Educause Security Discussion mailing list archives
Re: Silently unregistering shimgvw.dll via startup script
From: "Gaddis, Jeremy L." <jlgaddis () IVYTECH EDU>
Date: Wed, 4 Jan 2006 12:01:10 -0500
Hi Todd,

Have you tried unregistering the DLL via a computer startup script as opposed to a user login script? When running as a computer startup script, they'll run with higher privileges and can successfully unregister the DLL.

A script that I used here was simply:

-----
rem /u unregisters the DLL, /s suppresses the result dialog (a startup script has no desktop to show it on)
%windir%\system32\regsvr32.exe /u /s shimgvw.dll
rem leave a marker file named after the machine on the share
echo "unregistered" >> \\server\share\%computername%
-----

I assigned the batch file to a domain-wide GPO and used psshutdown.exe from Sysinternals to reboot the PCs (after generating a list from the A.D. LDAP server). I was then able to watch the "\\server\share" folder and see files being created (named with the computer name). Checking a few by hand verified that the DLL was being successfully unregistered.

The nice thing is that this can be easily reversed once a patch is applied, simply by changing the first line of the script (removing "/u").

HTH,
-j

--
Jeremy L. Gaddis
Project Mgmt. Specialist
Computer & Technology Services
Ivy Tech Community College of Indiana
812.330.6156 (w)
812.797.6176 (m)

-----Original Message-----
From: Todd Kisida [mailto:tkisida () DCP UFL EDU]
Sent: Tuesday, January 03, 2006 11:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

Just an update after 1 day of mitigation:

Deploying Ilfak Guilfanov's patch via Suuronen's msi seems to be effective. Using the related checker from hexblog indicates that machines are "invulnerable" after the patch is installed. So far I've seen no ill effects. I suspect problems may come up later in the week as more faculty members return to campus.

I've now started deploying the 1.1.14 msi available at http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi which should be a more reliable deployment on systems other than XP SP2.

Un-registering the dll was less effective. Most of our users are "Users" and a few are "Power Users." Seems that "Power Users" are able to unregister the dll, but so much functionality is lost that it's not an acceptable solution. It appears that "Users" are not able to unregister the dll, so for a large percentage of our user base the login scripts proved to be an ineffective deployment method. I've now set the login scripts to register the dll so that our "Power Users" get the functionality back.

McAfee 8.0i with DATs dated today is detecting at least the web based test exploit posted at http://sipr.net/test.wmf. McAfee 8.0i is deployed to all of our computers and they should get the DAT updates at least daily from any internet connection.

Our email gateway scans messages with clamav which is supposed to detect several variants. So far we haven't detected any. It's unknown if this is due to a lack of infected email or a failure to detect the email.

I have mixed feelings about classes not being in session. On one hand it means fewer desktop systems are being used this week so they are less likely to be affected. On the other hand many laptops are being used off campus where I can't deploy the patch to them.

-- Todd

-----Original Message-----
From: Todd Kisida [mailto:tkisida () DCP UFL EDU]
Sent: Monday, January 02, 2006 1:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

I'm deploying the unofficial patch via Group Policy with V. Suuronen's msi. Apparently the msi is not perfect, but hopefully it'll help. Probably will need to sneaker net the wmffix_hexblog13.exe tomorrow.

I'm also attempting to unregister shimgvw.dll via login script. MS states the need for admin rights, but regsvr32 reports success as a User. Being a design school I can't have this dll inactive for long, but I'm hoping to buy some time.

I'm not convinced of the effectiveness of either solution, but hopefully they can decrease the attack surface at least a bit.

--
Todd Kisida
Director of Information Technology
University of Florida
College of Design, Construction and Planning
142 Architecture Building
P.O. Box 115701
Gainesville, FL 32611
Voice (352) 392-4836 ext. 316
Fax (352) 392-7266
Email: tkisida () dcp ufl edu

-----Original Message-----
From: Ken Connelly [mailto:Ken.Connelly () UNI EDU]
Sent: Monday, January 02, 2006 11:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

Yes, I have suggested that local Windows admins install this unofficial patch.

- ken

Leslie Maltz wrote:

"Users of the Windows OS should install an unofficial security patch now without waiting for Microsoft Corp. to make its move, security researchers at The SANS Institute's Internet Storm Center (ISC) advised yesterday."

see http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420,00.html

Are you advising your users to install an unofficial patch or are you waiting?

And Happy New Year to all as we start the year off with new problems.

-leslie
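The startup-script approach from Jeremy's reply, carried a bit further as an added example (this is not the script from the original mail). It takes the mode as a script parameter, so reverting after the real patch lands is a change to the GPO's "Script Parameters" field rather than an edit to the batch file; it checks the exit code regsvr32 returns (0 on success, non-zero on failure) instead of writing "unregistered" unconditionally; and it appends one timestamped line per run to the share, so a second pass with "register" is visible next to the first. The share path \\server\share is taken from the mail; everything else (file name, log format) is an assumption. Because computer startup scripts run as LocalSystem and reach the network as the machine account, the share and its NTFS permissions must let computer accounts (for example Domain Computers) append to it, which is the usual reason the marker files never show up.

```batch
@echo off
rem Added example, not the script from the original mail.
rem Usage (GPO computer startup script, parameter field): unregister | register
rem   unregister - regsvr32 /u /s  : the WMF workaround
rem   register   - regsvr32 /s     : undo it once the vendor patch is deployed
setlocal

set "DLL=%windir%\system32\shimgvw.dll"
rem Assumed: a share that computer accounts are allowed to append to.
set "LOGSHARE=\\server\share"

set "MODE=%~1"
if "%MODE%"=="" set "MODE=unregister"

if /i "%MODE%"=="unregister" (
    set "FLAGS=/u /s"
) else if /i "%MODE%"=="register" (
    set "FLAGS=/s"
) else (
    echo Usage: %~nx0 [unregister or register]
    exit /b 2
)

rem /s is essential here: a startup script has no interactive desktop, and the
rem dialog regsvr32 shows without /s would leave the script hanging at boot.
"%windir%\system32\regsvr32.exe" %FLAGS% "%DLL%"
set "RC=%ERRORLEVEL%"

rem One line per run, named after the machine, carrying the mode and the
rem exit code, so a failed call is distinguishable from a successful one
rem without checking the box by hand.
>> "%LOGSHARE%\%COMPUTERNAME%.log" echo %DATE% %TIME% %MODE% rc=%RC%

rem Propagate regsvr32's result so the GPO script engine records it too.
exit /b %RC%
```

Assign the file as a computer startup script, put "unregister" in the script parameters, and reboot the machines as in the mail. To revert, change the parameter to "register"; the next boot re-registers the DLL and appends a "register rc=0" line after the earlier "unregister" one, which doubles as the record that the workaround has been rolled back on that machine.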