#21
On Mon, 02 Jan 2006 19:28:54 GMT, Leythos <void@nowhere.lan> wrote:

>As a "formal" request, for documentation reason, I request that you stop
>using my name to forge posts. You have been warned now.

Of course, you could just try posting with your real name.

#22
In article <dd0jr1tvrk7urn18aseimrmsr7ccq05pra@4ax.com>,
mail@REMOVEwsblevins.com says...
> On Mon, 02 Jan 2006 19:28:54 GMT, Leythos <void@nowhere.lan> wrote:
>
> >As a "formal" request, for documentation reason, I request that you stop
> >using my name to forge posts. You have been warned now.
>
>
> Of course, you could just try posting with your real name.

This is the name I've posted with for over 10 years, longer than he's
been online.

--
spam999free@rrohio.com
remove 999 in order to email me

#23
On Mon, 02 Jan 2006 19:55:51 GMT, Leythos <void@nowhere.lan> wrote:

>This is the name I've posted with for over 10 years, longer than he's
>been online.

Perhaps, but if I want to post using the name "Chair" and someone else
uses it at some point, there's not a lot one can do about it. Move on.

#24
In article <ai1jr15a7578gsivp0ruujbsnr2j7lpiio@4ax.com>,
mail@REMOVEwsblevins.com says...
> On Mon, 02 Jan 2006 19:55:51 GMT, Leythos <void@nowhere.lan> wrote:
>
> >This is the name I've posted with for over 10 years, longer than he's
> >been online.
>
>
> Perhaps, but if I want to post using the name "Chair" and someone else
> uses it at some point, there's not a lot one can do about it. Move on.

Yes, I know, but, as with most people, some have Ethics and others don't.

--
spam999free@rrohio.com
remove 999 in order to email me

#25
On Mon, 2 Jan 2006 17:09:12 +0100, Gabriele Neukam
<Gabriele.Spamfighter.Neukam@t-online.de> wrote:

>http://www.f-secure.com/weblog/archi....html#00000752
>
>this *might* have been, how it happened.

Yup, I cleaned up a couple of machines in the last few days with that.

tim
--
tim

#26
Can anyone please tell me a suitable workaround for Windows 98 SE? The M$ page only lists
un-registering Shimgvw.dll on Windows XP Service Pack 1; Windows XP Service Pack 2;
Windows Server 2003 and Windows Server 2003 Service Pack 1.

Please let me know about this.

Cool_X

tim wrote:
> On Mon, 2 Jan 2006 17:09:12 +0100, Gabriele Neukam
> <Gabriele.Spamfighter.Neukam@t-online.de> wrote:
>
>
>>http://www.f-secure.com/weblog/archi....html#00000752
>>
>>this *might* have been, how it happened.
>
>
> Yup, I cleaned up a couple of machines in the last few days with that.
>
> tim

#27
Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:

> Can anyone please tell me a suitable workaround for Windows 98 SE?
> The M$ page only lists un-registering Shimgvw.dll on Windows XP
> Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
> Windows Server 2003 Service Pack 1.
>
> Please let me know about this.
>
> Cool_X

Quoted from http://isc.sans.org/diary.php?storyid=994

"Note: If you're still running on Win98/ME, this is a watershed
moment: we believe (untested) that your system is vulnerable and there
will be no patch from MS. Your mitigation options are very
limited. You really need to upgrade."

Best Regards,
--
Todd H.
http://www.toddh.net/

#28
comphelp@toddh.net (Todd H.) wrote:

>Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
>
>> Can anyone please tell me a suitable workaround for Windows 98 SE?
>> The M$ page only lists un-registering Shimgvw.dll on Windows XP
>> Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>> Windows Server 2003 Service Pack 1.
>>
>> Please let me know about this.
>>
>> Cool_X
>
>Quoted from http://isc.sans.org/diary.php?storyid=994
>
>"Note: If you're still running on Win98/ME, this is a watershed
>moment: we believe (untested) that your system is vulnerable and there
>will be no patch from MS. Your mitigation options are very
>limited. You really need to upgrade."
>
>
>Best Regards,

Install Sunbelt Kerio Personal Firewall and modify the filter rules per
the article "Snort rules for WMF exploit updated" in
http://sunbeltblog.blogspot.com/. That seems to work very well.

Larry

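Added example, not part of any post in this thread and not the Snort rules referenced above: a minimal content check that parses WMF data and flags Escape records invoking SETABORTPROC, the record type abused by the WMF exploit under discussion, regardless of the file's extension. The header and record layout follow the published WMF format; the function names and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header magic
META_ESCAPE = 0x0626        # record function: Escape
SETABORTPROC = 0x0009       # escape function that registers an abort callback


def scan_wmf(data):
    """Return None if data is not a WMF, else a list of (offset, note) findings."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    findings = []
    off += 18                                   # first record follows the header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append((off, "malformed record length"))
            break
        if func == 0:                           # META_EOF ends the record list
            break
        if func == META_ESCAPE and size_words >= 4:
            (esc,) = struct.unpack_from("<H", data, off + 6)
            if esc == SETABORTPROC:
                findings.append((off, "Escape/SETABORTPROC record"))
        off += size_words * 2                   # record sizes are in 16-bit words
    return findings


def _record(func, params=b""):
    """Build one constructed record: DWORD size in words, WORD function, params."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Wrap constructed records in an 18-byte standard header plus META_EOF."""
    body = b"".join(records) + _record(0)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 0, 0) + body


# Constructed, inert samples: neither carries any payload bytes.
BENIGN = _wmf([_record(0x0102, struct.pack("<H", 1))])  # one SetBkMode record
FLAGGED = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, scan_wmf(blob))
```

Because the check keys on the metafile header rather than the file name, it also applies to WMF data saved under another image extension.
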
#29
Kerry Brown <kerry@kdbnospamsys-tems.c*a*m> wrote:

[deleted]

> I have seen it on three customers' computers in the last three days. They
> were all up to date with Windows updates, running an antivirus, one was
> running MS AntiSpyware. As near as I can tell they all came in via the .wmf
> exploit. One was in a spam email. They had the preview pane open and viewing
> the email installed the malware. Two were while surfing the net. Both times
> they clicked on a link in a google search and they were immediately
> infected. See the following link for details of the exploit.
>
> http://www.microsoft.com/technet/sec...ry/912840.mspx

Are you sure about that preview pane story? The Microsoft Security
Advisory claims that one at least has to *click* on something or
*open* an *attachment*:

[Start quote:]

Mitigating Factors:

* In an E-mail based attack involving the current exploit, customers
would have to be persuaded to click on a link within a malicious
e-mail or open an attachment that exploited the vulnerability. At
this point, no attachment has been identified in which a user can be
attacked simply by reading mail.

[End quote.]

[This is from the January 3 version of the Advisory. The earlier
wording was somewhat less specific.]

I also thought that a (OE) (pre-)view was enough, but I checked some
(innocent) JPEGs in an HTML message and they are displayed, *despite*
disabling (un-registering) the Windows Picture and Fax viewer
(Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
component than the Windows Picture and Fax viewer. Of course I didn't
check any malicious 'pictures', so I could be wrong.

Anyway, the good news is that if everything goes according to plan,
we will have a (MS) patch (security update) in a week (January 10).

> The only effective workaround right now is to enable hardware DEP for all
> programs (software DEP won't stop it) or disable the Windows picture and fax
> viewer. Both workarounds can cause problems. Hardware DEP may break some
> drivers and a lot of games won't run. Unregistering shimgvw.dll seems to be
> the best workaround but it may cause some minor problems with html email and
> some web sites.
>
> Kerry

#30
Positive. I have seen it in action. Security was slightly relaxed as the
user used the stationery features a lot. Until this exploit there had never
been a problem with their setup. They had disabled Block images and other
external content in HTML email. Not the most sensible thing to do but many
users who use stationery do this. There are many newsgroups devoted to
stationery. Microsoft even has one on their private news server.

I was wrong about the hardware DEP though. It looks like this works on some
systems but not others.

Kerry

Frank Slootweg wrote:
> Kerry Brown <kerry@kdbnospamsys-tems.c*a*m> wrote:
> [deleted]
>> I have seen it on three customers' computers in the last three days.
>> They were all up to date with Windows updates, running an antivirus,
>> one was running MS AntiSpyware. As near as I can tell they all came
>> in via the .wmf exploit. One was in a spam email. They had the
>> preview pane open and viewing the email installed the malware. Two
>> were while surfing the net. Both times they clicked on a link in a
>> google search and they were immediately infected. See the following
>> link for details of the exploit.
>>
>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> Are you sure about that preview pane story? The Microsoft Security
> Advisory claims that one at least has to *click* on something or
> *open* an *attachment*:
>
> [Start quote:]
>
> Mitigating Factors:
>
> * In an E-mail based attack involving the current exploit, customers
> would have to be persuaded to click on a link within a malicious
> e-mail or open an attachment that exploited the vulnerability. At
> this point, no attachment has been identified in which a user can be
> attacked simply by reading mail.
>
> [End quote.]
>
> [This is from the January 3 version of the Advisory. The earlier
> wording was somewhat less specific.]
>
> I also thought that a (OE) (pre-)view was enough, but I checked some
> (innocent) JPEGs in an HTML message and they are displayed, *despite*
> disabling (un-registering) the Windows Picture and Fax viewer
> (Shimgvw.dll). So apparently JPEG in e-mail is rendered by some other
> component than the Windows Picture and Fax viewer. Of course I didn't
> check any malicious 'pictures', so I could be wrong.
>
> Anyway, the good news is that if everything goes according to plan,
> we will have a (MS) patch (security update) in a week (January 10).
>
>> The only effective workaround right now is to enable hardware DEP
>> for all programs (software DEP won't stop it) or disable the Windows
>> picture and fax viewer. Both workarounds can cause problems.
>> Hardware DEP may break some drivers and a lot of games won't run.
>> Unregistering shimgvw.dll seems to be the best workaround but it may
>> cause some minor problems with html email and some web sites.
>>
>> Kerry