> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
>> wrote:
>>
>> Recommendation from MS is to set the killbits everywhere.
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Ken Schaefer [mailto:k...@adopenstatic.com]
>> Sent: Monday, July 06, 2009 9:06 PM
>>
>> To: NT System Admin Issues
>>
>> Subject: RE: New IE zero day exploit in the wild
>>
>>
>>
>> Seems to be XP / Windows Server 2003 only?
>>
>> Cheers
>>
>> Ken
>>
>>
>>
>> 
>>
>> From: Alex Eckelberry [al...@sunbelt-software.com]
>> Sent: Tuesday, 7 July 2009 5:56 AM
>> To: NT System Admin Issues
>> Subject: New IE zero day exploit in the wild
>>
>> Our labs have confirmed this and it is quite nasty.  Best bet for now is
>> to set the killbits. Or don't use IE.
>>
>>
>>
>> Some references:
>>
>>
>>
>> Microsoft:
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> SANS:
>>
>>
>>
>> http://isc.sans.org/diary.html?storyid=6733
>>
>>
>>
>> I would take this one quite seriously.
>>
>>
>>
>> Alex


Re: New IE zero day exploit in the wild

2009-07-08 Thread tony patton
Same here, we can't roll out IE7 to a specific dept here as the company is 
looking for 50K just to support it on IE7.

The best thing about it is, IE7 was released before we got the 
application, it'll work in ie7, but not supported.

I've had to decline IE7 in wsus just to make sure that it doesn't get 
installed accidentally.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



Sherry Abercrombie  
07/07/2009 17:22
Please respond to
"NT System Admin Issues" 


To
"NT System Admin Issues" 
cc

Subject
Re: New IE zero day exploit in the wild






LOL, but isn't it the computer if it's a Mac...seriously, I do 
understand.  I'm still stuck at IE6 because of two stupid enterprise 
applications that haven't been officially sanctioned by the mfg to run in 
IE7 or above.  

On Tue, Jul 7, 2009 at 11:12 AM, paul chinnery  
wrote:
I know, Sherry.  But try to teach that to all the users.  I still have a 
few who think the monitor IS the computer.  

Date: Tue, 7 Jul 2009 10:54:41 -0500

Subject: Re: New IE zero day exploit in the wild
From: saber...@gmail.com

To: ntsysadmin@lyris.sunbelt-software.com

IE Tabs will work for just about everything IE in FF.

On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery  
wrote:
Same here.  (I so wish we could use FF but a couple of our apps won't run 
if we do so I have to be content with using it myself.)

Date: Tue, 7 Jul 2009 11:29:13 -0400

Subject: Re: New IE zero day exploit in the wild
From: lee.doug...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com


Yes, on several XP machines. So far nothing is broken, at least. 


On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:
Curious if anyone has used the "Microsoft Fix It" from: 
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  
wrote:
Recommendation from MS is to set the killbits everywhere.
 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 
Carl
 
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 

To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild 

 
Seems to be XP / Windows Server 2003 only?
Cheers
Ken
 

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild
Our labs have confirmed this and it is quite nasty.  Best bet for now is 
to set the killbits. Or don't use IE. 
 
Some references:
 
Microsoft: 
 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 
SANS: 
 
http://isc.sans.org/diary.html?storyid=6733
 
I would take this one quite seriously.  
 
Alex
-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke
-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke

RE: New IE zero day exploit in the wild

2009-07-07 Thread Ken Schaefer
Are all your users admins? Otherwise, how is that logon script going to update 
HKLM?

Machine-based startup script would be better idea, no?

Cheers
Ken


From: Kurt Buff [kurt.b...@gmail.com]
Sent: Wednesday, 8 July 2009 2:41 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

I'm just pushing out the .reg file in the login script:

 regedit /s \\fileserver\public\patches\videokillbits.reg

The file was easy to create, in a capable editor (not notepad or
wordpad) that allows metacharacter search and replace, such as '\n'
for CRLF and '\t' for tab. I used the ancient, no-longer-supported
PFE32. I really should switch to VIM, I suppose.

On Tue, Jul 7, 2009 at 08:40, Eric
Wittersheim wrote:
> I'm pushing out the .reg via GP.  So far so good.
>
> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>
>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
>> fine (so far just a few test cases have it, but no issues). Beats trying to
>> push out a .REG or something…
>>
>>
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>



RE: New IE zero day exploit in the wild

2009-07-07 Thread Carl Houseman
What patch?  Killbit workaround is not a patch.  Open the registry and look
for the registry keys.

 

Carl

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, July 07, 2009 5:49 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

Anyone know how to confirm this patch is applied? Any tools around yet? I'd
just as soon not manually check 4 or 5 machines and assume all 400 are
OK...and if I don't have to write my own script to check 'em, all the better...

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 


RE: New IE zero day exploit in the wild

2009-07-07 Thread David Lum
Anyone know how to confirm this patch is applied? Any tools around yet? I'd 
just as soon not manually check 4 or 5 machines and assume all 400 are 
OK...and if I don't have to write my own script to check 'em, all the better...
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


RE: New IE zero day exploit in the wild

2009-07-07 Thread Ziots, Edward
TY

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com] 
Sent: Tuesday, July 07, 2009 1:57 PM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

yes

On Tue, Jul 7, 2009 at 12:49 PM, Ziots, Edward 
wrote:

Are you doing it in a Startup script via the GP? 

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com] 
Sent: Tuesday, July 07, 2009 11:41 AM


To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

I'm pushing out the .reg via GP.  So far so good.

On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:

The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
pushing fine (so far just a few test cases have it, but no issues).
Beats trying to push out a .REG or something...

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 8:18 AM


To: NT System Admin Issues

Subject: Re: New IE zero day exploit in the wild

 

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
wrote:

Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 



From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is
to set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

Re: New IE zero day exploit in the wild

2009-07-07 Thread Kurt Buff
How lucky for you. Heh.

Still on Win2k3 here, and likely to be so for quite a while.

On Tue, Jul 7, 2009 at 12:14, James Rankin wrote:
> I'm pushing it out via Group Policy Preferences. 2008 rocks
>
> 2009/7/7 Kurt Buff 
>>
>> I'm just pushing out the .reg file in the login script:
>>
>>     regedit /s \\fileserver\public\patches\videokillbits.reg
>>
>> The file was easy to create, in a capable editor (not notepad or
>> wordpad) that allows metacharacter search and replace, such as '\n'
>> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
>> PFE32. I really should switch to VIM, I suppose.
>>
>> On Tue, Jul 7, 2009 at 08:40, Eric
>> Wittersheim wrote:
>> > I'm pushing out the .reg via GP.  So far so good.
>> >
>> > On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>> >>
>> >> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
>> >> fine (so far just a few test cases have it, but no issues). Beats trying to
>> >> push out a .REG or something…
>> >>
>> >>
>> >>
>> >> David Lum // SYSTEMS ENGINEER
>> >> NORTHWEST EVALUATION ASSOCIATION
>> >> (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> From: J Kyo [mailto:jky...@gmail.com]
>> >> Sent: Tuesday, July 07, 2009 8:18 AM
>> >> To: NT System Admin Issues
>> >> Subject: Re: New IE zero day exploit in the wild
>> >>
>> >>
>> >>
>> >> Curious if anyone has used the "Microsoft Fix It" from:
>> >> http://support.microsoft.com/kb/972890.
>> >>
>> >> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
>> >> wrote:
>> >>
>> >> Recommendation from MS is to set the killbits everywhere.
>> >>
>> >>
>> >>
>> >> http://www.microsoft.com/technet/security/advisory/972890.mspx
>> >>
>> >>
>> >>
>> >> Carl
>> >>
>> >>
>> >>
>> >> From: Ken Schaefer [mailto:k...@adopenstatic.com]
>> >> Sent: Monday, July 06, 2009 9:06 PM
>> >>
>> >> To: NT System Admin Issues
>> >>
>> >> Subject: RE: New IE zero day exploit in the wild
>> >>
>> >>
>> >>
>> >> Seems to be XP / Windows Server 2003 only?
>> >>
>> >> Cheers
>> >>
>> >> Ken
>> >>
>> >>
>> >>
>> >> 
>> >>
>> >> From: Alex Eckelberry [al...@sunbelt-software.com]
>> >> Sent: Tuesday, 7 July 2009 5:56 AM
>> >> To: NT System Admin Issues
>> >> Subject: New IE zero day exploit in the wild
>> >>
>> >> Our labs have confirmed this and it is quite nasty.  Best bet for now
>> >> is
>> >> to set the killbits. Or don't use IE.
>> >>
>> >>
>> >>
>> >> Some references:
>> >>
>> >>
>> >>
>> >> Microsoft:
>> >>
>> >>
>> >>
>> >> http://www.microsoft.com/technet/security/advisory/972890.mspx
>> >>
>> >>
>> >>
>> >> SANS:
>> >>
>> >>
>> >>
>> >> http://isc.sans.org/diary.html?storyid=6733
>> >>
>> >>
>> >>
>> >> I would take this one quite seriously.
>> >>
>> >>
>> >>
>> >> Alex
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>
> http://raythestray.blogspot.com

Re: New IE zero day exploit in the wild

2009-07-07 Thread James Rankin
I'm pushing it out via Group Policy Preferences. 2008 rocks

2009/7/7 Kurt Buff 

> I'm just pushing out the .reg file in the login script:
>
> regedit /s \\fileserver\public\patches\videokillbits.reg
>
> The file was easy to create, in a capable editor (not notepad or
> wordpad) that allows metacharacter search and replace, such as '\n'
> for CRLF and '\t' for tab. I used the ancient, no-longer-supported
> PFE32. I really should switch to VIM, I suppose.
>
> On Tue, Jul 7, 2009 at 08:40, Eric
> Wittersheim wrote:
> > I'm pushing out the .reg via GP.  So far so good.
> >
> > On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
> >>
> >> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is
> pushing
> >> fine (so far just a few test cases have it, but no issues). Beats trying
> to
> >> push out a .REG or something…
> >>
> >>
> >>
> >> David Lum // SYSTEMS ENGINEER
> >> NORTHWEST EVALUATION ASSOCIATION
> >> (Desk) 971.222.1025 // (Cell) 503.267.9764
> >>
> >> From: J Kyo [mailto:jky...@gmail.com]
> >> Sent: Tuesday, July 07, 2009 8:18 AM
> >> To: NT System Admin Issues
> >> Subject: Re: New IE zero day exploit in the wild
> >>
> >>
> >>
> >> Curious if anyone has used the "Microsoft Fix It" from:
> >> http://support.microsoft.com/kb/972890.
> >>
> >> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
> >> wrote:
> >>
> >> Recommendation from MS is to set the killbits everywhere.
> >>
> >>
> >>
> >> http://www.microsoft.com/technet/security/advisory/972890.mspx
> >>
> >>
> >>
> >> Carl
> >>
> >>
> >>
> >> From: Ken Schaefer [mailto:k...@adopenstatic.com]
> >> Sent: Monday, July 06, 2009 9:06 PM
> >>
> >> To: NT System Admin Issues
> >>
> >> Subject: RE: New IE zero day exploit in the wild
> >>
> >>
> >>
> >> Seems to be XP / Windows Server 2003 only?
> >>
> >> Cheers
> >>
> >> Ken
> >>
> >>
> >>
> >> 
> >>
> >> From: Alex Eckelberry [al...@sunbelt-software.com]
> >> Sent: Tuesday, 7 July 2009 5:56 AM
> >> To: NT System Admin Issues
> >> Subject: New IE zero day exploit in the wild
> >>
> >> Our labs have confirmed this and it is quite nasty.  Best bet for now is
> >> to set the killbits. Or don't use IE.
> >>
> >>
> >>
> >> Some references:
> >>
> >>
> >>
> >> Microsoft:
> >>
> >>
> >>
> >> http://www.microsoft.com/technet/security/advisory/972890.mspx
> >>
> >>
> >>
> >> SANS:
> >>
> >>
> >>
> >> http://isc.sans.org/diary.html?storyid=6733
> >>
> >>
> >>
> >> I would take this one quite seriously.
> >>
> >>
> >>
> >> Alex
>

-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com

Re: New IE zero day exploit in the wild

2009-07-07 Thread James Rankin
Just about ALL my users think the monitor is the computer...bloody chip PCs

2009/7/7 paul chinnery 

>  I know, Sherry.  But try to teach that to all the users.  I still have a
> few who think the monitor IS the computer.
>
> --
> Date: Tue, 7 Jul 2009 10:54:41 -0500
> Subject: Re: New IE zero day exploit in the wild
> From: saber...@gmail.com
>
> To: ntsysadmin@lyris.sunbelt-software.com
>
> IE Tabs will work for just about everything IE in FF.
>
> On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery wrote:
>
>  Same here.  (I so wish we could use FF but a couple of our apps won't run
> if we do so I have to be content with using it myself.)
>
> ------
> Date: Tue, 7 Jul 2009 11:29:13 -0400
> Subject: Re: New IE zero day exploit in the wild
> From: lee.doug...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
>
> Yes, on several XP machines. So far nothing is broken, at least.
>
>
> On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:
>
> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman wrote:
>
>  Recommendation from MS is to set the killbits everywhere.
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> Carl
>
>  *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
> *To:* NT System Admin Issues
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>  Seems to be XP / Windows Server 2003 only?
>  Cheers
>  Ken
>
>  ------------------
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>   Our labs have confirmed this and it is quite nasty.  Best bet for now is
> to set the killbits. Or don't use IE.
>
> Some references:
>
> Microsoft:
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> SANS:
>
> http://isc.sans.org/diary.html?storyid=6733
>
> I would take this one quite seriously.
>
> Alex
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

http://raythestray.blogspot.com

Re: New IE zero day exploit in the wild

2009-07-07 Thread Eric Wittersheim
yes

On Tue, Jul 7, 2009 at 12:49 PM, Ziots, Edward  wrote:

>  Are you doing it in a Startup script via the GP?
>
>
>
> Z
>
>
>
> Edward Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +
>
> ezi...@lifespan.org
>
> Phone:401-639-3505
>   --
>
> *From:* Eric Wittersheim [mailto:eric.wittersh...@gmail.com]
> *Sent:* Tuesday, July 07, 2009 11:41 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> I'm pushing out the .reg via GP.  So far so good.
>
> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>
> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
> fine (so far just a few test cases have it, but no issues). Beats trying to
> push out a .REG or something…
>
>
>
> *David Lum** **// *SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 *// *(Cell) 503.267.9764
>
> *From:* J Kyo [mailto:jky...@gmail.com]
> *Sent:* Tuesday, July 07, 2009 8:18 AM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
> wrote:
>
> Recommendation from MS is to set the killbits everywhere.
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> Carl
>
>
>
> *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>
> Seems to be XP / Windows Server 2003 only?
>
> Cheers
>
> Ken
>
>
>   --
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>
> Our labs have confirmed this and it is quite nasty.  Best bet for now is to
> set the killbits. Or don't use IE.
>
>
>
> Some references:
>
>
>
> Microsoft:
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> SANS:
>
>
>
> http://isc.sans.org/diary.html?storyid=6733
>
>
>
> I would take this one quite seriously.
>
>
>
> Alex
>

RE: New IE zero day exploit in the wild

2009-07-07 Thread Ziots, Edward
Are you doing it in a Startup script via the GP? 

 

Z

 

Edward Ziots

Network Engineer

Lifespan Organization

MCSE,MCSA,MCP+I, ME, CCA, Security +, Network +

ezi...@lifespan.org

Phone:401-639-3505



From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com] 
Sent: Tuesday, July 07, 2009 11:41 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

I'm pushing out the .reg via GP.  So far so good.

On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:

The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
pushing fine (so far just a few test cases have it, but no issues).
Beats trying to push out a .REG or something...

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 8:18 AM


To: NT System Admin Issues

Subject: Re: New IE zero day exploit in the wild

 

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
wrote:

Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 



From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is
to set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

Re: New IE zero day exploit in the wild

2009-07-07 Thread Ben Scott
On Tue, Jul 7, 2009 at 11:54 AM, Sherry Abercrombie wrote:
> IE Tabs will work for just about everything IE in FF.

  That wouldn't help the IE security issue that kicked off this
thread.  (Well, assuming the luser went and invoked an IE tab to get
the ActiveX control that wouldn't run, to run.  And let's face it,
that's what lusers do.)

-- Ben

Re: New IE zero day exploit in the wild

2009-07-07 Thread Kurt Buff
I'm just pushing out the .reg file in the login script:

 regedit /s \\fileserver\public\patches\videokillbits.reg

The file was easy to create, in a capable editor (not notepad or
wordpad) that allows metacharacter search and replace, such as '\n'
for CRLF and '\t' for tab. I used the ancient, no-longer-supported
PFE32. I really should switch to VIM, I suppose.

On Tue, Jul 7, 2009 at 08:40, Eric
Wittersheim wrote:
> I'm pushing out the .reg via GP.  So far so good.
>
> On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:
>>
>> The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
>> fine (so far just a few test cases have it, but no issues). Beats trying to
>> push out a .REG or something…
>>
>>
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>
>> From: J Kyo [mailto:jky...@gmail.com]
>> Sent: Tuesday, July 07, 2009 8:18 AM
>> To: NT System Admin Issues
>> Subject: Re: New IE zero day exploit in the wild
>>
>>
>>
>> Curious if anyone has used the "Microsoft Fix It" from:
>> http://support.microsoft.com/kb/972890.
>>
>> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
>> wrote:
>>
>> Recommendation from MS is to set the killbits everywhere.
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> Carl
>>
>>
>>
>> From: Ken Schaefer [mailto:k...@adopenstatic.com]
>> Sent: Monday, July 06, 2009 9:06 PM
>>
>> To: NT System Admin Issues
>>
>> Subject: RE: New IE zero day exploit in the wild
>>
>>
>>
>> Seems to be XP / Windows Server 2003 only?
>>
>> Cheers
>>
>> Ken
>>
>>
>>
>> 
>>
>> From: Alex Eckelberry [al...@sunbelt-software.com]
>> Sent: Tuesday, 7 July 2009 5:56 AM
>> To: NT System Admin Issues
>> Subject: New IE zero day exploit in the wild
>>
>> Our labs have confirmed this and it is quite nasty.  Best bet for now is
>> to set the killbits. Or don't use IE.
>>
>>
>>
>> Some references:
>>
>>
>>
>> Microsoft:
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> SANS:
>>
>>
>>
>> http://isc.sans.org/diary.html?storyid=6733
>>
>>
>>
>> I would take this one quite seriously.
>>
>>
>>
>> Alex
>
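
Kurt's approach above pushes a hand-built .reg file, and a file assembled by search-and-replace is exactly where a wrong flag value or a stray deletion line slips in unnoticed. As an added example, not from the thread or any poster, here is a small Python parser for the REGEDIT5 .reg format that reports, for every CLSID under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility`, whether the `Compatibility Flags` value actually has the kill bit (0x400) set. The embedded sample file is constructed; its CLSIDs are placeholders rather than the control identifiers from advisory 972890, and the function names are mine.

```python
"""Added example: pre-flight check of a killbit .reg file (REGEDIT5 format).
Not code from the thread; the CLSIDs in SAMPLE_REG are constructed placeholders."""
import re

# IE will not instantiate a control whose "Compatibility Flags" value has bit
# 0x400 set; that bit is the "kill bit" the advisory tells admins to set.
KILLBIT = 0x400
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in the shape of a file like videokillbits.reg. These
# CLSIDs are placeholders, NOT the control identifiers from advisory 972890.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; kill bit set correctly
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

; value present, but the kill bit is not set (the kind of slip a search-and-replace job leaves)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

; kill bit set together with another flag bit, so a bitmask test is needed
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401

; a key deletion: this would remove a kill bit, not set one
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000004}]
"""

_SECTION = re.compile(r"^\[(-?)(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def _logical_lines(text):
    """Drop the BOM regedit writes and join backslash-continued hex lines."""
    lines = []
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    return lines


def _parse_data(data):
    """Decode the right-hand side of a value line."""
    if data == "-":                          # "name"=- deletes the value
        return None
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("hex"):               # hex:, hex(2):, hex(7): ...
        payload = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in payload.split(",") if b.strip())
    raise ValueError(f"unsupported value syntax: {data!r}")


def parse_reg(text):
    """Return {key_path: {value_name: data}}; a deleted key maps to None."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _SECTION.match(line)
        if m:
            if m.group(1) == "-":
                keys[m.group(2)], current = None, None
            else:
                current = m.group(2)
                keys.setdefault(current, {})
            continue
        if current is None:                  # values listed under a deleted key
            continue
        m = _VALUE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        name = "@" if m.group(1) is None else m.group(1)
        keys[current][name] = _parse_data(m.group(2))
    return keys


def killbit_status(text):
    """Map each CLSID under ActiveX Compatibility to whether its kill bit is set."""
    status = {}
    for path, values in parse_reg(text).items():
        parent, _, clsid = path.rpartition("\\")
        if not parent.upper().endswith(ACTIVEX_COMPAT.upper()) or not _CLSID.match(clsid):
            continue
        flags = values.get("Compatibility Flags") if values else None
        status[clsid.upper()] = isinstance(flags, int) and bool(flags & KILLBIT)
    return status


def missing_killbits(text):
    """CLSIDs the file names without actually arming the kill bit."""
    return sorted(c for c, armed in killbit_status(text).items() if not armed)


if __name__ == "__main__":
    for clsid, armed in killbit_status(SAMPLE_REG).items():
        print(clsid, "kill bit set" if armed else "NOT SET")
```

regedit exports .reg files as UTF-16 with a BOM, so read a real one with `open(path, encoding="utf-16").read()` before passing it in. This is a pre-flight check on the file, not proof that the bits are set on the clients; for that the live registry has to be read on each machine.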



RE: New IE zero day exploit in the wild

2009-07-07 Thread Reimer, Mark
I understand and can set up GP to push out the msi file. I think it is
best in the "Computer Configuration | Software Settings | Software
Installation" (correct?).

 

My understanding is that the msi file will be run every time the
computer is turned on. Is this correct, or a misunderstanding on my
part? If it is correct, how does one prevent that from happening (i.e.
have the msi (or reg file) execute only once)?

 

Thanks.

 

Mark

 

From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com] 
Sent: Tuesday, July 07, 2009 9:41 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

I'm pushing out the .reg via GP.  So far so good.

On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:

The "Microsoft fix-it" is an MSI that I am pushing via SMS and is
pushing fine (so far just a few test cases have it, but no issues).
Beats trying to push out a .REG or something...

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 8:18 AM


To: NT System Admin Issues

Subject: Re: New IE zero day exploit in the wild

 

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
wrote:

Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 



From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is
to set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

RE: New IE zero day exploit in the wild

2009-07-07 Thread John Aldrich
ROFL! Yeah. I have that problem too!

 

John-AldrichTile-Tools

 

From: paul chinnery [mailto:pdw1...@hotmail.com] 
Sent: Tuesday, July 07, 2009 12:12 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

I know, Sherry.  But try to teach that to all the users.  I still have a few
who think the monitor IS the computer.  

  _  

Date: Tue, 7 Jul 2009 10:54:41 -0500
Subject: Re: New IE zero day exploit in the wild
From: saber...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com

IE Tabs will work for just about everything IE in FF.

On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery  wrote:

Same here.  (I so wish we could use FF but a couple of our apps won't run if
we do so I have to be content with using it myself.)

  _  

Date: Tue, 7 Jul 2009 11:29:13 -0400


Subject: Re: New IE zero day exploit in the wild

From: lee.doug...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com



Yes, on several XP machines. So far nothing is broken, at least. 



On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:

Recommendation from MS is to set the killbits everywhere.

 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 

Carl
 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 

  _  

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to
set the killbits. Or don't use IE. 
 
Some references:
 
Microsoft: 
 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 
SANS: 
 
http://isc.sans.org/diary.html?storyid=6733
 
I would take this one quite seriously.  
 
Alex

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke

Re: New IE zero day exploit in the wild

2009-07-07 Thread Sherry Abercrombie
LOL, but isn't it the computer if it's a Mac... seriously, I do understand.
I'm still stuck at IE6 because of two stupid enterprise applications that
haven't been officially sanctioned by the mfg to run in IE7 or above.

On Tue, Jul 7, 2009 at 11:12 AM, paul chinnery  wrote:

>  I know, Sherry.  But try to teach that to all the users.  I still have a
> few who think the monitor IS the computer.
>
> --
> Date: Tue, 7 Jul 2009 10:54:41 -0500
> Subject: Re: New IE zero day exploit in the wild
> From: saber...@gmail.com
>
> To: ntsysadmin@lyris.sunbelt-software.com
>
> IE Tabs will work for just about everything IE in FF.
>
> On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery wrote:
>
>  Same here.  (I so wish we could use FF but a couple of our apps won't run
> if we do so I have to be content with using it myself.)
>
> ------------------
> Date: Tue, 7 Jul 2009 11:29:13 -0400
> Subject: Re: New IE zero day exploit in the wild
> From: lee.doug...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
>
> Yes, on several XP machines. So far nothing is broken, at least.
>
>
> On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:
>
> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman wrote:
>
>  Recommendation from MS is to set the killbits everywhere.
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> Carl
>
>  *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
> *To:* NT System Admin Issues
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>  Seems to be XP / Windows Server 2003 only?
>  Cheers
>  Ken
>
>  --------------
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>   Our labs have confirmed this and it is quite nasty.  Best bet for now is
> to set the killbits. Or don't use IE.
>
> Some references:
>
> Microsoft:
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> SANS:
>
> http://isc.sans.org/diary.html?storyid=6733
>
> I would take this one quite seriously.
>
> Alex
>
> --
> Sherry Abercrombie
>
> "Any sufficiently advanced technology is indistinguishable from magic."
> Arthur C. Clarke
>


-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke

RE: New IE zero day exploit in the wild

2009-07-07 Thread paul chinnery

I know, Sherry.  But try to teach that to all the users.  I still have a few 
who think the monitor IS the computer.  

Date: Tue, 7 Jul 2009 10:54:41 -0500
Subject: Re: New IE zero day exploit in the wild
From: saber...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com

IE Tabs will work for just about everything IE in FF.

On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery  wrote:

Same here.  (I so wish we could use FF but a couple of our apps won't run if we 
do so I have to be content with using it myself.)

Date: Tue, 7 Jul 2009 11:29:13 -0400
Subject: Re: New IE zero day exploit in the wild

From: lee.doug...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com


Yes, on several XP machines. So far nothing is broken, at least. 


On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:

Curious if anyone has used the "Microsoft Fix It" from: 
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:

Recommendation from MS is to set the killbits everywhere.


 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 



From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 

To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Seems to be XP / Windows Server 2003 only?


Cheers


Ken

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to set 
the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke

Re: New IE zero day exploit in the wild

2009-07-07 Thread Sherry Abercrombie
IE Tabs will work for just about everything IE in FF.

On Tue, Jul 7, 2009 at 10:51 AM, paul chinnery  wrote:

>  Same here.  (I so wish we could use FF but a couple of our apps won't run
> if we do so I have to be content with using it myself.)
>
> --
> Date: Tue, 7 Jul 2009 11:29:13 -0400
> Subject: Re: New IE zero day exploit in the wild
> From: lee.doug...@gmail.com
> To: ntsysadmin@lyris.sunbelt-software.com
>
> Yes, on several XP machines. So far nothing is broken, at least.
>
>
> On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:
>
> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman wrote:
>
>  Recommendation from MS is to set the killbits everywhere.
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> Carl
>
>  *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
> *To:* NT System Admin Issues
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>  Seems to be XP / Windows Server 2003 only?
>  Cheers
>  Ken
>
>  --
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>   Our labs have confirmed this and it is quite nasty.  Best bet for now is
> to set the killbits. Or don't use IE.
>
> Some references:
>
> Microsoft:
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
> SANS:
>
> http://isc.sans.org/diary.html?storyid=6733
>
> I would take this one quite seriously.
>
> Alex
>

-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke

RE: New IE zero day exploit in the wild

2009-07-07 Thread paul chinnery

Same here.  (I so wish we could use FF but a couple of our apps won't run if we 
do so I have to be content with using it myself.)

Date: Tue, 7 Jul 2009 11:29:13 -0400
Subject: Re: New IE zero day exploit in the wild
From: lee.doug...@gmail.com
To: ntsysadmin@lyris.sunbelt-software.com

Yes, on several XP machines. So far nothing is broken, at least. 


On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:

Curious if anyone has used the "Microsoft Fix It" from: 
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:

Recommendation from MS is to set the killbits everywhere.


 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 



From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 

To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

Seems to be XP / Windows Server 2003 only?


Cheers


Ken

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to set 
the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

RE: New IE zero day exploit in the wild

2009-07-07 Thread Steven M. Caesare
I did, but can't say I feel good about myself for doing it.

 

-sc

 

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 11:18 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
wrote:

Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 



From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is
to set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

Re: New IE zero day exploit in the wild

2009-07-07 Thread Eric Wittersheim
I'm pushing out the .reg via GP.  So far so good.

On Tue, Jul 7, 2009 at 10:38 AM, David Lum  wrote:

>  The “Microsoft fix-it” is an MSI that I am pushing via SMS and is pushing
> fine (so far just a few test cases have it, but no issues). Beats trying to
> push out a .REG or something…
>
>
>
> *David Lum** **// *SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 *// *(Cell) 503.267.9764
>
>
>
>
>
>
>
> *From:* J Kyo [mailto:jky...@gmail.com]
> *Sent:* Tuesday, July 07, 2009 8:18 AM
> *To:* NT System Admin Issues
> *Subject:* Re: New IE zero day exploit in the wild
>
>
>
> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman 
> wrote:
>
> Recommendation from MS is to set the killbits everywhere.
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> Carl
>
>
>
> *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
>
>
> *To:* NT System Admin Issues
>
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>
> Seems to be XP / Windows Server 2003 only?
>
> Cheers
>
> Ken
>
>
>   ----------
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>
> Our labs have confirmed this and it is quite nasty.  Best bet for now is to
> set the killbits. Or don't use IE.
>
>
>
> Some references:
>
>
>
> Microsoft:
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> SANS:
>
>
>
> http://isc.sans.org/diary.html?storyid=6733
>
>
>
> I would take this one quite seriously.
>
>
>
> Alex

RE: New IE zero day exploit in the wild

2009-07-07 Thread David Lum
The "Microsoft fix-it" is an MSI that I am pushing via SMS and is pushing fine 
(so far just a few test cases have it, but no issues). Beats trying to push out 
a .REG or something...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: J Kyo [mailto:jky...@gmail.com]
Sent: Tuesday, July 07, 2009 8:18 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Curious if anyone has used the "Microsoft Fix It" from: 
http://support.microsoft.com/kb/972890.
On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman wrote:

Recommendation from MS is to set the killbits everywhere.



http://www.microsoft.com/technet/security/advisory/972890.mspx



Carl



From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Monday, July 06, 2009 9:06 PM

To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild



Seems to be XP / Windows Server 2003 only?

Cheers

Ken





From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to set 
the killbits. Or don't use IE.



Some references:



Microsoft:



http://www.microsoft.com/technet/security/advisory/972890.mspx



SANS:



http://isc.sans.org/diary.html?storyid=6733



I would take this one quite seriously.



Alex

RE: New IE zero day exploit in the wild

2009-07-07 Thread John Aldrich
I just installed it in most of my organization.

 

John-AldrichTile-Tools

 

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 11:18 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

 

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:

Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 


To: NT System Admin Issues

Subject: RE: New IE zero day exploit in the wild 

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 

  _  

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to
set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

Re: New IE zero day exploit in the wild

2009-07-07 Thread Lee Douglas
Yes, on several XP machines. So far nothing is broken, at least.


On Tue, Jul 7, 2009 at 11:17 AM, J Kyo  wrote:

> Curious if anyone has used the "Microsoft Fix It" from:
> http://support.microsoft.com/kb/972890.
>
> On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman wrote:
>
>>  Recommendation from MS is to set the killbits everywhere.
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> Carl
>>
>>
>>
>> *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
>> *Sent:* Monday, July 06, 2009 9:06 PM
>> *To:* NT System Admin Issues
>> *Subject:* RE: New IE zero day exploit in the wild
>>
>>
>>
>> Seems to be XP / Windows Server 2003 only?
>>
>> Cheers
>>
>> Ken
>>
>>
>>  ------------------
>>
>> *From:* Alex Eckelberry [al...@sunbelt-software.com]
>> *Sent:* Tuesday, 7 July 2009 5:56 AM
>> *To:* NT System Admin Issues
>> *Subject:* New IE zero day exploit in the wild
>>
>> Our labs have confirmed this and it is quite nasty.  Best bet for now is
>> to set the killbits. Or don't use IE.
>>
>>
>>
>> Some references:
>>
>>
>>
>> Microsoft:
>>
>>
>>
>> http://www.microsoft.com/technet/security/advisory/972890.mspx
>>
>>
>>
>> SANS:
>>
>>
>>
>> http://isc.sans.org/diary.html?storyid=6733
>>
>>
>>
>> I would take this one quite seriously.
>>
>>
>>
>> Alex

RE: New IE zero day exploit in the wild

2009-07-07 Thread Andy Ognenoff
I used it on my personal machine.  I also created a reg file with all the
recommended kill bits set from the advisory. The Fix It tool should do the
same thing but I can pass the reg file along if anyone wants it too.

 - Andy O. 

From: J Kyo [mailto:jky...@gmail.com] 
Sent: Tuesday, July 07, 2009 10:18 AM
To: NT System Admin Issues
Subject: Re: New IE zero day exploit in the wild

Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.
On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:
Recommendation from MS is to set the killbits everywhere.
 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 
Carl
 
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM 

To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild 
 
Seems to be XP / Windows Server 2003 only?
Cheers
Ken
 

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild
Our labs have confirmed this and it is quite nasty.  Best bet for now is to
set the killbits. Or don't use IE. 
 
Some references:
 
Microsoft: 
 
http://www.microsoft.com/technet/security/advisory/972890.mspx
 
SANS: 
 
http://isc.sans.org/diary.html?storyid=6733
 
I would take this one quite seriously.  
 
Alex
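A hand-built killbit .reg file like the one Andy describes is easy to get subtly wrong (a CLSID dropped, a value typed as 00000004 instead of 00000400), and nothing in GP or SMS will tell you. The following is an added example, not code from the thread, from Microsoft's Fix It, or from Sunbelt: it audits such a file before it is pushed out. It assumes the killbit is bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and the CLSIDs in it are constructed placeholders, not the advisory 972890 list.

```python
# Added example (not from the thread, Microsoft or Sunbelt): audit a killbit
# .reg file before deploying it. The killbit is bit 0x400 of the
# "Compatibility Flags" DWORD under the ActiveX Compatibility key for a CLSID.
# CLSIDs below are constructed placeholders; substitute the advisory's list.
import re

KILLBIT = 0x400
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\"
                    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
VALUE_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)


def parse_reg_killbits(reg_text):
    """Map each ActiveX Compatibility CLSID in the .reg text to its flags (None if unset)."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            found.setdefault(current, None)
            continue
        if line.startswith("["):      # some unrelated key: stop attributing values
            current = None
            continue
        m = VALUE_RE.match(line)
        if m and current:
            found[current] = int(m.group(1), 16)
    return found


def audit(reg_text, expected_clsids):
    """Return sorted (killed, not_killed, missing) CLSID lists for the .reg text."""
    found = parse_reg_killbits(reg_text)
    killed = {c for c, f in found.items() if f is not None and f & KILLBIT}
    not_killed = set(found) - killed
    missing = {c.upper() for c in expected_clsids} - set(found)
    return sorted(killed), sorted(not_killed), sorted(missing)


# Constructed sample: one CLSID correctly killed, one with the flag cleared.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
"""
EXPECTED_CLSIDS = ["{00000000-0000-0000-0000-000000000001}",
                   "{00000000-0000-0000-0000-000000000002}",
                   "{00000000-0000-0000-0000-000000000003}"]  # never written
```

Paste the advisory's CLSIDs into EXPECTED_CLSIDS and feed it the real file; note that .reg files exported by regedit are UTF-16LE, so decode them before passing the text in.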



Re: New IE zero day exploit in the wild

2009-07-07 Thread J Kyo
Curious if anyone has used the "Microsoft Fix It" from:
http://support.microsoft.com/kb/972890.

On Mon, Jul 6, 2009 at 6:24 PM, Carl Houseman  wrote:

>  Recommendation from MS is to set the killbits everywhere.
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> Carl
>
>
>
> *From:* Ken Schaefer [mailto:k...@adopenstatic.com]
> *Sent:* Monday, July 06, 2009 9:06 PM
> *To:* NT System Admin Issues
> *Subject:* RE: New IE zero day exploit in the wild
>
>
>
> Seems to be XP / Windows Server 2003 only?
>
> Cheers
>
> Ken
>
>
>  --
>
> *From:* Alex Eckelberry [al...@sunbelt-software.com]
> *Sent:* Tuesday, 7 July 2009 5:56 AM
> *To:* NT System Admin Issues
> *Subject:* New IE zero day exploit in the wild
>
> Our labs have confirmed this and it is quite nasty.  Best bet for now is to
> set the killbits. Or don't use IE.
>
>
>
> Some references:
>
>
>
> Microsoft:
>
>
>
> http://www.microsoft.com/technet/security/advisory/972890.mspx
>
>
>
> SANS:
>
>
>
> http://isc.sans.org/diary.html?storyid=6733
>
>
>
> I would take this one quite seriously.
>
>
>
> Alex

RE: New IE zero day exploit in the wild

2009-07-06 Thread Carl Houseman
Recommendation from MS is to set the killbits everywhere.

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

Carl

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Monday, July 06, 2009 9:06 PM
To: NT System Admin Issues
Subject: RE: New IE zero day exploit in the wild

 

Seems to be XP / Windows Server 2003 only?

Cheers

Ken

 

  _  

From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to
set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

RE: New IE zero day exploit in the wild

2009-07-06 Thread Ken Schaefer
Seems to be XP / Windows Server 2003 only?
Cheers
Ken


From: Alex Eckelberry [al...@sunbelt-software.com]
Sent: Tuesday, 7 July 2009 5:56 AM
To: NT System Admin Issues
Subject: New IE zero day exploit in the wild

Our labs have confirmed this and it is quite nasty.  Best bet for now is to set 
the killbits. Or don't use IE.

Some references:

Microsoft:

http://www.microsoft.com/technet/security/advisory/972890.mspx

SANS:

http://isc.sans.org/diary.html?storyid=6733

I would take this one quite seriously.

Alex

New IE zero day exploit in the wild

2009-07-06 Thread Alex Eckelberry
Our labs have confirmed this and it is quite nasty.  Best bet for now is
to set the killbits. Or don't use IE. 

 

Some references:

 

Microsoft: 

 

http://www.microsoft.com/technet/security/advisory/972890.mspx

 

SANS: 

 

http://isc.sans.org/diary.html?storyid=6733

 

I would take this one quite seriously.  

 

Alex

 

Alex Eckelberry, CEO 
Sunbelt Software
33 N. Garden Avenue, Clearwater, FL 33755 p: 727-562-0101 x220 
e: a...@sunbeltsoftware.com   MSN:
alex...@hotmail.com   
w: www.sunbeltsoftware.com   b:
www.sunbeltblog.com