
SANS ISC: InfoSec Handlers Diary Blog - WMF: patches and workarounds explained



WMF: patches and workarounds explained

Published: 2006-01-03
Last Updated: 2006-01-04 10:47:18 UTC
by Swa Frantzen (Version: 1)
We continue to get many questions on the WMF vulnerability, and are trying to explain it a bit more graphically.

Feel free to use the presentations below to explain why you need to use the unofficial patch, or how it works at a high level.
To help you answer the "kill" questions:
  • You might not have seen exploits yet because:
    • You are lucky so far: estimates are that up to now 10% of our readers have seen them.
    • The bad guys haven't released their worst (yet), but we know they have the tools and means to create it and we expect them to do so well enough before the official patches are released next week.
    • Your detection might be insufficient or failing, so you would not know.
      (Especially if the attack is subtle in its first phase: it is designed to be very hard for anti-virus and IDS/IPS systems to detect.)
    • We were told of McAfee reporting a 6% infection rate at their customers on New Year's Eve already.
    But when you do see the exploits, it will be too late. So act now and be prepared for the coming storm.
  • The Internet Storm Center knows of quite a few government and larger organisations that did roll out the unofficial patch, so your "peers" might very well be doing the right thing already.
  • The usual precautions, such as telling the users not to click or surf to bad sites, updating anti-virus signatures, filtering email, ... will help just like a drop of water helps to fill a bucket. It's just not good enough by far.
    • No user interaction is required. This is one of those where the user is a sitting duck, not the offender.
    • Many anti-virus signatures still trigger on the payload rather than on the call in the WMF itself, so you may get a working signature only after you have been hit. This is more painful if you are unlucky enough to get hit early.
    • IDS/IPS can be easily bypassed by using off-the-shelf tools already available to the bad guys.
    • Firewalls will not prevent filesharing once the files are inside.
    • ...
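To illustrate the point above about signatures matching the payload rather than the call inside the WMF file, here is an added example (written for this diary, not a tool from the Internet Storm Center or any vendor): a scanner that walks the metafile record stream and flags any Escape record invoking SETABORTPROC, the escape abused by this vulnerability, no matter what data follows it. Record layout and constants follow the public WMF format; the two sample files are constructed fixtures, not real images.

```python
import struct

# Record constants from the public MS-WMF specification.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header
META_HEADER_LEN = 18           # fixed METAHEADER size in bytes
META_ESCAPE = 0x0626           # RecordFunction of an Escape record
META_EOF = 0x0000
SETABORTPROC = 0x0009          # printer-only escape; never needed inside an image file

def find_setabortproc(data: bytes):
    """Walk the record stream and return (offset, byte_count) for every Escape
    record carrying SETABORTPROC. A truncated or zero-length record is reported
    as (offset, -1): a file that does not parse cleanly is not trusted either."""
    hits = []
    pos = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < pos + META_HEADER_LEN:
        return [(pos, -1)]
    pos += META_HEADER_LEN
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)  # size is in 16-bit words
        rec_len = size_words * 2
        if func == META_EOF:
            break
        if rec_len < 6 or pos + rec_len > len(data):
            hits.append((pos, -1))
            break
        if func == META_ESCAPE and rec_len >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if esc_func == SETABORTPROC:
                hits.append((pos, byte_count))
        pos += rec_len
    return hits

def _record(func: int, payload: bytes) -> bytes:
    """Encode one record: size in 16-bit words, function code, payload (even length)."""
    return struct.pack("<IH", (6 + len(payload)) // 2, func) + payload

def build_wmf(records: list) -> bytes:
    """Constructed test fixture: a minimal disk-type metafile wrapping the given records."""
    body = b"".join(records) + _record(META_EOF, b"")
    max_words = max(len(r) for r in records + [_record(META_EOF, b"")]) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (META_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body

BENIGN_WMF = build_wmf([_record(0x020B, struct.pack("<hh", 0, 0))])  # META_SETWINDOWORG only
SUSPECT_WMF = build_wmf([
    _record(0x020B, struct.pack("<hh", 0, 0)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4),  # inert zero bytes as escape data
])
```

Because the match is on the escape record rather than on whatever follows it, the same check fires whether the escape data is zeros, a known payload, or something no signature has seen yet.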

In addition to this, please do distinguish between a vulnerability and the lack of an exploit.
  • One working exploit proves a vulnerability.
  • Many non-functional exploits prove nothing about the absence of a vulnerability.

--
Swa Frantzen