Saturday, December 31, 2005

Windows Security flaw update

I've been following a lot of the recommended advice on how to deal with the latest Windows vulnerability. This is a tough one and it's going to take some time to address. The exploit is spreading quickly and in a variety of ways and locations. There is advice out there on how to secure your system. I am passing along some of this, but I do NOT vouch for the advice nor do I think it is perfect. As one blogger notes, there is a LOT of bad advice floating about on this.

Said blogger is security expert George Ou from ZDNet blogs. He passes along Microsoft's advice and, in fact, got them to update their advice. George thinks that they didn't update the advice appropriately, so he suggests the following:
They should have left the following portion in: "By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer. For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation."
Basically, George is suggesting the following steps:
1) Right click on My Computer
2) Go to Properties
3) Select the Advanced tab
4) Under the Performance header, click Settings
5) Select the Data Execution Protection tab
6) Select the button marked: "Turn on DEP for all programs and services except those that I select"
7) Hit the Apply button
8) This will require a restart

In addition to this, Microsoft is recommending that people unregister the DLL that is at the heart of the exploit. To do this, click Start>Run and type in "regsvr32 /u shimgvw.dll" (without the quotes). This will prevent the problem in IE, but it will also disable viewing thumbnails of photos in IE. On top of that, it doesn't work for some programs such as MS Paint, Lotus Notes, and Google Desktop. Plus, the user will have to re-register the DLL after Microsoft issues the fix, which means many won't, because they won't remember to do it and probably don't know how (it's easy: go to Start>Run and type in "regsvr32 shimgvw.dll", without the quotes). Gee, think that Microsoft could issue a little executable to do that for the customer and then re-register it when they issue the fix?

Sunbelt Blog reports that they have a fix that seems to work with their firewall. It's a rules update.

F-Secure's blog reports that the Firefox and Opera browsers aren't as vulnerable as IE, in that they at least ask the user whether MS Paint or MS Fax and Picture Viewer should be opened. If true, it's another knock against IE, and regular readers will note that I've encouraged people to drop that software for a couple of years now.

F-Secure also reports on a hotfix from another developer that is downloadable as an executable. Writes F-Secure:

Here's an alternative way to fix the WMF vulnerability.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself into all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF's SETABORT escape sequence that is the root of the problem.

Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

I've loaded Ilfak's fix and haven't noticed any problems yet. If it does work as described, then it's a better solution than Microsoft's. Note that Ilfak asks on his blog whether or not this affects any other programs (meaning, he's not sure), so caution is advised. He also notes that his program should be removed as soon as Microsoft issues an official patch. Finally, his program only works on the Windows XP operating system.
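The F-Secure excerpt above pins the root cause on a WMF escape record that requests SETABORT (the SETABORTPROC escape, code 9). As an added example, not from this post, from F-Secure, or from Ilfak Guilfanov's fix, here is a small Python scanner that walks a WMF file's records and flags any META_ESCAPE record whose escape function is SETABORTPROC; it is the kind of check a mail gateway or file scanner could apply while waiting for a vendor patch. The record layout (optional 22-byte placeable header, 18-byte METAHEADER, then word-sized records) follows Microsoft's published WMF format. The sample metafiles are constructed inline; the flagged one carries only zero padding as its escape data, not a payload.

```python
import struct

# WMF constants (Windows metafile format, as documented by Microsoft)
PLACEABLE_KEY = 0x9AC6CDD7    # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009     # the escape abused by the 2005 WMF vulnerability
ESC_GETPHYSPAGESIZE = 0x000C  # a harmless escape, used for the benign sample


def iter_records(data):
    """Yield (offset, function, params) for each record of a WMF blob.

    Skips an optional placeable header, validates the 18-byte METAHEADER,
    and refuses records whose declared size runs past the buffer.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated METAHEADER")
    mt_type, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if mt_type not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF METAHEADER")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # rdSize counts 16-bit words, header included
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size at offset {off}")
        yield off, func, data[off + 6:off + size]
        off += size
        if func == META_EOF:
            return


def find_setabortproc(data):
    """Return (offset, escape_function, byte_count) for every META_ESCAPE
    record that requests SETABORTPROC; an empty list means no hit."""
    hits = []
    for off, func, params in iter_records(data):
        if func != META_ESCAPE or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_func == ESC_SETABORTPROC:
            hits.append((off, esc_func, byte_count))
    return hits


# --- constructed sample metafiles (not real-world files) --------------------

def _record(func, params=b""):
    body = struct.pack("<H", func) + params
    if len(body) % 2:
        body += b"\x00"  # records are word-aligned
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records):
    records = list(records) + [_record(META_EOF)]
    body = b"".join(records)
    header = struct.pack("<HHHIHIH",
                         1,                                  # mtType: memory metafile
                         9,                                  # mtHeaderSize in words
                         0x0300,                             # mtVersion
                         9 + len(body) // 2,                 # mtSize in words
                         0,                                  # mtNoObjects
                         max(len(r) // 2 for r in records),  # mtMaxRecord
                         0)                                  # mtNoParameters
    return header + body


def _escape(esc_func, esc_data):
    return _record(META_ESCAPE, struct.pack("<HH", esc_func, len(esc_data)) + esc_data)


BENIGN = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _escape(ESC_GETPHYSPAGESIZE, b""),
])

# Same shape, but the escape asks for SETABORTPROC; the eight zero bytes stand
# in for whatever escape data a real file would carry and are not a payload.
SUSPICIOUS = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 1)),
    _escape(ESC_SETABORTPROC, b"\x00" * 8),
])

# The same file with a placeable header in front, to show the parser skips it.
PLACEABLE_SUSPICIOUS = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0,
                                   0, 0, 100, 100, 96, 0, 0) + SUSPICIOUS

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("suspicious", SUSPICIOUS),
                       ("placeable", PLACEABLE_SUSPICIOUS)]:
        print(name, find_setabortproc(blob))
```

The scanner treats any SETABORTPROC escape as a hit rather than trying to judge the escape data, since a metafile meant only for display has no legitimate reason to install an abort procedure; a gateway would quarantine such files and let the rest through unchanged, which is the same trade-off Ilfak's patch makes at the GDI32 level.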
