Re: WMF patch released

[Todd Kisida <tkisida () DCP UFL EDU>]

The SANS recommendation is to leave unofficial patch till the officail
patch is on.  I'm going to try this on a few machines then aprove it via
WSUS.

1.  Reboot your system to clear any vulnerable files from memory
2.  Download and apply the new patch
3.  Reboot
4.  Uninstall the unofficial patch, by using Add/Remove Programs on
single systems. If you used msi to install the patch on multiple
machines you can uninstall it with this:
msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5.  Re-register the .dll if you previously unregistered it (use the same
command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll
6.  Reboot one more time just for good measure 

> -----Original Message-----
> From: Jeni Li [mailto:jeni.li () ASU EDU] 
> Sent: Thursday, January 05, 2006 3:57 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] WMF patch released
>
> A question came up from one of our desktop managers --
>
> Has anyone found or discovered any info related to the 
> consequences of applying the official update with Ilfak's 
> unofficial fix still installed?  I know sans is recommending 
> uninstalling the unofficial fix first, but with the way AD 
> timings and WSUS timings work, the only way to really 
> guarantee that it happens in that order is to leave all of 
> your machines unprotected from all fixes for a considerable 
> amount of time (undeploy Ilfak's msi, wait a day or so, then 
> approve the MS fix via WSUS.
>
> Jeni Li
> Web/Systems Administrator
> Arizona State University, at the Polytechnic campus
>
> > -----Original Message-----
> > From: Doug Pearson [mailto:dodpears () INDIANA EDU]
> > Sent: Thursday, January 05, 2006 1:52 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] WMF patch released
> >
> >
> > The link ...advance.mspx still (3:45 EST) doesn't have web-download 
> > link to the fix - says that will be made available at 2:00p 
> PST. But 
> > the fix can be web-downloaded at:
> > http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
> >
> >
> > At 03:25 PM 1/5/2006 -0500, David LaPorte wrote:
> > > Microsoft has released the patch early.  I was able to pull it via 
> > > Windows Update:
> > >
> > > http://www.microsoft.com/technet/security/bulletin/advance.mspx
> > >
> > > David
> > >
> > > --
> > > David LaPorte, CISSP, CCNP
> > > Security Manager, Network and Server Systems Harvard University 
> > > Information Systems
> > > -----------------------------------------------
> > > Email: david_laporte () harvard edu
> > >  PGP: 0x4DC3E508
> > >       4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508