WMF Exploit!!!! Install this patch now!

no_name

jt3 said:
You might see if IrfanView uses shimgvw.dll to do its thumbnails, and if
not, deregister, and use IV to look at those folders with images.

Apparently it does not, since I had already deregistered the DLL &
IrfanView can still display thumbnails.

Among IrfanView's other benefits are:

1. FREEWARE, and a damn good program.
2. Has plugin for my camera's RAW format files, which windows does not.
3. Small & fast.
 
Gazwad

"Beauregard T. Shagnasty" <[email protected]>, the weedy
riffraff and pudgy camp-queen who likes hostile bone smuggling with
manatees, and whose partner is a whoopee-wench with a generous fun
hatch said:
Details: Worthy
Thumbnails: Worthy for a photographer
Gazwad: Priceless!

Well done, you didn't have to provide further evidence though, your
stupidity was already clear enough.



--
For my own part, I have never had a thought which I could not set down
in words with even more distinctness than that with which I conceived
it. There is, however, a class of fancies of exquisite delicacy which
are not thoughts, and to which as yet I have found it absolutely
impossible to adapt to language. These fancies arise in the soul, alas
how rarely. Only at epochs of most intense tranquillity, when the
bodily and mental health are in perfection. And at those weird points
of time, where the confines of the waking world blend with the world of
dreams. And so I captured this fancy, where all that we see, or seem,
is but a dream within a dream.
 
Kadaitcha Man

Gazwad <[email protected]>, the {OldManAdjectiveSynonym} and
derelict botty-boy who likes adventurous anal-rape fantasies with
wombats, and whose partner is a charity girl with a dilapidated bunny
tuft said:

That's what makes it so funny, being so far from the truth and all.
bleedin eck

Have you uncovered a bug? The text you replied to has been wrapped. It
doesn't happen when I reply to it, so what did you do?
 
Michael Stevens

In
Jim said:
In case you have been living under a rock for the last week or so,
you may not have heard about the WMF Windows exploit.

For those rock dwellers, here's the scoop.....short and sweet. Reprinted
here without permission from SANS at
http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
;).
---------------------------------------------

WMF FAQ (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3)

[A few users offered translations of this FAQ into various languages.
Obviously, we can not check the translations for accuracy, nor can we
update them. So use at your own risk: Deutsch and Deutsch (pdf),
Catalan, Español, Italiana and Italiana, Polski, Suomenkielinen,
Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in
progress).]

* Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary
code. It will execute just by viewing the image. In most cases, you
don't have to click anything. Even images stored on your system may
cause the exploit to be triggered if they are indexed by some indexing
software. Viewing a directory in Explorer with 'Icon size' images
will cause the exploit to be triggered as well.

* Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without
warning. New versions of Firefox will prompt you before opening the
image. However, in most environments this offers little protection
given that these are images and are thus considered 'safe'.

* What versions of Windows are affected?
All. Windows 2000, Windows XP (SP1 and SP2), Windows 2003. All are
affected to some extent. Mac OS X, Unix and BSD are not affected.

Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and
there will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade.

* What can I do to protect myself?
1. Microsoft has not yet released a patch. An unofficial patch was
made available by Ilfak Guilfanov. Our own Tom Liston reviewed the
patch and we tested it. The reviewed and tested version is available
here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP
signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for
providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:

a. Click Start, click Run, type "regsvr32 -u
%windir%\system32\shimgvw.dll" (without the quotation marks), and then
click OK.
b. A dialog box appears to confirm that the un-registration process
has succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the
DLL and to use the unofficial patch.

* How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
then patches (in memory) gdi32.dll's Escape() function so
that it ignores any call using the SETABORTPROC (i.e. 0x09) parameter.
This should allow Windows programs to display WMF files normally
while still blocking the exploit. The version of the patch located
here has been carefully checked against the source code provided as
well as tested against all known versions of the exploit. It should
work on WinXP (SP1 and SP2) and Win2K.
* Will unregistering the DLL (without using the unofficial patch)
protect me?
It might help. But it is not foolproof. We want to be very clear on
this: we have some very strong indications that simply unregistering
the shimgvw.dll isn't always successful. The .dll can be
re-registered by malicious processes or other installations, and
there may be issues where re-registering the .dll on a running system
that has had an exploit run against it allows the exploit to
succeed. In addition it might be possible for there to be other
avenues of attack against the Escape() function in gdi32.dll. Until
there is a patch available from MS, we recommend using the unofficial
patch in addition to un-registering shimgvw.dll.
* Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably
replace it. You'll need to turn off Windows File Protection first.
Also, once an official patch is available you'll need to replace the
DLL. (Renaming, rather than deleting, is probably better so it will
still be handy.)

* Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a
special header and the extension is not needed. The files could
arrive using any extension, or embedded in Word or other documents.

* What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a
wide range of exploits, by preventing the execution of 'data
segments'. However, to work well, it requires hardware support. Some
CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and
will prevent the exploit.
* How good are antivirus products at preventing the exploit?
At this point, we are aware of versions of the exploit that will not
be detected by antivirus engines. We hope they will catch up soon.
But it will be a hard battle to catch all versions of the exploit. Up
to date AV systems are necessary but likely not sufficient.

* How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments,
web sites, instant messaging are probably the most likely sources.
Don't forget P2P file sharing and other sources.

* Is it sufficient to tell my users not to visit untrusted web
sites?
No. It helps, but it's likely not sufficient. We had at least
one widely trusted web site (knoppix-std.org) which was compromised.
As part of the compromise, a frame was added to the site redirecting
users to a corrupt WMF file. "Trusted" sites have been used like this
in the past.
* What is the actual problem with WMF images here?
WMF images are a bit different than most other images. Instead of just
containing simple 'this pixel has that color' information, WMF images
can call external procedures. One of these procedure calls can be
used to execute the code.

* Should I use something like "dropmyrights" to lower the impact
of an exploit?
By all means yes. Also, do not run as an administrator-level user
for every day work. However, this will only limit the impact of the
exploit, and not prevent it. Also: Web browsing is only one way to
trigger the exploit. If the image is left behind on your system, and
later viewed by an administrator, you may get 'hit'.

* Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these images
indexed? Do you sometimes use a web browser on the server? In short:
If someone can get an image to your server, and if the vulnerable DLL
may look at it, your server may very well be vulnerable.

* What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites?
Probably won't go over well with your users. At least block .WMF
images (see above about extensions...). If your proxy has some kind
of virus checker, it may catch it. Same for mail servers. The less
you allow your users to initiate outbound connections, the better.
Close monitoring of user workstations may provide a hint if a
workstation is infected.
* Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for
details. Bleedingsnort.org is providing some continuously improving
signatures for snort users.

* If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit
with. Most of them will download additional components. It can be
very hard, or even impossible, to find all the pieces. Microsoft
offers free support for issues like that at 866-727-2389 (866 PC
SAFETY).
* Does Microsoft have information available?
http://www.microsoft.com/technet/security/advisory/912840.mspx
But there is no patch at the time of this writing.

* What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4560

-----------------------------------------

So run the patch, reboot and keep your fingers crossed!

Jim

Tested on 3 systems, at one day intervals, no problems at all.
Not sure what the hubbub is all about when so many viable sources say it is
safe. I am sure some unscrupulous people are using the patch as a way to
spread the virus with redirected links, but the same people do this with
official MS patches. Stupid and usually uninformed users will always fall
for these scams.
MS will always have the official advisory to not apply any non-ms patch, but
does anyone think the leaked patch was leaked? LOL
BTW, I have beachfront property in Lawrence, Kansas for sale with great views
of Diamondhead. Bids start at $10.000. Look for it in the Windows COA only
eBay listings.
--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
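Two points in the quoted FAQ lend themselves to a concrete perimeter check: a WMF is identified by its header rather than its extension, and the exploit rides on the Escape() call with the SETABORTPROC (0x09) sub-function. The Python below is an added example, not code from the SANS FAQ or from any poster in this thread; it sniffs a byte string for a WMF header, walks the metafile records, and reports any META_ESCAPE record that selects SETABORTPROC. Record layouts follow the published MS-WMF specification, and the sample files are constructed in the script.

```python
import struct

# Constants from the WMF specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7   # magic DWORD that opens the 22-byte placeable header
META_HEADER_LEN = 18         # size of the standard META_HEADER that follows
META_EOF = 0x0000
META_SETMAPMODE = 0x0103     # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626         # record type that carries an Escape() sub-function
SETABORTPROC = 0x0009        # the escape sub-function the FAQ says triggers the bug


def looks_like_wmf(data):
    """Recognise a WMF by its header bytes; the file extension is irrelevant."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= META_HEADER_LEN:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string."""
    off = 22 if struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break  # truncated or malformed record: stop rather than over-read
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_setabortproc(data):
    """Return offsets of META_ESCAPE records whose sub-function is SETABORTPROC."""
    if not looks_like_wmf(data):
        return []
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def build_wmf(records, placeable=False):
    """Constructed test input: a minimal WMF built from (function, params) pairs."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    max_words = max([3] + [(6 + len(p)) // 2 for _, p in records])
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (META_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    if placeable:
        fields = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", fields):
            checksum ^= w  # placeable checksum is the XOR of the preceding ten words
        header = fields + struct.pack("<H", checksum) + header
    return header + body


# Constructed samples: a harmless metafile and one carrying the flagged escape.
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
FLAGGED = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8)),
                     (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))], placeable=True)

if __name__ == "__main__":
    print("benign:", find_setabortproc(BENIGN))    # []
    print("flagged:", find_setabortproc(FLAGGED))  # [48]
```

Because the check keys on the header and record contents, it catches a WMF that arrives under a .jpg or .gif name, which is exactly the gap the FAQ warns an extension block leaves open.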
 
Shane

no_name said:
Apparently it does not, since I had already deregistered the DLL &
IrfanView can still display thumbnails.

Among IrfanView's other benefits are:

1. FREEWARE, and a damn good program.
2. Has plugin for my camera's RAW format files, which windows does not.
3. Small & fast.

I still prefer Explorer's Thumbnail display, at least for .jpg files.

To refine the thought that Thumbnail View is okay for folders such as My
Pictures, but not for e.g. \System32\, I re-register shimgvw.dll for working
in folders containing pictures I've taken or otherwise trust, then
unregister it again when I've finished.

Shane

--


The Sugitive

Chapter One: http://tinyurl.com/bcevp

Chapter Two: http://tinyurl.com/ag92o

Chapter Three: Coming to an URL near you soon!

------------------------------------
 
Mitch

Michael Stevens said:
MS will always have the official advisory to not apply any non-ms patch, but
does anyone think the leaked patch was leaked? LOL

What are you implying?
It isn't clear at all which 'patch' you are writing about, but I see no
reason to imagine that Microsoft created ANY solution to this problem
yet -- only a lot of resistance from them to do anything about it.

Even if they did create a patch that got distributed before they
wanted, it doesn't alleviate any of the blame they deserve for not
getting the thing out and distributed to every user.
 
John Waller

Even if they did create a patch that got distributed before they
wanted, it doesn't alleviate any of the blame they deserve for not
getting the thing out and distributed to every user.

MS are damned if they do and damned if they don't.

The official word from online news outlets is that MS has written a patch.
The delay is in getting it thoroughly tested, esp on corporate networks.

MS says that customer feedback over the years has strongly indicated that
users want thoroughly tested patches distributed rather than urgent fixes
which may have problems later.
 
Kadaitcha Man

Michael Stevens <[email protected]>, the tubby guttersnipe and
active steve keith who likes rageful clown punchin' with dolphins, and
whose partner is a street-sister with a yawning foofy bird, wrote in
Tested on 3 systems, at one day intervals, no problems at all.

/M/ature
/I/n hole,
/C/rackers and
/H/esitantly
/A/bominable
/E/asy-pick-up,
/L/urid
/S/not sausage,
/T/ubby
/E/lephant,
/V/illainous and
/E/ccentrically
/N/osy
/S/parrow
 
Michael Stevens

In
Mitch said:
What are you implying?
It isn't clear at all which 'patch' you are writing about, but I see
no reason to imagine that Microsoft created ANY solution to this
problem yet -- only a lot of resistance from them to do anything
about it.

Even if they did create a patch that got distributed before they
wanted, it doesn't alleviate any of the blame they deserve for not
getting the thing out and distributed to every user.

Well you snipped the part of my post that explained what I was implying. I
was replying to the OP and giving feedback on my experience with the Ilfak
Guilfanov wmffix patch. I wasn't laying blame on Microsoft, I was just
giving my take on the situation. I do not think MS is the god of computing
and understand when they say something is not supported you should realize
it is only MS that does not support it and there are many reasons unrelated
to technical aspects that influence the MS advisory.
When an open source patch like this one, that has been scrutinized by a much
larger base of computer experts than the patch MS releases signs off on it,
I feel just as safe and secure as one I would get from a daily update from
Avast, Trend, AVG, Norton, etc. Why should I place a higher value of trust
on MS for a patch that only they sign off on opposed to one that a much
larger testing base signed off on as safe and effective?
I agree about their policy on how they release patches, patches should be
released as soon as they effectively fix the problem. They should not be
released on a schedule. There is no excuse for intentionally letting an OS
be vulnerable to attacks that could have been avoided.
--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
 
R. McCarty

If you read Ilfak's interview on the patch, he went out of his way to not
make any comments against Microsoft & its policy on patches. He did
state several times that he posted the source code so its integrity could
be established by those that can do so. I really can't see what the issue
is with using an "interim" solution. When Tuesday comes around, I'll do
an uninstall on the WMFHotFix and use the official one from MS. To me
it's like using a "spare" tire, until the normal use one is fixed.
 
Michael Stevens

In
Michael Stevens said:
In

Well you snipped the part of my post that explained what I was
implying. I was replying to the OP and giving feedback on my
experience with the Ilfak Guilfanov wmffix patch. I wasn't
laying blame on Microsoft, I was just giving my take on the
situation. I do not think MS is the god of computing and understand
when they say something is not supported you should realize it is
only MS that does not support it and there are many reasons unrelated
to technical aspects that influence the MS advisory. When an open source
patch like this one, that has been scrutinized by
a much larger base of computer experts than the patch MS releases
signs off on it, I feel just as safe and secure as one I would get
from a daily update from Avast, Trend, AVG, Norton, etc. Why should
I place a higher value of trust on MS for a patch that only they sign
off on opposed to one that a much larger testing base signed off on
as safe and effective? I agree about their policy on how they release
patches, patches
should be released as soon as they effectively fix the problem. They
should not be released on a schedule. There is no excuse for
intentionally letting an OS be vulnerable to attacks that could have been
avoided.

That should have read as........
I DISAGREE about their policy on how they release patches, patches
should be released as soon as they effectively fix the problem.
 
Tom Porterfield

Michael said:
I agree about their policy on how they release patches, patches should be
released as soon as they effectively fix the problem. They should not be
released on a schedule. There is no excuse for intentionally letting an OS
be vulnerable to attacks that could have been avoided.

This is a confusing statement since Microsoft's policy *is* to release
patches on a schedule, after they are thoroughly tested. They create
the patch, they make sure it is thoroughly tested, and then they release
on the next scheduled monthly patch release Tuesday.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.
 
Tom Porterfield

Michael said:
That should have read as........
I DISAGREE about their policy on how they release patches, patches
should be released as soon as they effectively fix the problem.

Ooops. OK, then ignore my other response.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.
 
Mitch

Michael Stevens said:
Well you snipped the part of my post that explained what I was implying.

Did I? Sorry; missed it entirely.
I was replying to the OP and giving feedback on my experience with the Ilfak
Guilfanov wmffix patch. I wasn't laying blame on Microsoft, I was just
giving my take on the situation. I do not think MS is the god of computing
and understand when they say something is not supported you should realize
it is only MS that does not support it and there are many reasons unrelated
to technical aspects that influence the MS advisory.

A reasonable point -- the most obvious reason, even if it is valid,
isn't always the only reason or the most significant.
When an open source patch like this one, that has been scrutinized by a much
larger base of computer experts than the patch MS releases signs off on it,
I feel just as safe and secure as one I would get from a daily update from
Avast, Trend, AVG, Norton, etc. Why should I place a higher value of trust
on MS for a patch that only they sign off on opposed to one that a much
larger testing base signed off on as safe and effective?

Another point -- yet since the vulnerability is one created by
Microsoft design, they have the opportunity to fix the original error,
rather than just patch over the hole. I suspect that is what people
would expect, anyway.
I agree about their policy on how they release patches, patches should be
released as soon as they effectively fix the problem. They should not be
released on a schedule. There is no excuse for intentionally letting an OS
be vulnerable to attacks that could have been avoided.

No, and yet I was hoping more users would have raised a (choose term
for big ole' higgledy-piggledy mess o' noise) by now, forcing Microsoft
to do something immediately.
It just stuns me that Microsoft so blatantly considers corporate sys
admins the most important part of the industry.
 
Mitch

Tom Porterfield said:
This is a confusing statement since Microsoft's policy *is* to release
patches on a schedule, after they are thoroughly tested. They create
the patch, they make sure it is thoroughly tested, and then they release
on the next scheduled monthly patch release Tuesday.

And you don't see the difference?

Create patch, test patch, release patch.
Create patch, test patch, release patch at the next release date, days
or weeks later.

We're talking about system vulnerabilities here -- immediate
availability is critical. If you had a venomous bite and had antivenin,
you wouldn't take it at the last minute it could be effective -- you'd
take it as soon as you got it.
 
Asher_N

Thanks Tom, seems like you and I are in the minority around this
group. I can't understand why though. I tested it on one of my
computers and it was flawless, even has a uninstall that works.

Because in larger installations, patches need to be tested. It's far easier
to install a series of patches once a month and test and deploy them, than
to have to go through that cycle several times a month. It also allows me
to have my users leave their computers on overnight only once a month.
 
Jim

The actual problem is not shimgvw.dll. Rather there is a flaw in the
GDI32.DLL that is enabling this exploit.

GDI32.DLL handles virtually ALL graphics calls in Windows, so disabling it
would not be advised.

Jim
 
