Re: what is your advice to your users

[Todd Kisida <tkisida () DCP UFL EDU>]

Just an update after 1 day of mitigation:

Deploying the Ilfak Guilfanov's patch via Suuronen's  msi seems to be
effective.  Using the related checker from hexblog indicates that
machines are "invulnerable" after the patch is installed.  So far I've
seen no ill effects.  I suspect problems may come up later in the week
as more faculty members return to campus.  I've now started deploying
the 1.1.14 msi available at
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi which should be a
more reliable deployment on systems other than XP SP2.  

Un-registering the dll was less effective. Most of our users are "Users"
and a few are "Power Users."  Seems that "Power Users" are able to
unregister the dll, but so much functionality is lost that it's not an
acceptable solution.  It appears that "Users" are not able to unregister
the dll so for a large percentage of our user base the login scripts
proved to be a ineffective deployment method.  I've now set the login
scripts to register the dll so that our "Power Users" get the
functionality back.

McAfee 8.0i with dat's dated today is detecting at least the web based
test exploit posted at http://sipr.net/test.wmf.  McAfee 8.0i is
deployed to all of our computers and they should get the dat updates at
least daily from any internet connection.

Our email gateway scans messages with clamav which is supposed to detect
several variants.  So far we haven't detected any.  It's unknown if this
is due to a lack of infected email or a failure to detect the email.

I have mixed feelings about classes not being in session.  On one hand
it means less desktop systems are being used this week so they are less
likely to be affected.  On the other hand many laptops are being used
off campus where I can't deploy the patch to them.  

--
Todd


> -----Original Message-----
> From: Todd Kisida [mailto:tkisida () DCP UFL EDU] 
> Sent: Monday, January 02, 2006 1:10 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] what is your advice to your users
>
> I'm deploying the unofficial patch via Group Policy with V. 
> Suuronen's msi.  Apparently the msi is not perfect, but 
> hopefully it'll help.
> Probably will need to sneaker net the wmffix_hexblog13.exe tomorrow.
>
> I'm also attempting to unregister shimgvw.dll via login 
> script.  MS states the need for admin rights, but regsvr32 
> reports success as a User.  Being a design school I can't 
> have this dll inactive for long, but I'm hoping to buy some time.
>
> I'm not convinced of the effectiveness of either solution, 
> but hopefully they can decrease the attack surface at least a bit.
>
> --
> Todd Kisida
> Director of Information Technology
> University of Florida
> College of Design, Construction and Planning
> 142 Architecture Building
> P.O. Box 115701 Gainesville, FL 32611
> Voice (352) 392-4836 ext. 316 Fax (352) 392-7266
> Email: tkisida () dcp ufl edu 
>
>
> > -----Original Message-----
> > From: Ken Connelly [mailto:Ken.Connelly () UNI EDU]
> > Sent: Monday, January 02, 2006 11:24 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] what is your advice to your users
> >
> > Yes, I have suggested that local Windows admins install this 
> > unofficial patch.
> >
> > - ken
> >
> > Leslie Maltz wrote:
> >
> > > "Users of the Windows OS should install an unofficial
> > security patch
> > > now without waiting for Microsoft Corp. to make its move, 
> security 
> > > researchers at The SANS Institute's Internet Storm Center (ISC)
> > > advised yesterday."   see     
> http://www.computerworld.com/securitytopics/security/holes/story/0,108
> > > 01,107420,00.html
> > >
> > >
> > > Are you advising your users to install an unofficial patch
> > or are you
> > > waiting?
> > >
> > > And Happy New Year to all as we start the year off with new
> > problems.
> > > -leslie