Text 8963, 84 rader
Skriven 2006-01-03 15:17:30 av Rich Gauszka (1:379/45)
Ärende: Unofficial WMF patch recommended
========================================
From: "Rich Gauszka" <gauszka@hotmail.com>

'You cannot wait for the official MS patch, you cannot block this one at the
border, and you cannot leave your systems unprotected," Liston wrote. '


http://www.infoworld.com/article/06/01/03/HNwmfflaw_1.html?source=NLC-SEC2006-0
1-09

Users of the Windows OS should install an unofficial security patch now,
without waiting for Microsoft  to make its move, security researchers at The
SANS Institute's Internet Storm Center (ISC) advised on Sunday

Their recommendation follows a new wave of attacks on a flaw in the way
versions of Windows from 98 through XP handle malicious files in the WMF
(Windows Metafile) format. One such attack arrives in an e-mail message
entitled "happy new year," bearing a malicious file attachment called
"HappyNewYear.jpg" that is really a disguised WMF file, security research
companies including iDefense and F-Secure  said Sunday. Even though the file is
labelled as a JPEG, Windows recognizes the content as a WMF and attempts to
execute the code it contains.

Microsoft advised on Dec. 28 that to exploit a WMF vulnerability by e-mail,
"customers would have to be persuaded to click on a link within a malicious
e-mail or open an attachment that exploited the vulnerability." Microsoft's
advisory can be found at
http://www.microsoft.com/technet/security/advisory/912840.mspx

However, simply viewing the folder that contains the affected file, or even
allowing the file to be indexed by desktop search utilities such as the Google 
Desktop, can trigger its payload, F-Secure's Chief Research Officer Mikko
Hypponen wrote in the company's blog on Sunday.

In addition, source code for a new exploit was widely available on the Internet
by Saturday, allowing the creation of new attacks with varied payloads.The file
"HappyNewYear.jpg," for example, attempts to download the Bifrose backdoor,
researchers said.

These factors exacerbate the problem, according to Ken Dunham, director of the
rapid response team at iDefense.

"Risk has gone up significantly in the past 24 hours for any network still not
protected against the WMF exploit," Dunham warned in an e-mail on Sunday.

Alarmed by the magnitude of the threat, staff at the ISC worked over the
weekend to validate and improve an unofficial patch developed by Ilfak
Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary,
a running commentary on major IT security problems on the ISC Web site at
http://isc.sans.org/diary.php

 We have very carefully scrutinized this patch. It does only what is
advertised, it is reversible, and, in our opinion, it is both safe and
effective," Tom Liston wrote in the diary.

You cannot wait for the official MS patch, you cannot block this one at the
border, and you cannot leave your systems unprotected," Liston wrote.

In the diary, ISC provided a link to the version of the patch it has examined,
including a version designed for unattended installation on corporate systems.

While ISC recognizes that corporate users will find it unacceptable to install
an unofficial patch, "Acceptable or not, folks, you have to trust someone in
this situation," Liston wrote.

Due to public holidays in Europe, Microsoft representatives could not
immediately be reached for comment on Monday morning.

Guilfanov published his patch on his Web site on Saturday. His introduction to
it can be found at http://www.hexblog.com/2005/12/wmf_vuln.html

F-Secure's Hypponen highlighted Guilfanov's patch in the F-Secure company's
blog on Saturday night, and then on Sunday echoed the ISC's advice to install
the patch.

Not all computers are vulnerable to the WMF threat: those running non-Windows
operating systems are not affected.

According to iDefense's Dunham, Windows machines running Windows Data Execution
Prevention (DEP) software are at least safe from the WMF attacks seen so far.
However, Microsoft said that software DEP offered no protection from the
threat, although hardware DEP may help.

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)