Posts tagged ‘WMF’

Breaking News from the Tin Foil Hat Crowd

I haven’t had time to check the transcripts as I am walking out the door to shmoocon.
According to reports, Steve Gibson claims that the WMF vulnerability could not have been a mistake, that it was an intentional backdoor inserted by Microsoft.

http://thisweekintech.com/sn22

LOL. yet more fodder for grcsucks.com as well as the Microsoft haters.
Steve Gibson. What an idiot.

IM.WMF-BH56.all

IMLogic is reporting a new IM worm using the WMF vulnerability. This is currently rated as low.
If you’ve got IMLogic, you’re cool. Otherwise you might want to watch access to 168.169.78.19 cause the file is live. Oh, I hear the file is detected with the Symantec Bloodhound defs, but I didn’t want to test that for myself.

Mike Nash on the WMF Patch

http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx
I’m sure the SANS Handlers will have a coronary at the thought that their hystericane is not wide-spread. Nice to hear from Mike on this subject.

Ready Set Patch

In a boring meeting about 2:45 I saw that the WMF patch, henceforth known as MS06-001, was out. I immediately grabbed most of the interested parties to organize a plan of action. Unfortunately I got waylaid by the firewall guy and before I could escape, the patch planning discussion was over. As a result, the full plan wasn’t thought through.
We did manage to get the new cab file (or is that xml now) downloaded. Unfortunately the SMS guys don’t know how to make the clients report that they need the patch until some automatic scan occurs tomorrow morning. That means the patch probably won’t get deployed until 10am tomorrow. :(
Hey, I can only make the recommendation for deployment.

WMF Antivirus face off

I learned through Donna’s Security Flash about some testing av-test.org has done to see which Antivirus vendors can detect wmf files.
See the results from January 1st in a PCMag article. AVG didn’t fare so well. Aren’t they one of the free products that people always push instead of the more established vendors?

“Leaked Official WMF Patch”… not

Over at broadband reports I see a thread with a link (which the moderator has since deleted) claiming to be the official Microsoft patch for the WMF vulnerability, fully Q/A tested on Windows XP and Windows 2003 (x86, x64, English), with testing of other language installs and the IA64 architecture supposedly still under way.
That sounds like great social engineering.

Jesper Johansson on WMF vulnerability

I’ve been wondering if Jesper Johansson had a blog, and sure enough Scoble linked to it today for his post on the WMF vulnerability. SWEET!
Does anyone know if Mike Nash or Steve Lipner have blogs?

Silent switch available for unofficial patch

I had been wondering if it is possible to run the third party WMF patch in a silent mode. When I downloaded the patch and ran it with a /? it did not give me any command line options. SANS is now reporting the syntax to run the install quietly.
I’m still wondering how to uninstall the patch programmatically when the real patch is released. I’m assuming that since it is listed in Add/Remove Programs it should be possible to find the uninstall command line in the registry. I haven’t looked through it yet.

Using Sybari? Check your Scanallattachments setting

Sybari (or is that Microsoft) sent out a security bulletin relating to WMF viruses. They are calling it WMF/Exploit.b, Alias: Exploit-WMF trojan, Exploit.Win32.IMG-WMF.a, Troj/DownLdr-QB.
But most importantly, they warn:

****PLEASE NOTE****
For Windows platforms, users must set the “ScanAllAttachments” registry value to 1 for this filetype to be detected.
Domino Users:
For Domino, the following can be done:
1. Open the “notes.ini” file.
2. Add the “.JPG” and “.WMF” extension to the “AntigenAveExts” parameter.
3. Save the file.
4. Recycle services.

I always thought it a little sketchy that by default Sybari scans specific file types only. Hopefully Exchange performance won’t grind to a halt when this change is made.
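For the Domino side of that bulletin, here is an added example (not Sybari’s or the bulletin’s own code) that applies steps 1 and 2 to a notes.ini: it finds the AntigenAveExts parameter, appends .JPG and .WMF only if they are not already listed (case-insensitively), and reports what it added so you can confirm the change before recycling services. The notes.ini fragment is constructed, and the list format is an assumption: a delimiter-separated list whose delimiter is detected from the existing value.

```python
from typing import List, Tuple

# Constructed sample notes.ini fragment; not taken from any real server.
SAMPLE_NOTES_INI = """\
Directory=C:\\Lotus\\Domino\\data
AntigenAveExts=.EXE;.COM;.SCR
ServerTasks=Update,Replica,Router
"""

_PARAM = "AntigenAveExts"


def ensure_antigen_exts(ini_text: str, wanted: Tuple[str, ...] = (".JPG", ".WMF")) -> Tuple[str, List[str]]:
    """Return (updated notes.ini text, list of extensions actually added).

    Assumption: AntigenAveExts is a ';' or ',' separated list of extensions.
    Running this twice is a no-op, so it is safe to re-apply during rollout.
    """
    lines = ini_text.splitlines()
    added: List[str] = []
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == _PARAM.lower():
            # Keep whatever delimiter the existing value already uses.
            delim = ";" if ";" in value or "," not in value else ","
            current = [v.strip() for v in value.split(delim) if v.strip()]
            have = {v.upper() for v in current}
            for ext in wanted:
                if ext.upper() not in have:
                    current.append(ext.upper())
                    added.append(ext.upper())
            lines[i] = f"{key.strip()}={delim.join(current)}"
            break
    else:
        # Parameter absent entirely: add it with just the wanted extensions.
        # Check the product's default list first if you rely on other types.
        added = [e.upper() for e in wanted]
        lines.append(f"{_PARAM}={';'.join(added)}")
    return "\n".join(lines) + "\n", added


if __name__ == "__main__":
    updated, added = ensure_antigen_exts(SAMPLE_NOTES_INI)
    print("added:", added)
    print(updated)
```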

Ah Sweet Vindication

Just wondering if you guys who rely on attachment blocking in email to protect you are now blocking all image files to protect against WMF exploits? Enjoy your plaintext email existence.
I’ll continue to enjoy the protection provided by Message Labs. Good antivirus enables business.