
SANS ISC: InfoSec Handlers Diary Blog


Trustworthy Computing

Published: 2006-01-01
Last Updated: 2006-01-01 17:58:01 UTC
by Tom Liston (Version: 1)
Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad.  It is very, very bad.

We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it.  Now we're going to expend some of that hard-earned trust:

This is a bad situation that will only get worse.  The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch.  You need to trust us.
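The workaround the diary recommends, unregistering shimgvw.dll, as an added PowerShell script that is not from the ISC or from the diary; with -Revert it re-registers the DLL so the change can be undone. It assumes an elevated session and the DLL at its default %windir%\system32 location.

```powershell
# Added example: unregister (or, with -Revert, re-register) the Windows Picture
# and Fax Viewer DLL shimgvw.dll, the workaround the diary recommends.
# Assumes an elevated PowerShell session and the DLL in the default System32 path.
param([switch]$Revert)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) {
    throw "shimgvw.dll not found at $dll"
}

# Refuse to run without administrative rights; with /s regsvr32 would fail silently.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) session.' }

# /s suppresses the dialog box; /u unregisters. A non-zero exit code means failure.
$regArgs = if ($Revert) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }
$p = Start-Process -FilePath regsvr32.exe -ArgumentList $regArgs -Wait -PassThru -NoNewWindow
if ($p.ExitCode -ne 0) {
    throw "regsvr32 exited with code $($p.ExitCode)"
}

$action = if ($Revert) { 're-registered' } else { 'unregistered' }
Write-Output "$dll $action successfully."
```

On 64-bit Windows a second, 32-bit copy of the DLL lives under SysWOW64 and needs the same treatment.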

Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes.  We've done our best to keep you informed and to tell it like it is.  Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.

On December 31st, we received word that a "new and improved" version of the WMF exploit had been published.  This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures.  Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.

And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created.  Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.

I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated.  As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC.  He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch.  It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.

The word from Redmond isn't encouraging.  We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.

The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.

It's time for some real trustworthy computing.  All we're asking is whether we've proved ourselves worthy of your trust.