Sorry. Maybe it's too much holiday partying: DEP?
-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 29, 2005 5:41 PM
To: [email protected]
Subject: Re: [ActiveDir] ZeroDay-WMF
True...but right now the vector they are using is WMF so it mitigates
that one.
Risk analysis and for right now ...those are the steps I took for my
office. [I'm thinking about enabling DEP for everyone as I'm seeing no
impact here and I'm the only one running Irfanview.]
Now whether I do more tomorrow.... ask me tomorrow :-) I'm still not
ready to unregister dll's..... yet....
{Cool thing about SBSland is the Change Management department around
here is really agreeable with whatever I decide to do}
Crawford, Scott wrote:
>This has been discussed on Jespers blog, but the main problem is that
>blocking wmf files doesn't mitigate the risk because simply renaming a
>file to .jpg or .gif will still cause it to be parsed by the same .dll
>which will treat it as the file type it really is.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, December 29, 2005 7:08 PM
>To: [email protected]
>Subject: Re: [ActiveDir] ZeroDay-WMF
>
>What did I do?
>
>1. Fired up Trend and blocked the wmf files
>2. Fired up ISA and blocked WMF images
>3. On my high risk workstations [uh...mine] enabled DEP for all
>programs [and seriously considering doing this for all as I'm 100% borg
>XP sp2 here]
>How to Configure Memory Protection in Windows XP SP2:
>http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>4. Ensured that the a/v dats were covering it
>5. Informed all of what was going on and told them to 'be careful'.
>
>I have not unregistered that dll as to me... ripping that out like that
>is last resort. You will break a lot of stuff.
>
>
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : So if you have
>ISA here are some things you can do:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79908.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : Blocking those
>WMF's at the email border:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : WMF and blocking:
>http://msmvps.com/blogs/bradley/archive/2005/12/29/79966.aspx
>
>Noah Eiger wrote:
>
>>Susan -
>>
>>I examined the steps you provided for unregistering shimgvw.dll but
>>notes at
>>http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html
>>seem to indicate that this will only help if you get an infected
>>attachment in email. Or did I misread that?
>>
>>Also, if this is a good stop-gap, are you deploying it via script/GPO?
>>At least until MS patches?
>>
>>Thanks.
>>
>>-- nme
>>
>>--
>>No virus found in this outgoing message.
>>Checked by AVG Free Edition.
>>Version: 7.1.371 / Virus Database: 267.14.9/216 - Release Date: 12/29/2005
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
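Scott's point in the quoted reply above (renaming a WMF to .jpg or .gif changes nothing about what the image parser sees) is worth checking with bytes in hand. The Python below is an added example and is not code from anyone in this thread: it recognises WMF by its header, either the Aldus "placeable" key 0x9AC6CDD7 or a standard METAHEADER (type 1 or 2, header size of 9 words, version 0x0100 or 0x0300), and runs an extension-only filter and a content check side by side over a few constructed sample attachments. The sample files, their names and the set of blocked extensions are assumptions made for the demo, not anything the poster deployed.

```python
"""Content-based WMF detection versus extension-based blocking.

Added example, not from the thread. Header layout facts (placeable key,
METAHEADER fields) are from the WMF format; the sample files below are
constructed for the demo.
"""
import struct

# Aldus "placeable" metafile key, read as a little-endian DWORD at offset 0.
PLACEABLE_KEY = 0x9AC6CDD7
PLACEABLE_HEADER_LEN = 22   # key, hmf, bbox (4 words), inch, reserved, checksum
METAHEADER_LEN = 18         # standard WMF METAHEADER
# What an extension-only filter would block (assumption for the demo).
BLOCKED_EXTENSIONS = {".wmf", ".emf"}


def _is_metaheader(buf: bytes) -> bool:
    """True if buf starts with a plausible METAHEADER: type 1 (memory) or
    2 (disk), header size 9 words, version 0x0100 or 0x0300."""
    if len(buf) < METAHEADER_LEN:
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", buf, 0)
    return mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300)


def sniff_wmf(data: bytes):
    """Classify by content only: 'placeable', 'standard', or None."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "placeable"
    if _is_metaheader(data):
        return "standard"
    return None


def blocked_by_extension(filename: str) -> bool:
    """The naive filter: looks only at the name."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot >= 0 else ""
    return ext in BLOCKED_EXTENSIONS


def blocked_by_content(data: bytes) -> bool:
    """The filter that survives a rename: looks at the bytes."""
    return sniff_wmf(data) is not None


def build_standard_wmf() -> bytes:
    """Constructed minimal WMF: METAHEADER plus one EOF record (3 words, function 0)."""
    eof_record = struct.pack("<IH", 3, 0x0000)
    total_words = (METAHEADER_LEN + len(eof_record)) // 2
    header = struct.pack("<HHHIHIH",
                         1,            # mtType: 1 = in memory, 2 = disk file
                         9,            # mtHeaderSize, in words
                         0x0300,       # mtVersion
                         total_words,  # mtSize, in words
                         0,            # mtNoObjects
                         3,            # mtMaxRecord, in words
                         0)            # mtNoParameters
    return header + eof_record


def build_placeable_wmf() -> bytes:
    """Constructed placeable WMF: 22-byte Aldus header (key, hmf, bbox, dpi,
    reserved, XOR checksum of the first 10 words) wrapping a standard WMF."""
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum) + build_standard_wmf()


# Constructed sample "attachments" (name -> bytes). The JPEG and GIF are just
# their magic numbers, which is all this check needs.
SAMPLES = {
    "chart.wmf": build_standard_wmf(),
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "banner.gif": b"GIF89a" + b"\x00" * 10,
    "holiday2.jpg": build_placeable_wmf(),   # renamed WMF: the bypass described in the thread
    "banner2.gif": build_standard_wmf(),     # renamed WMF, no placeable header
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (blocked_by_extension, blocked_by_content)."""
    return {name: (blocked_by_extension(name), blocked_by_content(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in evaluate().items():
        print(f"{name:13} ext-filter={'BLOCK' if by_ext else 'pass '}  "
              f"content-filter={'BLOCK' if by_content else 'pass '}  "
              f"kind={sniff_wmf(SAMPLES[name])}")
```

Run as a script it prints one line per sample; the two renamed files pass the extension filter and are caught by the content check. A header check of this kind belongs at the mail or proxy border alongside the vendor signatures, and it only sees what is handed to it: a WMF inside an archive is not caught unless the gateway unpacks archives first.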