
SANS ISC: More .wmf Woes SANS ISC InfoSec Forums

More .wmf Woes
The WMF issue continues to spin.  Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.

-HD

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view. If only the bad guys had the tools, the good guys would be left guessing at how this stuff works. This reminds me of how bad we felt in the early 1990s when SATAN was released. We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws. Today, of course, no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems. So, if you haven't looked at the Metasploit project, today might be the day you should. Think of it as a defender's best friend rather than an evil hacking tool.
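HD's note makes a concrete defensive point: a detector that pattern-matches raw wire bytes, or that expects a file header at offset 0, is defeated by a gzip Content-Encoding or by padding in front of the header. The script below is an added illustration written for this diary, not code from Metasploit or from the ISC; it compares three detectors on two constructed HTTP responses carrying the same padded, inert byte sequence, once plain and once gzip-encoded. The "signatures" are only the well-known WMF header constants (the placeable-metafile key 0x9AC6CDD7 stored little-endian, and a standard header with mtType=1, mtHeaderSize=9, mtVersion=0x0300), chosen to show the normalization problem; the sample bodies contain no working metafile and nothing resembling the exploit.

```python
import gzip
import zlib

# Illustrative detection patterns (not a production signature).
# A placeable WMF file opens with the key 0x9AC6CDD7, stored little-endian;
# a standard WMF header starts mtType=1, mtHeaderSize=9, mtVersion=0x0300.
WMF_PLACEABLE_KEY = bytes.fromhex("D7CDC69A")
WMF_STANDARD_HDR = bytes.fromhex("010009000003")
SIGNATURES = (WMF_PLACEABLE_KEY, WMF_STANDARD_HDR)


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers, body


def normalize_body(headers: dict, body: bytes) -> bytes:
    """Undo the content encoding so the inspector sees the bytes the client will see."""
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        # HTTP "deflate" is normally a zlib-wrapped stream; raw deflate would need wbits=-15.
        return zlib.decompress(body)
    return body


def naive_match(raw: bytes) -> bool:
    """Signature match on the wire bytes, as a plain pattern-matcher would do it."""
    return any(sig in raw for sig in SIGNATURES)


def anchored_match(body: bytes) -> bool:
    """Match only at offset 0 of the body: defeated by any leading padding."""
    return any(body.startswith(sig) for sig in SIGNATURES)


def normalized_match(raw: bytes) -> bool:
    """Decode the body first, then search it anywhere rather than only at offset 0."""
    headers, body = parse_http_response(raw)
    try:
        decoded = normalize_body(headers, body)
    except (OSError, zlib.error):
        return False  # an undecodable body deserves its own alert in practice
    return any(sig in decoded for sig in SIGNATURES)


def build_response(body: bytes, content_encoding: str = "") -> bytes:
    """Construct a minimal HTTP response around a body (sample data, not captured traffic)."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: image/x-wmf"]
    if content_encoding:
        lines.append(b"Content-Encoding: " + content_encoding.encode())
    lines.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed sample: zero padding ahead of the placeable key, then a standard
# header, then inert filler. This is not a valid metafile of any kind.
PADDED_WMF = (b"\x00" * 16 + WMF_PLACEABLE_KEY + b"\x00" * 18
              + WMF_STANDARD_HDR + b"\x00" * 32)
PLAIN_RESPONSE = build_response(PADDED_WMF)
GZIP_RESPONSE = build_response(gzip.compress(PADDED_WMF), "gzip")


def compare_detectors() -> dict:
    """Run each detector on both samples; keys are (detector, sample) -> hit."""
    results = {}
    for name, raw in (("plain", PLAIN_RESPONSE), ("gzip", GZIP_RESPONSE)):
        body = parse_http_response(raw)[1]
        results[("naive", name)] = naive_match(raw)
        results[("anchored", name)] = anchored_match(body)
        results[("normalized", name)] = normalized_match(raw)
    return results


if __name__ == "__main__":
    for (detector, sample), hit in sorted(compare_detectors().items()):
        print(f"{detector:>10} detector on {sample:>5} sample: {'HIT' if hit else 'miss'}")
```

Run as-is, the naive detector hits the plain response but misses the gzip-encoded one, the offset-anchored detector misses both because of the padding, and only the detector that decodes the body and scans it catches both. The lesson for a sensor is not a better byte pattern but normalization before matching; an inline sensor that cannot decode what the browser will decode is matching a different stream than the one that reaches the vulnerable parser.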


Marcus

301 Posts
ISC Handler
