There is now an unofficial patch out for the WMF flaw but it is currently unavailable. More details at F-Secure’s blog. SANS has a mirrored link of the patch as the original author’s website is unavailable, probably because everyone is hitting his site. However, Google’s cache of the page that talks about the flaw is available and worth looking at. I’m posting the details into my extended entry in case the Google page gets wiped.
For my own reference, How to manually remove Cisco VPN client
I was moving a test site to a live site this morning and in doing so added a couple of redirect lines to the htaccess file/mod_rewrite installation to try and move any broken links to the main index.php page. Unfortunately this has somehow broken the website and now every single page ends up with a 302 which Firefox displays as “Firefox has detected that the server is redirecting the request for this address in a way that will never complete.”
I’ve removed all the redirections that I can find but for some reason the website is still running the redirection as valid test html pages still get redirected to the php page and then the 302. I think I am going to have to wait until the webservice is restarted but I’ve logged a ticket in the meantime.
The flaw in the processing of (yet another) graphics file – the WMF file is actively being exploited to load spyware and other nasties. At the moment there is no patch available and the workaround on the above site is to disable the Windows Picture and Fax Viewer engine by doing the following. (I wish the unregistration was silent as I could then deploy it in a login script. By adding a /s before the %windir% it becomes silent so I *can* deploy. I’ll make a check to see it has already been deployed and then unregister it if it hasn’t.)
Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1
To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.
To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with “regsvr32 %windir%\system32\shimgvw.dll” (without the quotation marks).
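The silent, check-then-unregister login script mentioned above could look like the following. This is an added example, not the author's script or Microsoft's; the marker file name and location are hypothetical, and it assumes the logon account has the administrative rights needed to unregister a system DLL.

```batch
@echo off
rem Added example: login-script deployment of the Shimgvw.dll workaround.
rem ASSUMPTION: the marker file path below is hypothetical.
setlocal
set "DLL=%windir%\system32\shimgvw.dll"
set "MARKER=%windir%\shimgvw-unregistered.txt"

rem Workaround already applied on this machine: skip.
if exist "%MARKER%" goto :eof

rem No viewer DLL on this machine: nothing to unregister.
if not exist "%DLL%" goto :eof

rem /u = unregister, /s = silent, so no confirmation dialog at logon.
rem start /wait makes the script block until regsvr32 exits and
rem passes its exit code back in ERRORLEVEL.
start /wait "" regsvr32 /u /s "%DLL%"

rem Non-zero exit: unregistration failed, typically for lack of rights.
rem Write no marker so the next logon tries again.
if errorlevel 1 goto :eof

rem Record success so later logons skip the step.
> "%MARKER%" echo shimgvw.dll unregistered %date% %time% on %computername%
endlocal
```

When the DLL is re-registered later, delete the marker file as well; otherwise the script will skip the machine if the workaround ever needs to be reapplied.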
For some reason, any time I enter a URL in Internet Explorer it loads the page open in Firefox and not Internet Explorer. Normally this doesn’t bother me but I need to contact Roadrunner support who didn’t leave any paperwork behind about my account and their chat support only works with Internet Explorer (6) – 7 doesn’t work but will load new pages up ok.
Any suggestions on how to “fix” IE?
Mike pointed out that VMware Player could allow viruses etc. to escape from the virtual machine onto the hosting machine and that a new player is available. I’ve downloaded the new version to use and was a bit annoyed to find that it is yet another piece of software that comes bundled with the Google Toolbar. This software is starting to become as prevalent as malware. So far I’ve been offered the software with Firefox, Java, VMware Player and possibly more. Yes they are far more obvious that this software is being made available to install, but why bundle it into the download so I have to download it several times with each piece of software?
Just to let you know that Kristen and I are unlikely to be blogging much until next Tuesday as that is when we finally get internet access back at the house. I signed up for Roadrunner last Wednesday and was told they would contact me in 7-10 days (when I assumed they’d arrange an installation in the next day or so). I rang them yesterday to chase and got told that the next available installation was in a week’s time. If I’d have known that I’d have rung them straight away.
There is no decent wifi signal in the house either which is good news in some respects as it means there is nothing to interfere with our signal when we install it.
For some reason I had a user’s computer ask for Microsoft Journal Viewer source files whenever a PDF file was launched. According to Lancaster University this is a known problem!
You need to install (or repair) Microsoft Journal Viewer 1.5 using a reliable method (explained below).
You can do this by downloading the viewer from Microsoft’s site:
1. Download the viewer from: Microsoft’s download Journal Viewer site.
2. Run it.
3. Follow instructions.
4. Retry the Adobe Acrobat update.
I’ve successfully passed the 70-270 exam this morning so I can now return the books to the library and uninstall the training guides from the PC. I didn’t get 100% this time unlike my previous exam so that was a bit of a let down. I thought the exam was a bit hard with loads of questions on RIS and Remote Assistance and even had one question twice (which was either really nice if I got it correct twice or horrible if I got it wrong twice). This exam is one of the electives for my MCSE and it helps the company keep its accreditation and I now have to start work on the next set of exams. I’ve booked a free 2 day course on Small Business Server which comes with some good tuition for the Small Business exam – more details can be found at the USA Partner website. I think you may need to be a MS Partner though to gain access.
Had an interesting problem today with a user who suddenly couldn’t connect to one of the servers on the network. It turns out they had recently changed their password and had previously managed to save the password in XP. Following the instructions I was able to remove the stored passwords from the machine and when they next logged on all the network drives were connected ok. I managed to get to this point by following the trail from event ID 14 in the system logs with a source of Kerberos and looking this up at eventid.net and then following the link to the stored passwords page.
I must say this is the first time I’ve ever seen this problem and it had me baffled for a while.
“rundll32.exe keymgr.dll,KRShowKeyMgr” will allow you to delete the obsolete entry.