Read Here For More Information
Read Here For More Information
I have downloaded the "unofficial" (but got out a heck of a lot quicker than M$) patch. Haven't tested it yet, but will do. SANS released it as an MSI- which is very handy indeed. And you can uninstall the patch *when* MS release a fix- which will be (they say) January 10th.
I'm getting fed up with their excuses really.
Posting from the safety of my Linux desktop box at the moment. There's already a lot of worms/trojans/adware floating about abusing this bug. Just what exactly is MS playing at?
You're right Geoff: this has really made me take stock. I have been using Mac OS and Ubuntu to surf from at home since hearing of this and until I have applied the *temporary* fix I won't be surfing with Windows. But really, this is just another straw that keeps snapping that old camel's back!
Aren't there something like 80 variants of the exploit out there already? Disgusting.
I've tested and done a limited deployment of the unofficial patch. I also added a startup script to unregister the shimgvw.dll.
We already block .wmf on the proxy, but if it's a decision to between a peer-reviewed unofficial patch or wait for microsoft to provide a working patch - no contest. We'll be rolling out the unofficial patch tonight / next workstation reboot.
Tested on one machine- no problems. Going to push it out tomorrow too.
Does it uninstall cleanly if you remove the GPO from the machines scope? (assuming your rolling it out with AD).
The official patch is out ... and tested
Took one known infected email and dropped it onto a virtual machine.
No problems at all ... will monitor over tonight and if ok will allow it through WSUS tomorrow.
Yes: On a mix of 2K SP4, XP SP2 clients and AD2003. However, YMMV / may include nuts etc.Quote:
Originally Posted by Geoff
Probably should include this from SANS.org:
I've tested and pushed out the official patch as well, but won't be removing the unofficial one until it's deployed.Quote:
We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGWV.DLL causing printing issues.
De-registering SHIMGVW.DLL can cause printer issues. This has been verified.
Pedro a fellow SANS handler provided this:
"From Microsoft Windows Server 2003 Inside Out
By William R. Stanek The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."
ScottF another SANS handler states "I have seen a few new printing bugs...basically the printer spooler tray icon pops up and says there is an error and then prints without a problem" this was when SHIMGWV.DLL was deregistered.
It appears that Ilfak Guilfanov's patch can also cause printer problems.
Paul Shane reported
"It seems that users printing with Lotus 1-2-3 V5 for windows (yes...the old version), running on Windows XP, cannot print with the hexblog patch installed. As soon as the patch is uninstalled and the machine is rebooted, printing works."
Finally JimC another SANS handler writing about Ilfak's patch states:
"Actually, I guess this one doesn't surprise me too much. The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch.
Only a few cases of printer problems have been reported so far. Over 100,000 people have installed the patch and/or deregistered the shimgwv.dll.
We have shoved the official patch out today at work using WSUS (I still cannot believe it took 5 days to download all the updates to it (we downloaded everything, the works thats 58GB of updates). The kiddies are back next week, hopefully that is going to keep us virus free.
Wonderful! I have already been driven round the twist with the popping up restart your computer now screen on my servers and workstations this week (just deployed WSUS over Crimbo so they are catching up with all the updates) and it sure gets annoying as you say later, and it is about 5 minutes later!. But lets hope this patch hold up
You can use Group Policy to adjust this btw - just so you know ;)Quote:
Originally Posted by john
I havent tho - it is annoying isn't it? lol :)
Left the fileserver restarting earlier thanks to pesky update needing restart hehe
Excellent Nathan, I will look at that tomorrow, the old SUS was nicer in that way, as an admin we could say we will restart later, and a week later we could still have not restarted and we would never be told again, and thats how I want it for us admins, as I acidently shut down the mailserver today by accident by just hitting return on another program, but the update popup came over it and I was on the phone and looking at the door at the same time and next thing I saw was Outlook saying no server connection! Whoopse! Thank goodnes it only take 3 mins to come back up.
Due to certain matters i have at work, I'm thinking of scheduling a server restart later on when no one is about.
If i can schedule it after the script i have restarts all the XP workstations and when WSUS updates & installs the updates, then I'm on a winner.
The trouble is that it all takes sooo long - especially with a fairly long tape backup taking place too - so its gonna be difficult to juggle all these schedules.
Ah well... ;)