With client-side exploits so plentiful, it sure would be nice to have some form of serious outbound firewalling built into Windows, wouldn't it?  The XP firewall blocks inbound traffic, but is of little use in outbound defenses.  As Handler Queen Lorna Hutcheson points out, since Win2K, you can filter outbound using the so-called IPSec filters of Windows.  However, such filters are: 1) Really badly named -- they don't have to use IPSec crypto; 2) Really hard to define (what an ugly GUI); and 3) Not limiting to specific applications to use specific ports and protocols.  So, the existing outbound filtering of Windows is extremely limited.

But, here's a nice article about how Microsoft plans on including outbound filtering in the Windows Vista firewall. Let's see, we've had such features with free solutions for over a decade.  But only in 2006 will we get it standard in Windows. 

In Microsoft's defense, though, once an attacker infiltrates via a client-side exploit, their evil code can simply alter the firewall config.  True.  But, still, security is all about raising the bar.  We raise the bar, they jump over it.  We then raise it again.  It's the natural order of things.  I hear some arguments that say, "We shouldn't do this from a security perspective, because they'll jump over this bar."  But, if the cost of such solutions is miniscule, why not raise the bar anyway, knowing that it still can be jumped?  Let's make the bad guys work a little harder if it doesn't cost us anything.

A related story involves Microsoft's OneCare technology, an attempt at a comprehensive set of anti-virus/anti-spyware/firewall tools that help provide an envelope of protection around a user's PC.  A blog post here talks about ways to dodge the defenses of OneCare, primarily by using Java and/or signed code to bypass the firewall restrictions.  Some Microsoft personnel respond here, saying that their goals were to pull security configurations together in one place and offer protection while minimizing application breakage.  It's all about trade-offs.  And I, for one, welcome our new OneCare overlords.  There are many copies.  And they have a plan.

As any stroll down the latest Metasploit exploit list will tell you, attacking client technologies is very hot right now, including browsers, mail readers, audio players, etc.  Here is an interesting article from Brian Krebs about a huge area likely to be very ripe with such exploits: ActiveX controls installed by third parties.  Krebs summarizes well the research of Richard M. Smith, who claims to have found a cornucopia of buffer overflow flaws in widely deployed ActiveX controls.  Handler extraordinaire Agent Tom Liston points out the possibility of using a known flaw in an ActiveX control to really help target a given population, such as a given ISP's customers or perhaps a given corporation or government known to use a given ActiveX control.

Speaking of client-side sploits, it appears that AMD's forums website was used to distribute WMF exploit code the other day.  F-Secure has a write-up on the situation.  It's been resolved, but there is likely a very interesting story behind this one.  Again, client side exploits are the wave of the present.

On December 26, 2005, Secunia released an advisory regarding a vulnerabilty in Shoutcast.  We've received a report about a few sites detecting odd log entries that fit the vulnerability description, with corresponding server crashes over the past few days.  An exploit has been published on, at least, one site.  The solution is to update to the latest version (v.1.9.5).  The advisory is available at Secunia.

The default port for SHOUTcast is 8000--Dshield shows a spike in targets on the 14th and more recently.



-db

Dave Brookshire (http://parapet.net)
Handler-on-Duty

I am a fan of Microsoft AntiSpyware tool for several reasons:

1. It's relatively easy to use
2. It's feature set is very comprehensive
   
3. It's free

• CVE-2006-0381
• FreeBSD announcement

Steps to Reproduce:
1. touch foo\ bar     (the \ escapes the space embedded in the filename)
2. mkdir somedir
3. scp foo\ bar somedir
  
Expected Results:
No message, the file copied  
Actual Results:
cp: cannot stat `foo': No such file or directory
cp: cannot stat `bar': No such file or directory

About BlackWorm

Naming

How would I get infected?

What will BlackWorm do to my system?

Removal

1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
   

Snort Signatures

1. This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 
  (msg:"webstats.web.rcn.net count.cgi request
        without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)

2. This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway)

alert tcp any any -> any 80 
   (msg:"Agentless HTTP request to
www.microsoft.com (possible BlackWorm 
         infection)"; dsize:92;
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";
classtype:misc-activity; sid:1000377; rev:1;)

Credits

Although Nyxem is comparatively less spread then worms like Sober or Netsky, it's still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in last 24 hours, with more than double the occurences then the next highest occuring worm (Netsky).




This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can't be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks as a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven't seen in other analysis of the worm says:

"Additional Registry Changes

• The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."

• An anti-spyware program: MacScan
• A free virusscanner: ClamXav
• Some well known windows vendors have Mac OS X versions: Symantec, McAfee and Sophos
• Although OS X has a built in firewall, there are third party solutions for it such as Intego NetBarrier, Pliris Firewalk, Sustainable Softworks IPNetSentryX and Objective Development Little Snitch.

SymbOS.Sendtool.A -  The Trojan horse drops a hacktool that can be used to send malicious programs, such as variants of the SymbOS.PBStealer family of Trojans, to other mobile devices via Bluetooth.

SymbOS.Bootton.E - A Trojan horse that restarts the mobile device when executed. However, as it also drops corrupted components, the device is unable to restart.

Immediately after the FrSIRT public release of the exploit against Veritas NetBackup scanning for TCP/13701 started to increase dramatically.

Cisco published a report about a DoS condition on some of their routers.

It is situated in the Stack Group Bidding Protocol (sgbp) wich is used to enable bandwidth on demand using Multilink PPP (MLP).

To summarize:

• Not vulnerable if the router does not support sgbp or if it is not configured (so #show sgbp should give no output or a syntax error message).
  
• Workarounds are listed with ACLs to protect UDP/9900 on the affected routers.
• Upgrade to fix it
• Traffic to UDP/9900 might now be DoS attempts.
  

First off, I'm not bashing vendors, pet operating systems or even people. Just trying to make people realize they might have illusions. So stop reading here if you cannot deal with disillusions.

Windows

I recently purchased a computer for my wife at a small shop. I really like the shop. They customize off-the-shelf hardware to make extremely silent high performance PCs. So after the waiting for this new monster's parts to be collected and customized, I went to the shop to pick it up.  The shopkeeper takes the time to open up the case to show their work, turns it on, and I verify the hardware properties to make sure my custom build machine has all the right parts. All good, I still like them.

Before he turns it off though he tells me something very worrisome. It went like: "We turned off the windows automatic updates". I wasn't sure if I'd wipe the harddisk or not at that point, but as such things would convince me to wipe, I answered "No problem, I'll enable it when I get home, thanks for the warning". Then he goes on to explain they do that always as "In our experience windows update and all those patches break more than the viruses harm you. Just add a good anti-virus program, we've already tightened up the windows firewall. You'll be safe, don't worry. In our experience it is best to install the service packs Microsoft brings out, but stay away from the crap in between". Painfully wrong advise in my opinion, from a shop I like a lot for their hardware.

I'm very worried about the less security savvy consumer. I'm not convinced other shops give that much better advise. Sure they might want to try to sell me an anti-virus and personal firewall bundle. So we need to get the word out to the world at large. Do not believe all to easily you are safe, no matter the fancy explanations.

• A personal firewall will help, but it will not protect you from everything out there.
• An anti-virus program will help, but it will be unable to protect you from everything out there, especially new things go undetected very easily.
• Updates from Microsoft are critical to be installed as soon as possible after they have been released. Microsoft does not release patches unless there are exploits against it.
  

Mac OS X

• Often we get answers -even here at the Internet Storm Center with our much more security minded population of readers- that go like "I'm using a mac, no security worries". Why can you be sure there are worries ? Check the number of security patches you got, they fix vulnerabilities. Well you have security worries, just no (mass) exploits.
• Apple is switching to Intel CPUs away from the PowerPCs. Most script kiddies out there know Intel CPUs much better than they know a G4 or G5, so exploiting it becomes much easier for them. And yes, that Intel Duo is a dual core centrino, and a centrino is what it's just their cup of tea, plenty of machine code coders for it.
• Apple uses open source software as a basis. One of the reasons I like OS X is exactly that it's based on BSD unix. But that open source community fixes vulnerabilities documenting the vulnerability in source code and at a very fast rate. Apple takes a bit longer to issue fixes for the same vulnerabilities. And that leaves a relative long window of vulnerability to exploit.
• Apple is gaining market share. History has shown more popular OSes get attacked more. Exploit developers like to say there are zillions of affected customers. Look at it the other way: Seen any recent high profile exploit against AIX, Windows 3.1, Ultrix, IRIX, ... ? I'm pretty sure they are not 100% vulnerability free, just not that interesting as a target.
  
• Anti-virus, anti-spyware, ... software for OS X? There is such software, I tried to buy it.
• I went to the website of a well know anti-virus vendor, found they had something for Tiger, but when I tried to go to their consumer ordering system, I got a nice message I needed to use Internet Explorer to order anything. Hmm, I'm happy to say I do not have Internet Explorer on my Mac, and want to keep it that way.
  
• I went to their business side of the web, and unexpectedly, I could order there the OS X version of their product, and their shopping basket was working for both safari and firefox. Funny, it looks like it's the same software for that basket. But apparently corporate customers are not meeting the roadblock that prevents them from entering that part of the website even if they do not surf the web with MSIE.
• They only sell their OS X product in bundles of 5 licenses. I don't have 5 Macs, just 2. Nor am I likely to buy 3 more macs in the near future.

So somehow we'll need to live with the constantly increasing risk and a user community that thinks it is invulnerable.

Browsers

The rest

Paranoia?

FrSIRT has notified the ISC that a new exploit has been released utilizing the Stack Overflow vulnerability in Veritas Netbackup Enterprise Server.  As a reminder, a specifically crafted packet, sent to the Volume Manager via port 13701, will cause a stack overflow, allowing the attacker to run code of her/his choosing.  Authentication by the attacker is not needed to take advantage of this vulnerability.  

The vulnerability that this exploit takes advantage of is ~60 days old.  The downside of this exploit is that, in one pass, an attacker would have the ability to create a disaster, and then destroy a company's ability to recover from said disaster.

The security packs that address this vulnerability, Symantec Advisory #SYM05-024, can be found here. 

Thanx again to FrSIRT for providing the update.

With the growing use of two-factor authentication, users are finding it increasingly difficult to safely transport and, especially, store one of the more common devices used in this endeavor; the Smart Card.  A device the size and shape of a common credit card, this is different from standard credit cards in that it has an embedded chip for the storage of information, particularly user information and certificates.  Recent discussions brought about the point that an individual might be wise to protect the Smart Card with the same degree of protection as the other piece of two-factor authentication, the PIN.  

Both devices, at a minimum, require protection from the greatest threat posed to date, and that is electromagnetic psychotronic hacking form mind control carriers (MCCs).  In previous articles it was established that psychotronic hacking can be used to decrypt and read brain waves, so the process of hacking a Smart Card would be child's play for MCCs. 

*PIN Protection unit (PPU)
http://zapatopi.net/afdb/

*Smart Card protection unit (SCPU)
http://www.rpi-polymath.com/ducttape/RFIDWallet.php

The regular practice, and combined use, of the PPU and SCPU will result in a little known heightened state of personal security, commonly referred to as Infosystems Defcon 10T (ID-10T)

We received notification last night that a working exploit "MS Windows Metafile (WMF) Remote File Download Exploit Generator" has been released to the public.  The code takes advantage of the "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution", MS# MS06-001.  The exploit code will generate a .wmf that downloads and executes a specified URL.  The sad part to this story is that we have a set of 'plug & play' source code for evil-doers to spread their wares with.  And only 10 days after a patch has been released. 

 Additionally, as noted by reader Juha-Matti Laurio, we can expect to see variants coming very soon.  The group responsible for this release is well-known for this.

Last night a question was put to us, "I wonder how many people use vendor-loads (on new machines) versus reformat/reload?"  Therefore, in the interest of science (and general curiosity) I thought I would throw the question out for discussion today.  Feel free to let us know via the "Contact" link at the top of this page how you, or your organization, choose to deploy.

/-- UPDATE --/

We have received a number of responses to this question, and the majority has been of the 'reformat/reload' variety.  One of our readers, Ian, submitted some excellent thoughts I would like to share:

 "Experience has shown that vendor loaded machines are regularly unstable, sluggish and overflowing with bloat-ware and needless applications not to mention Windows features which most users will NEVER use!  EVERY instance of clean installation has resulted in a stable, fast (in comparison) machine plus space saving on the hard-drive.  Feedback is always positive... On older machines, people who had considered forking out thousands on the latest and greatest have reconsidered and saved their hard earned coins a little longer.

Dare I question Pros and Cons?  I do...  Pros: Nothing beats the familiarity and intimacy of a custom install... every file is accounted for and required, a blessing if trouble shooting is required in the future.  Cons: Time, it can be time consuming performing a reformat/clean install depending on configuration but long term those hours appreciate to savings in the event of a catastrophe - A worthwhile trade off."  (Thank you Ian, have a safe trip)

Another point submitted by a reader, who wished to remain anonymous, is that when calling a vendor for support, they often require their tools be loaded, or worse, left intact via an install from their recovery CD's.

/-- FINAL WORD --/

The final tally is an overwhelming 'reformat/reload' with some interesting thoughts on how to go about it.  I will consolidate some of those thoughts, and add them to this write-up later in the week. 

Many thanx go out to everybody who wrote in today.  Thank you.

*** Topic for #-sd-bot: $xscan asn139 
     200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024

The channel used to control the bots, '#-sd-bot', is using a standard command to instruct its members to scan an IP range for a particular vulnerability. On the other hand, if a human should connect to the host and issue a '/list' command to find out about channels on that server, the following message is displayed:

/list
*** Channel    Users  Topic
*** #help      1       IF YOU ARE HERE ITS 
BECAUSE I MIGHT HAVE
INFECTED ONE OF YOUR MACHINES, DONT WORRY 
NOTHING IS GONNA BE HARMED
WITH THE DRONES, FOR FURTHER INFORMATION 
ON REMOVALS PLS VISIT -
WWW . NORTONANTIVIRUSES . COM - 
OR LEAVE A MSG KTHX.

We do not know if the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legit Symantec/Norton site. Instead, its "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site does not appear to be malicious.

This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer found out that they are infected, and is visiting the bot server to find out more, they may as well try to get a cut on the cleanup revenue which would otherwise be lost.

Update:

This was posted to the 'funsec' list a while ago:

"So he changed his topic:

-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT -

WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.

....however, I guess he didn't like the exposure...after a few hours:

-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC
(#linuxsex@undernet))

 :) 

Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':

Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.

iTunes

• Apple howto.
  

QuickTime

• For general users, I would urge not to downgrade as you'll have the vulnerabilities back. Moreover the problems seem to be not that clear. I'm running the initial Quicktime 7.0.4 uprade and it works just fine.
• Still the uninstaller is here should you not be able to continue without the old version.

Mainstream support includes:

• Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
• Security update support
• The ability to request non-security hotfixes

Self-help online support includes:

• access to Microsoft's Knowledge Base articles
• access to FAQs, troubleshooting tools and other resources
• it does NOT include security update support
  

Windows XP Pro is considered Business class software.  As such, Microsoft provides mainstream support for 5 years after the product was released, extended support for an additional 5 years and self-help online support for 10+ years.

• Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
• Security update support
• The ability to request non-security hotfixes

Extended support includes:

• Paid support
• Security update support at no additional cost
• Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased. Per-fix fees also apply.
• Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
• Extended support is not available for Consumer, Hardware, Multimedia, and Business Solutions.

Self-help online support includes:

• access to Microsoft's Knowledge Base articles
• access to FAQs, troubleshooting tools and other resources
• it does NOT include security update support
  

Extensions - Consumer

• Rocketboom [Warning: we've had one user report that the page handled the quicktime plug-in oddly, and ended up crashing his Firefox browser.]
  

• frixin - an amazing portrait photographer
• guitarjohnny - some stunning wild life photography (check out page two of his gallery)
  
• gary roberts (or is it travis favretto?) - simply incredible use of light, sky, architecture and people

• Reaction Delay

Is there risk?

Patch please?

• Microsoft has not released an official patch so far and there is none on the horizon either.
• The Microsoft workaround (unregistering shimgvm.dll to prevent access to the vulnerable code in gdi32.dll) for other windows versions cannot be performed in win9x.  The shimgvm.dll library file does not exist in win9x.
• The unofficial patch which we endorsed in a very specific situation does not work on win9x. These older versions lack technology needed for the patch to protect in memory libraries from being accessed.
  
• We know that several software coders have or are going to publish patches for Win9x systems.  However, we highly recommend that you make a risk decision based on your own situation as to whether you wait for a Microsoft patch.  We did the extra-ordinary thing of recommending an unofficial patch earlier for a very specific condition. The conditions for the win9x
  situation are simply not the same now. There is no clear and present threat and the defenses in the form of anti-virus programs have become significantly stronger.
  

What options that are left?

• Accept the risk and play the wait and see game.
  
• Possibly, try to mitigate the risk by getting a good anti-virus program in place, preferably one that is known to trigger on the exploits without triggering on the payload in the WMF. Make sure the signatures are always up to date.
  
• Possibly, try to mitigate the risk by isolating the system. Isolating can be done on networks by air-gapping the machines, by removing floppy and cd-rom drives, by disabling USB ports, etc... Some systems might benefit enough from this to remain usable for a while longer.
• Balance the risks of one of the unofficial patches.
• I cannot recommend this action at this time, but it is an option you can evaluate, if you find it reduces your overall risk you might have a mitigation strategy.
  
• Mitigate the risk by changing the OS
• You might need to upgrade the hardware in order to be able to upgrade to a more recent version of windows. (Remember: if you pass down the old hardware to your family, friends or a good cause, they now have the problem you had)
  
• The hardware capable of running win9x is mostly capable of running alternative operating systems such as Linux, OpenBSD, FreeBSD, and others.  So you have many choices from witch to pick.

Sober.Y will be attempting to update itself tonight at midnight. If you have the ability you may wish to monitor traffic towards the sites listed below. The ISPs and hosting sites have known about this update for a while and I believe the malware has been removed from these sites so I don't recommend blocking those sites. Monitering them might provide you with a list of infected  computers:)

From http://www.f-secure.com/v-descs/sober_y.shtml

Sober.Y monitors a fixed list of NTP servers to syncronize its time. If the date is 6.1.2006 or later, instead of mass mailing, it tries to download and execute file from one of the following domains:

 people.freenet.de

 scifi.pages.at

 free.pages.at

 home.pages.at

 home.arcor.de

We have received reports and researched an issue with Ilfak's patch AND/OR deregistering SHIMGWV.DLL causing printing issues.

De-registering SHIMGVW.DLL can cause printer issues. This has been verified.

Pedro a fellow SANS handler provided this:
"From Microsoft Windows Server 2003 Inside Out
By William R. Stanek The client first uses the print driver to partially render the document into EMF and then spools the EMF file to the print server. The print server converts the EMF file to final form and then queues the file to the printer queue (printer)."

ScottF another SANS handler states "I have seen a few new printing bugs...basically the printer spooler tray icon pops up and says there is an error and then prints without a problem" this was when SHIMGWV.DLL was deregistered.

It appears that Ilfak Guilfanov's patch can also cause printer problems.

Paul Shane reported
"It seems that users printing with Lotus 1-2-3 V5  for windows (yes...the old version), running on Windows XP, cannot print with the hexblog patch installed.  As soon as the patch is uninstalled and the machine is rebooted, printing works."

 Finally JimC another SANS handler writing about Ilfak's patch states:
"Actually, I guess this one doesn't surprise me too much.  The "legitimate" use of the SETABORTFUNC Escape() call in gdi32.dll is for printing. We have heard of a couple of other widely scattered situations where some sort of printing function was disrupted by the unofficial patch.

• pdf
• ppt

• You might not have seen exploits yet because:
• You are lucky so far: estimates are that up to now 10% of our readers have seen them.
  
• The bad guys haven't released their worst (yet), but we know they have the tools and means to create it and we expect them to do so well enough before the official patches are released next week.
  
• The detection might be insufficient or might be failing, so you would not know it.
  (esp. if the attack was subtle enough in a first phase, it can be very hard to detect as it's designed to be very hard to detect by anti-virus and IDS/IPS systems)
• We were told of McAfee reporting a 6% infection rate at their customers on New Year's Eve already.
  

• The Internet Storm Center knows of quite a few goverment and larger organisations that did roll-out the unofficial patch, so your "peers" might very well be doing the right thing already.

• The usual precautions, such as telling the users not to click or surf to bad sites, updating anti-virus signatures, filtering email, ... will help just like a drop of water helps to fill a bucket. It's just not good enough by far.
• No user interaction is required. This is one of those where the user is a sitting duck, not the offender.
  
• Many anti-virus signatures still trigger on the payload, not on the call in the WMF and therefore might get a working signature only after you got hit. This can be more painful if you are unlucky to get hit early.
• IDS/IPS can be easily bypassed by using off-the-shell tools already available to the bad guys.
• Firewalls will not prevent filesharing once the files are inside.
• ...
  

• One working exploit proves a vulnerability.
• Many non-functional exploits prove nothing towards the lack of a vulnerability.

Microsoft updated its advisory (KB 912840) this morning with the below information.  For those in academic environments, this may actually work in your favor as students will be coming back after the supposed release date. 

'Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

The list may be updated later. We do not expect to make this a "regular feature". But at this time we find that it is necessary to point out these particular two netblocks.

They have been associated with a number of high profile criminal activities in the past. A good number of WMF exploits use name servers or other resources in these netblocks. They have been non responsive to current and past requests to remove malicious content.

• Why is this issue so important?

• Is it better to use Firefox vs. Internet Explorer?

• What versions of Windows are affected?

• What can I do to protect myself?

• Will unregistering the DLL protect me?

• Should I just delete the DLL?

• Should I just block all .WMF images?

• What is DEP (Data Execution Protection) and how does it help me?

• How good are Anti Virus products to prevent the exploit?

• How could a malicious WMF file enter my system?

• Is it sufficient to tell my users not to visit untrusted web sites?

• What is the actual problem with WMF images here?

• Should I use something like "dropmyrights" to lower the impact of an exploit.

• Are my servers vulnerable?

• What can I do at my perimeter / firewall to protect my network?

• Can I use an IDS to detect the exploit?

• If I get hit by the exploit, what can I do?

• Does Microsoft have information available ?

New exploit

• with a random size;
• no .wmf extension, (.jpg), but could be any other image extension actually;
• a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  
• a number of possible calls to run the exploit are listed in the source;
  
• a random trailer

Infection rate

Yellow

UNofficial patch

Snort signatures

• No patch in sight from Microsoft
• Not wanting to infect peers such as customers
• Not wanting to rely on anti-virus signatures when people are developing versions of the exploit with a highly random nature
• Not wanting to rely on IDS devices due to the same randomness and the "it's too late already" aspect

• Ban Microsoft products in your environment
• I told you we were going to start from the extreme viewpoint, so hold your horses.
• What does it buy?
• No windows, no windows WMF vulnerability
• What does it not buy?
• You still can pass on dangerous payload to others like to your customers.
• If a single escaped machine remains or a single machine snuck back in, you still might get affected.
  
• Ban all communication and/or file exchanges
• Extreme again isn't it? Moreover it is perceived very hard in a modern world.
  
• What does it buy you?
• You prevent yourself from getting and giving dangerous payload to all peers
• What does it not buy you?
  
• If a single file would sneak in, or be present already, you might still have a major problem
• You have sacrificed a lot of the availability to gain confidentiality and or integrity

• Isolate them frmm the rest of the company. Plug a firewall between them and the rest of the internal networks. Disallow all unneeded communication with the rest of the company, making sure their servers are on their new inside.
• Use advanced networking solutions to prevent (accidental) hookup of unauthorized equipment to the sensitive network. E.g.:
  
• Make sure switch ports automatically shut down when try try to learn a second MAC address
• Assign only DHCP addresses to known MAC addresses
• Kick unknown MAC addresses into a separate VLAN
• Use layer 2 measures (such as private VLANs) to prevent client-to-client communication
• Disallow dangerous usage:
  
• Disallow IM
• Disallow web surfing
• Disallow email, or strip all attachments from the more secure email server they get access to.
• Now no surfing, no email, ... etc can be hard on the users and they might have really good arguments to have the functionality back.
• Build a second less sensitive network on different infrastructure
• Add machines for those that need the web/email/...
• Allow them to surf the web (with traditional restrctions) on those "less" secure machines but not on the "sensitive" machines which are to be used exclusively for their sensitive application(s).
• Be very procedural and build the needed infrastructure if you want to allow transfers between the two environments.
  
• The more traditional stuff should not be forgotten, especially not on the more secure side:
• Take a tough stance on updating Anti-virus signatures
  
• Look for unregistering the DLL as per Microsofts suggestion
• May be consider an unofficial patch from some reputable source
• Look for other platforms
• This is hard as training users to switch platforms takes time, and worse applications might not have clients for other platforms that work properly. Still it's one way out of the de-facto monoculture of operating systems and related vulnerabilities. We know from agriculture monoculture has risks. If we want not to accept the risks we need to act on it as well.
• Look for other strongholds to build
  
• If you have more than one sensitive section in you company, build more of these strongholds, do not build larger ones.
• More smaller ones will contain the spread of infections and the associated risks and costs in clean up better under control.

• Allowing only non windows machines to acces the Internet was suggested as an approach. While it might protect that machine, the downloaded files might easily migrate to the windows machines and as such be a risk regardless. Also users might find a way to tunnel thtough the allowed machines. But as always it gives something and for some environments it might help to mitigate the risk.
• Remote display clients from a windows desktop to a unix server was suggested. While it might work again some of the tools have file transfer capabilites and/or accellerate the display by using the graphical power in the workstation. You will never be sure the windows machines are fully secure. But it might help in some environments to mitigate some of the risk without giving much assurances.