Educause Security Discussion mailing list archives
Re: what is your advice to your users
From: Todd Kisida <tkisida () DCP UFL EDU>
Date: Tue, 3 Jan 2006 23:04:36 -0500
Just an update after 1 day of mitigation:

Deploying Ilfak Guilfanov's patch via Suuronen's msi seems to be effective. Using the related checker from hexblog indicates that machines are "invulnerable" after the patch is installed. So far I've seen no ill effects. I suspect problems may come up later in the week as more faculty members return to campus. I've now started deploying the 1.1.14 msi available at http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi which should be a more reliable deployment on systems other than XP SP2.

Un-registering the dll was less effective. Most of our users are "Users" and a few are "Power Users." Seems that "Power Users" are able to unregister the dll, but so much functionality is lost that it's not an acceptable solution. It appears that "Users" are not able to unregister the dll, so for a large percentage of our user base the login scripts proved to be an ineffective deployment method. I've now set the login scripts to register the dll so that our "Power Users" get the functionality back.

McAfee 8.0i with dats dated today is detecting at least the web-based test exploit posted at http://sipr.net/test.wmf. McAfee 8.0i is deployed to all of our computers and they should get the dat updates at least daily from any internet connection.

Our email gateway scans messages with clamav, which is supposed to detect several variants. So far we haven't detected any. It's unknown if this is due to a lack of infected email or a failure to detect the email.

I have mixed feelings about classes not being in session. On one hand it means fewer desktop systems are being used this week so they are less likely to be affected. On the other hand many laptops are being used off campus where I can't deploy the patch to them.

--
Todd
-----Original Message-----
From: Todd Kisida [mailto:tkisida () DCP UFL EDU]
Sent: Monday, January 02, 2006 1:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

I'm deploying the unofficial patch via Group Policy with V. Suuronen's msi. Apparently the msi is not perfect, but hopefully it'll help. Probably will need to sneaker net the wmffix_hexblog13.exe tomorrow.

I'm also attempting to unregister shimgvw.dll via login script. MS states the need for admin rights, but regsvr32 reports success as a User. Being a design school I can't have this dll inactive for long, but I'm hoping to buy some time.

I'm not convinced of the effectiveness of either solution, but hopefully they can decrease the attack surface at least a bit.

--
Todd Kisida
Director of Information Technology
University of Florida
College of Design, Construction and Planning
142 Architecture Building
P.O. Box 115701
Gainesville, FL 32611
Voice (352) 392-4836 ext. 316
Fax (352) 392-7266
Email: tkisida () dcp ufl edu

-----Original Message-----
From: Ken Connelly [mailto:Ken.Connelly () UNI EDU]
Sent: Monday, January 02, 2006 11:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] what is your advice to your users

Yes, I have suggested that local Windows admins install this unofficial patch.

- ken

Leslie Maltz wrote:

"Users of the Windows OS should install an unofficial security patch now without waiting for Microsoft Corp. to make its move, security researchers at The SANS Institute's Internet Storm Center (ISC) advised yesterday."

see http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420,00.html

Are you advising your users to install an unofficial patch or are you waiting?

And Happy New Year to all as we start the year off with new problems.

-leslie