wmf flaw being exploited

The flaw in the processing of (yet another) graphics file – the wmf file is actively being exploited to load spyware and other nasties. At the moment there is no patch available and the workaround on the above site is to disable the Windows Picture and Fax Viewer engine by doing the following. (I wish the unregistration was silent as I could then deploy it in a login script) By adding a /s before the %windir% it becomes silent so I *can* deploy. I’ll make a check to see it has already been deployed and then unregister it if it hasn’t)

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

To un-register Shimgvw.dll, follow these steps:
1.Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2.A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).

Stored passwords in xp

Had an interesting problem today with a user who suddenly couldn’t connect to one of the servers on the network. It turns out they had recently changed their password and had previously managed to save the password in XP. Following the instructions I was able to remove the stored passwords from the machine and when they next logged on all the network drives were connected ok. I managed to get to this point by following the trail from eventid 14 in the system logs with a source id of kerberos and looking this up at and then following the link to the stored passwords page.
I must say this is the first time I’ve ever seen this problem and it had me baffled for a while.
“rundll32.exe keymgr.dll,KRShowKeyMgr” will allow you to delete the obsolete entry.

MBSA for Visio

There is a great tool for integrating Microsoft Baseline Security Analyzer (MBSA) into Visio network diagrams but this is almost useless for the consulting side of things. MBSA requires that it is run as a user with credentials on the domain which is not possible to do on a consultants laptop as it is unlikely that it is going to be a member of the customers domain. Therefore MBSA will not scan the machines and the benefit is lost. It would work if the customer had a copy of visio, but this is unlikely for most of my customers.
I don’t have admin rights on the network back in the office so I can’t even try it out on my office network either 🙁
However, if you are not a consultant and have visio, then this tool is well worth checking out as it will give you colour coded status for each server on the network within visio. From first impressions it does look like you need to have your servers in visio as a server object – you can’t use one of your own objects like a dell rack mount object.

Skype password changed

hmmm – I got an email this morning stating that they were going to change my skype password in the next 24 hours due to a upgrade of their software. Why they can’t tell me that they have changed it now, instead of me waiting until I can’t log into skype and then changing it myself I don’t know. This also sounds suspiciously like one of the websites was hacked or compromised. I really can’t see any other reason that they would need to change passwords for so many people. There is more information at SkypeJournal and it seems like a lot of people share my concerns AND have trouble trying to get the password changed.
The funny thing is that they try to convince you that this is not a hoax by saying that there is a copy of the email on the website…Now if I was a scammer with a website such as it wouldn’t be difficult to host a copy of a phishing email that I am sending out to all my target customers would it?

greasemonkey security hole

Apparently there is a major security hole that allows any website to view the contents of any file on your harddisk if you have greasemonkey installed (see greasemoney mailing list post for information. I can’t reproduce the problem with their proof of concept code, but its a pretty scary possibility. Annoyingly, turning off greasemonkey will reduce the functionality on my flickr/geocaching pages 🙁 Thanks to Pip for the tipoff