Windows Thread, WMF Bug in Technical; WMF Bug Read Here For More Information...
  1. #1

    russdev's Avatar
    Join Date
    Jun 2005
    Location
    Leicestershire

    WMF Bug


  2. #2

    Join Date
    Jul 2005
    Location
    Corby

    Re: WMF Bug

    I have downloaded the "unofficial" (but got out a heck of a lot quicker than M$) patch. Haven't tested it yet, but will do. SANS released it as an MSI- which is very handy indeed. And you can uninstall the patch *when* MS release a fix- which will be (they say) January 10th.

    Bump.

    I'm getting fed up with their excuses really.

    Me.Close

    Paul :-)

  3. #3

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.

    Re: WMF Bug

    Posting from the safety of my Linux desktop box at the moment. There's already a lot of worms/trojans/adware floating about abusing this bug. Just what exactly is MS playing at?

  4. #4

    Join Date
    Jul 2005
    Location
    Corby

    Re: WMF Bug

    You're right Geoff: this has really made me take stock. I have been using Mac OS and Ubuntu to surf from at home since hearing of this and until I have applied the *temporary* fix I won't be surfing with Windows. But really, this is just another straw that keeps snapping that old camel's back!

    Aren't there something like 80 variants of the exploit out there already? Disgusting.

    Paul :-(

  5. #5


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.

    Re: WMF Bug

    I've tested and done a limited deployment of the unofficial patch. I also added a startup script to unregister the shimgvw.dll.

    We already block .wmf on the proxy, but if it's a decision between a peer-reviewed unofficial patch or waiting for Microsoft to provide a working patch - no contest. We'll be rolling out the unofficial patch tonight / next workstation reboot.

  6. #6

    Join Date
    Jul 2005
    Location
    Corby

    Re: WMF Bug

    Agreed Pete.

    Tested on one machine- no problems. Going to push it out tomorrow too.

  7. #7

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.

    Re: WMF Bug

    Does it uninstall cleanly if you remove the GPO from the machine's scope? (assuming you're rolling it out with AD).

  8. #8

    GrumbleDook's Avatar
    Join Date
    Jul 2005
    Location
    Gosport, Hampshire

    Re: WMF Bug

    The official patch is out ... and tested

    Took one known infected email and dropped it onto a virtual machine.

    No problems at all ... will monitor over tonight and if ok will allow it through WSUS tomorrow.

  9. #9


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.

    Re: WMF Bug

    Originally posted by Geoff:
    "Does it uninstall cleanly if you remove the GPO from the machine's scope? (assuming you're rolling it out with AD)."

    Yes: On a mix of 2K SP4, XP SP2 clients and AD2003. However, YMMV / may include nuts etc.

    Probably should include this from SANS.org:
    http://isc.sans.org/diary.php?rss&storyid=1018

    We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGVW.DLL causing printing issues.
    De-registering SHIMGVW.DLL can cause printer issues. This has been verified.

    Pedro, a fellow SANS handler, provided this:
    From Microsoft Windows Server 2003 Inside Out by William R. Stanek:
    "The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."

    ScottF, another SANS handler, states: "I have seen a few new printing bugs... basically the printer spooler tray icon pops up and says there is an error and then prints without a problem." This was when SHIMGVW.DLL was deregistered.
    It appears that Ilfak Guilfanov's patch can also cause printer problems.

    Paul Shane reported:
    "It seems that users printing with Lotus 1-2-3 V5 for windows (yes...the old version), running on Windows XP, cannot print with the hexblog patch installed. As soon as the patch is uninstalled and the machine is rebooted, printing works."

    Finally, JimC, another SANS handler, writing about Ilfak's patch, states:
    "Actually, I guess this one doesn't surprise me too much. The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch."

    Only a few cases of printer problems have been reported so far. Over 100,000 people have installed the patch and/or deregistered the shimgvw.dll.
    I've tested and pushed out the official patch as well, but won't be removing the unofficial one until it's deployed.
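
The SANS note quoted above ties the bug to the SETABORTFUNC (SetAbortProc) Escape() call in gdi32.dll. As an added example (not code from this thread, SANS or Microsoft), the Python function below walks a WMF file's records and reports any META_ESCAPE record whose escape sub-function is SETABORTPROC, judging the file by its header rather than its extension. The function and helper names and the two sample files are constructed here for illustration; the sample records carry no data.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header precedes META_HEADER
META_ESCAPE = 0x0626          # WMF record function that maps to GDI Escape()
META_EOF = 0x0000
SETABORTPROC = 0x0009         # escape sub-function that registers a print abort callback

def find_setabortproc(data: bytes):
    """Return offsets of META_ESCAPE/SETABORTPROC records, or None if not WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    off += 18
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:  # malformed size or end of file
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2  # record size is counted in 16-bit words
    return hits

# --- constructed sample files (no payload data), for demonstration only ---
def _record(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def _wmf(records):
    body = b"".join(records) + _record(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 0, 0) + body

SET_BK_COLOR = _record(0x0201, struct.pack("<I", 0x00FFFFFF))  # META_SETBKCOLOR
CLEAN = _wmf([SET_BK_COLOR])
FLAGGED = _wmf([SET_BK_COLOR, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("flagged", FLAGGED), ("gif", b"GIF89a" + b"\0" * 20)):
        print(name, find_setabortproc(blob))
```

A hit means the file needs a closer look, not that it is malicious: as the quoted note says, the same escape has a legitimate printing use.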

  10. #10

    john's Avatar
    Join Date
    Sep 2005
    Location
    London

    Re: WMF Bug

    We have shoved the official patch out today at work using WSUS (I still cannot believe it took 5 days to download all the updates to it (we downloaded everything, the works, that's 58GB of updates)). The kiddies are back next week, hopefully that is going to keep us virus free.

  11. #11

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham

    Re: WMF Bug

    I deployed the official patch yesterday through WSUS and it installed just fine. It was good Microsoft responded earlier than their 10th January patch schedule.

    There will be quite a few updates released on the 10th January though, so the patching for this month isn't over just yet!

  12. #12

    john's Avatar
    Join Date
    Sep 2005
    Location
    London

    Re: WMF Bug

    Wonderful! I have already been driven round the twist with the popping up restart your computer now screen on my servers and workstations this week (just deployed WSUS over Crimbo so they are catching up with all the updates) and it sure gets annoying as you say later, and it is about 5 minutes later! But let's hope this patch holds up.

  13. #13
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK

    Re: WMF Bug

    Originally posted by john:
    "Wonderful! I have already been driven round the twist with the popping up restart your computer now screen on my servers and workstations this week (just deployed WSUS over Crimbo so they are catching up with all the updates) and it sure gets annoying as you say later, and it is about 5 minutes later! But let's hope this patch holds up."

    You can use Group Policy to adjust this btw - just so you know

    I haven't tho - it is annoying isn't it? lol

    Left the fileserver restarting earlier thanks to pesky update needing restart hehe

    Nath.

  14. #14

    john's Avatar
    Join Date
    Sep 2005
    Location
    London

    Re: WMF Bug

    Excellent Nathan, I will look at that tomorrow, the old SUS was nicer in that way, as an admin we could say we will restart later, and a week later we could still have not restarted and we would never be told again, and that's how I want it for us admins, as I accidentally shut down the mailserver today by accident by just hitting return on another program, but the update popup came over it and I was on the phone and looking at the door at the same time and next thing I saw was Outlook saying no server connection! Whoops! Thank goodness it only takes 3 mins to come back up.

  15. #15
    tarquel's Avatar
    Join Date
    Jun 2005
    Location
    Powys, Mid-Wales, UK

    Re: WMF Bug

    Due to certain matters I have at work, I'm thinking of scheduling a server restart later on when no one is about.

    If I can schedule it after the script I have restarts all the XP workstations and when WSUS updates & installs the updates, then I'm on a winner.

    The trouble is that it all takes sooo long - especially with a fairly long tape backup taking place too - so it's gonna be difficult to juggle all these schedules.

    Ah well...

    Nath.


