http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspxOne of the suggestions I see on many of the Security sites are to unregister certain DLL's to ensure that this WMF vulnerability can't be exploited. Now maybe it's just me...but unregistering DLLs that break image, thumbnails and what not... and especiallyenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspx#80120Sun, 01 Jan 2006 03:53:56 GMTd67277c4-116b-43f1-b688-e9ef184ea916:80120Bill PytlovanyHey Bradley, <br> <br> Thank you for the reference to my Blog. I spent a lot of time researching this new exploit and I've had enough. As Dana points out it's the focus of a million Blog's now and has been beaten to death. <br> <br>I did create one last entry to explain why many of us recommend a drastic step like unregistering a system DLL. <br> <br><a rel="nofollow" target="_new" href="http://billpstudios.blogspot.com/2005/12/why-is-0-day-wmf-exploit-such-big-deal.html">http://billpstudios.blogspot.com/2005/12/why-is-0-day-wmf-exploit-such-big-deal.html</a> <br> <br>One of the reasons I mention is, <br> <br>&quot;An example of the programming code that allows this hack has been widely distributed and is still available online. That means a twelve year old with some computer skills can replicate his own version...&quot; <br> <br>Glad I found your Blog, <br>BillP<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=80120" width="1" height="1">http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspx#80044Fri, 30 Dec 2005 23:52:34 GMTd67277c4-116b-43f1-b688-e9ef184ea916:80044Dana Epp's ramblings at the SanctuaryWondering why you haven't seen any feedback from me on the most recent 0-day exploit on Windows, which takes advantage of a vulnerability in the graphics rendering engine? I took a vacation away from the computer for a few days to catch up on some technical reading, and come back to a plethora of information that pretty much sums up anything I would say. In a blog post in the next few days, I will post just WHAT I was reading, as its pretty interesting. I'm shaking my head as I absorb some of this new stuff. Anyways, as a summary of the past few days where the world has been screaming that the sky is falling, here is the nitty gritty that matters (at least from my POV) Before you do anything, go read the Microsoft Security Advisory (MSA 912840) on the matter. According to guys over at Sunbelt, Microsoft may be incorrectly stating that software DEP will help mitigate against this threat. Seems that hardware DEP works, software DEP from Microsoft does not. No one has reported if some of the other software DEP agents defend against this attack or not. Susan has a great post on how to filter out WMF attachments on Exchange. Jesper has an excellent post on how to block certain extensions with ISA. Even when he goes on holidays he has time to play with ISA :) The easiest fix (temporarily) is to unregister the vulnerable code, using &amp;quot;REGSVR32 /U SHIMGVW.DLL&amp;quot; (without the quotes of course) from Start-&amp;gt;Run I disagree with Susan that it is too drastic to unregister the DLL. It's quite trival a fix to signficantly mitigate against this threat without impacting the rest of the system. So you don't get pretty thumbnails. But you do prevent the exploit through this attack vector (I will point out it won't stop against someone opening an exploited WMF in MS Paint etc). And with the ability to push this out to all the desktops pretty quickly with a script... it takes no time to toggle it on/off. YMMV of course. That's pretty much all you will hear from me on the WMF issue for now. You can read the other 1,000,000 blog posts about it for more information....<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=80044" width="1" height="1">http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspx#80019Fri, 30 Dec 2005 17:00:13 GMTd67277c4-116b-43f1-b688-e9ef184ea916:80019Alun JonesI think it's long past time, too, that graphics rendering programs (actually, any program that can open files of multiple types) refused to render a &quot;.GIF&quot; containing a WMF, or an &quot;.MPG&quot; containing an AVI, or a &quot;.RTF&quot; that contains a DOC file. Maybe give the information as to what type the file really is, so that a user can rename wrongly named files, but that way you would be able to do blocking on extension, and know that the ones that got through by pretending to be something else would stand a chance (however slight, given some users' desperate need to view naked dancing pigs) of being stopped at the desktop. <br> <br>And, of course, people like thee and me would be made aware that we are looking at a potential incursion.<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=80019" width="1" height="1">http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspx#79990Fri, 30 Dec 2005 05:27:36 GMTd67277c4-116b-43f1-b688-e9ef184ea916:79990happyfunboyonce again...the diva brings it to the low point. <br> <br>the phrase 'you bet your sweet bippy' was popularized on rowan &amp; martin's groundbreaking variety show &quot;laugh-in.&quot; <br> <br>and, altho no formal definition exists for 'bippy'...the general consensus is that is it means 'you bet your sweet a**'<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=79990" width="1" height="1">http://msmvps.com/blogs/bradley/archive/2005/12/29/79978.aspx#79984Fri, 30 Dec 2005 02:07:26 GMTd67277c4-116b-43f1-b688-e9ef184ea916:79984Vlad MazekWhat the heck is a bippy?<div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=79984" width="1" height="1">