  #4  
01-05-2006, 02:34 AM
R. McCarty
Re: What is everyone doing about this security flaw til 1/10/06

Depends, most AV providers have some level of protection. For those
that want an immediate "Fix", there is the .Msi based patch posted by
SANS/ISC and supposedly tested/verified.
http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi

It's a judgment call. The "Official" patch will appear on Microsoft's
normal patch Tuesday (January 10th). Users can either Unregister the
module or use the .Msi posted above.


"dblues" <dblues@discussions.microsoft.com> wrote in message
news:C4E2B543-C7A3-4240-A8E6-5E61E614C405@microsoft.com...
> NEW YORK (Dow Jones)--Microsoft Corp. (MSFT) plans to release a patch for a
> new security flaw at its next scheduled update release on Jan. 10, leaving
> users largely unprotected until then from a rapidly spreading computer virus
> strain.
>
> "Microsoft's delay is inexcusable," said Alan Paller, director of research
> at computer security group SANS Institute. "There's no excuse other than
> incompetence and negligence."
>
> "It's a problem that there's no known solution from Microsoft," said Alfred
> Huger, senior director of engineering at Symantec Corp.'s (SYMC) security
> response team.
>
> SANS Institute, via its Internet Storm Center, has taken the unusual step of
> releasing its own patch for the problem until a Microsoft-approved fix is
> available. "It's not something we like to do," said Paller.
>
> The Internet Storm Center, which tracks viruses and other outbreaks on the
> Web, increased the threat level to "yellow" - a warning that means a
> significant new threat is developing.
>
> Microsoft said evaluation and testing affect the timing of security patches.
> "Creating security updates that effectively fix vulnerabilities is an
> extensive process. There are many factors that impact the length of time
> between the discovery of a vulnerability and the release of a security
> update," Microsoft said in a security advisory on its Web site.
>
> "Quality is the gating factor," said a Microsoft spokeswoman. The company
> views the issue as "serious," but believes that "the scope of the attacks is
> not widespread," she added.
>
> The attack is the latest to hit Microsoft, despite redoubled efforts to
> respond to security threats. With more than 90% of personal computers running
> Windows, it represents the biggest target for hackers.
>
> The virus began spreading last week, as hackers took advantage of a
> previously unknown flaw in Windows Meta File code in what is known as a
> "zero-day attack."
>
> The small amount of code in the virus can call down other programs that
> could install spyware to steal personal data or turn a system into a "bot" (a
> computer controlled by hackers).
>
> "The flaw is fairly significant in terms of its reach," said Alain Sergile,
> product manager at Internet Security Systems Inc.'s (ISSX) X-Force threat
> analysis service.
>
> The bug was found in current server and desktop versions of Windows and is
> considered serious because it requires relatively minor user interaction to
> be unleashed. The virus is carried in picture files and can be triggered if
> an image is viewed in an email or on an infected Web site. It is also being
> distributed through Instant Messenger.
>
> Johannes Ullrich, chief research officer at SANS Institute, said there are
> hundreds of Web sites that carry the infected images, and he's tracking the
> possibility that an online ad service is serving up infected image files. He
> says 5% to 10% of users appear to be infected, "an order of magnitude more
> than other attacks."
>
> Google Inc.'s (GOOG) desktop search tool can also trigger the virus as it
> indexes files on a computer, even if the image hasn't been viewed by the
> user.
>
> The virus takes advantage of the way Windows processes Windows Meta Files,
> or WMF, images. These file types can carry more common .jpg extensions, but
> still carry the malicious code.
>
> Microsoft recommends users unregister a file called shimgvw.dll. "While this
> workaround will not correct the underlying vulnerability, it helps block
> known attack vectors," the software maker says in its security advisory.
>
> Security experts are advising people to turn off preview panes in email
> programs like Outlook and be very careful about what web sites they visit and
> what emails they open.
>
> -By Chris Reiter, Dow Jones Newswires; 201-938-5244;
> chris.reiter@dowjones.com
>


