PSA for Windows users
Jan. 3rd, 2006 07:57 pm
It seems worthwhile passing on this from our computing guru at work, not usually given to over-reaction:
You may have heard about the latest problem: called the WMF vulnerability after the type of image file (.wmf) that is the main vector for infection. Infected computers are likely to become components in "Zombie Nets" used by Organized Crime for blackmail and Spam/virus propagation. Some commentators are predicting that the WMF vulnerability will become a major disaster over the next few days...
Please see http://isc.sans.org/diary.php?storyid=994 and http://www.infoworld.com/article/05/12/28/HNmalicioushackers_1.html?9809798 for details.
So what do we do about it? First: Microsoft has NOT released a patch for the vulnerability (presumably they will, eventually). So our usual mechanisms for protecting Windows systems are ineffective against this threat. (Hey. Microsoft: I'm working on a holiday, why aren't you?!?!).
Second: If you are comfortable with tinkering with your computer, please do the following two exercises:
Unregister the WMF DLL:
* Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Install an unofficial (but vouched for by SANS) patch:
http://handlers.sans.org/tliston/wmffix_hexblog13.exe
(Be sure to use "Add or Remove Programs" in the Control Panel to remove this patch once the Official Microsoft Patch arrives).
Third: If you are not comfortable with tinkering,
DO NOT surf the web beyond the [redacted] Intranet until this issue settles out.
DO NOT use any Instant Messenger (IM) program until this issue settles out.
I'm not happy about the fact that one of these steps disables Windows' image-previewing feature, but that should be temporary; the real patch is expected next week.