Oh let’s just rip out those dll’s shall we?

One of the suggestions I see on many of the Security sites are to unregister certain DLL’s to ensure that this WMF vulnerability can’t be exploited.  Now maybe it’s just me…but unregistering DLLs that break image, thumbnails and what not… and especially if I have to worry about registering those files and sticking them back in seems to me a bit drastic.  To me the saner approach is to …again…use our Risk Analysis view….


Which machines in my office are most at risk…. uh… honestly?  Mine.  But do give extra protection for all in the office…what’s an easy protection mechanism that I can do on my network?


Steps I’ve already done…block files at the mail gateway ….block image types at the firewall…..


Okay so what else can I do on my machine…. Enable DEP protection for all programsViruslist says that DEP is marginally effective and doesn’t work if you have image viewers like Irfanview.  Yo.  Folks.  Irfanview is a known image program in the forensic biz that can view ANYTHING.  I don’t define it as the ‘viewer of choice for many’.  Geeks maybe.  But my Mom and Dad?  No.


Do I have it on any other machine except for mine?  Nope.  Does it appear that enabling DEP for all programs is effective for mere mortals that have normal software at this time?  Yes.  Can DEP be enabled without major impact?  You bet your bippy.  Working just fine here and so I’m thinking…why the heck am I leaving it at the default?


P.S. Knowing my luck I’ll probably find out that bippy means something obscene….

4 Thoughts on “Oh let’s just rip out those dll’s shall we?

  1. What the heck is a bippy?

  2. once again…the diva brings it to the low point.

    the phrase ‘you bet your sweet bippy’ was popularized on rowan & martin’s groundbreaking variety show “laugh-in.”

    and, altho no formal definition exists for ‘bippy’…the general consensus is that is it means ‘you bet your sweet a**’

  3. I think it’s long past time, too, that graphics rendering programs (actually, any program that can open files of multiple types) refused to render a “.GIF” containing a WMF, or an “.MPG” containing an AVI, or a “.RTF” that contains a DOC file. Maybe give the information as to what type the file really is, so that a user can rename wrongly named files, but that way you would be able to do blocking on extension, and know that the ones that got through by pretending to be something else would stand a chance (however slight, given some users’ desperate need to view naked dancing pigs) of being stopped at the desktop.

    And, of course, people like thee and me would be made aware that we are looking at a potential incursion.

  4. Hey Bradley,

    Thank you for the reference to my Blog. I spent a lot of time researching this new exploit and I’ve had enough. As Dana points out it’s the focus of a million Blog’s now and has been beaten to death.

    I did create one last entry to explain why many of us recommend a drastic step like unregistering a system DLL.

    http://billpstudios.blogspot.com/2005/12/why-is-0-day-wmf-exploit-such-big-deal.html

    One of the reasons I mention is,

    “An example of the programming code that allows this hack has been widely distributed and is still available online. That means a twelve year old with some computer skills can replicate his own version…”

    Glad I found your Blog,
    BillP

Post Navigation