Re: WMF patch

2006-01-05 Thread Stephane Bortzmeyer

On Wed, Jan 04, 2006 at 05:58:16PM -0500,
 [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote 
 a message of 46 lines which said:

> How many times do you propose we FTDT before we get fed up and ask
> upper management to authorize a migration to some other software
> with a better record? And how many more FTDT's do we need to
> tolerate while we wait for upper management to authorize a
> migration?

There is no limit to what human beings can stand before becoming
reasonable. That is human nature and the engineers' rationality is no
match for it.

Think about religion, for instance. A lot of people still believe in a
supernatural being despite a very bad track record (much worse than
MS-Windows').
 


Re: WMF patch

2006-01-05 Thread Alexander Harrowell
Indeed. It's the security equivalent of "the market can stay irrational
longer than you can stay solvent" - perhaps we could reformulate that
as "the users can remain clueless longer than your business can survive
the DDOS"

On 1/5/06, Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:
> On Wed, Jan 04, 2006 at 05:58:16PM -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote a message of 46 lines which said:
> > How many times do you propose we FTDT before we get fed up and ask
> > upper management to authorize a migration to some other software
> > with a better record? And how many more FTDT's do we need to
> > tolerate while we wait for upper management to authorize a
> > migration?
>
> There is no limit to what human beings can stand before becoming
> reasonable. That is human nature and the engineers' rationality is no
> match for it.
>
> Think about religion, for instance. A lot of people still believe in a
> supernatural being despite a very bad track record (much worse than
> MS-Windows').


Ilfak's WMF patch

2006-01-05 Thread Gadi Evron


"securiTeam Blogs" posted an interview with Ilfak, the WMF patch author.

He explains what it does, and why:

http://blogs.securiteam.com/index.php/archives/176

Just in case some of you don't follow security sources or need another 
affirmation -


I know Ilfak and he is trusted. He is a Good Guy.

Gadi.


Re: [ok] Re: WMF patch

2006-01-05 Thread william(at)elan.net



On Wed, 4 Jan 2006, Fred Heutte wrote:

> My observation had more to do with the posturing of the "security"
> vendors (anti-virus, firewall, IDS, etc.) and the broad range of
> highly important experts who are all clamoring for attention on
> this and on all the other everyday security issues out there.
> There is certainly a need for security services and products and
> activities, but I am just not enamored of the "security mindset."
> This is just a part of what our job is so let's get on with it.
>
> And if we can convince the PHBs that moving off of Windows is
> (1) feasible, which is obvious; (2) manageable for them, which is
> not so clear, so much the better.  I've broken my hammer pounding
> this particular nail, so having failed at moving management away
> from Windows, I moved myself away from management.


You do of course realize that there is an entire industry and quite a
number of vendors whose main products involve fixing bugs, closing
holes and providing timely updates for that insecure and buggy OS.
If the OS was not like that, the industry would be much smaller, as
would the job area that involves security and other associated OS
maintenance activity. Notice also that most managers do come from
the MS world and they see this all as quite normal after many years.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


MPLS Providers

2006-01-05 Thread Andrew Staples

We're looking at purchasing MPLS services for locations nationwide.  Does
anyone have personal experiences they'd care to share about providers...the
good, the bad, the ugly?

I'm not looking for public bashing, just data to differentiate one from
another.   Any comments or direction appreciated.

Andrew



Re: WMF patch

2006-01-05 Thread Eric Frazier


At 01:40 AM 1/5/2006, Thomas Kuehling wrote:

> Hi Eric
>
> On Wednesday, 04.01.2006, 08:14 -0800, Eric Frazier wrote:
> > Hi,
> >
> > I finally decided this was serious enough to do something about it sooner
> > than the MS patch, but while this seems to be the official link to the SANS
> > patch http://isc1.sans.org/diary.php?storyid=1010
> > it also is timing out. I have seen a couple of other links from googling to
> > people who have "repackaged" this, but I really don't want to download
> > something that doesn't match the SANS MD5..
> >
> > Any links or suggestions?
>
> perhaps it is outdated, but as a workaround, it would be enough to
> unregister the DLL which handles WMF:
>
> on the Start menu, choose Run, type "regsvr32 -u %windir%\system32\shimgvw.dll",
> and then click OK.
>
> For more details, visit this link:
> http://www.frsirt.com/english/advisories/2005/3086



Thanks Thomas, something really useful. One thing I am still curious about:
I read that other image formats can be used in an exploit as well; GIF,
.BMP, .JPG and .TIF can also be used, according to F-Secure. I find this a
little confusing: if that dll only deals with the WMF file type then the
exploit must not be directly connected with that dll. Or does that dll
handle all of those as well?


But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp

Which makes sense. A lot of things I have been seeing about this go on as
if WMF were the only format at issue, and that obviously is not at all
true. I would more likely have ignored this if it really was only WMF
files and the MS patch a week or so away.



Thanks,

Eric




> Kind regards
> Thomas Kühling
>
> --
> Mapsolute Gmbh - Techn. Administration - TK2325-RIPE




RE: MPLS Providers

2006-01-05 Thread Rump, Bryant

That's sort of a loaded question.  Some providers' offerings are good
for different reasons/have different strengths.  Your best fit would
depend on your individual needs.

How many sites will you have, and what is your access method and speed
preference?  
Do you need granular QoS from CPE to CPE or will queuing on the access
loop suffice?  
Prefer or require layer 2 (Martini, Kompella/Lasserre, etc.) MPLS vs.
layer 3 (2547)? 
Do you need the service to support multicast?
Does your WAN require the service to support an IGP (OSPF, RIPv2, etc.)?
Do you require internet access over the same access loop?
Require the provider's network to be physically separate from the public
internet?
Plus many more...

The answers to these questions should significantly narrow your choices.

Bryant Rump

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Andrew Staples
Sent: Thursday, January 05, 2006 12:36 PM
To: nanog@merit.edu
Subject: MPLS Providers


We're looking at purchasing MPLS services for locations nationwide.
Does anyone have personal experiences they'd care to share about
providers...the good, the bad, the ugly?

I'm not looking for public bashing, just data to differentiate one from
another.   Any comments or direction appreciated.

Andrew




Re: WMF patch

2006-01-05 Thread Robert Boyle


At 12:54 PM 1/5/2006, you wrote:
> Thanks Thomas, something really useful. One thing I am still curious
> about: I read that other image formats can be used in an exploit as
> well; GIF, .BMP, .JPG and .TIF can also be used, according to
> F-Secure. I find this a little confusing: if that dll only deals
> with the WMF file type then the exploit must not be directly connected
> with that dll. Or does that dll handle all of those as well?
>
>
> But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp
>
> Which makes sense. A lot of things I have been seeing about this go on
> as if WMF were the only format at issue, and that obviously is not at
> all true. I would more likely have ignored this if it really was only
> WMF files and the MS patch a week or so away.


I believe Windows uses the file header/descriptor data as well as or 
instead of the extension to know how to handle images. Otherwise, 
simply renaming/blocking all WMF files would result in an effective 
mitigation method.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



sober.z to hit tomorrow

2006-01-05 Thread Wil Schultz


Wouldn't it be fun if it contained the WMF exploit in some form?
So, I'm planning on using swatch to monitor DNS requests for the known 
affected domains. What is everyone else planning to do?


-Wil



Re: sober.z to hit tomorrow

2006-01-05 Thread Elijah Savage


Wil Schultz wrote:

> Wouldn't it be fun if it contained the WMF exploit in some form?
> So, I'm planning on using swatch to monitor DNS requests for the known
> affected domains. What is everyone else planning to do?
>
>
> -Wil

For all the known popular domains we have pushed out a global rule to our
customers to block those domains, and we are blocking those domains on
the aggregate circuits/routers as a secondary precaution. I plan to
check a few times tomorrow to see if any of those domains that aren't
registered yet actually show up, and possibly use netflow also.


--
http://www.digitalrage.org/
The Information Technology News Center


Re: sober.z to hit tomorrow

2006-01-05 Thread Jim Popovitch

I'm shutting PCs down and going on vacation for a while.  Seriously. :-)

TIA to those of you working to protect your customers and therefore other 
systems as well.

-Jim P.

- Original Message 
From: Wil Schultz <[EMAIL PROTECTED]>
To: nanog@merit.edu
Sent: Thursday, January 05, 2006 1:53:09 PM
Subject: sober.z to hit tomorrow


Wouldn't it be fun if it contained the WMF exploit in some form?
So, I'm planning on using swatch to monitor DNS requests for the known 
affected domains. What is everyone else planning to do?

-Wil






WMF Microsoft Patch is out

2006-01-05 Thread Jerry Dixon
FYI all, the Microsoft Official patch is out for WMF and available via Windows Update.

Cheers,

Jerry



MS PATCH details plus URL's for download [was: Re: WMF Microsoft Patch is out]

2006-01-05 Thread Gadi Evron


Jerry Dixon wrote:

> FYI all, the Microsoft Official patch is out for WMF and available via Windows
> Update.


I took this from the funsec list:
Larry Seltzer-
http://www.microsoft.com/technet/security/bulletin/advance.mspx

"Microsoft originally planned to release the update on Tuesday, January 10,
2006 as part of its regular monthly release of security bulletins, once
testing for quality and application compatibility was complete. However,
testing has been completed earlier than anticipated and the update is ready
for release...

"Microsoft's monitoring of attack data continues to indicate that the
attacks are limited and are being mitigated both by Microsoft's efforts to
shut down malicious Web sites and with up-to-date signatures from anti-virus
companies.

"The security update will be available at 2:00 pm PT as MS06-001. "

-

Matthew Murphy:
According to my MSRC source, the patch has hit WU now.  The bulletin is
up as we speak:

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

My tests indicate the updates are up as well:

Windows 2000 SP4
http://www.microsoft.com/downloads/details.aspx?familyid=AA9E27BD-CB9A-4EF1-92A3-00FFE7B2AC74

Windows XP SP1/SP2
http://www.microsoft.com/downloads/details.aspx?familyid=0C1B4C96-57AE-499E-B89B-215B7BB4D8E9

Windows XP x64 Edition
http://www.microsoft.com/downloads/details.aspx?familyid=3A1166E6-5E9E-4E73-BCD4-28ECA6ECE877

Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=1584AAE0-51CE-47D6-9A03-DB5B9077F1F2

Windows Server 2003 for Itanium
http://www.microsoft.com/downloads/details.aspx?FamilyId=6E372D41-2C16-415E-8306-A5CA8845CC09

Windows Server 2003 x64 Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=A8F4DCBA-5D28-4D9D-A6A4-3B71108CFE2D

There is *NO PATCH* for Windows 98, Windows 98 SE, or Windows Me at this
time.

A quick study of the bulletin reveals this from the FAQ:

"Specifically, the change introduced to address this vulnerability
removes the support for the SETABORTPROC record type from the
META_ESCAPE record in a WMF image. This update does not remove support
for ABORTPROC functions registered by application SetAbortProc() API calls."

So, IOW, it's the same functionality as in Ilfak's patch, minus the hook.
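Two points in this thread describe something a mail gateway or file scanner can check directly: Robert Boyle's observation that Windows picks the image handler from the file's header rather than its extension (so renaming or blocking *.wmf by name is not a mitigation), and the bulletin FAQ quoted above, which says the fix removes support for the SETABORTPROC escape inside META_ESCAPE records. The following is an added example written for this page; it is not code from the thread, from Ilfak's patch or from Microsoft. It recognises a WMF by its header bytes whatever the filename says, then walks the record list and reports any META_ESCAPE record whose escape function is SETABORTPROC. The constants are the public WMF format values; the sample files are constructed here (a bare header, one escape record with zero bytes of escape data, an EOF record) purely as test input for the detector.

```python
import struct

# Public WMF format values. The META_ESCAPE + SETABORTPROC pairing is the
# record type the MS06-001 bulletin FAQ says the update stops honouring.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 little-endian (Aldus placeable header)
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def is_wmf(data: bytes) -> bool:
    """Decide 'is this a WMF' from the bytes alone, never from the extension."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < META_HEADER_LEN:
        return False
    # META_HEADER: Type (1=memory, 2=disk), HeaderSize in words (9), Version
    mtype, header_words, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def iter_records(data: bytes):
    """Yield (function, params) for each record after the header(s)."""
    off = PLACEABLE_HEADER_LEN if data.startswith(PLACEABLE_KEY) else 0
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        # RecordSize is a DWORD in 16-bit words and includes these 6 bytes
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break  # truncated or malformed record: stop rather than guess
        yield func, data[off + 6 : off + size]
        if func == META_EOF:
            break
        off += size


def find_setabortproc(data: bytes) -> list:
    """Indices of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for idx, (func, params) in enumerate(iter_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            escape_func, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_func == SETABORTPROC:
                hits.append(idx)
    return hits


def classify(filename: str, data: bytes) -> str:
    """Gateway verdict: the content decides, the filename is only reported."""
    if not is_wmf(data):
        return "not-wmf"
    return "wmf-setabortproc" if find_setabortproc(data) else "wmf-clean"


# --- constructed test input (not real malware) -------------------------------
def _header() -> bytes:
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers (sizes left at 0; the scanner does not need them)
    return struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)


def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


CLEAN_WMF = _header() + _record(META_EOF, b"")
# One META_ESCAPE record: EscapeFunction=SETABORTPROC, ByteCount=0, no data.
ABORTPROC_WMF = (_header()
                 + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
                 + _record(META_EOF, b""))
# Same content behind a placeable header (key + 18 bytes of bounding box etc.).
PLACEABLE_ABORTPROC_WMF = PLACEABLE_KEY + b"\x00" * 18 + ABORTPROC_WMF

if __name__ == "__main__":
    for name, blob in [("chart.wmf", CLEAN_WMF), ("holiday.jpg", ABORTPROC_WMF),
                       ("logo.wmf", PLACEABLE_ABORTPROC_WMF),
                       ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 30)]:
        print(f"{name:12s} -> {classify(name, blob)}")
```

The `holiday.jpg` case is the one Robert's message is about: the bytes are a WMF with a SETABORTPROC escape, so the verdict is the same as for the `.wmf` name, while a genuine JPEG header is passed through untouched. A filter built on extension alone would get both of those wrong.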


RE: WMF Microsoft Patch is out

2006-01-05 Thread Church, Chuck

So rather than finish the testing they wanted to do, they rushed it out?
Hmmm.   Sounds a little scary to me
 
Chuck 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jerry Dixon
Sent: Thursday, January 05, 2006 3:37 PM
To: [EMAIL PROTECTED]
Subject: WMF Microsoft Patch is out


FYI all, the Microsoft Official patch is out for WMF and available via
Windows Update.

Cheers,

Jerry



RE: WMF Microsoft Patch is out

2006-01-05 Thread william(at)elan.net



On Thu, 5 Jan 2006, Church, Chuck wrote:

> So rather than finish the testing they wanted to do, they rushed it out?
> Hmmm.   Sounds a little scary to me


Scarier than the architectural decisions they made that led to having
to release this patch?

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


RE: WMF Microsoft Patch is out

2006-01-05 Thread andrew2

[EMAIL PROTECTED] wrote:
> So rather than finish the testing they wanted to do, they rushed it
> out? Hmmm.   Sounds a little scary to me


The way the SANS folks have been going into hysterics over the
vulnerability I'd say there was considerable pressure to get it out the
door as soon as humanly possible...

Andrew Cruse



Re: WMF Microsoft Patch is out

2006-01-05 Thread Martin Hannigan

> 
> 
> 
> On Thu, 5 Jan 2006, Church, Chuck wrote:
> 
> > So rather than finish the testing they wanted to do, they rushed it out?
> > Hmmm.   Sounds a little scary to me
> 
> Scarier than the architectural decisions they made that led to having
> to release this patch?


Scarier than using patches for MS products from NON-MS sources and
authors? 

-M<


net-op: traffic loads as the result of patching

2006-01-05 Thread Sean Donelan


So, maybe an operational question.

What are people seeing as far as network traffic loads due to WMF patching
activity, e.g. auto-update and manual downloads?  Microsoft has used
several CDNs in addition to its own servers to distribute the load
in the past.


Re: net-op: traffic loads as the result of patching

2006-01-05 Thread Gadi Evron


Sean Donelan wrote:

> So, maybe an operational question.
>
> What are people seeing as far as network traffic loads due to WMF patching
> activity, e.g. auto-update and manual downloads?  Microsoft has used
> several CDNs in addition to its own servers to distribute the load
> in the past.


Most organizations use from one to quite a few of their own distribution 
points. It would be interesting to know what the stats are at broadband 
providers... Although proxying may make the results a bit "nicer" in 
some places.


Gadi.


Re: net-op: traffic loads as the result of patching

2006-01-05 Thread Elijah Savage


Sean Donelan wrote:

> So, maybe an operational question.
>
> What are people seeing as far as network traffic loads due to WMF patching
> activity, e.g. auto-update and manual downloads?  Microsoft has used
> several CDNs in addition to its own servers to distribute the load
> in the past.

WSUS servers are being pounded right now. Usually 5 to 7% CPU, now 72%.

--
http://www.digitalrage.org/
The Information Technology News Center


Re: net-op: traffic loads as the result of patching

2006-01-05 Thread Gadi Evron


Elijah Savage wrote:

> Sean Donelan wrote:
> >
> > So, maybe an operational question.
> >
> > What are people seeing as far as network traffic loads due to WMF patching
> > activity, e.g. auto-update and manual downloads?  Microsoft has used
> > several CDNs in addition to its own servers to distribute the load
> > in the past.
>
> WSUS servers are being pounded right now. Usually 5 to 7% CPU, now 72%.


On usual Black Tuesdays though, there is quite a rush as well. Thing is 
this patch is alone while then there are a few. I believe it might even 
itself out in statistics.


Gadi.


Re: Awful quiet?

2006-01-05 Thread Mans Nilsson
Subject: Awful quiet? Date: Wed, Dec 21, 2005 at 12:09:23AM -0800 Quoting Jim 
Popovitch ([EMAIL PROTECTED]):
> 
> I miss the endless debates.  Is *everyone*  Christmas shopping?
> 
> Here's a thought to ponder
> 
> With the thousands of datacenters that exist with IPv4 cores, what will it 
> take to get them to move all of their infrastructure and customers to IPv6?  
> Can it even be done or will they just run IPv6 to the core and proxy the rest?

A datacenter typically has L2 VLANs everywhere, connected to one
or more routing devices for v4 connectivity, so all one needs to
do is get one or two routers with all VLANs trunked in on ethernets
and give each L2 broadcast domain a /64. Run RA to taste. 

I've done this on what amounts to a "very large data center", a LAN 
gamer party with over 5000 participants. Of course, not many were using
v6 (We really need a FPS game with v6 transport to drive this forward!), 
but it was available to everyone, and, it did not harm v4 traffic. 

-- 
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE

INSIDE, I have the same personality disorder as LUCY RICARDO!!


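The recipe in Måns's post (trunk every VLAN into one or two routers, give each L2 broadcast domain a /64, run RA) in router configuration form. This is an added example, not configuration from the post or from the LAN party it describes; it assumes Cisco IOS syntax, the 2001:db8::/32 documentation prefix, and that the access switches support RA Guard, which is the one control a defender wants once every VLAN carries router advertisements: only the router's trunk, not any host in the VLAN, should be allowed to announce itself as the default router.

```cisco
! Added example, assumed IOS syntax. 2001:db8::/32 is the documentation prefix.
ipv6 unicast-routing
!
interface GigabitEthernet0/1
 description 802.1Q trunk carrying all data-centre VLANs
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10 - one /64 per L2 broadcast domain
 encapsulation dot1Q 10
 ipv6 address 2001:db8:0:10::1/64
 ipv6 nd ra interval 60
!
interface GigabitEthernet0/1.20
 description VLAN 20
 encapsulation dot1Q 20
 ipv6 address 2001:db8:0:20::1/64
 ipv6 nd ra interval 60
!
! On the access switch: drop router advertisements arriving from host ports,
! so a misconfigured or malicious host cannot hijack the VLAN's default route.
interface range GigabitEthernet1/0/1 - 48
 switchport access vlan 10
 ipv6 nd raguard
```

Configuring an IPv6 address on an IOS interface starts RA on it by default; the interval line is the "to taste" part. Existing v4 traffic on the VLANs is untouched, which matches the post's observation that adding v6 did no harm to v4.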


Re: sober.z to hit tomorrow

2006-01-05 Thread Wil Schultz


FYI: I've set some traps on our DNS servers, dunno exactly what this
means but I thought that I should share:


Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX


These are the only two logs I have at this point. And I don't recall any
other Sober searching for an email server.


-Wil

Wil Schultz wrote:

> Wouldn't it be fun if it contained the WMF exploit in some form?
> So, I'm planning on using swatch to monitor DNS requests for the known
> affected domains. What is everyone else planning to do?
>
>
> -Wil







[Fwd: Re: sober.z to hit tomorrow]

2006-01-05 Thread Wil Schultz


Here is some more interesting information. I'm not positive this is
Sober.Z related but it's walking like and talking like a duck.


First I see the below DNS requests; shortly after I see many SMTP
packets hitting Hotmail, AOL, Yahoo.com, Yahoo.co.uk, Prodigy, etc.
Looks like it's... Sending SPAM?!?!
This I didn't expect at all; here is a trace from one of the known
infected users:


###

###

Wil Schultz wrote:

> FYI: I've set some traps on our DNS servers, dunno exactly what this
> means but I thought that I should share:
>
>
> Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
> Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX
>
>
> These are the only two logs I have at this point. And I don't recall
> any other Sober searching for an email server.
>
>
> -Wil
>
> Wil Schultz wrote:
>
> > Wouldn't it be fun if it contained the WMF exploit in some form?
> > So, I'm planning on using swatch to monitor DNS requests for the
> > known affected domains. What is everyone else planning to do?
> >
> >
> > -Wil
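Wil's plan of watching the resolver's query log for the worm's domains, and the two named log lines he posted, are enough to write the matching rule down properly. The following is an added example for this page, not Wil's swatch configuration: it parses BIND query-log lines of the shape shown above, flags MX lookups for a watch list (the two domains from the post), and counts flagged lookups per client so the hosts worth pulling off the network surface first. The watch list is taken from the posted lines only; the three extra log lines and the 192.0.2.x client addresses are constructed here so the filter has both a benign lookup and a second client to separate.

```python
import re
from collections import Counter

# Watch list: the two domains that appear in the posted log lines. In practice
# this would be loaded from the worm write-up's full domain list.
WATCH_DOMAINS = {"arcor.de", "freenet.de"}

# BIND query-log line as posted. The client address was redacted by the poster
# as X.X.X.X, so the client field accepts anything up to the '#port' suffix.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"named\[(?P<pid>\d+)\]: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Sample input: the two posted lines (re-joined), plus three constructed lines:
# an ordinary A lookup, a second client hitting a watched domain, and an A (not
# MX) lookup of a watched domain, which the MX rule should leave alone.
SAMPLE_LOG = """\
Jan  5 18:41:09 myServer named[24490]: client X.X.X.X#1192: query: arcor.de IN MX
Jan  5 18:45:48 myServer named[24490]: client X.X.X.X#1034: query: freenet.de IN MX
Jan  5 18:46:02 myServer named[24490]: client 192.0.2.10#1055: query: www.example.com IN A
Jan  5 18:47:30 myServer named[24490]: client 192.0.2.10#1061: query: freenet.de IN MX
Jan  5 18:48:11 myServer named[24490]: client 192.0.2.77#1100: query: arcor.de IN A
"""


def parse_query_log(text: str) -> list:
    """Turn query-log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def watched_mx_lookups(entries: list, watch=WATCH_DOMAINS) -> list:
    """The swatch rule: MX lookups for a watched domain (trailing dot, case ignored)."""
    return [e for e in entries
            if e["qtype"] == "MX" and e["qname"].rstrip(".").lower() in watch]


def clients_to_investigate(hits: list) -> list:
    """(client, count) pairs, noisiest first, for the incident hand-off."""
    return Counter(e["client"] for e in hits).most_common()


if __name__ == "__main__":
    hits = watched_mx_lookups(parse_query_log(SAMPLE_LOG))
    for e in hits:
        print(f"{e['ts']} {e['client']} looked up MX for {e['qname']}")
    print("clients to investigate:", clients_to_investigate(hits))
```

Matching on query type as well as name is what keeps the rule quiet: a workstation resolving `arcor.de` for a web visit asks for an A record, while a mass-mailer looking for somewhere to deliver asks for MX, which is exactly the behaviour Wil saw and did not recall from earlier Sober variants.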