Data Execution Prevention

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, December 30, 2005 11:48 AM
To: [email protected]
Subject: RE: [ActiveDir] ZeroDay-WMF

Sorry. Maybe it's too much holiday partying: DEP?

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 29, 2005 5:41 PM
To: [email protected]
Subject: Re: [ActiveDir] ZeroDay-WMF

True...but right now the vector they are using is WMF, so it mitigates that one. Risk analysis, and for right now...those are the steps I took for my office.

[I'm thinking about enabling DEP for everyone, as I'm seeing no impact here and I'm the only one running Irfanview. Now whether I do more tomorrow.... ask me tomorrow :-) I'm still not ready to unregister dlls..... yet....

{Cool thing about SBSland is the Change Management department around here is really agreeable with whatever I decide to do}

Crawford, Scott wrote:
>This has been discussed on Jesper's blog, but the main problem is that
>blocking wmf files doesn't mitigate the risk, because simply renaming a
>file to .jpg or .gif will still cause it to be parsed by the same .dll,
>which will treat it as the file type it really is.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
>CPA aka Ebitz - SBS Rocks [MVP]
>Sent: Thursday, December 29, 2005 7:08 PM
>To: [email protected]
>Subject: Re: [ActiveDir] ZeroDay-WMF
>
>What did I do?
>
>1. Fired up Trend and blocked the wmf files
>2. Fired up ISA and blocked WMF images
>3. On my high risk workstations [uh...mine] enabled DEP for all programs
>[and seriously considering doing this for all as I'm 100% borg XP sp2 here]
>How to Configure Memory Protection in Windows XP SP2:
>http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>4. Ensured that the a/v dats were covering it
>5. Informed all of what was going on and told them to 'be careful'.
>
>I have not unregistered that dll as to me... ripping that out like that
>is last resort. You will break a lot of stuff.
>
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : So if you have
>ISA here are some things you can do:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79908.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : Blocking those
>WMF's at the email border:
>http://msmvps.com/blogs/bradley/archive/2005/12/28/79925.aspx
>E-Bitz - SBS MVP the Official Blog of the SBS "Diva" : WMF and blocking:
>http://msmvps.com/blogs/bradley/archive/2005/12/29/79966.aspx
>
>Noah Eiger wrote:
>
>>Susan -
>>
>>I examined the steps you provided for unregistering shimgvw.dll but
>>notes at
>>http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html
>>seem to indicate that this will only help if you get an infected
>>attachment in email. Or did I mis-read that?
>>
>>Also, if this is a good stop-gap, are you deploying it via script/GPO?
>>At least until MS patches?
>>
>>Thanks.
>>
>>-- nme
>

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
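Scott's point above, that a WMF renamed to .jpg or .gif is still handed to the same dll and parsed as what it really is, is why a mail or proxy border filter has to classify attachments by content rather than by extension. The following Python snippet is an added example, not code from anyone in the thread: it recognises a WMF by the header bytes defined in Microsoft's WMF specification (the placeable-header key 0x9AC6CDD7 and the standard header's type/size/version fields) and blocks on that rather than on the filename; the sample blobs are constructed headers, not real files.

```python
import struct

# Magic values from the Windows Metafile format specification (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable metafile header key
WMF_VERSIONS = {0x0100, 0x0300}   # METAVERSION100 / METAVERSION300
WMF_FILE_TYPES = {1, 2}           # 1 = in-memory metafile, 2 = on-disk metafile

def is_wmf(data: bytes) -> bool:
    """Return True if the bytes start with a WMF header, whatever the filename says."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_KEY:
        return True                # 22-byte placeable header precedes the standard one
    if len(data) >= 18:
        file_type, header_size, version = struct.unpack("<HHH", data[:6])
        # Standard META_HEADER: Type 1 or 2, HeaderSize 9 WORDs, Version 0x100/0x300
        return file_type in WMF_FILE_TYPES and header_size == 9 and version in WMF_VERSIONS
    return False

def sniff_image_type(data: bytes) -> str:
    """Classify by magic bytes, the way a content-aware image parser does."""
    if is_wmf(data):
        return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return "unknown"

def should_block(filename: str, data: bytes) -> bool:
    """Border-filter decision: the filename is deliberately ignored."""
    return sniff_image_type(data) == "wmf"

# Constructed sample attachments (headers plus zero padding; no real image data).
SAMPLES = {
    # Placeable WMF key D7 CD C6 9A, renamed to look like a photo
    "holiday.jpg": struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18,
    # Standard WMF header: disk metafile, 9 WORDs, version 3.0, renamed to .gif
    "card.gif": struct.pack("<HHHIHIH", 2, 9, 0x0300, 30, 0, 0, 0) + b"\x00" * 12,
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "real.gif": b"GIF89a" + b"\x00" * 20,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = "BLOCK" if should_block(name, blob) else "allow"
        print(f"{name:12s} content is {sniff_image_type(blob):7s} -> {verdict}")
```

Both renamed samples are blocked while the genuine JPEG and GIF pass, which is the behaviour an extension-only rule cannot give.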
