VMWare Browser
In all of the confusion over the .wmf issue comes a bit of hope from one of our favorite vendors. VMWare has a Browser Appliance virtual machine available for free download. It's a BIG file (258Mb zipped) so be sure you have plenty of time for downloading. The appliance can be run in either VMWare Workstation or the free VMWare Player and provides you with a safer environment for web surfing. Thanks to John Holmblad for pointing this out to us.
(Be sure that you are running the latest version of VMWare Workstation, since there was a security issue disclosed several days ago. Also, note that the VMWare Player installation process asks if you want to install the Google desktop search application, which should remind you of yet another vector for the .wmf vulnerability to manifest itself.)
UPDATE - two more sandbox approaches to browsing were sent to us. Morland Halliday said to check out www.greenborder.com, and Derrill Guilbert pointed us to www.sandboxie.com. Thanks to both of you!
Overview of the WMF related articles at the ISC
Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.
The first story on the WMF vulnerability and the initial exploit
http://isc.sans.org/diary.php?storyid=972
The update explaining why we went to yellow the first time around
http://isc.sans.org/diary.php?storyid=975
The story pointing to the Microsoft bulletin
http://isc.sans.org/diary.php?storyid=976
The availability of the first snort sigs
http://isc.sans.org/diary.php?storyid=977
The going back to green article
http://isc.sans.org/diary.php?storyid=978
More WMF signatures
http://isc.sans.org/diary.php?storyid=980
Lotus Notes affected
http://isc.sans.org/diary.php?storyid=981
The bandaid post: deregistering not reliable, extension filtering not enough
http://isc.sans.org/diary.php?storyid=982
The free phone number for Microsoft support
http://isc.sans.org/diary.php?storyid=985
Indexing and WMF
http://isc.sans.org/diary.php?storyid=986
Musings on how to protect organisations beyond the trivial
http://isc.sans.org/diary.php?storyid=990
An IM worm found using the WMF stuff
http://isc.sans.org/diary.php?storyid=991
The second exploit, back to yellow, new signatures and an unofficial patch
http://isc.sans.org/diary.php?storyid=992
The WMF FAQ
http://isc.sans.org/diary.php?storyid=994
2nd generation exploit use in spam
http://isc.sans.org/diary.php?storyid=995
Trustworthy computing
http://isc.sans.org/diary.php?storyid=996
Recommended block list
http://isc.sans.org/diary.php?storyid=997
Status of the anti-virus detection after one day
http://isc.sans.org/diary.php?storyid=998
Updated version of Ilfak Guilfanov's patch
http://isc.sans.org/diary.php?storyid=999
More .wmf woes
http://isc.sans.org/diary.php?storyid=1002
Installing a Patch Silently
http://isc.sans.org/diary.php?storyid=1004
.wmf FAQ Translations
http://isc.sans.org/diary.php?storyid=1005
Checking for .wmf Vulnerabilities
http://isc.sans.org/diary.php?storyid=1006
MS to Release Update on Jan 10
http://isc.sans.org/diary.php?storyid=1009
.MSI installer file for WMF flaw available
http://isc.sans.org/diary.php?storyid=1010
--
Swa Frantzen
Scripting the Unofficial .wmf Patch
Brent Hughes sent us a script that he used today to push the unofficial .wmf patch across his enterprise. Here is what he sent us, and I suspect that it will work nicely with the updated patch from Ilfak. Note that our html editor sometimes eats backslashes, apologies if that happens below.
I put the patches in netlogon to help distribute the load a bit across the domain controllers. Here's just the relevant section of my script (in VBScript). It assumes the patch always installs in c:\program files. If program files is somewhere else you might have to find it [i.e. progdir = objShell.ExpandEnvironmentStrings("%programfiles%")].
----------------
' Share the hotfix from netlogon so every domain controller carries part of the load.
' Trailing backslash is required: the path is concatenated with the file name below.
Const HOTFIXDIR = "%home%\netlogon\patches\"
Set objShell = CreateObject("Wscript.Shell")
Set oFSO = CreateObject("Scripting.FileSystemObject")
' The installer leaves wmfhotfix.cpp behind; its presence means the patch is already on this box.
If NOT oFSO.FileExists("c:\program files\Windows\MetafileFix\wmfhotfix.cpp") Then
    objShell.Popup "Installing WMF unofficial patch", 5
    ' Unregister the vulnerable picture and fax viewer DLL, waiting for it to finish
    ' (the third argument) so a shutdown script does not end before the work is done.
    objShell.Run "%windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll", 0, True
    ' Run the unofficial hotfix installer unattended.
    objShell.Run HOTFIXDIR & "wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES", 0, True
End If
-----------------
You could batch file it too (though I've never tried this in group policy):
----------------
@echo off
rem The installer leaves wmfhotfix.cpp behind; skip the install if it is already there.
if exist "c:\program files\windows\metafilefix\wmfhotfix.cpp" goto end
rem Unregister the vulnerable picture and fax viewer DLL, then run the hotfix unattended.
%windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll
%home%\netlogon\patches\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
:end
----------------
Put one of those in a group policy under shutdown scripts and it should patch on reboot. I'm still working on the best way to script rebooting the network, but I'll send that too when I've got it.
-Brent
.wmf FAQ Translations
Thanks to the work of several of our handlers and readers, we've got a nice set of FAQs in multiple languages:
Catalan
Deutsch and Deutsch (pdf)
Dutch/Nederlands
English
Español
Italiana and Italiana
Polski
Suomenkielinen
Portugues - Br
Danish
Japanese
Slovenian
Chinese
Norwegian
Turkish
French
Latvian
More coming as they are submitted to us.
Installing a Patch Silently
For those who are manually patching systems using Ilfak Guilfanov's unofficial patch, handler Tom Liston says that you can install it in an unattended mode by using this incantation:
wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES
More details are here. This version looks like it will work well with startup scripts in Active Directory. Previous versions were a bit noisy and would create annoying error messages for users who might not understand what they were seeing.
A reminder: be sure to test the patch above before deploying it across an enterprise. While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have on your own systems that could be disabled after the patch is installed.
Keywords:
0 comment(s)
Checking for .wmf Vulnerabilities
As far as we know there are no tools available yet for remote scanning and detection of systems vulnerable to the .wmf issue. Ilfak Guilfanov has a testing tool available on his website, and he cautions users that it only checks for one version of the exploit so it might not detect new variations.
If you want to experiment with another file submitted to us by Kevin Gennuso (thanks, Kevin) you can download it here. The file will open calc.exe and kill explorer.exe on vulnerable systems but otherwise causes no damage as far as we can tell. As always, test this file before using it on a production or enterprise computer. This file is useful for seeing if Ilfak's patch worked for your system.
Reik Bohne sent us a link to a test on heise.de. It's in German, but essentially it provides a way to check your browser and your email client to see if you are vulnerable. Like the file above, it starts calc.exe on an unpatched system.
More .wmf Woes
The WMF issue continues to spin. Overnight we received a note from HD Moore at Metasploit:
We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.
-HD
http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view. If only the bad guys had the tools then the good guys would be left guessing on how this stuff works. This reminds me of how bad we felt in the early 1990s when Satan was released. We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws. Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems. So, if you haven't looked at the Metasploit project then today might be the day you should. Think of it as a defender's best friend rather than an evil hacking tool.
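HD Moore's note above makes the point that header padding and gzip encoding get past byte-pattern IDS and A/V signatures, and the "Checking for .wmf Vulnerabilities" entry notes that the available test tools only catch one variant. The following is an added example (my own code, not ISC's, Metasploit's or Ilfak Guilfanov's) of the kind of check a mail gateway or file-share scanner can do instead: it parses the WMF record structure rather than matching bytes, skipping the placeable and standard headers, walking the record chain, and flagging any Escape record whose escape function is SETABORTPROC; gzip is undone before the scan. The record and escape constants come from the public WMF format; the sample files in the block are constructed, payload-free inputs for exercising the scanner and are not exploit files.

```python
"""Structural scan of a WMF file for an Escape/SETABORTPROC record.

Added example (not ISC or Metasploit code): walk the WMF record chain so
padding records or header tricks in front of the escape do not hide it,
and undo gzip first so a compressed transfer encoding does not hide it
either. Constants follow the public WMF format; the sample files below
are constructed, payload-free test inputs.
"""
from __future__ import annotations

import gzip
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional placeable (Aldus) header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_ABORTDOC = 0x0002        # a benign escape function, used as a control
ESC_SETABORTPROC = 0x0009    # the escape abused by the January 2006 exploits


def _first_record_offset(data: bytes) -> int:
    """Skip the placeable header (if present) and the 18-byte standard header."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_size = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_size != 9:
        raise ValueError("not a WMF header")
    return off + header_size * 2


def find_setabortproc(data: bytes) -> list[int]:
    """Offsets of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits: list[int] = []
    off = _first_record_offset(data)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:           # Size + Function alone take 3 words
            break                    # malformed record: stop rather than loop
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == ESC_SETABORTPROC:
                hits.append(off)
        if func == META_EOF:
            break
        off += size_words * 2        # record sizes are in 16-bit words
    return hits


def scan(blob: bytes) -> dict:
    """Undo gzip if present, then report the structural verdict."""
    decoded = blob[:2] == b"\x1f\x8b"
    data = gzip.decompress(blob) if decoded else blob
    try:
        offsets = find_setabortproc(data)
    except ValueError as exc:
        return {"gzip": decoded, "verdict": "not-wmf", "reason": str(exc)}
    return {"gzip": decoded,
            "verdict": "suspect" if offsets else "clean",
            "setabortproc_offsets": offsets}


# --- constructed test inputs (not real exploit files) ---------------------
def _record(func: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list[bytes]) -> bytes:
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])

# padding records and a harmless escape precede the SETABORTPROC escape
SUSPECT_WMF = _wmf([
    _record(META_SETMAPMODE, struct.pack("<H", 8)),                 # offset 18
    _record(META_ESCAPE, struct.pack("<HH", ESC_ABORTDOC, 0)),      # offset 26
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 0)),  # offset 36
])
SUSPECT_WMF_GZ = gzip.compress(SUSPECT_WMF)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("suspect.gz", SUSPECT_WMF_GZ)]:
        print(name, scan(blob))
```

Escape records do occur in legitimate metafiles (they carry printer-oriented escapes), so the scanner flags only SETABORTPROC; treat a hit as grounds to quarantine and inspect the file, not as proof of exploitation. A perimeter scanner also has to see through every encoding the client will decode, and gzip is only the one HD mentions.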