Well disabling Active Scripting is a pain. Chances are Microsoft will release a patch early anyway. In the meantime I would recommend you apply the latest IE patch, that also fixes something like 27 bugs (apparently).
We're looking at disabling oledb32 temporarily via group policy or maybe zapping the registry key they mention in the advisory (to clobber "XML Island functionality"). Not sure what the impact will be yet... virtual machines are go!
Anyone tried SIMS/FMS/MSAccess after any of these workarounds?
I have asked to see if the infected code is being caught by our local RBC filters as this could help mitigate things.
@Tom will this be caught in the next smoothwall update?
Tony: things should be being caught as of last week.
Not sure (as we only have PoC) how many "wild" exploits it will catch, but I would be happier with the rule than without.
Those of you with "recommended security" rules on will be running it already.
And that would be how a good company manages issues.
Well they aren't making a fix, they're doing a day-to-day update to their product's most fundamental function. By their own admission the fix is far from watertight so I'd be very wary of relying on it. I would be much happier with a client-side fix for this than hoping the smoothwall rules are accurate enough and stay accurate as variants emerge. (This is not a dig at smoothwall who are obviously doing what they can)
From some experimentation with this demo of "XML island" functionality (which has nothing to do with the exploit code) it seems that putting a deny entry on the following registry key breaks the link between IE6 and MSXML3.dll:
I can't see why the Microsoft Advisory is suggesting people empty the contents of that key and subkeys instead of just setting an ACL entry. I suspect it's going to be a fair bit easier to remove that deny entry via GPO than to reconstruct a bunch of registry keys reliably.
@Tom: There are some screenshots of a malicious version on the websense blog which it would be interesting to compare with your filter to see if it would pick it up:
Last edited by sahmeepee; 16th December 2008 at 09:15 PM. Reason: stupid timeouts
tom_newton (17th December 2008)
I've had a good look at the Advisory and I think unregistering OLEDB32.DLL now and then re-registering it (when Microsoft release a patch) is the easiest option.
Unregister:
Regsvr32.exe /u "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
Register:
Regsvr32.exe "%ProgramFiles%\Common Files\System\Ole DB\oledb32.dll"
I'm not going to implement the fix on admin workstations or servers, as I am pretty positive this will stop SQL related services such as SIMS, CMIS or of course WSUS from running (not good).
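The two regsvr32 commands above are easy to run by hand, but in a startup script you want them silent, you want the exit code checked, and you want a record of which machines have the workaround applied so it can be reverted once the patch lands. The following PowerShell is an added example, not something posted in this thread: it wraps the same two commands and logs the result. The probe through the "DataLinks" ProgID is my own assumption (I take that COM class to be served by oledb32.dll, so its ProgID stops resolving after /u); the thread itself only verified by running SIMS/FMS afterwards, so treat that check as a sanity test, not proof.

```powershell
# Added example, not from the thread. Applies/reverts the oledb32.dll workaround
# quoted above and records what happened. Run elevated. On 64-bit Windows a second
# copy lives under %ProgramFiles(x86)% and would need the same treatment.
param(
    [ValidateSet('Unregister','Register','Check')]
    [string]$Action = 'Check'
)

$dll = Join-Path ${env:ProgramFiles} 'Common Files\System\Ole DB\oledb32.dll'
$log = Join-Path $env:SystemRoot 'Temp\oledb32-workaround.log'

function Test-OleDbCoreRegistered {
    # ASSUMPTION: the DataLinks ProgID maps to a class in oledb32.dll, so the
    # ProgID -> CLSID lookup fails once the DLL has been unregistered.
    $t = [System.Type]::GetTypeFromProgID('DataLinks')
    return ($null -ne $t)
}

function Invoke-Regsvr32 {
    param([string[]]$Arguments)
    # /s suppresses the message box so this can run unattended; regsvr32 returns
    # 0 on success, which is what we check instead.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\regsvr32.exe" `
                       -ArgumentList (@('/s') + $Arguments) -Wait -PassThru
    return $p.ExitCode
}

if (-not (Test-Path -LiteralPath $dll)) { throw "Not found: $dll" }

switch ($Action) {
    'Unregister' { $code = Invoke-Regsvr32 @('/u', "`"$dll`"") }   # the workaround
    'Register'   { $code = Invoke-Regsvr32 @("`"$dll`"") }         # the revert
    'Check'      { $code = 0 }                                      # report only
}

$state = if (Test-OleDbCoreRegistered) { 'registered' } else { 'NOT registered' }
$line  = "{0:u} {1} exit={2} oledb32 {3}" -f (Get-Date), $Action, $code, $state
Add-Content -LiteralPath $log -Value $line
Write-Host $line
if ($code -ne 0) { exit $code }
```

Running it with -Action Check on a test VM before and after the Unregister step tells you whether the probe actually tracks the change on your build; if it does not, fall back to the application-level test the thread used (log on to SIMS/FMS, try a Word/Excel mail merge) before rolling the script out.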
If only the end of term was tomorrow then I could forget about it and just turn all machines off over the Christmas period!
Well we tried disabling that on a virtual PC, but unfortunately it reliably kills mail merges (between word and excel) and probably anything else of that nature. SIMS itself ran fine although we didn't test any report generation etc.
The XML data island fix is much less likely to break stuff so I'm going with that on our admin and classroom PCs until this out-of-band patch comes out tomorrow and we get it deployed everywhere:
Microsoft Security Bulletin Advance Notification for December 2008
Using web browsers on servers is even more wrong than normal at the moment!
I just conducted a quick experiment on one of my SQL Servers. Using the above method of unregistering OLEDB32.DLL, I then attempted to run Sims.NET and FMS in turn and both work fine I could logon, which would indicate database functionality is normal.
And speaking of databases, SQL 2005 SP3 has been released. Something for the new year I think!
> but unfortunately it reliably kills mail merges (between word and excel)
You're right; I can re-create this using Office 2003 SP3.
As a quick update, I disabled the XML island stuff overnight and now Outlook Web Access is pretty much borked! It seems it's needed for replies and setting high importance and possibly for sending mails at all. Not good. Luckily reverting the setting is quite easy.
So thus far I've not found a suitable fix. Let's hope the patch comes quickly!
Just to echo what sahmeepee said. Outlook Web Access is almost unusable after disabling the XML Data Island CLSID. The TechNet blog article on this recommends this method as "our least intrusive workaround". Clearly Microsoft don't use their own webmail product very much!
Last edited by AngryTechnician; 17th December 2008 at 10:11 AM.