[OPLINTECH] UPDATE Still More Info Alert: Zero Day Exploit...no MS fix yet!

JKENZIG JKENZIG at cuyahoga.lib.oh.us
Fri Dec 30 13:52:30 EST 2005


Been tracking this all day and even emailed back and forth with Larry
Seltzer at eWEEK... You just can't win; the registry patch doesn't even
fix it all... See:
http://www.eweek.com/article2/0,1895,1907131,00.asp

Jim 

I received the following a bit ago from Larry...


It's pretty fluid. Here's some more stuff Symantec is reporting and I'll
try to work into the next story:
Microsoft has reported that Windows XP SP 2 includes software-enforced
Data Execution Prevention (DEP), which should be enabled to prevent
exploitation of this issue.  Symantec has found that this mitigation is
not effective against this vulnerability.  Furthermore, reports indicate
that hardware-enforced DEP may not be effective against this issue as
well.
 
It has been reported that 'shimgvw.dll' may be blocked using a Software
Restriction Policy.  This workaround may be more suitable for enterprise
networks, as the Software Restriction Policy can be pushed out to
computers in the network, eliminating the need for scripts that
unregister or register 'shimgvw.dll'.  It should be noted that Symantec
has not verified or tested this workaround.  More information about
Software Restriction Policies in Windows XP and Windows 2003 may be
found at the following locations:
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine

-----Original Message-----
From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org]
On Behalf Of JKENZIG
Sent: Friday, December 30, 2005 1:34 PM
To: OPLINTECH at OPLIN.ORG
Subject: [OPLINTECH] More Info Alert: Zero Day Exploit...no MS fix yet!

Note: more info has been found that the regsrvr fix previously posted
also disables Thumbnails, which you may not want to have happen. There
has been another workaround just released that consists of two registry
files to fix and restore back the WMF vulnerability for Windows XP
systems. This will keep your thumbnail functionality intact. They are at:
Several Antivirus vendors still have no fix.

To apply the fix, highlight, right-click on, and copy the link below,
and paste it into Internet Explorer on your Windows XP home system to
download the file. Once downloaded, click on the WPFV_disable.reg file
that you downloaded to apply the fix.

https://www.securinfos.info/english/WPFV_disable.reg

Download and click the above one to apply the patch. 

 

To remove the fix, highlight, right-click on, and copy the link below,
and paste it into Internet Explorer on your Windows XP home system.

https://www.securinfos.info/english/WPFV_enable.reg

Download and click on the above one to take the patch off. 

 

See the story at:

http://www.eweek.com/article2/0,1895,1906211,00.asp

Jim Kenzig

Network Manager
Cuyahoga County Public Library

________________________________

From: oplintech-bounces at oplin.org [mailto:oplintech-bounces at oplin.org]
On Behalf Of JKENZIG
Sent: Friday, December 30, 2005 8:22 AM
To: OPLINTECH at OPLIN.ORG
Subject: Re: [OPLINTECH] Alert: Zero Day Exploit...no MS fix yet!


Microsoft's security advisory out on this attack:
http://www.microsoft.com/technet/security/advisory/912840.mspx
JK

________________________________

From: oplintech-bounces at oplin.org [mailto:org] On Behalf Of JKENZIG
Sent: Friday, December 30, 2005 8:01 AM
To:
Subject: [OPLINTECH] Alert: Zero Day Exploit...no MS fix yet!



If you are running Windows 2003 servers, see the following article, run
the regserver temp fix, and block the suggested sites below in your DNS
or firewall ASAP!

http://www.eweek.com/article2/0,1895,1906210,00.asp
F-Secure also recommends filtering domains at corporate firewalls. These
sites should be listed as off-limits: 

Regards,
Jim Kenzig 


