For those interested, Core FORCE its a free endpoint security software currently in Beta stage. With it users can configure access control permissions to file system objects independently of the operating System's ACLs and security policy enforcement mechanisms. The default security profiles of IE and FireFox included the package distribution prevented exploitation of the WMF bug through those vectors. Simply because they denied execution of rundll32.exe from within IE or Firefox. The same applies to the MSN Messenger profile submitted to the profiles repository site. Furthermore you can explicitly configure permissions to deny & log read/exec access to shimgvw.dll system wide or on per application basis. This is functionally equivalent to Microsoft's suggested workaround of unregistering the DLL but the advantage is that it does not matter if some program registers it back or if somehow a program tries to load and execute the DLL in anyway. Core Force is available at http://force.coresecurity.com As I said, it is still beta make sure you read the software compatibility and known issues list and the docs. -ivan -- --- To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson Ulysses,1842 Ivan Arce CTO CORE SECURITY TECHNOLOGIES 46 Farnsworth Street Boston, MA 02210 Ph: 617-399-6980 Fax: 617-399-6987 ivan.arce@xxxxxxxxxxxxxxxx www.coresecurity.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
