#31

Kerry Brown <kerry@kdbnospamsys-tems.c*a*m> wrote:
> Positive. I have seen it in action. Security was slightly relaxed as
> the user used the stationery features a lot. Until this exploit there
> had never been a problem with their setup. They had disabled Block
> images and other external content in HTML email.

Ah, that explains it! AFAIK, Block images is enabled by default in (SP2) OE, at least it was for me. So for me it would mean a click.

> Not the most sensible
> thing to do but many users who use stationery do this. There are many
> newsgroups devoted to stationery. Microsoft even has one on their
> private news server.

Yeah, it's the old point: Is 'rich' ever going to be safe? Probably not.

> I was wrong about the hardware DEP though. It
> looks like this works on some systems but not others.
>
> Kerry
> Frank Slootweg wrote:

[bottom-quote deleted]

#32

Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to (and should, because this is a critical security issue), but they will use any tactic possible to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better update service and all critical updates like this!!!

If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch for Win ME that might work?), then this has HUGE implications for all machines that aren't fast enough to run 2000. It's basically a death sentence towards ever going on the Internet.

Besides which, can't any of the security people here tell me the Windows files that are specifically affected by this virus, so I can block them (would need to know how to do that as well)???

Contrary to what Linus Torvalds said, Micro$oft IS EVIL!!!

Cool_X

Todd H. wrote:
> Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
>
>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>Windows Server 2003 Service Pack 1.
>>
>>Please let me know about this.
>>
>>Cool_X
>
> Quoted from http://isc.sans.org/diary.php?storyid=994
>
> "Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and there
> will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade."
>
> Best Regards,

#33

Larry,

I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did, ZoneAlarm slows down my boot time by a large amount.

Does anyone have any other suggestions, like what Windows files to block or unregister?

I think that if I don't have the DLL that the sites are asking me to unregister, then I'm either not affected or the exploit targets different files. Could anyone clarify this one way or another???

Cool_X

Larry Sabo wrote:
> comphelp@toddh.net (Todd H.) wrote:
>
>>Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
>>
>>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>>Windows Server 2003 Service Pack 1.
>>>
>>>Please let me know about this.
>>>
>>>Cool_X
>>
>>Quoted from http://isc.sans.org/diary.php?storyid=994
>>
>>"Note: If you're still running on Win98/ME, this is a watershed
>>moment: we believe (untested) that your system is vulnerable and there
>>will be no patch from MS. Your mitigation options are very
>>limited. You really need to upgrade."
>>
>>Best Regards,
>
> Install Sunbelt Kerio Personal Firewall and modify the filter rules
> per the article "Snort rules for WMF exploit updated" in
> http://sunbeltblog.blogspot.com/. That seems to work very well.
>
> Larry

#34

Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
> I think that if I don't have the DLL that the sites are asking me to
> unregister, then I'm either not affected or the exploit targets
> different files. Could anyone clarify this one way or another???

You probably do have that dll.

Be sure to put the missing backslashes in the unregister command:

regsvr32 -u %windir%\system32\shimgvw.dll

--
Todd H.
http://www.toddh.net/

#35

In article <fkDuf.128170$2k.48463@pd7tw1no>, cool_x_usenetSPAM@shawSPAM.ca says...
> Just great, so this means the death of Win98 SE??? M$ could release a patch if they wanted to
> (and should, because this is a critical security issue), but they will use any tactic possible
> to force eXPensive upgrades. Even people who are using XP and 2000 who pirated it get a better
> update service and all critical updates like this!!!
>
> If all 16-bit versions of Windows will be vulnerable (are you saying they won't release a patch
> for Win ME that might work?), then this has HUGE implications for all machines that aren't fast
> enough to run 2000. It's basically a death sentence towards ever going on the Internet.

You have several options:

1) Having known that Windows 98 was no longer supported for many moons, you've had plenty of time to get a replacement or to determine to live with an Unsupported OS.

2) Develop a firewall/AV solution that works for your unsupported platform that limits your exposure.

3) Upgrade to Windows 2000 or XP on your existing hardware and live with the performance issues.

4) Get a new computer and newer OS - the OS could be Windows based or Linux based if you didn't want a fee-based OS. Fedora Core 4 is stable and works well on older as well as newer hardware.

--
spam999free@rrohio.com
remove 999 in order to email me

#36

on 1/2/2006 9:42 PM Todd H. said the following:
> Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
>
>>Can anyone please tell me a suitable workaround for Windows 98 SE?
>>The M$ page only lists un-registering Shimgvw.dll on Windows XP
>>Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and
>>Windows Server 2003 Service Pack 1.
>>
>>Please let me know about this.
>>
>>Cool_X
>
> Quoted from http://isc.sans.org/diary.php?storyid=994
>
> "Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and there
> will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade."
>
> Best Regards,

Turns out that this may not be true. Apparently the older versions of Windows don't have a default *.WMF handler. Technically they are vulnerable, but for all practical purposes not. CAUTION: this will depend on your configuration.

Here is one article that I found:
http://blog.ziffdavis.com/seltzer/ar.../03/39684.aspx

JH

#37

[top-post corrected below]

>Larry Sabo wrote:
[snip]
>> Install Sunbelt Kerio Personal Firewall and modify the filter rules
>> per the article "Snort rules for WMF exploit updated" in
>> http://sunbeltblog.blogspot.com/. That seems to work very well.
>>
>> Larry

Cool_X <cool_x_usenetSPAM@shawSPAM.ca> wrote:
>Larry,
>I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
>already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
>ZoneAlarm slows down my boot time by a large amount.
[snip]
>
>Cool_X

Sunbelt Kerio Personal Firewall is full-featured for 30 days, then becomes a freeware version with fewer features, according to Sunbelt. The full-featured version is available for $14.95 USD, and costs $9.95 USD to renew at the end of the year. For a table showing the differences between the free and paid versions, see...

http://www.sunbelt-software.com/Kerio.cfm

I used to use Zone Alarm years ago but abandoned it when it became so bloated that it slowed my system to a crawl, especially during booting. During the short time I was checking it out, I think I noticed that SKPF slowed my system perceptibly, but I really didn't use it long enough to be sure.

If I were using Win98, I'd use SKPF with the filters mentioned in the link above. Since I use Win2K, I rely upon the WMFHotFix instead.

Larry

#38

Todd,

No, I really don't think I have that DLL because I keep getting the error message:

"RegSvr32

LoadLibrary("%windir%\system32\shimgvw.dll") failed .
GetLastError returns 0x00000485."

What missing backslashes are you talking about, and what else can I do?

Cool_X

Todd H. wrote:
> Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
>
>>I think that if I don't have the DLL that the sites are asking me to
>>unregister, then I'm either not affected or the exploit targets
>>different files. Could anyone clarify this one way or another???
>
> You probably do have that dll.
>
> Be sure to put the missing backslashes in the unregister command:
>
> regsvr32 -u %windir%\system32\shimgvw.dll

#39

Notan,

Why should Kerio be the only firewall that supports this? Won't other firewall makers follow suit with updates to their products? And won't Symantec release definitions updates that catch all of the variants, so once I install them, I'll be immune to this virus just like any other?

Finally, why should I have to pay twice to get another firewall when I've already bought one that was highly rated, and then not be able to use the one that I already bought? There must be SOME alternative to this...

Cool_X

P.S. I'm still interested in discussing more about Usenet with you regarding your previous posts on alt.comp.sys.laptops, but I don't want to stay OT there. Could you send me your e-mail address (mine is already listed, you just have to remove the "SPAM")?

Notan wrote:
> Cool_X wrote:
>
>>Larry,
>>I would consider doing this, but I don't know if Sunbelt's product is free, and worse, I
>>already own ZoneAlarm Pro, and I know that 2 firewalls won't work together. Even if they did,
>>ZoneAlarm slows down my boot time by a large amount.
>>
>><snip>
>
> It's currently being offered for $14.95. (I paid $45.00. Damn! <g>)
>
> Have a look at http://www.sunbelt-software.com/kerio.cfm.
>
> Notan

#40

Cool_X <cool_x_usenetSPAM@shawSPAM.ca> writes:
> Todd,
> No, I really don't think I have that DLL because I keep getting the error message:
>
> "RegSvr32
>
> LoadLibrary("%windir%\system32\shimgvw.dll") failed .
> GetLastError returns 0x00000485."
>
> What missing backslashes are you talking about, and what else can I
> do?

The missing backslashes I mentioned were from the sans.org diary (their editor keeps eating them evidently), but according to the error message you have them.

Check c:\windows\system32 directory and see if shimgvw.dll is there. Maybe the mapping of %windir% is goofed up on your system? Dunno.

--
Todd H.
http://www.toddh.net/