I finally decided this was serious enough to do something about it sooner than the MS patch, but while this seems to be the official link to the SANS patch http://isc1.sans.org/diary.php?storyid=1010
it also is timing out. I have seen a couple of other links from googling to people who have "repackaged" this, but I really don't want to download something that doesn't match the SANS MD5..
Any links or suggestions?
Here is the link to the unofficial patch creator's site.
http://www.hexblog.com/ This is the one SANS links to.
SANS seems to be having a hard day. No DShield mailings today either.
isc.sans.org is sporadic as well.
According to isc.sans.org, hexblog.com was down due to bandwidth issues
earlier. See the isc.sans.org homepage for details on alternate ways to
get to it.
> I finally decided this was serious enough to do something about it sooner
> than the MS patch, but while this seems to be the official link to the SANS
> patch http://isc1.sans.org/diary.php?storyid=1010
> it also is timing out. I have seen a couple of other links from googling to
> people who have "repackaged" this, but I really don't want to download
> something that doesn't match the SANS MD5..
> Any links or suggestions?
Perhaps it is outdated, but as a workaround, it would be enough to
unregister the DLL which handles WMF:
on the Start menu, choose Run, type "regsvr32 -u %windir%\system32\shimgvw.dll", and then click OK.
For more details, visit this link:
Thanks Thomas, something really useful. One thing I am still curious about: I read that other image formats can be used in an exploit. GIF, .BMP, .JPG, .TIF can also be used, according to F-Secure. I find this a little confusing. If that DLL only deals with the WMF file type, then the exploit must not be directly connected with that DLL. Or does that DLL handle all of those as well?
But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp
Which makes sense. A lot of what I have been seeing about this acts as if WMF is the only format at issue, and that is obviously not true at all. I would more likely have ignored this if it really was only WMF files, with the MS patch a week or so away.
I believe Windows uses the file header/descriptor data as well as or instead of the extension to know how to handle images. Otherwise, simply renaming/blocking all WMF files would result in an effective mitigation method.
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
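The point in the reply above (that the file is recognised by its header rather than its extension, so renaming or blocking *.wmf is not a mitigation) is easy to demonstrate with a content sniffer. The following is an added example written for this thread, not code from any of the posters or from SANS or hexblog. The header magic values follow the MS-WMF specification (placeable key 0x9AC6CDD7, and the standard META_HEADER with Type 1 or 2, HeaderSize 9 and Version 0x0100/0x0300); the sample files are constructed header stubs, not drawable metafiles. A mail or web gateway that filters on the sniffed type instead of the name catches a WMF that arrives as "holiday.jpg".

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Placeable (Aldus) WMF header key: 0x9AC6CDD7 stored little-endian (MS-WMF spec).
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify an image by its leading bytes only; the file name is never consulted."""
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return "wmf"
    # Standard META_HEADER: Type (1 = memory, 2 = disk), HeaderSize (always 9 words),
    # Version (0x0100 or 0x0300). All three are little-endian 16-bit fields.
    if len(data) >= 6:
        meta_type, header_size, version = struct.unpack("<HHH", data[:6])
        if meta_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data[:4] in (b"II*\x00", b"MM\x00*"):
        return "tif"
    return None


def extension_of(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_disguised_wmf(files: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Names whose bytes are a WMF but whose extension claims something else."""
    return [name for name, data in files
            if sniff_image_type(data) == "wmf" and extension_of(name) != "wmf"]


def build_standard_wmf_header(file_type: int = 1) -> bytes:
    """Constructed 18-byte META_HEADER stub (Type, HeaderSize, Version, Size lo/hi,
    NumberOfObjects, MaxRecord, NumberOfMembers); header only, no records."""
    return struct.pack("<HHHHHHIH", file_type, 9, 0x0300, 9, 0, 0, 0, 0)


# Constructed samples standing in for files pulled from a mail queue or web cache.
CONSTRUCTED_SAMPLES: Dict[str, bytes] = {
    # Placeable WMF (22-byte placeable header, then META_HEADER) renamed to .jpg
    "holiday.jpg": PLACEABLE_WMF_MAGIC + b"\x00" * 18 + build_standard_wmf_header(),
    # Memory metafile with its honest extension
    "diagram.wmf": build_standard_wmf_header(file_type=1),
    # Genuine JPEG start (SOI marker followed by APP0/JFIF)
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    # Genuine GIF start
    "banner.gif": b"GIF89a" + b"\x01\x00\x01\x00",
    # Disk metafile (Type 2) renamed to .gif
    "cute.gif": build_standard_wmf_header(file_type=2),
}


if __name__ == "__main__":
    for name, data in CONSTRUCTED_SAMPLES.items():
        print(f"{name:12s} ext={extension_of(name):4s} content={sniff_image_type(data)}")
    print("disguised WMF:", find_disguised_wmf(CONSTRUCTED_SAMPLES.items()))
```

The sniffer deliberately checks the WMF headers before the other formats, because the question a filter has to answer is "could the image preview code treat this as a metafile", not "what does the name say". Extending it to EMF or adding a quarantine action is straightforward, but the extension-versus-content mismatch list is the part that matters for this thread.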