Josh Einstein wrote:
> By the way, I got a patch at www.grc.com (another well known Windows
> security expert) who links to Ilfak Guilfanov's temporary patch.
>


Gibson may be well known, but he's a "security" expert in his own mind
only.

Gibson is a very poor source for computer security advice. Gibson
has been fooling a lot of people for several years, now, so don't feel
too bad about having believed him. He mixes just enough facts in with
his hysteria and hyperbole to be plausible. Despicably, Gibson is
assuming a presumably morally superior pose as a White Knight out to
rescue the poor, defenseless computer user, all the while offering
solutions that do no good whatsoever.

Perhaps you should read what real computer security specialists
have to say about Steve Gibson's "security" expertise. You can start here:
http://www.grcsucks.com/


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

Josh Einstein wrote:
> I'm just saying people should trust security experts. There *are* people out
> there more qualified to give security guidance than you or MS. SANS,
> F-secure, and Steve Gibson are 3 such parties.
>

Actually, if Gibson's recommending it, I'd avoid it like the plague.


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

You would do well to heed your own advice... "Do some research first..."

I am not alone in proposing that people take the lead in preventing this
exploit by utilizing an "unofficial" patch.

And, even if I were..... Norton Antivirus, McAfee antivirus, etc. are not
officially recognized or suggested by Microsoft. Should they be wiped from
users' aresenal of security applications?

Had you actually "done some reasearch first" (even as little as reading the
CNET article at
http://news.com.com/Wait+for+Windows...?tag=nefd.lede)
you would see that more outside eyes have looked over this patch than over
any Microsoft patches that we install without a second thought.

Curious that Microsoft doesn't make thier patches open source. After all,
the exploits are already open source and we all have access to those.

Hey, Bruce....before you post again...."Do some research first..."

Jim


"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
news:eHIXPqNEGHA.1424@TK2MSFTNGP12.phx.gbl...
> Jim wrote:
>> Chris,
>>
>> You are acting in an extremely irresponsible manner.
>
>
> No, you're the one trying to con people into downloading an unknown patch
> from an unofficial source. What specific type of malware are you trying
> to distribute.
>
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH

Well I don't tend to put much stock into any domain with the word "sucks" in
it cause it's usually pretty one sided. Especially one that links to the
register.

I do admit Steve Gibson is quite paranoid and self serving about security,
but he is also not a hacker and I don't think anyone would ever accuse him
of irresponsibly linking to an unsafe patch. (Which of course has been
linked to by many others now as well.)

(By the way, I don't read Steve Gibson's stuff and I don't particularly care
for his anti-Microsoft attitude, but while searching for mirrors for the
file, I came across his site and knew that it could be trusted not to be
malicious.)

--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com

"Bruce Chambers" <bchambers@cable0ne.n3t> wrote in message
news:%23C2yZrNEGHA.1424@TK2MSFTNGP12.phx.gbl...
> Josh Einstein wrote:
>> By the way, I got a patch at www.grc.com (another well known Windows
>> security expert) who links to Ilfak Guilfanov's temporary patch.
>>
>
>
> Gibson may be well known, but he's a "security" expert in his own mind
> only.
>
> Gibson is a very poor source for computer security advice. Gibson has
> been fooling a lot of people for several years, now, so don't feel too bad
> about having believed him. He mixes just enough facts in with his
> hysteria and hyperbole to be plausible. Despicably, Gibson is assuming a
> presumably morally superior pose as a White Knight out to rescue the poor,
> defenseless computer user, all the while offering solutions that do no
> good whatsoever.
>
> Perhaps you should read what real computer security specialists have
> to say about Steve Gibson's "security" expertise. You can start here:
> http://www.grcsucks.com/
>
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH

I'm outta here.

I have shown you what I know about the patch and protecting yourselves. I
have projects to get out and must concentrate on them at this time.

Ultimately (in PCs as in life), your seurity is in your hands. Do your
research. Listen to whom you trust.

I wish you all the very best in this new year.

Have fun and be safe.

Jim

anyone know how to tell if you ARE infected?
Will the patch destroy the infection too?


Jim wrote:
> In case you have been living under a rock for the last week or so,
> you may not have heard about the WMF Windows exploit.
>
> For those rock dwellers, here's the scoop.....short and sweet. Reprinted
> here without permission from SANS at
> http://isc.sans.org/diary.php?storyid=994. Hope they don't mind....
> .
> ---------------------------------------------
>
> WMF FAQ (NEW)
> Published: 2006-01-03,
> Last Updated: 2006-01-03 08:55:06 UTC by Johannes Ullrich (Version:
> 3(click to highlight changes))
>
> [a few users offered translations of this FAQ into various languages.
> Obviously, we can not check the translation for accuracy, nor can we
> update them. So use at your own risk: Deutsch and Deutsch (pdf),
> Catalan , Español , Italiana and Italiana, Polski, Suomenkielinen,
> Danish, Japanese, Slovenian, Chinese, Norwegian and Nederlands (in
> progress) ]
>
> a.. Why is this issue so important?
> The WMF vulnerability uses images (WMF images) to execute arbitrary
> code. It will execute just by viewing the image. In most cases, you
> don't have click anything. Even images stored on your system may
> cause the exploit to be triggered if it is indexed by some indexing
> software. Viewing a directory in Explorer with 'Icon size' images
> will cause the exploit to be triggered as well.
>
> a.. Is it better to use Firefox or Internet Explorer?
> Internet Explorer will view the image and trigger the exploit without
> warning. New versions of Firefox will prompt you before opening the
> image. However, in most environments this offers little protection
> given that these are images and are thus considered 'safe'.
>
> a.. What versions of Windows are affected?
> All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are
> affected to some extent. Mac OS-X, Unix or BSD is not affected.
>
> Note: If you're still running on Win98/ME, this is a watershed
> moment: we believe (untested) that your system is vulnerable and
> there will be no patch from MS. Your mitigation options are very
> limited. You really need to upgrade.
>
> a.. What can I do to protect myself?
> 1.. Microsoft has not yet released a patch. An unofficial patch was
> made available by Ilfak Guilfanov. Our own Tom Liston reviewed the
> patch and we tested it. The reviewed and tested version is available
> here (now at v1.4, MD5: 15f0a36ea33f39c1bcf5a98e51d4f4f6), PGP
> signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for
> providing the patch!! 2.. You can unregister the related DLL.
> 3.. Virus checkers provide some protection.
> To unregister the DLL:
>
> a.. Click Start, click Run, type "regsvr32 -u
> %windir%system32shimgvw.dll" (without the quotation marks... our
> editor keeps swallowing the backslashes... its
> %windir%(backslash)system32(backslash)shimgvw.dll) , and then click OK.
> b.. A dialog box appears to confirm that the un-registration process
> has succeeded. Click OK to close the dialog box.
> Our current "best practice" recommendation is to both unregister the
> DLL and to use the unofficial patch.
>
> a.. How does the unofficial patch work?
> The wmfhotfix.dll is injected into any process loading user32.dll. The DLL
> then patches (in memory) gdi32.dll's Escape() function so
> that it ignores any call using the SETABORTPROC (ie. 0x09) parameter.
> This should allow Windows programs to display WMF files normally
> while still blocking the exploit. The version of the patch located
> here has been carefully checked against the source code provided as
> well as tested against all known versions of the exploit. It should
> work on WinXP (SP1 and SP2) and Win2K.
> a.. Will unregistering the DLL (without using the unofficial patch)
> protect me?
> It might help. But it is not foolproof. We want to be very clear on
> this: we have some very stong indications that simply unregistering
> the shimgvw.dll isn't always successful. The .dll can be
> re-registered by malicious processes or other installations, and
> there may be issues where re-registering the .dll on a running system
> that has had an exploit run against it allowing the exploit to
> succeed. In addition it might be possible for there to be other
> avenues of attack against the Escape() function in gdi32.dll. Until
> there is a patch available from MS, we recommend using the unofficial
> patch in addition to un-registering shimgvw.dll.
> a.. Should I just delete the DLL?
> It might not be a bad idea, but Windows File Protection will probably
> replace it. You'll need to turn off Windows File Protection first.
> Also, once an official patch is available you'll need to replace the
> DLL. (renaming, rather than deleting is probably better so it will
> still be handy).
>
> a.. Should I just block all .WMF images?
> This may help, but it is not sufficient. WMF files are recognized by a
> special header and the extension is not needed. The files could
> arrive using any extension, or embeded in Word or other documents.
>
> a.. What is DEP (Data Execution Protection) and how does it help me?
> With Windows XP SP2, Microsoft introduced DEP. It protects against a
> wide range of exploits, by preventing the execution of 'data
> segements'. However, to work well, it requires hardware support. Some
> CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and
> will prevent the exploit.
> a.. How good are Anti Virus products to prevent the exploit?
> At this point, we are aware of versions of the exploit that will not
> be detected by antivirus engines. We hope they will catch up soon.
> But it will be a hard battle to catch all versions of the exploit. Up
> to date AV systems are necessary but likely not sufficient.
>
> a.. How could a malicious WMF file enter my system?
> There are too many methods to mention them all. E-mail attachments,
> web sites, instant messaging are probably the most likely sources.
> Don't forget P2P file sharing and other sources.
>
> a.. Is it sufficient to tell my users not to visit untrusted web
> sites? No. It helps, but its likely not sufficient. We had at least
> one widely trusted web site (knoppix-std.org) which was compromissed.
> As part of the compromise, a frame was added to the site redirecting
> users to a corrupt WMF file. "Tursted" sites have been used like this
> in the past.
> a.. What is the actual problem with WMF images here?
> WMF images are a bit different then most other images. Instead of just
> containing simple 'this pixel has that color' information, WMF images
> can call external procedures. One of these procedure calls can be
> used to execute the code.
>
> a.. Should I use something like "dropmyrights" to lower the impact
> of an exploit.
> By all means yes. Also, do not run as an administrator level users
> for every day work. However, this will only limit the impact of the
> exploit, and not prevent it. Also: Web browsing is only one way to
> trigger the exploit. If the image is left behind on your system, and
> later viewed by an administrator, you may get 'hit'.
>
> a.. Are my servers vulnerable?
> Maybe... do you allow the uploading of images? email? Are these images
> indexed? Do you sometimes use a web browser on the server? In short:
> If someone can get a image to your server, and if the vulnerable DLL
> may look at it, your server may very well be vulnerable.
>
> a.. What can I do at my perimeter / firewall to protect my network?
> Not much. A proxy server that strips all images from web sites?
> Probably wont go over well with your users. At least block .WMF
> images (see above about extensions...). If your proxy has some kind
> of virus checker, it may catch it. Same for mail servers. The less
> you allow your users to initiate outbound connections, the better.
> Close monitoring of user workstations may provide a hint if a work
> station is infected.
> a.. Can I use an IDS to detect the exploit?
> Most IDS vendors are working on signatures. Contact your vendor for
> details. Bleedingsnort.org is providing some continuosly improving
> signatures for snort users.
>
> a.. If I get hit by the exploit, what can I do?
> Not much :-(. It very much depends on the exact exploit you are hit
> with. Most of them will download additional components. It can be
> very hard, or even impossible, to find all the pieces. Microsoft
> offers free support for issues like that at 866-727-2389 (866 PC
> SAFETY).
> a.. Does Microsoft have information available?
> http://www.microsoft.com/technet/sec...ry/912840.mspx
> But there is no patch at the time of this writing.
>
>
> a.. What does CERT have to say?
> http://www.kb.cert.org/vuls/id/181038
> http://www.cve.mitre.org/cgi-bin/cve...=CVE-2005-4560
>
>
> -----------------------------------------
>
> So run the patch, reboot and keep your fingers crossed!
>
> Jim

Sharkman@comcast.net wrote:
> anyone know how to tell if you ARE infected?
> Will the patch destroy the infection too?

Update your virus definitions and do a full scan. The patch will not
destroy the infection, but it should block the ability of the virus to
take control of your system.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.

And the patch can be uninstalled later?

Tom Porterfield <tpporter@mvps.org> wrote:

>Sharkman@comcast.net wrote:
>> anyone know how to tell if you ARE infected?
>> Will the patch destroy the infection too?
>
>Update your virus definitions and do a full scan. The patch will not
>destroy the infection, but it should block the ability of the virus to
>take control of your system.
Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!

"Tom Porterfield" wrote:

> Sharkman@comcast.net wrote:
> > anyone know how to tell if you ARE infected?
> > Will the patch destroy the infection too?
>
> Update your virus definitions and do a full scan. The patch will not
> destroy the infection, but it should block the ability of the virus to
> take control of your system.
> --
> Tom Porterfield
> MS-MVP Windows
> http://support.teloep.org
>
> Please post all follow-ups to the newsgroup only.
>

Yes. And, it should be uninstalled prior to installing Microsoft's patch.

Jim

"Juan I. Cahis" <jiclbchSINBASURA@attglobal.net> wrote in message
news:mgnnr1ps4vcteb4u3hbhum0q3v25pft8hh@4ax.com...
And the patch can be uninstalled later?

Tom Porterfield <tpporter@mvps.org> wrote:

>Sharkman@comcast.net wrote:
>> anyone know how to tell if you ARE infected?
>> Will the patch destroy the infection too?
>
>Update your virus definitions and do a full scan. The patch will not
>destroy the infection, but it should block the ability of the virus to
>take control of your system.
Thanks
Juan I. Cahis
Santiago de Chile (South America)
Note: Please forgive me for my bad English, I am trying to improve it!