MS Confirms WMF Flaw, Variants Spread
By Ed Oswald | Published December 29, 2005, 3:35 PM
Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared.
One security company said the possibilities were endless on how the flaw could be exploited. "This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers," said Luis Corrons of Panda Software.
Attempting to allay fears, Microsoft said there would be no way for an attacker to force a user to visit a malicious Web site. However, Sunbelt vice president of Research and Development Eric Sites said there were ways to easily get around that issue.
"For example, take the latest craze of posting spam in blog talkbacks," Sites said. "How would you like to be reading your favorite blog, click the talkback link and get infected so badly your only option is to reinstall your operating system."
While most trackback spam is obvious in Web logs, spammers have gotten craftier in recent months in getting users to click links.
According to Panda Software, the following Web sites are being used to exploit the vulnerability: toolbarbiz.biz, toolbarsite.biz, toolbartraff.biz, toolbarurl.biz, buytoolbar.biz, buytraff.biz, iframebiz.biz, iframecash.biz, iframesite.biz, iframetraff.biz and iframeurl.biz.
The company estimates the amount of computers infected by the flaw at 1.48 percent.
Microsoft in its advisory was vague as to how it planned to deal with the issue. "[The fix] will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the company wrote.
The company cautioned users against opening e-mail or clicking links in e-mail from non-trusted sources as a way to avoid being infected.
Jupiter Research senior analyst Joe Wilcox says that the problem is happening at an unfortunate time for Microsoft.
"It's a holiday week, where the company might not be running full staff," he said. "Additionally, the last week of the year tends to be a slow high-tech news period, so the WMF security vulnerability is getting lots of attention."
Well, every person has flaws too, right?
That's why we also try to patch ourselves.
Score: 0
More proof that SP2 doesn't do a thing to protect consumers, as was HEAVILY advertised. It was a PR patch to avoid class action lawsuits.
Microsoft is NOT a software company (unless you consider buying all your software from other companies 'software development'), they are strictly a marketing company, and reasonably good at that one thing.
Score: 0
Is there an easy way to block all .biz sites? Like with the hosts file or something?
Score: 0
You could probably do it with a local proxy.
Score: 0
http://www.privoxy.org/
Score: 0
Proxomitron can easily block .biz, .ru and so on (with URL killfile).
Score: 0
What??? Not all .biz sites are bad. I'm making one myself that reviews sites based on how well they're made. Web standards, usability, whether or not they install spyware, etc. Why not also filter out .com sites too? After all, the vast majority of porn sites use .com, you know.
Score: 0
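The hosts file has no wildcard support, so ".biz" as a whole cannot be blocked there; what it can do is sinkhole the specific hostnames Panda named in the article. The script below is an added example written for this page, not code from the article or from any commenter; it assumes the hosts file lives at %windir%\system32\drivers\etc\hosts (as on Windows XP and later) and is run from an elevated prompt, and the "# BEGIN/END wmf-blocklist" marker lines are its own convention so that re-running it replaces rather than duplicates the entries.

```powershell
# Added example (not from the article or any commenter): sinkholes the exploit
# hosts listed in the article by pointing them at an unroutable address.
# Run from an elevated prompt; the hosts file is writable by administrators only.
$blockedHosts = @(   # copied from the Panda list quoted in the article
    'toolbarbiz.biz', 'toolbarsite.biz', 'toolbartraff.biz', 'toolbarurl.biz',
    'buytoolbar.biz', 'buytraff.biz', 'iframebiz.biz', 'iframecash.biz',
    'iframesite.biz', 'iframetraff.biz', 'iframeurl.biz'
)
$hostsPath = Join-Path $env:windir 'system32\drivers\etc\hosts'
$begin = '# BEGIN wmf-blocklist'   # marker lines are this script's own convention
$end   = '# END wmf-blocklist'

function Get-HostsBlockSection {
    # Builds the sinkhole entries. 0.0.0.0 is unroutable, so a connection fails
    # immediately instead of reaching whatever may be listening on 127.0.0.1.
    param([string[]]$Hosts)
    @($begin) + @($Hosts | ForEach-Object { "0.0.0.0`t$_" }) + @($end)
}

function Set-HostsBlockSection {
    # Strips any earlier copy of the marked section (so the script is safe to
    # re-run), appends the new one, writes the file, and returns the new lines.
    param([string]$Path, [string[]]$Section)
    $lines  = if (Test-Path $Path) { @(Get-Content $Path) } else { @() }
    $kept   = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($line in $lines) {
        if ($line -eq $begin) { $inside = $true;  continue }
        if ($line -eq $end)   { $inside = $false; continue }
        if (-not $inside)     { $kept.Add($line) }
    }
    $new = $kept.ToArray() + $Section
    Set-Content -Path $Path -Value $new -Encoding Ascii
    $new
}

$section = Get-HostsBlockSection -Hosts $blockedHosts
$result  = Set-HostsBlockSection -Path $hostsPath -Section $section
Write-Host ("hosts now has {0} lines, {1} of them sinkhole entries." -f $result.Count, $blockedHosts.Count)
ipconfig /flushdns | Out-Null   # drop cached lookups so the entries take effect at once
```

To undo it, delete everything between the two marker lines (or run the script with an empty $blockedHosts). Note that this only stops name resolution for those exact hosts; a page that embeds the image from a different host, or by IP address, is not affected, which is why the commenters above reach for a filtering proxy instead.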
More here
http://www.updatexp.com/wmf-exploit.html
Score: 0
Heh, a new vulnerability... Nope, this .dll has been around since Windows 3.1; I wouldn't call it NEW.
By the way, Windows x64 does not support WMF formats at all since it has no native support for 16 bit processes. Finally all this old stuff that's been hanging around since Windows 3.1 will go away.
Score: 0
What!? Upgrade to NEW technology? Blasphemy!
Score: 0
This is why I use Linux and Solaris 10. Enjoy your Windows.
Score: 0
I DO enjoy my Windows, because I KNOW how to use them properly!
When you use Windows as a restricted user (the standard way since NT times), use a non-IE browser (personally I use Firefox), and have DEP turned on (the default for all programs on 2003), you should not be afraid. Add to that a FW, antivirus, etc.
It is a problem and a security issue, but for companies that let their users use computers as admins, do not teach them to use other browsers, and do not care about antivirus or security at all!
Score: 0
Windows is not so bad, especially once you've loaded it with lots of free software and locked it down. My only complaints with it today are spyware, and viruses which can't be blamed on Microsoft. Sure there are bugs here and there, but they are addressing them much better today than they did 3 years ago.
Score: 0
A couple of security firms, including Verisign's iDefense, have published workarounds that appear to mitigate the threat. According to iDefense, Windows users can disable the rendering of WMF files using the following hack:
1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.
iDefense notes that this workaround may interfere with certain thumbnail images loading correctly, though I have used the hack on my machine and haven't had any problems yet. The company notes that once Microsoft issues a patch, the WMF feature may be enabled again by entering the command "regsvr32 shimgvw.dll" in step three above.
Score: 0
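The four-step Run-dialog procedure above, wrapped in a script that also performs the checks a practitioner would want before touching a system DLL: that it is run elevated, that the file is actually present, and that regsvr32 reported success. This is an added example written for this page, not iDefense's or Microsoft's code; it assumes shimgvw.dll lives in %windir%\system32 (as on Windows XP) and that PowerShell is available on the machine.

```powershell
# Added example (not from the article, iDefense or Microsoft): applies the
# "regsvr32 /u shimgvw.dll" workaround quoted above and reverts it with -Revert.
param(
    [switch]$Revert   # re-register shimgvw.dll once the vendor patch is installed
)

# Assumption: the DLL sits in %windir%\system32, as it does on Windows XP.
$dll = Join-Path $env:windir 'system32\shimgvw.dll'

# regsvr32 writes under HKLM\SOFTWARE\Classes, so refuse to run unelevated
# rather than fail half-way with a confusing error dialog.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt.'
}

if (-not (Test-Path $dll)) {
    throw "Not found: $dll (nothing to register or unregister)."
}

# /s suppresses the confirmation dialog from step 4, so the exit code is the
# only signal: 0 means DllRegisterServer / DllUnregisterServer succeeded.
$regArgs = if ($Revert) { @('/s', $dll) } else { @('/s', '/u', $dll) }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru -NoNewWindow

if ($proc.ExitCode -ne 0) {
    throw "regsvr32 exited with code $($proc.ExitCode); the change was not applied."
}

if ($Revert) {
    Write-Host 'shimgvw.dll is registered again; WMF rendering through it is restored.'
} else {
    Write-Host 'shimgvw.dll is unregistered. Thumbnails may stop loading, as iDefense notes; run this script with -Revert after patching.'
}
```

Run it once with no arguments to apply the workaround and once with -Revert after the patch is installed. Unregistering the DLL only removes this one rendering path; it does not remove the file, so any other component that loads shimgvw.dll directly is unaffected, which is the reason the DEP suggestions further down the thread are worth applying as well.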
You mean like was stated here: http://www.grc.com/sn/notes-020.htm
EDIT: Didn't see the post below.
Score: 0
If you have a CPU with NoExecute features, like the latest AMD/Intel CPUs, you can also be protected from this bug by enabling Data Execution Prevention for all programs. No need to unregister shimgvw.dll.
Score: 0
Thanks for the tip Adrian79. I really don't get a chance to read all articles and it is very helpful when I come across these. Another one of the reasons I like BN.
Score: 0
Also, if you only have software DEP, from Microsoft's advisory:
"I have software DEP enabled on my system, does this help mitigate the vulnerability?
Yes. Windows XP Service Pack 2 also includes software-enforced DEP that is designed to reduce exploits of exception handling mechanisms in Windows. By default software-enforced DEP applies to core operating system components and services. This vulnerability can be mitigated by enabling DEP for all programs on your computer.
For additional information about how to “Enable DEP for all programs on your computer”, see the product documentation."
Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
http://www.microsoft.com...ty/advisory/912840.mspx
Score: 0
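The advisory text quoted above distinguishes DEP applied to "core operating system components and services" (the XP SP2 default, opt-in) from DEP "for all programs". The script below, an added example written for this page and not part of Microsoft's advisory, reads the machine's current DEP policy through the documented DataExecutionPrevention_* properties of the Win32_OperatingSystem WMI class and prints how to widen it; it assumes Windows PowerShell with WMI access, and the boot.ini / bcdedit switches it mentions are the standard ones for XP and for Vista and later respectively.

```powershell
# Added example (not from Microsoft's advisory): audits the DEP policy so you can
# tell "core OS only" (opt-in) apart from "all programs" (opt-out / always on).
function Get-DepPolicy {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Documented values of DataExecutionPrevention_SupportPolicy.
    $names = @{
        0 = 'AlwaysOff (DEP disabled for everything)'
        1 = 'AlwaysOn  (enforced for all programs, no exceptions)'
        2 = 'OptIn     (core Windows components and services only; the XP SP2 default)'
        3 = 'OptOut    (all programs except those explicitly excluded)'
    }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    New-Object PSObject -Property @{
        # True when the hardware NX/XD feature the commenter above refers to is available.
        HardwareDepAvailable  = $os.DataExecutionPrevention_Available
        # Whether the policy is also applied to 32-bit processes.
        Applies32BitProcesses = $os.DataExecutionPrevention_32BitApplications
        Policy                = $policy
        PolicyName            = $names[$policy]
        CoversAllPrograms     = (@(1, 3) -contains $policy)
    }
}

$dep = Get-DepPolicy
$dep | Format-List HardwareDepAvailable, Applies32BitProcesses, Policy, PolicyName, CoversAllPrograms

if ($dep.CoversAllPrograms) {
    Write-Host 'DEP already applies to all programs, which is the setting the advisory describes.'
} else {
    Write-Host 'DEP covers core OS components only. To extend it to all programs (reboot required):'
    Write-Host '  Windows XP:       set /noexecute=OptOut (or AlwaysOn) in boot.ini'
    Write-Host '  Vista and later:  bcdedit /set nx OptOut   (or AlwaysOn), from an elevated prompt'
}
```

OptOut is usually the practical choice: it protects every process by default while still letting you exclude an individual legacy program that breaks under DEP, whereas AlwaysOn allows no exceptions at all.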
Be careful of this hack. Some people are reporting an inability to load JPGs at all, even on alternative viewers as registered. Also, on my system, it appears to have messed with 7-zip's ability to extract jpg images through right clicking. Not a big deal, a logoff/logon fixed it.
Score: 0
True, but it's easily undone. Just write regsvr32 /i shimgvw.dll to install it back.
Score: 0
If you're going to post, post accurate details, please. Deregistration does not cause the issue you describe. That type of issue is caused if the file formats were never properly registered to another application.
http://www.eweek.com/art...2/0,1895,1907131,00.asp
More details can be found there including some relatively minor caveats with the current workaround.
Score: 0
I came across this that may be useful... Not sure!
http://www.grc.com/sn/notes-020.htm
Score: 0
When are we going to go back and create an OS from scratch? Windows is a minefield, Linux is a bad joke, and I don't think BSD or Solaris are going to provide the answer.
I spent a lot of my career training people how to use this garbage. I've run everything from BeOS 5 to Solaris 10 and they all have serious problems. Maybe we should go back to DOS 8bit and see if we can get it right. I'm seriously thinking of formatting all my drives and taking up embroidery.
Score: 0
"When are we going to go back and create an OS from scratch?"
One word: Compatibility.
Score: 0
Bah....if Apple can do it...
Score: 0
By scratch you mean using the very old OS BSD?
Score: 0
We have a nice OS written from scratch by AWESOME coders, i.e. hard-programming veteran experts from MS.
It's called Singularity and is written in C# and another similar language, i.e. in languages that are the MOST progressive and powerful or innovative today. It's just in an early alpha research state, and is not expected to be very Windows NT compatible.
Score: 0
"...is written in C#..."
That's all I had to see to know never to even try it (kidding)
Score: 0
I was joking, but yeah, I guess that'd be the one. ;)
Score: 0
Why not use ASM?
Score: 0
When users decide compatibility and learning curves no longer matter. Also, if and when a company with a lot of money and guts decides to take on Microsoft, Apple, and Open Source.
Score: 0
Everything has its flaws, you need to understand that by now :)
Nothing is ever perfect. Programming languages are created by us, humans, and we are flawed beings, therefore how are we going to produce something that is 100% perfect?
Score: 0
Great.
Maybe now people will understand why I don't trust MS to secure my computer.
MS are totally useless. I bet they won't even act on this for at least a few months.
By which time a lot of their customers will have their computers destroyed by spyware and viruses...
Score: 0
Why would this flaw... something that requires deliberate user action and is easily blocked by proxies and filters, somehow be worse than a worm? Why would one new flaw like this change people's opinions if they've had their preference for years?
Score: 0
This is also not the fault of MS. How long has there been WMF? This is not a flaw in any way, but truly an incident that has been exploited. Why is it an issue with WMF and not with the webpage code and how it is handled? Blame is always pushed quickly to MS and not where it should be. If blog sites would prevent 'talkback' for a brief period while a fix is developed, I would see an effort of collaboration in fixing the problem, but everyone seems to stop and point fingers at MS.
Maybe I am too naive or don't fully understand the root of the problem here, but I don't see how MS could have foreseen this problem. Therefore, if they weren't deliberate in knowing this could be exploited and hid it from the rest, the problem is not really a reason to hate MS in any way as 'No Beer For You' suggests. Purely, it is his way of validating his use of Linux products (which by the way have shown to have problems in the past few months).
The issue, as I am sure you will agree, is how quickly MS will respond. Not only do they have to do their own research on the problem to define the extent of the problem, but then develop a fix as quickly as possible. Enter the Holiday season and they are even further criticized.
It is bad for them as well as us, but I am sure there are people working on this problem as we speak. I really dislike the MS hater comments in that they believe they are better protected with the use of LINUX. Time and time again, they have been shown that no one or any piece of software is secure, and it is not the fault of MS when it is exploited. The threats of Windows XP from 2001 are totally different than those of 2005. Get a grip and comment on what really matters.
Score: 0
"which by the way has shown to have problems in the past few months"
What problems?
Score: 0
you must be in denial, because there were a few exploits even mentioned right here in BN. And if you are telling me that Linux has never had the need to be updated in the past few months, there is no reason to even respond to your comments. You obviously just like to attack.
http://www.betanews.com/...ox_for_Linux/1127316878
http://www.betanews.com/...sers_at_Risk/1127927698
http://www.betanews.com/...inux_Attacks/1118708809
Score: 0
Hmm
Firefox problem, Realplayer problem, and "protential" problem prevention.
How about something substantial now.
Score: 0
Come on, log on to Linux.com and do the math yourself. You are taking my point to the depths of idiocy, and I will not follow you. I am sure you know of them, but are playing dumb. Let's forego these tactics. Just as there are many versions of Linux that have varying degrees of vulnerabilities, so does Windows. Concede the point and move on! The mindless argument that you wish to take up in this forum will end with this comment from me. You may argue with yourself if need be.
Whether the vulnerability is from another company/program or not, MS is accused in many cases and often the one left to fix it. Both systems were designed for a purpose and have done so, well. It is only sad to see people put down the company for the misdoings of people who have too much time on their hands and are in need of a lobotomy.
Score: 0
http://secunia.com/product/2719/
Look through 2.5 and 2.4 if you'd like. I'd say on average there are 4-6 Linux kernel vulns a month. We're not even talking individual distros, software, etc.
I love Linux, but it's not the security solution that everyone thinks. On the bright side, many of those vulns can be patched with the kernel up and running and little to no downtime. Also, Linux is more modular than Windows and therefore there are always workarounds in these situations.
Score: 0
There isn't anything to concede, you made a comment that you obviously can't back up.
Score: 0
This is absolutely true. Fortunately it's not all that bad.
http://secunia.com/graph...eriod=all&prod=2719
Score: 0
Speak for yourself...
Score: 0
Excuse me?
I didn't post a comment declaring:
"which by the way has shown to have problems in the past few months"
Which you'll note he has since edited out.
You are just angry because I expect y'all to substantiate your hateful comments and not a single one of you has been able to do so.
I'm still waiting for you to substantiate every single one of yours, where are those posts at bubba?
Score: 0
Wow. I actually agree with you on this athome.
Well said.
Score: 0
Maybe if you actually took the time to read my comment you'd see the phrase "I bet they won't even act on this for at least a few months."
I'm not a linux user. I use MS products.
I have no other problem with MS apart from the fact they like to sit on exploits for a good few months without acting.
As far as "no piece of software is secure" goes, that's true.
However MS are targeted more often than the smaller companies, meaning any MS exploit is likely to be spread quicker and used more often.
This exploit is already "out there".
MS needs to act quicker than their usual few months response times.
By the way MS asskissers like you really annoy me. Damn retard.
Score: 0
If you are unwilling to be proven wrong there is nothing I can say or show that would change your mind. I'm sure you'll disagree with me--you may think you can change your mind, but fact is you are so sure of yourself nothing I say or point out will. That's why I'm outa here. He did backup his point and you made a point that his claims were not "substantial". How do you back that up...nevermind you don't have to answer that--I probably wouldn't read it anyway.
Score: 0
How do I back that up? Well if his claims were against Linux and he provided evidence to support the claim then they would have been validated, however they were made against applications that run on Linux which did not validate his claim at all.
I'll gladly admit being wrong if one of you can actually prove it but you can't so you have to make wild claims just like you've done elsewhere.
You continue to attack me without being able to provide any evidence what so ever to support anything that you've said.
You are outa here because you have nothing. You never have and likely never will.
Let's look at some of the facts about Bourgeoisdude, found this while researching why you don't like me. It really cleared things up and brought things into perspective. Yes I do research, and lots of it. I tend to do it as I am responding to comments so I can respond with an informed opinion.
"15. I'm still living at home with my parents ..
..
3. I have never been on a date, mostly because of my big mouth; I have a horrible case of OMIF (Open Mouth, Insert Foot)." -Bourgeoisdude
That right there says a lot, doesn't it? I'll gladly substantiate it with a link but I don't think you'll want me to do that.
Let's go back in time.
"We're sorry, but this profile cannot be displayed.
This profile page is hidden because the community has blocked this user. "
Sure wish Betanews had a block button.
Now, I'm asking you to stop attacking me. I suggest that you take it into consideration.
Score: 0
It is true that WMF has been around for years and never before recent years been a major concern. It is equally true, however, that WMF should never have been capable of execute privileges. I also recognize that attackers are determined to take advantage of any exploit they can.
I admit that Linux has its flaws, and that often, not always, those flaws are minor by comparison; however, I still believe that its ease of use (or rather lack thereof) with common users contradicts any benefit of security that it currently offers. In time, I believe that will change just as it has with Microsoft from version to version of Windows.
Ultimately, however, I have and will always place responsibility on administrators and users to protect themselves rather than depend on a single company or solution. Security comes only through education and effort.
Score: 0
"Sure wish Betanews had a block button."
But fewt, if we had a block option we wouldn't have anyone to laugh at when they post ignorant remarks. :)
Score: 0
I, too, am unwilling to admit error when it is not proven or known that I am in error. That is because I take time to verify my facts before opening my mouth, or typing my posts as the case may be.
Many here do not share such competence in their posts. Some here post only based on emotion and uninformed opinion.
Score: 0
fewt, as much as that graph may show evidence to the contrary, how many Linux users do you suspect run as root more often than not? Because those who do are likely to experience those issues in greater number if they do not update.
Even so, I admit that generally, only tech savvy users run Linux. This helps immensely. The difficulties presently experienced in learning Linux prevent average users from using it in a meaningful way. As that fact changes, and I know it will, I expect those figures in your graph to change.
Score: 0
Hopefully not many run as root. Newer distributions like Ubuntu don't even set a root password by default increasing security. You are absolutely correct that tech savvy users running Linux does help immensely. Linux can be very difficult to get off the ground.
Score: 0
True that!
Score: 0
This is not good timing by any account. Little staff, lots of problems. This is NOT IE related, but is definitely a Microsoft problem. I almost feel sorry for them--they had a relatively good year and even some MS bashers have acknowledged that Microsoft is trying harder as of late to get their act together as far as security is concerned. This will destroy the MS "success stories" and end the year on a bad note for MS. 2005: the year MS tried to revamp their security, but failed in the end.
"...toolbarbiz.biz, toolbarsite.biz, toolbartraff.biz,
toolbarurl.biz, buytoolbar.biz, buytraff.biz, iframebiz.biz, iframecash.biz, iframesite.biz, iframetraff.biz and iframeurl.biz."
I just found it interesting that only .biz domains seem to have the exploit so far.
Score: 0
"I just found it interesting that only .biz domains seem to have the exploit so far."
Exactly.
Furthermore, other than clipart , I don't recall any valid use of WMF files.
Anyway, as I understand it, leave or raise Internet Zone security to High, and don't d*** on links that look retarded.
*moves on*
Score: 0
I think I used WMF once in 1994. (haha)
Score: 0
"It's a holiday week, where the company might not be running full staff,"
Well I would hate for this extremely critical flaw to hamper the MS company ski trip.
Score: 0
No one would really know... the same is true of most businesses this time of year.
Score: 0
"The company estimates the amount of computers infected by the flaw at 1.48 percent."
Give us some context here guys.
Score: 0
Computers connected to the internet that have visited a site?
Score: 0
"[The fix] will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,"
Very vague... I guess when nobody can even update their machines that is where the 'depending on customer's needs' will come in.
Score: 0
There's an unofficial patch for XP-SP2 available by following the link from http://www.f-secure.com/weblog/
Score: 0
I honestly don't think that's too vague. They're being honest. They'll put it in the next monthly update if it's ready. OR if we as consumers need it before then we will probably get it... If the number given is close to accurate, we probably won't need it for a longer period of time.
I feel it's more an understanding of the web and how things work that gets us snared into these little pitfalls. I know from experience that I don't go to certain sites if I want my computer to continue to work the way I want it to. This is OS independent advice.
Score: 0