Re: WMF patch

2006-01-05 Thread Robert Boyle


At 12:54 PM 1/5/2006, you wrote:
Thanks Thomas, something really useful. One thing I am still curious 
about: I read that there were other image formats that can be used in an 
exploit; GIF, .BMP, .JPG, .TIF can also be used, according to 
F-Secure. I find this a little confusing: if that dll only deals 
with the WMF file type then the exploit must not be directly connected 
with that dll. Or does that dll handle all of those as well?


But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp

Which makes sense. The way a lot of things I have been seeing go on 
about this they act like WMF is the only format of issue and that 
obviously is not at all true. I would have more likely ignored this 
if it really was only WMF files and the MS patch a week or so away.


I believe Windows uses the file header/descriptor data as well as or 
instead of the extension to know how to handle images. Otherwise, 
simply renaming/blocking all WMF files would result in an effective 
mitigation method.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
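Robert's point above, that Windows dispatches on the file's header rather than its extension, is why renaming or blocking "*.wmf" is not an effective mitigation, and it implies the check a mail gateway or file scanner actually needs: identify WMF content by its header bytes regardless of the file name. The Python below is an added example and is not code from this thread or from any of its posters. The sample files are constructed byte strings (headers only, not real images). The placeable-WMF key 0x9AC6CDD7 and the structural check on the standard META_HEADER (type 1 or 2, header size of 9 words, version 0x0100 or 0x0300) are the documented format fields; the structural check is a heuristic on six bytes and can produce false positives on arbitrary binary data, so a production scanner would combine it with the full record parse.

```python
import struct

# Placeable (Aldus) WMF files begin with the 32-bit key 0x9AC6CDD7 stored
# little-endian. Standard WMF files have no magic string at all; their
# 18-byte META_HEADER is checked structurally in is_wmf() below.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"

# Magic prefixes for the other formats F-Secure was quoted as listing.
MAGIC_PREFIXES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
    "jpg": (b"\xff\xd8\xff",),
    "tif": (b"II*\x00", b"MM\x00*"),
}

# Extension aliases so "scan.tiff" and "scan.tif" are compared the same way.
EXT_ALIASES = {"jpeg": "jpg", "tiff": "tif"}


def is_wmf(data: bytes) -> bool:
    """True if the bytes look like a WMF file, whatever the file is named."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) < 18:  # META_HEADER is 18 bytes; anything shorter cannot be one
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data, 0)
    # Type: 1 = memory metafile, 2 = disk metafile. HeaderSize is 9 words.
    # Version is 0x0100 (Windows 1.x) or 0x0300 (Windows 3.x). Heuristic only.
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def sniff_image_type(data: bytes):
    """Return the format the header bytes indicate, or None if unrecognised."""
    if is_wmf(data):
        return "wmf"
    for name, prefixes in MAGIC_PREFIXES.items():
        if any(data.startswith(p) for p in prefixes):
            return name
    return None


def classify(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are."""
    base = filename.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    ext = EXT_ALIASES.get(ext, ext)
    actual = sniff_image_type(data)
    return {
        "name": filename,
        "extension": ext,
        "actual": actual,
        "is_wmf": actual == "wmf",
        "mismatch": actual is not None and actual != ext,
    }


# Constructed samples: header bytes plus zero padding, not real images.
SAMPLES = {
    "holiday.jpg": PLACEABLE_WMF_KEY + b"\x00" * 40,                 # WMF renamed to .jpg
    "notes.txt": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,   # standard WMF, wrong ext
    "logo.gif": b"GIF89a" + b"\x00" * 20,
    "scan.tiff": b"II*\x00" + b"\x00" * 20,
    "chart.wmf": b"\xff\xd8\xff\xe0" + b"\x00" * 20,                 # JPEG named .wmf
    "readme.txt": b"plain text, nothing to render here",
}


def scan(samples=SAMPLES):
    """Names a header-based policy would stop: any file whose bytes are WMF,
    plus any file whose content disagrees with its extension."""
    flagged = []
    for name, data in samples.items():
        info = classify(name, data)
        if info["is_wmf"] or info["mismatch"]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
    print("flagged:", scan())
```

Running the block flags "holiday.jpg" and "notes.txt" (WMF bytes under a harmless name) and "chart.wmf" (name and content disagree), while the genuine GIF and TIFF pass; an extension-only filter would have let the first two through and blocked only the harmless JPEG.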



Re: WMF patch

2006-01-05 Thread Eric Frazier


At 01:40 AM 1/5/2006, Thomas Kuehling wrote:

Hi Eric

On Wednesday, 04.01.2006, 08:14 -0800, Eric Frazier wrote:
> Hi,
>
> I finally decided this was serious enough to do something about it sooner
> than the MS patch, but while this seems to be the official link to the SANS
> patch http://isc1.sans.org/diary.php?storyid=1010
> it also is timing out. I have seen a couple of other links from googling to
> people who have "repackaged" this, but I really don't want to download
> something that doesn't match the SANS MD5..
>
> Any links or suggestions?

perhaps it is outdated, but as a workaround, it would be enough to
unregister the DLL which handles WMF:

on the Start menu, choose Run, type
"regsvr32 -u %windir%\system32\shimgvw.dll", and then click OK.

For more details, visit this link:
http://www.frsirt.com/english/advisories/2005/3086



Thanks Thomas, something really useful. One thing I am still curious about: 
I read that there were other image formats that can be used in an exploit; GIF, 
.BMP, .JPG, .TIF can also be used, according to F-Secure. I find this a 
little confusing: if that dll only deals with the WMF file type then the 
exploit must not be directly connected with that dll. Or does that dll 
handle all of those as well?


But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp

Which makes sense. The way a lot of things I have been seeing go on about 
this they act like WMF is the only format of issue and that obviously is 
not at all true. I would have more likely ignored this if it really was 
only WMF files and the MS patch a week or so away.



Thanks,

Eric




Kind regards
Thomas Kühling

--
Mapsolute Gmbh - Techn. Administration - TK2325-RIPE




Re: [ok] Re: WMF patch

2006-01-05 Thread william(at)elan.net



On Wed, 4 Jan 2006, Fred Heutte wrote:


My observation had more to do with the posturing of the "security"
vendors (anti-virus, firewall, IDS, etc.) and the broad range of
highly important experts who are all clamoring for attention on
this and on all the other everyday security issues out there.
There is certainly a need for security services and products and
activities, but I am just not enamored of the "security mindset."
This is just a part of what our job is so let's get on with it.

And if we can convince the PHBs that moving off of Windows is
(1) feasible, which is obvious; (2) manageable for them, which is
not so clear, so much the better.  I've broken my hammer pounding
this particular nail, so having failed at moving management away
from Windows, I moved myself away from management.


You do of course realize that there is an entire industry and quite a
number of vendors whose main products involve fixing bugs, closing
holes and providing timely updates for that insecure and buggy OS.
If the OS was not like that, the industry would be much smaller, as
would the job area that involves security and other associated OS
maintenance activity. Notice also that most managers do come from
the MS world and they see this all as quite normal after many years.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: WMF patch

2006-01-05 Thread Alexander Harrowell
Indeed. It's the security equivalent of "the market can stay irrational
longer than you can stay solvent" - perhaps we could reformulate that
as "the users can remain clueless longer than your business can survive
the DDOS"

On 1/5/06, Stephane Bortzmeyer <[EMAIL PROTECTED]> wrote:

On Wed, Jan 04, 2006 at 05:58:16PM -0500, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote a message of 46 lines which said:

> How many times do you propose we FTDT before we get fed up and ask
> upper management to authorize a migration to some other software
> with a better record? And how many more FTDT's do we need to
> tolerate while we wait for upper management to authorize a
> migration?

There is no limit to what human beings can stand before becoming
reasonable. That is human nature and the engineers' rationality is no
match for it.

Think about religion, for instance. A lot of people still believe in a
supernatural being despite a very bad track record (much worse than
MS-Windows').


Re: WMF patch

2006-01-05 Thread Stephane Bortzmeyer

On Wed, Jan 04, 2006 at 05:58:16PM -0500,
 [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote 
 a message of 46 lines which said:

> How many times do you propose we FTDT before we get fed up and ask
> upper management to authorize a migration to some other software
> with a better record? And how many more FTDT's do we need to
> tolerate while we wait for upper management to authorize a
> migration?

There is no limit to what human beings can stand before becoming
reasonable. That is human nature and the engineers' rationality is no
match for it.

Think about religion, for instance. A lot of people still believe in a
supernatural being despite a very bad track record (much worse than
MS-Windows').
 


Re: WMF patch

2006-01-04 Thread Martin Hannigan

> 
> 
> Martin Hannigan quoth:
> 
>   Internet security problems at large haven't even reached the break
>   of dawn yet. Wait until every phone, toaster, baby intensive care
>   sensor, and car is hooked up.
> 
> Indeed, depending on how you look at it, Vint Cerf's formulation,
> "IP on everything," is either a promise or a threat.  Maybe both.
> 
> http://content.answers.com/main/content/img/CDE/_IPONEV.GIF

Of course you know that this is Vint Cerf and it is clearly something
he would never do.

> http://old-www.nersc.gov/aboutnersc/presentations/future/sld061.htm
> 
> OK, now I'll shut up.

Thanks. I was being serious. Internet security isn't a joke at anyone's
expense anymore. I'd like to think that everyone is thinking about the
future of the Internet. 

I think this is an interesting argument _for_ full disclosure even
though it's being cast as a debacle.

-M<


Re: WMF patch

2006-01-04 Thread Fred Heutte

Martin Hannigan quoth:

  Internet security problems at large haven't even reached the break
  of dawn yet. Wait until every phone, toaster, baby intensive care
  sensor, and car is hooked up.

Indeed, depending on how you look at it, Vint Cerf's formulation,
"IP on everything," is either a promise or a threat.  Maybe both.

http://content.answers.com/main/content/img/CDE/_IPONEV.GIF

http://old-www.nersc.gov/aboutnersc/presentations/future/sld061.htm

OK, now I'll shut up.

Fred




Re: [ok] Re: WMF patch

2006-01-04 Thread Martin Hannigan

> I understand the frustration Valdis has with the Microsoft situation.
> I've done my share of patching and updating and crawling under
> desks and wrestling with Exchange Server and all the rest,
> and fortunately (for my sanity) I'm not managing a few dozen
> M$ desktops anymore.  
> 
> My observation had more to do with the posturing of the "security" 
> vendors (anti-virus, firewall, IDS, etc.) and the broad range of 
> highly important experts who are all clamoring for attention on 

All the markets are up. Almost all the security companies are down.
Outbreaks cost money. They suck up resources. 

How are the ISP's that are competing on TV as secure networks
faring on this? Are their customers calling their call centers?

> this and on all the other everyday security issues out there.  
> There is certainly a need for security services and products and 
> activities, but I am just not enamored of the "security mindset."  
> This is just a part of what our job is so let's get on with it.  
> 
> And if we can convince the PHBs that moving off of Windows is 
> (1) feasible, which is obvious; (2) manageable for them, which is 
> not so clear, so much the better.  I've broken my hammer pounding
> this particular nail, so having failed at moving management away
> from Windows, I moved myself away from management.  

Realistically, it's irrelevant. MS is their target because of marketshare.
The next market leader will be subject to the same effort. How many 
times have you heard of SGI having massive security flaws exploited
endangering the Internet? They do, but they aren't that big a slice
of the pie so the effort is less worthwhile and profitable. 

The 30 PC network of unmanaged machines is a far bigger 
problem. Let's pray that they get a zombie and they get
on someone's botnet report so they can get fixed. The hammer
seems to kinda sorta work these days.

SP's have had a hand here. Back in the trumpet winsock days
we were screaming for ease of use so our support costs would go
down. Well, they did it. And the end users loved it. It can't be
just taken away. 

Internet security problems at large haven't even reached the break
of dawn yet. Wait until every phone, toaster, baby intensive care
sensor, and car is hooked up.

-M<




Re: [ok] Re: WMF patch

2006-01-04 Thread Brandon Butterworth

> And if we can convince the PHBs that moving off of Windows is 
> (1) feasible, which is obvious; (2) manageable for them

(3) they won't end up like Peter Quinn

http://www.theregister.co.uk/2005/12/29/mass_odf_cio/


brandon


Large-Scale Manageability [Was: Re: [ok] Re: WMF patch]

2006-01-04 Thread Fergie

A few dozen?

Try >10,000. Or 20,000. Or more.

Believe me -- I am glad I'm a network plumber -- I don't envy
the administrative job of managing an enterprise boat-load of MS
desktops -- it's a nightmare. But it would perhaps be more of a
nightmare if they were not MS.

I've seen the scope firsthand, and I respect those folks immensely.

The problems here are many, and needless to say, we shouldn't
be trying to re-hash the debate on the appropriate desktop
enterprise OS, etc. -- that's a dead-end.

What _is_ handy is that there are nice tools available to roll
out patches to each end-system in a manageable fashion.

Now -- if only the patch were available...  :-)

And keeping users from surfing the web and _not_ clicking on
exploit web pages is an exercise left for the reader (without being
a network nazi)...

- ferg

-- Fred Heutte <[EMAIL PROTECTED]> wrote:

I understand the frustration Valdis has with the Microsoft situation.
I've done my share of patching and updating and crawling under
desks and wrestling with Exchange Server and all the rest,
and fortunately (for my sanity) I'm not managing a few dozen
M$ desktops anymore.  

My observation had more to do with the posturing of the "security" 
vendors (anti-virus, firewall, IDS, etc.) and the broad range of 
highly important experts who are all clamoring for attention on 
this and on all the other everyday security issues out there.  
There is certainly a need for security services and products and 
activities, but I am just not enamored of the "security mindset."  
This is just a part of what our job is so let's get on with it.  

And if we can convince the PHBs that moving off of Windows is 
(1) feasible, which is obvious; (2) manageable for them, which is 
not so clear, so much the better.  I've broken my hammer pounding
this particular nail, so having failed at moving management away
from Windows, I moved myself away from management.  

Fred   


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [ok] Re: WMF patch

2006-01-04 Thread Fred Heutte

I understand the frustration Valdis has with the Microsoft situation.
I've done my share of patching and updating and crawling under
desks and wrestling with Exchange Server and all the rest,
and fortunately (for my sanity) I'm not managing a few dozen
M$ desktops anymore.

My observation had more to do with the posturing of the "security"
vendors (anti-virus, firewall, IDS, etc.) and the broad range of
highly important experts who are all clamoring for attention on
this and on all the other everyday security issues out there.
There is certainly a need for security services and products and
activities, but I am just not enamored of the "security mindset."
This is just a part of what our job is so let's get on with it. 

And if we can convince the PHBs that moving off of Windows is
(1) feasible, which is obvious; (2) manageable for them, which is
not so clear, so much the better.  I've broken my hammer pounding
this particular nail, so having failed at moving management away
from Windows, I moved myself away from management.

Fred



Re: WMF patch

2006-01-04 Thread Valdis . Kletnieks
On Wed, 04 Jan 2006 13:36:53 PST, Fred Heutte said:

> In my reading this is a serious vulnerability, but the self-
> inflating agitation in the "security community" has reached 
> a highly annoying level.  I'm in the FTDT (fix the damn thing)
> school; let's deal with it and get on with it.  Every cycle spent 
> moaning about the faults of Microsoft is a lost opportunity 
> for something more productive.

How many times do you propose we FTDT before we get fed up and ask upper
management to authorize a migration to some other software with a better
record? And how many more FTDT's do we need to tolerate while we wait for
upper management to authorize a migration?

Or to put it differently - if you discovered that your router vendor was
vulnerable because they had a proprietary BGP extension *designed* to deliver
arbitrary code for execution, would you FTDT, or would you be on the phone
with your vendor venting your outrage?  And what if it wasn't the first, but
more like the 10th year in a row that a similar design issue had surfaced?

Would you still just FTDT?

And while you're trying to figure out how to roll out a patch to 200 routers
that are totally under your control, keep in mind that a *small* organization
can have 30K PCs, not always totally managed.

Still feel like just FTDT?





RE: WMF patch

2006-01-04 Thread Fred Heutte

More info.  This seems pretty reasonable:

http://castlecops.com/a6445-WMF_Exploit_FAQ.html

Steve Gibson is also mirroring Guilfanov's bypass, and says
Microsoft's cryptographically signed but unreleased patch
is floating around the net now:

http://www.grc.com/sn/notes-020.htm

In my reading this is a serious vulnerability, but the self-
inflating agitation in the "security community" has reached
a highly annoying level.  I'm in the FTDT (fix the damn thing)
school; let's deal with it and get on with it.  Every cycle spent
moaning about the faults of Microsoft is a lost opportunity
for something more productive.

Back to /usr/lurk . . .

regards,

Fred

-
>
>On Wed, 4 Jan 2006, Brance Amussen wrote:
>
>>
>> Howdy,
>> Here is the link to the unofficial patches creators site.
>> http://www.hexblog.com/ This is the one sans links to.
>> Sans seems to be having a hard day.. No Dshield mailings today either..
>> Isc.sans.org is sporadic as well..
>
>According to isc.sans.org, hexblog.com was down due to bandwidth issues
>earlier. See the isc.sans.org homepage for details on alternate ways to
>get to it.
>



RE: WMF patch

2006-01-04 Thread Sean Donelan

On Wed, 4 Jan 2006, Fergie wrote:
> Ilfak's server was overwhelmed -- the temporary 'path' is
> not being hosted by CastleCops:
>
>  http://www.castlecops.com/forums.html


Just explain to your users the difference between clicking on links on the
site and other "fix your PC" links on the page which are advertisements and
may or may not be as reputable depending on who buys the links tomorrow.




RE: WMF patch

2006-01-04 Thread Randy Bush

not true

since we're educating folk who don't read all the standard security lists
and blogs, ...

from sans some hours ago

Ilfak's site is back, reduced to the bare minimum as it had very
high load. If you still can't reach it, it's possible that there is
some caching between you/your ISP/Ilfak's site.

Thanks to Alexander H for pointing out that, due to changes on
Ilfak's site, URLs from old diary entries don't work
anymore. You can go to the main web page,
http://www.hexblog.com to access Ilfak's files.

Just one more update - if you can't access the site, the main
reason is that your DNS server(s) still don't have the updated
(new) DNS entries. Ilfak changed IP address of his site so it
will take a while for this to propagate. The new IP address is
216.227.222.95, and you can reach the site by going to
http://216.227.222.95.

randy



RE: WMF patch

2006-01-04 Thread Fergie

Ilfak's server was overwhelmed -- the temporary 'path' is
not being hosted by CastleCops:

 http://www.castlecops.com/forums.html

- ferg


-- Steve Sobol <[EMAIL PROTECTED]> wrote:

On Wed, 4 Jan 2006, Brance Amussen wrote:

> 
> Howdy, 
> Here is the link to the unofficial patches creators site.
> http://www.hexblog.com/ This is the one sans links to. 
> Sans seems to be having a hard day.. No Dshield mailings today either..
> Isc.sans.org is sporadic as well.. 

According to isc.sans.org, hexblog.com was down due to bandwidth issues 
earlier. See the isc.sans.org homepage for details on alternate ways to 
get to it.

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: WMF patch

2006-01-04 Thread Steve Sobol

On Wed, 4 Jan 2006, Brance Amussen wrote:

> 
> Howdy, 
> Here is the link to the unofficial patches creators site.
> http://www.hexblog.com/ This is the one sans links to. 
> Sans seems to be having a hard day.. No Dshield mailings today either..
> Isc.sans.org is sporadic as well.. 

According to isc.sans.org, hexblog.com was down due to bandwidth issues 
earlier. See the isc.sans.org homepage for details on alternate ways to 
get to it.

-- 
Steve Sobol, Professional Geek   888-480-4638   PGP: 0xE3AE35ED
Company website: http://JustThe.net/
Personal blog, resume, portfolio: http://SteveSobol.com/
E: [EMAIL PROTECTED] Snail: 22674 Motnocab Road, Apple Valley, CA 92307




RE: WMF patch

2006-01-04 Thread Brance Amussen

Howdy, 
Here is the link to the unofficial patches creators site.
http://www.hexblog.com/ This is the one sans links to. 
Sans seems to be having a hard day.. No Dshield mailings today either..
Isc.sans.org is sporadic as well.. 

Brance :)_S
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Frazier
Sent: Wednesday, January 04, 2006 11:15 AM
To: [EMAIL PROTECTED]
Subject: WMF patch


Hi,

I finally decided this was serious enough to do something about it sooner
than the MS patch, but while this seems to be the official link to the SANS
patch http://isc1.sans.org/diary.php?storyid=1010
it also is timing out. I have seen a couple of other links from googling to
people who have "repackaged" this, but I really don't want to download
something that doesn't match the SANS MD5..

Any links or suggestions?

Thanks,

Eric