In case you have been living under a rock for the last week or so, you may
not have heard about the WMF Windows exploit.

For those rock dwellers, here's the scoop.....short and sweet. Reprinted
here without permission from SANS at
http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... .

---------------------------------------------

WMF FAQ (NEW)
Published: 2006-01-03,
Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version: 3(click
to highlight changes))

[a few users offered translations of this FAQ into various languages.
Obviously, we can not check the translation for accuracy, nor can we update
them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan , Español
, Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
Slovenian, Chinese, Norwegian and Nederlands (in progress) ]


a.. Why is this issue so important?
The WMF vulnerability uses images (WMF images) to execute arbitrary code. It
will execute just by viewing the image. In most cases, you don't have click
anything. Even images stored on your system may cause the exploit to be
triggered if it is indexed by some indexing software. Viewing a directory in
Explorer with 'Icon size' images will cause the exploit to be triggered as
well.

a.. Is it better to use Firefox or Internet Explorer?
Internet Explorer will view the image and trigger the exploit without
warning. New versions of Firefox will prompt you before opening the image.
However, in most environments this offers little protection given that these
are images and are thus considered 'safe'.

a.. What versions of Windows are affected?
All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are affected
to some extent. Mac OS-X, Unix or BSD is not affected.

Note: If you're still running on Win98/ME, this is a watershed moment: we
believe (untested) that your system is vulnerable and there will be no patch
from MS. Your mitigation options are very limited. You really need to
upgrade.

a.. What can I do to protect myself?
1.. Microsoft has not yet released a patch. An unofficial patch was made
available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
tested it. The reviewed and tested version is available here (now at v1.4,
MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC key)
here. THANKS to Ilfak Guilfanov for providing the patch!!
2.. You can unregister the related DLL.
3.. Virus checkers provide some protection.
To unregister the DLL:

a.. Click Start, click Run, type "regsvr32 -u %windir%system32shimgvw.dll"
(without the quotation marks... our editor keeps swallowing the
backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll) , and
then click OK.
b.. A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.
Our current "best practice" recommendation is to both unregister the DLL and
to use the unofficial patch.

a.. How does the unofficial patch work?
The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
then patches (in memory) gdi32.dll's Escape() function so that it ignores
any call using the SETABORTPROC (ie. 0x09) parameter. This should allow
Windows programs to display WMF files normally while still blocking the
exploit. The version of the patch located here has been carefully checked
against the source code provided as well as tested against all known
versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.

a.. Will unregistering the DLL (without using the unofficial patch)
protect me?
It might help. But it is not foolproof. We want to be very clear on this: we
have some very stong indications that simply unregistering the shimgvw.dll
isn't always successful. The .dll can be re-registered by malicious
processes or other installations, and there may be issues where
re-registering the .dll on a running system that has had an exploit run
against it allowing the exploit to succeed. In addition it might be
possible for there to be other avenues of attack against the Escape()
function in gdi32.dll. Until there is a patch available from MS, we
recommend using the unofficial patch in addition to un-registering
shimgvw.dll.
a.. Should I just delete the DLL?
It might not be a bad idea, but Windows File Protection will probably
replace it. You'll need to turn off Windows File Protection first. Also,
once an official patch is available you'll need to replace the DLL.
(renaming, rather than deleting is probably better so it will still be
handy).

a.. Should I just block all .WMF images?
This may help, but it is not sufficient. WMF files are recognized by a
special header and the extension is not needed. The files could arrive using
any extension, or embeded in Word or other documents.

a.. What is DEP (Data Execution Protection) and how does it help me?
With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
range of exploits, by preventing the execution of 'data segements'. However,
to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
CPUs, will provide full DEP protection and will prevent the exploit.

a.. How good are Anti Virus products to prevent the exploit?
At this point, we are aware of versions of the exploit that will not be
detected by antivirus engines. We hope they will catch up soon. But it will
be a hard battle to catch all versions of the exploit. Up to date AV systems
are necessary but likely not sufficient.

a.. How could a malicious WMF file enter my system?
There are too many methods to mention them all. E-mail attachments, web
sites, instant messaging are probably the most likely sources. Don't forget
P2P file sharing and other sources.

a.. Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but its likely not sufficient. We had at least one widely
trusted web site (knoppix-std.org) which was compromissed. As part of the
compromise, a frame was added to the site redirecting users to a corrupt WMF
file. "Tursted" sites have been used like this in the past.

a.. What is the actual problem with WMF images here?
WMF images are a bit different then most other images. Instead of just
containing simple 'this pixel has that color' information, WMF images can
call external procedures. One of these procedure calls can be used to
execute the code.

a.. Should I use something like "dropmyrights" to lower the impact of an
exploit.
By all means yes. Also, do not run as an administrator level users for every
day work. However, this will only limit the impact of the exploit, and not
prevent it. Also: Web browsing is only one way to trigger the exploit. If
the image is left behind on your system, and later viewed by an
administrator, you may get 'hit'.

a.. Are my servers vulnerable?
Maybe... do you allow the uploading of images? email? Are these images
indexed? Do you sometimes use a web browser on the server? In short: If
someone can get a image to your server, and if the vulnerable DLL may look
at it, your server may very well be vulnerable.

a.. What can I do at my perimeter / firewall to protect my network?
Not much. A proxy server that strips all images from web sites? Probably
wont go over well with your users. At least block .WMF images (see above
about extensions...). If your proxy has some kind of virus checker, it may
catch it. Same for mail servers. The less you allow your users to initiate
outbound connections, the better. Close monitoring of user workstations may
provide a hint if a work station is infected.

a.. Can I use an IDS to detect the exploit?
Most IDS vendors are working on signatures. Contact your vendor for details.
Bleedingsnort.org is providing some continuosly improving signatures for
snort users.

a.. If I get hit by the exploit, what can I do?
Not much :-(. It very much depends on the exact exploit you are hit with.
Most of them will download additional components. It can be very hard, or
even impossible, to find all the pieces. Microsoft offers free support for
issues like that at 866-727-2389 (866 PC SAFETY).

a.. Does Microsoft have information available?
http://www.microsoft.com/technet/sec...ry/912840.mspx
But there is no patch at the time of this writing.


a.. What does CERT have to say?
http://www.kb.cert.org/vuls/id/181038
http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560


-----------------------------------------

So run the patch, reboot and keep your fingers crossed!

Jim

Direct link to patch......
http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Will disabling the file extension's default program to open wmf files, to
none do the job, along with deinstalling windows media player?

--
Jonny
"Jim" <reply@groups.please> wrote in message
news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.net. ..
> In case you have been living under a rock for the last week or so, you may
> not have heard about the WMF Windows exploit.
>
> For those rock dwellers, here's the scoop.....short and sweet. Reprinted
> here without permission from SANS at
> http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... .
>
> ---------------------------------------------
>
> WMF FAQ (NEW)
> Published: 2006-01-03,
> Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
3(click
> to highlight changes))
>
> [a few users offered translations of this FAQ into various languages.
> Obviously, we can not check the translation for accuracy, nor can we
update
> them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan ,
Español
> , Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
> Slovenian, Chinese, Norwegian and Nederlands (in progress) ]
>
>
> a.. Why is this issue so important?
> The WMF vulnerability uses images (WMF images) to execute arbitrary code.
It
> will execute just by viewing the image. In most cases, you don't have
click
> anything. Even images stored on your system may cause the exploit to be
> triggered if it is indexed by some indexing software. Viewing a directory
in
> Explorer with 'Icon size' images will cause the exploit to be triggered as
> well.
>
> a.. Is it better to use Firefox or Internet Explorer?
> Internet Explorer will view the image and trigger the exploit without
> warning. New versions of Firefox will prompt you before opening the image.
> However, in most environments this offers little protection given that
these
> are images and are thus considered 'safe'.
>
> a.. What versions of Windows are affected?
> All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are
affected
> to some extent. Mac OS-X, Unix or BSD is not affected.
>
> Note: If you're still running on Win98/ME, this is a watershed moment: we
> believe (untested) that your system is vulnerable and there will be no
patch
> from MS. Your mitigation options are very limited. You really need to
> upgrade.
>
> a.. What can I do to protect myself?
> 1.. Microsoft has not yet released a patch. An unofficial patch was made
> available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and we
> tested it. The reviewed and tested version is available here (now at v1.4,
> MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC
key)
> here. THANKS to Ilfak Guilfanov for providing the patch!!
> 2.. You can unregister the related DLL.
> 3.. Virus checkers provide some protection.
> To unregister the DLL:
>
> a.. Click Start, click Run, type "regsvr32 -u
%windir%system32shimgvw.dll"
> (without the quotation marks... our editor keeps swallowing the
> backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll) , and
> then click OK.
> b.. A dialog box appears to confirm that the un-registration process has
> succeeded. Click OK to close the dialog box.
> Our current "best practice" recommendation is to both unregister the DLL
and
> to use the unofficial patch.
>
> a.. How does the unofficial patch work?
> The wmfhotfix.dll is injected into any process loading user32.dll. The
DLL
> then patches (in memory) gdi32.dll's Escape() function so that it ignores
> any call using the SETABORTPROC (ie. 0x09) parameter. This should allow
> Windows programs to display WMF files normally while still blocking the
> exploit. The version of the patch located here has been carefully checked
> against the source code provided as well as tested against all known
> versions of the exploit. It should work on WinXP (SP1 and SP2) and Win2K.
>
> a.. Will unregistering the DLL (without using the unofficial patch)
> protect me?
> It might help. But it is not foolproof. We want to be very clear on this:
we
> have some very stong indications that simply unregistering the shimgvw.dll
> isn't always successful. The .dll can be re-registered by malicious
> processes or other installations, and there may be issues where
> re-registering the .dll on a running system that has had an exploit run
> against it allowing the exploit to succeed. In addition it might be
> possible for there to be other avenues of attack against the Escape()
> function in gdi32.dll. Until there is a patch available from MS, we
> recommend using the unofficial patch in addition to un-registering
> shimgvw.dll.
> a.. Should I just delete the DLL?
> It might not be a bad idea, but Windows File Protection will probably
> replace it. You'll need to turn off Windows File Protection first. Also,
> once an official patch is available you'll need to replace the DLL.
> (renaming, rather than deleting is probably better so it will still be
> handy).
>
> a.. Should I just block all .WMF images?
> This may help, but it is not sufficient. WMF files are recognized by a
> special header and the extension is not needed. The files could arrive
using
> any extension, or embeded in Word or other documents.
>
> a.. What is DEP (Data Execution Protection) and how does it help me?
> With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
> range of exploits, by preventing the execution of 'data segements'.
However,
> to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
> CPUs, will provide full DEP protection and will prevent the exploit.
>
> a.. How good are Anti Virus products to prevent the exploit?
> At this point, we are aware of versions of the exploit that will not be
> detected by antivirus engines. We hope they will catch up soon. But it
will
> be a hard battle to catch all versions of the exploit. Up to date AV
systems
> are necessary but likely not sufficient.
>
> a.. How could a malicious WMF file enter my system?
> There are too many methods to mention them all. E-mail attachments, web
> sites, instant messaging are probably the most likely sources. Don't
forget
> P2P file sharing and other sources.
>
> a.. Is it sufficient to tell my users not to visit untrusted web sites?
> No. It helps, but its likely not sufficient. We had at least one widely
> trusted web site (knoppix-std.org) which was compromissed. As part of the
> compromise, a frame was added to the site redirecting users to a corrupt
WMF
> file. "Tursted" sites have been used like this in the past.
>
> a.. What is the actual problem with WMF images here?
> WMF images are a bit different then most other images. Instead of just
> containing simple 'this pixel has that color' information, WMF images can
> call external procedures. One of these procedure calls can be used to
> execute the code.
>
> a.. Should I use something like "dropmyrights" to lower the impact of an
> exploit.
> By all means yes. Also, do not run as an administrator level users for
every
> day work. However, this will only limit the impact of the exploit, and not
> prevent it. Also: Web browsing is only one way to trigger the exploit. If
> the image is left behind on your system, and later viewed by an
> administrator, you may get 'hit'.
>
> a.. Are my servers vulnerable?
> Maybe... do you allow the uploading of images? email? Are these images
> indexed? Do you sometimes use a web browser on the server? In short: If
> someone can get a image to your server, and if the vulnerable DLL may look
> at it, your server may very well be vulnerable.
>
> a.. What can I do at my perimeter / firewall to protect my network?
> Not much. A proxy server that strips all images from web sites? Probably
> wont go over well with your users. At least block .WMF images (see above
> about extensions...). If your proxy has some kind of virus checker, it may
> catch it. Same for mail servers. The less you allow your users to initiate
> outbound connections, the better. Close monitoring of user workstations
may
> provide a hint if a work station is infected.
>
> a.. Can I use an IDS to detect the exploit?
> Most IDS vendors are working on signatures. Contact your vendor for
details.
> Bleedingsnort.org is providing some continuosly improving signatures for
> snort users.
>
> a.. If I get hit by the exploit, what can I do?
> Not much :-(. It very much depends on the exact exploit you are hit with.
> Most of them will download additional components. It can be very hard, or
> even impossible, to find all the pieces. Microsoft offers free support for
> issues like that at 866-727-2389 (866 PC SAFETY).
>
> a.. Does Microsoft have information available?
> http://www.microsoft.com/technet/sec...ry/912840.mspx
> But there is no patch at the time of this writing.
>
>
> a.. What does CERT have to say?
> http://www.kb.cert.org/vuls/id/181038
> http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
>
>
> -----------------------------------------
>
> So run the patch, reboot and keep your fingers crossed!
>
> Jim
>
>

No. The file type is launched by its internal header. The file extension
really doesn't matter.

Windows media player is only one app that can display the files. There are
many more.

The only way to minimize your risk is to run the patch.

Jim

"Jonny" <billgates@scampublic.net> wrote in message
news:OJBgLMGEGHA.1032@TK2MSFTNGP11.phx.gbl...
> Will disabling the file extension's default program to open wmf files, to
> none do the job, along with deinstalling windows media player?
>
> --
> Jonny
> "Jim" <reply@groups.please> wrote in message
> news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.net. ..
>> In case you have been living under a rock for the last week or so, you
>> may
>> not have heard about the WMF Windows exploit.
>>
>> For those rock dwellers, here's the scoop.....short and sweet. Reprinted
>> here without permission from SANS at
>> http://isc.sans.org/diary.php?storyid=994. Hope they don't mind.... .
>>
>> ---------------------------------------------
>>
>> WMF FAQ (NEW)
>> Published: 2006-01-03,
>> Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
> 3(click
>> to highlight changes))
>>
>> [a few users offered translations of this FAQ into various languages.
>> Obviously, we can not check the translation for accuracy, nor can we
> update
>> them. So use at your own risk: Deutsch and Deutsch (pdf), Catalan ,
> Español
>> , Italiana and Italiana, Polski, Suomenkielinen, Danish, Japanese,
>> Slovenian, Chinese, Norwegian and Nederlands (in progress) ]
>>
>>
>> a.. Why is this issue so important?
>> The WMF vulnerability uses images (WMF images) to execute arbitrary code.
> It
>> will execute just by viewing the image. In most cases, you don't have
> click
>> anything. Even images stored on your system may cause the exploit to be
>> triggered if it is indexed by some indexing software. Viewing a directory
> in
>> Explorer with 'Icon size' images will cause the exploit to be triggered
>> as
>> well.
>>
>> a.. Is it better to use Firefox or Internet Explorer?
>> Internet Explorer will view the image and trigger the exploit without
>> warning. New versions of Firefox will prompt you before opening the
>> image.
>> However, in most environments this offers little protection given that
> these
>> are images and are thus considered 'safe'.
>>
>> a.. What versions of Windows are affected?
>> All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are
> affected
>> to some extent. Mac OS-X, Unix or BSD is not affected.
>>
>> Note: If you're still running on Win98/ME, this is a watershed moment: we
>> believe (untested) that your system is vulnerable and there will be no
> patch
>> from MS. Your mitigation options are very limited. You really need to
>> upgrade.
>>
>> a.. What can I do to protect myself?
>> 1.. Microsoft has not yet released a patch. An unofficial patch was
>> made
>> available by Ilfak Guilfanov. Our own Tom Liston reviewed the patch and
>> we
>> tested it. The reviewed and tested version is available here (now at
>> v1.4,
>> MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP signature (signed with ISC
> key)
>> here. THANKS to Ilfak Guilfanov for providing the patch!!
>> 2.. You can unregister the related DLL.
>> 3.. Virus checkers provide some protection.
>> To unregister the DLL:
>>
>> a.. Click Start, click Run, type "regsvr32 -u
> %windir%system32shimgvw.dll"
>> (without the quotation marks... our editor keeps swallowing the
>> backslashes... its %windir%(backslash)system32(backslash)shimgvw.dll) ,
>> and
>> then click OK.
>> b.. A dialog box appears to confirm that the un-registration process
>> has
>> succeeded. Click OK to close the dialog box.
>> Our current "best practice" recommendation is to both unregister the DLL
> and
>> to use the unofficial patch.
>>
>> a.. How does the unofficial patch work?
>> The wmfhotfix.dll is injected into any process loading user32.dll. The
> DLL
>> then patches (in memory) gdi32.dll's Escape() function so that it ignores
>> any call using the SETABORTPROC (ie. 0x09) parameter. This should allow
>> Windows programs to display WMF files normally while still blocking the
>> exploit. The version of the patch located here has been carefully
>> checked
>> against the source code provided as well as tested against all known
>> versions of the exploit. It should work on WinXP (SP1 and SP2) and
>> Win2K.
>>
>> a.. Will unregistering the DLL (without using the unofficial patch)
>> protect me?
>> It might help. But it is not foolproof. We want to be very clear on this:
> we
>> have some very stong indications that simply unregistering the
>> shimgvw.dll
>> isn't always successful. The .dll can be re-registered by malicious
>> processes or other installations, and there may be issues where
>> re-registering the .dll on a running system that has had an exploit run
>> against it allowing the exploit to succeed. In addition it might be
>> possible for there to be other avenues of attack against the Escape()
>> function in gdi32.dll. Until there is a patch available from MS, we
>> recommend using the unofficial patch in addition to un-registering
>> shimgvw.dll.
>> a.. Should I just delete the DLL?
>> It might not be a bad idea, but Windows File Protection will probably
>> replace it. You'll need to turn off Windows File Protection first. Also,
>> once an official patch is available you'll need to replace the DLL.
>> (renaming, rather than deleting is probably better so it will still be
>> handy).
>>
>> a.. Should I just block all .WMF images?
>> This may help, but it is not sufficient. WMF files are recognized by a
>> special header and the extension is not needed. The files could arrive
> using
>> any extension, or embeded in Word or other documents.
>>
>> a.. What is DEP (Data Execution Protection) and how does it help me?
>> With Windows XP SP2, Microsoft introduced DEP. It protects against a wide
>> range of exploits, by preventing the execution of 'data segements'.
> However,
>> to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit
>> CPUs, will provide full DEP protection and will prevent the exploit.
>>
>> a.. How good are Anti Virus products to prevent the exploit?
>> At this point, we are aware of versions of the exploit that will not be
>> detected by antivirus engines. We hope they will catch up soon. But it
> will
>> be a hard battle to catch all versions of the exploit. Up to date AV
> systems
>> are necessary but likely not sufficient.
>>
>> a.. How could a malicious WMF file enter my system?
>> There are too many methods to mention them all. E-mail attachments, web
>> sites, instant messaging are probably the most likely sources. Don't
> forget
>> P2P file sharing and other sources.
>>
>> a.. Is it sufficient to tell my users not to visit untrusted web sites?
>> No. It helps, but its likely not sufficient. We had at least one widely
>> trusted web site (knoppix-std.org) which was compromissed. As part of the
>> compromise, a frame was added to the site redirecting users to a corrupt
> WMF
>> file. "Tursted" sites have been used like this in the past.
>>
>> a.. What is the actual problem with WMF images here?
>> WMF images are a bit different then most other images. Instead of just
>> containing simple 'this pixel has that color' information, WMF images can
>> call external procedures. One of these procedure calls can be used to
>> execute the code.
>>
>> a.. Should I use something like "dropmyrights" to lower the impact of
>> an
>> exploit.
>> By all means yes. Also, do not run as an administrator level users for
> every
>> day work. However, this will only limit the impact of the exploit, and
>> not
>> prevent it. Also: Web browsing is only one way to trigger the exploit. If
>> the image is left behind on your system, and later viewed by an
>> administrator, you may get 'hit'.
>>
>> a.. Are my servers vulnerable?
>> Maybe... do you allow the uploading of images? email? Are these images
>> indexed? Do you sometimes use a web browser on the server? In short: If
>> someone can get a image to your server, and if the vulnerable DLL may
>> look
>> at it, your server may very well be vulnerable.
>>
>> a.. What can I do at my perimeter / firewall to protect my network?
>> Not much. A proxy server that strips all images from web sites? Probably
>> wont go over well with your users. At least block .WMF images (see above
>> about extensions...). If your proxy has some kind of virus checker, it
>> may
>> catch it. Same for mail servers. The less you allow your users to
>> initiate
>> outbound connections, the better. Close monitoring of user workstations
> may
>> provide a hint if a work station is infected.
>>
>> a.. Can I use an IDS to detect the exploit?
>> Most IDS vendors are working on signatures. Contact your vendor for
> details.
>> Bleedingsnort.org is providing some continuosly improving signatures for
>> snort users.
>>
>> a.. If I get hit by the exploit, what can I do?
>> Not much :-(. It very much depends on the exact exploit you are hit with.
>> Most of them will download additional components. It can be very hard, or
>> even impossible, to find all the pieces. Microsoft offers free support
>> for
>> issues like that at 866-727-2389 (866 PC SAFETY).
>>
>> a.. Does Microsoft have information available?
>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>> But there is no patch at the time of this writing.
>>
>>
>> a.. What does CERT have to say?
>> http://www.kb.cert.org/vuls/id/181038
>> http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
>>
>>
>> -----------------------------------------
>>
>> So run the patch, reboot and keep your fingers crossed!
>>
>> Jim
>>
>>
>
>

> The only way to minimize your risk is to run the patch.

What guarantees come with a non-Microsoft patch?

Won't crash my system or affect anything etc

Or is it caveat emptor?

--
Regards

John Waller

No guarantees.....except that the SANS institute has tested it. I have
tested the original app and have made it a self-installing exe that doesn't
show any UI.

Mine is primarily for sys admins though....it reboots your system after
installing without asking....so all apps should be closed.

Let me know if you want my link.

The one thing that is guaranteed is that you are worse off without it than
with it.

Direct link to SANS-tested patch......
http://handlers.sans.org/tliston/wmffix_hexblog14.exe

Jim


"John Waller" <johnw@REMOVETHISpinnacleweb.com.au> wrote in message
news:eaQfjVGEGHA.2708@TK2MSFTNGP11.phx.gbl...
>> The only way to minimize your risk is to run the patch.
>
> What guarantees come with a non-Microsoft patch?
>
> Won't crash my system or affect anything etc
>
> Or is it caveat emptor?
>
> --
> Regards
>
> John Waller
>

"Jonny" <billgates@scampublic.net> wrote:

|>Will disabling the file extension's default program to open wmf files, to
|>none do the job, along with deinstalling windows media player?

No, just update your virus checker most will catch it now, I use NOD32
and it does (I've seen it work)

Not running I.E. helps as FireFox and Opera ask if you want to
download the WMF file.

And my favorite http://www.annoyances.org/exec/show/article03-201
but I don't really know if this works as I've always stop'd the WMF
from executing (NOD32)

|>Jonny
|>"Jim" <reply@groups.please> wrote in message
|>news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.ne t...
|>> In case you have been living under a rock for the last week or so, you may
|>> not have heard about the WMF Windows exploit.


--
Time Wasting Sites on the Net
http://freebies.about.com/od/710/tp/timewasting.htm

Not everybody's antivirus is up to the task....
http://www.eweek.com/article2/0,1895,1907102,00.asp

I didn't see NOD on the list......so I'll defer to your experience.

Jim


"Trax" <Pennywise@DerryMaine.Gov> wrote in message
news:4g9lr11sd00uqjefp7rsls0ei6hrb8rjr3@4ax.com...
> "Jonny" <billgates@scampublic.net> wrote:
>
> |>Will disabling the file extension's default program to open wmf files,
> to
> |>none do the job, along with deinstalling windows media player?
>
> No, just update your virus checker most will catch it now, I use NOD32
> and it does (I've seen it work)
>
> Not running I.E. helps as FireFox and Opera ask if you want to
> download the WMF file.
>
> And my favorite http://www.annoyances.org/exec/show/article03-201
> but I don't really know if this works as I've always stop'd the WMF
> from executing (NOD32)
>
> |>Jonny
> |>"Jim" <reply@groups.please> wrote in message
> |>news:EKtuf.37300$Lb1.23573@bignews3.bellsouth.ne t...
> |>> In case you have been living under a rock for the last week or so, you
> may
> |>> not have heard about the WMF Windows exploit.
>
>
> --
> Time Wasting Sites on the Net
> http://freebies.about.com/od/710/tp/timewasting.htm

In article <qtyuf.37570$Lb1.7468@bignews3.bellsouth.net>,
reply@groups.please says...
> Not everybody's antivirus is up to the task....
> http://www.eweek.com/article2/0,1895,1907102,00.asp
>
> I didn't see NOD on the list......so I'll defer to your experience.

Note, that article was dated: December 31, 2005

--

spam999free@rrohio.com
remove 999 in order to email me

Leythos <void@nowhere.lan> wrote:

|>In article <qtyuf.37570$Lb1.7468@bignews3.bellsouth.net>,
|>reply@groups.please says...
|>> Not everybody's antivirus is up to the task....
|>> http://www.eweek.com/article2/0,1895,1907102,00.asp
|>>
|>> I didn't see NOD on the list......so I'll defer to your experience.

|>Note, that article was dated: December 31, 2005

I didn't get the original post so have to piggy back on the reply.

I post this to another message a few days ago:

From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
Newsgroups: microsoft.public.windowsxp.general

Carey:

Please don't post the following...

Microsoft Live Safety Center
http://safety.live.com/site/en-US/default.htm

It is a Beta and on a scale from 1 to 10 it is a 2

If you are going to ost a online scanner post one that actually has a
high catch rate.

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

I have been in communication with Randy Treir and I have been testing
the site. Straight
talk -- it sucks !

I gave it a zoo and it had a 22% catch rate.

When I tested an "Exploit-WMF" sample Yesterday, these were the
results...

AntiVir 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
Avast 4.6.695.0 12.29.2005 Win32:Exdown
AVG 718 12.29.2005 Downloader.Agent.13.AI
Avira 6.33.0.70 12.29.2005 TR/Dldr.WMF.Agent.D
BitDefender 7.2 12.29.2005 Exploit.Win32.WMF-PFV.C
CAT-QuickHeal 8.00 12.29.2005 WMF.Exploit
ClamAV devel-20051123 12.29.2005 Exploit.WMF.A
DrWeb 4.33 12.29.2005 Exploit.MS05-053
eTrust-Iris 7.1.194.0 12.29.2005 Win32/Worfo.C!Trojan
eTrust-Vet 12.4.1.0 12.29.2005 Win32/Worfo
Ewido 3.5 12.29.2005 Downloader.Agent.acd
Fortinet 2.54.0.0 12.29.2005 W32/WMF-exploit
F-Prot 3.16c 12.29.2005 security risk or a "backdoor" program
Ikarus 0.2.59.0 12.29.2005 Trojan-Downloader.Win32.Agent.ACD
Kaspersky 4.0.2.24 12.29.2005 Trojan-Downloader.Win32.Agent.acd
McAfee 4662 12.29.2005 Exploit-WMF
Microsoft ?? 12.29.2005 no virus found
NOD32v2 1.1343 12.28.2005 Win32/TrojanDownloader.Wmfex
Norman 5.70.10 12.29.2005 no virus found
Panda 9.0.0.4 12.28.2005 Exploit/Metafile
Sophos 4.01.0 12.29.2005 Troj/DownLdr-NK
Symantec 8.0 12.29.2005 Download.Trojan
TheHacker 5.9.1.064 12.28.2005 Exploit/WMF
Trend Micro 135 12.29.2005 TROJ_NASCENE.D
UNA 1.83 12.29.2005 no virus found
VBA32 3.10.5 12.28.2005 no virus found


Today however it is causght...

Microsoft ?? 12.30.2005 Exploit:Win32/Wmfap

Just because you are a Microsoft MVP, please don't suggest a low
quality product wjhen there
are high quality alternatives.
Especially when it is a security related issue !


--
Time Wasting Sites on the Net
http://freebies.about.com/od/710/tp/timewasting.htm