Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog



Musings and More WMF Information

Published: 2005-12-30
Last Updated: 2005-12-30 20:10:48 UTC
by Scott Fendley (Version: 1)

Websense released some more information about their investigation into website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work.

As a side note, I am quite thankful that most universities and K-12 schools are still on holiday until next week. This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations. *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.

The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary bandaid. What we need is a patch and we need it quick.
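To illustrate point 1 of the summary, here is an added example (not part of the original diary or the reader's note) of a gateway-side check that recognizes WMF data by its header instead of its file name. The function names and the sample files are constructed for illustration; the header fields follow the published WMF format, and the check is a heuristic on the first bytes only.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable header
PLACEABLE_LEN = 22
STD_HEADER_LEN = 18          # standard metafile header is 9 words


def _std_header(buf: bytes) -> bool:
    """Check type, header size and version of a standard WMF header."""
    if len(buf) < STD_HEADER_LEN:
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def is_wmf(buf: bytes) -> bool:
    """Classify by content only; the file name is never consulted."""
    if len(buf) >= 4 and struct.unpack_from("<I", buf, 0)[0] == PLACEABLE_KEY:
        return _std_header(buf[PLACEABLE_LEN:])
    return _std_header(buf)


def wmf_by_content(files: dict) -> list:
    """Names of all files whose bytes look like WMF."""
    return sorted(n for n, data in files.items() if is_wmf(data))


def missed_by_extension_filter(files: dict, blocked=(".wmf",)) -> list:
    """WMF content that a filter keyed on file extension would let through."""
    return [n for n in wmf_by_content(files)
            if not n.lower().endswith(tuple(blocked))]


# Constructed sample inputs: headers only, no drawing records.
_STD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
_PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
SAMPLES = {
    "chart.wmf": _STD,
    "holiday.jpg": _PLACEABLE + _STD,               # WMF bytes, .jpg name
    "logo.gif": _STD,                               # WMF bytes, .gif name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # JPEG magic
}

if __name__ == "__main__":
    print("WMF by content:", wmf_by_content(SAMPLES))
    print("Missed by extension filter:", missed_by_extension_filter(SAMPLES))
```
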


--
Scott Fendley
Handler on Duty

