.WMF Security Patch Releasing Today (out-of-cycle)
-
Microsoft is releasing a patch out-of-cycle today to remedy the .WMF issue that has been making the news. It'll be available, based on their posts, at 2 PM PST.
More here:
Microsoft Security Bulletin Summary for January, 2006
This is in addition to the two security patches rated crticial Microsoft will release on Tuesday as part of the normal cycle.
K. Brian Kelley
@kbriankelley -
This was removed by the editor as SPAM
-
It was kind of interesting to watch how this played out at our place of business. As a member of the Vulnerability Response Team, I received an alert about this and forwarded it to our Security Admin. She then did some research of her own and scheduled a flurry of meetings with the team. Long story short, we all decided that since their were active exploits for this in the wild, and since this could essentially deliver any payload an attacker wanted to develop that we would immediately test and apply the custom patch from GRC. Just about the time we had it tested and ready to deploy to the network, Microsoft released their out-of-cycle patch so we had to start all over.
One troubling thing for us is that we still have some Win 95 PC's out their that support some older Pervasive based applications and these remain potentially open to WMF exploits. Restricting their e-mail and browser access is not an accepatble option for these users at this time. I'm wondering what others are doing to protect/isolate machines with older OS's on their networks. GRC has committed to releasing a patch for these machines if Microsoft does not, but so far I have not seen anything from them on this or any further discussion since the initial posting. Just curious to know how others are handling this situation. Any input is appreciated.
My hovercraft is full of eels.
-
The patch GRC had available actually came from Ilfak Guilfanov, one of the main developers of IDA Pro. His patch basically modified the .DLL image in memory, removing access to the method causing all the problems. You can find his blog at http://www.hexblog.com. It later was hosted by Sunbelt Software because his site couldn't handle the bandwidth it was getting. I think this is when GRC and SANS jumped on board, too. Microsoft's patch changed the actual DLL to prevent access from a .WMF file. If you still need the functionality (say for printing), it's there, something that wasn't possible in the custom patch (Ilfak wasn't going to modify a Microsoft .DLL).
As for older systems, we don't have that issue, but about the only thing that can be done is hope virus defs catch a malicious file coming in. Windows 95 didn't have the FAX and Picture viewer, making it less susceptible, but if an application used the functionality which was exploited, that application is potentially vulnerable. So keep virus defs up to date on those systems, cross your fingers, and hope the GRC patch comes out soon is what most orgs having to deal with legacy systems are doing, so far as I am aware. Another option may be IPS (intrusion prevention systems - which on a system place shims in place to intercept buffer overflow problems and other suspicious activity) if you can find one which is back to Windows 95.
K. Brian Kelley
@kbriankelley -
Thanks for taking the time to reply Brian. It looks like this issue has helped me finally get the problems with supporting older PC's back on the front burner, and I've been promised that we'll look at getting XP machines out to these users. In the meantime, I will be testing and deploying a custom patch once it's released as there's not really any other good mitigation for this problem. And it can be really nasty once you get bitten with it from what I've seen.
Funny thing, I brought this up 6 months ago and no one wanted to talk about it. Now that the WMF exploit is out there and certain managers found out that we still had to support Windows 95 machines, all of a sudden it's top priority. Another classic management disconnect. But at least we're doing something about it now. Thanks again.
My hovercraft is full of eels.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply