It cannot be detected by most intrusion detection systems (the Snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more Ethernet frames).
You *can* run 2 instances of Snort in-line to get around this CPU-pegging issue.
Not really a whole lot of choice about this one.
There is always choice - have you considered a defense-in-depth, multi-layered approach? I'm taking the following steps:
1. unregister the MS Picture and Fax Viewer DLL
2. make the WMF file extension default to an erroneous app like Notepad
3. turn DEP up a notch
4. turn off downloads in IE if you must use it (set default security settings to HIGH)
5. block all WMF files at the perimeter
6. keep antivirus up to date and consider frequent manual updates and scans of key machines
These things in combo with being vigilant over the next few days should keep you and your corporate networks safe. There are even MSI versions of the patch for mass distribution.
From http://isc.sans.org/diary.php?rss&storyid=994 :
1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. http://handlers.sans.org/tliston/wmffix_hexblog13.exe Our own Tom Liston reviewed the patch and we tested it. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a). THANKS to Ilfak Guilfanov for providing the patch!!
2. You can unregister the related DLL.
3. Virus checkers provide some protection.
To unregister the DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
This Chuck Norris Website is like a message from the LORD above himself. Thanks for passing on this crucial wisdom.
This is the same basic exploit - but the seriousness and criticality are dramatically higher. A malicious file can have any file extension and any random size and still be a WMF file on the "inside", and still have an "arbitrary code" payload. Most security groups are way freaked out now since IDS/IPS and AV patches are not patching this completely yet. Check out http://isc.sans.org/diary.php?rss&storyid=994 for a more in-depth answer.
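Step 5 of the mitigation list above (block all WMF files at the perimeter) and the post just above (a file with any extension can still be a WMF "on the inside") point at the same requirement: a perimeter filter has to decide from file contents, not from the extension. What follows is an added example, not code from any poster in this thread, from ISC or from Websense. It is a small Python sniffer that recognises the WMF header (with or without the Aldus placeable header), walks the metafile records, and additionally flags a META_ESCAPE record whose escape function is SETABORTPROC, which is the record the December 2005 exploit files used; that detail comes from the public advisories of the time, not from this thread. The sample files are constructed inline and carry only the record layout, no payload; the file names, the `inspect_file` result fields and the "block any real WMF" verdict are this example's own choices.

```python
"""
Content-based WMF sniffer (added example for this thread; not code from any
poster, ISC or Websense).  Identifies a Windows Metafile by its header rather
than its file extension, walks the metafile records and flags a META_ESCAPE
record whose escape function is SETABORTPROC.  All sample files below are
constructed here; the escape sample carries only the record layout, no payload.
"""
import struct
from typing import Dict, Iterator, Optional, Tuple

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7: Aldus placeable header magic (little-endian)
PLACEABLE_LEN = 22                    # key + handle + bounding box + inch + reserved + checksum
META_HEADER_LEN = 18                  # standard META_HEADER is 9 words
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009                 # escape function used by the Dec-2005 exploit files


def wmf_header_offset(data: bytes) -> Optional[int]:
    """Offset of the standard META_HEADER if `data` looks like a WMF, else None."""
    off = PLACEABLE_LEN if data[:4] == PLACEABLE_KEY else 0
    if len(data) < off + META_HEADER_LEN:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    # Type 1 = memory metafile, 2 = disk metafile; header size is always 9 words;
    # version is 0x0100 or 0x0300.
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    return off


def iter_records(data: bytes, hdr_off: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (function, params) per record; stop at META_EOF or a malformed size."""
    pos = hdr_off + META_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:            # size field (2 words) + function (1 word) at minimum
            break
        end = pos + size_words * 2
        yield func, data[pos + 6:end]
        if func == META_EOF:
            break
        pos = end


def inspect_file(name: str, data: bytes) -> Dict[str, object]:
    """Classify one file by content; any real WMF is blocked (step 5 of the list above)."""
    hdr_off = wmf_header_offset(data)
    claims_wmf = name.lower().endswith(".wmf")
    if hdr_off is None:
        return {"is_wmf": False, "setabortproc": False,
                "extension_mismatch": claims_wmf, "verdict": "allow"}
    setabort = False
    for func, params in iter_records(data, hdr_off):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params)[0] == SETABORTPROC:
                setabort = True
    return {"is_wmf": True, "setabortproc": setabort,
            "extension_mismatch": not claims_wmf, "verdict": "block"}


# --- constructed samples (no real payload) -----------------------------------
def record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"             # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: bytes, max_words: int = 3, placeable: bool = False) -> bytes:
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         (META_HEADER_LEN + len(records)) // 2, 0, 0, max_words, 0)
    prefix = PLACEABLE_KEY + b"\x00" * (PLACEABLE_LEN - 4) if placeable else b""
    return prefix + header + records


ESCAPE_REC = record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)

SAMPLES = {
    "chart.wmf": build_wmf(record(META_EOF)),                               # plain WMF
    "photo.jpg": build_wmf(ESCAPE_REC + record(META_EOF), max_words=7),     # WMF inside, extension lies
    "logo.wmf": b"\xff\xd8\xff\xe0" + b"\x00" * 20,                         # JPEG magic, .wmf name
    "old.wmf": build_wmf(record(META_EOF), placeable=True),                 # placeable WMF
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    return {name: inspect_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        print(f"{name:10s} wmf={r['is_wmf']!s:5s} setabortproc={r['setabortproc']!s:5s} "
              f"ext_mismatch={r['extension_mismatch']!s:5s} -> {r['verdict']}")
```

The verdict follows the thread's own advice: every file that parses as a WMF is blocked, regardless of name, so the SETABORTPROC flag is only extra context for the analyst, not the gate. Run it inside a proxy or mail-gateway hook on the decoded attachment bytes; on the wire, as the first post notes, the file can span several frames, so the check belongs where the whole object is reassembled, not on a per-packet rule.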
Did you ever see that Simpsons episode around the "Tomacco", the cross between a tomato and tobacco? He should have dueled the Colonel! But instead, Homer gives us a lesson about GMOs that is bar-none the best out there! http://www.thesimpsons.com/episode_guide/1105.htm
My father and stepmother are complete and utter technophobes. Their computer is spyware ridden, I wipe it every 6 months, you know the drill. BUT they have an xbox, they play xbox live, and chat on the headset with players they compete against. To me, this is vastly unnatural (parents playing xbox, including xbox live, and set it all up by themselves). Their PC is still F'ed, but they were able to get "right to the gaming" with XBOX. I applaud MS for this. They are doing something right. And my grandma will frag the crap out of your grandma.
Ok, to calm your nerves, here is the screenshot version: http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=385
http://www.websensesecuritylabs.com/ is a reputable security provider that I have personally done business with as Director of Vendor Relations at SANS. I did not post that URL lightly.
Internet Storm Center Coverage - Alert moved to yellow as of this morning. http://isc.sans.org/diary.php?rss&storyid=975
Also, take a look at this movie from Websense: http://www.websensesecuritylabs.com/images/alerts/wmf-movie.wmv It shows step-by-step what happens to a clean machine as it gets exploited by this new menace.
I could even see a future where we could do away with DNS in the long term as we could access webpages or other information through this network of shared temporary file folders
Yes, and I was thinking of replacing all my lightbulbs with torches and nice sconces as well. The soot will suck, but it will be so COOL!
At least the US will still own the Intellectual Property! :)
Sure thing! Meeting chicks at LUG groups is only second to meeting chicks at your local Dungeons and Dragons gaming store!
Java hype is like saying "C++ hype". Java is now an ingrained language that is just part of most enterprise developers' reality. It's just a tool and a glue that can be used any number of ways. Java is not PAST hype, and is just an ingrained part of the computing world.
Oh c'mon now, IBM has a virtual city of lawyers, you gotta give those boys something to do!
All Rights Reserved Heembo Inc. 2005
As much as it galls me to admit - he was right.
It galls you to admit that your husband was right about the well-being of your family during a road trip? What a BEEE-YATCH!
This is NOT a dupe. The previous article was "speculation" and the second was "confirmation". In other words, it is no longer a rumor, it is reality. This is newsworthy and I'm honored that the slashdot staff agreed with my submission.
And take away steam from the upcoming Google Browser release? Google is NOT evil unless money is at stake.
*grin*
How about,
Don't be evil...unless you can make a ton of money, then what the heck, go for it!
I don't. I usually just wipe the thing and reinstall the OS. It's often faster, plus by doing that you can be absolutely sure that you nuked everything.
I stand corrected, your honor. Nothing beats nuking your box of all OEM software and rebuilding it yourself the "right" way!
What is the best way for new IS managers to convince their superiors of the need for widespread change?
The best way to breed resentment is to force a company or individual to change against their grain. You need a somewhat receptive company to begin with in order to address these issues. If the company you work for is so misaligned with your beliefs and practices as a professional, then find another job. Otherwise, you risk continued dissatisfaction and professional stagnation.
I'm fed up and sick to the back teeth of reading the words "for-profit" and "company" in the same sentence, especially when they are used to (attempt to) justify antisocial business practices.
Dude, that's the historical definition OF a corporation. Corporations can, as an "entity", protect the individual owners from legal liability yet still take profit from the company. Want to pollute? Go for it, and heck, if you break the law by only this much the fine is less than the savings, so go for it! Get the picture?
Damn, the first thing I do when I get a new Dell is:
start->control panel->add/remove programs and remove with wild abandon. I usually wipe "trial security package", all the Dell QuickSet crap, any Dell support crap, and any other software that I just don't want in there. Doesn't EVERYBODY? :)
Frankly, this country was founded on the basis of checks and balances that the Patriot act completely wipes away. I see this to be an UN-patriotic act, myself.
What bank are you using? All of the large national banks that I have tested work on Safari, Firefox for Mac and all of the major Win XP browsers. Heck, I even tried (and continue to use) First Hawaiian Bank, a rather small bank, yet it works as well in all browsers mentioned above.
I'm really curious as to what bank you are using - if it's a rather small regional bank, then they may have been suckered into developing IE-ONLY applications, which in my mind is NOT a true web application to begin with.