01-05-2006, 02:12 AM
Jim
Re: WMF Exploit!!! Install this patch now!


"Tom Porterfield" <tpporter@mvps.org> wrote in message
news:e8ziw6HEGHA.140@TK2MSFTNGP12.phx.gbl...
> Jim wrote:
>> Chris,
>>
>> You are acting in an extremely irresponsible manner. This is one of
>> the largest exploits ever to hit the Windows platform (in number of
>> machines affected), and you are telling people to do nothing.
>>
>> The only thing more irresponsible than your post is Microsoft's
>> refusal to take immediate action for such an exploit.

>
> Microsoft is taking action. They have posted an advisory which includes
> steps that can be taken to decrease the likelihood of a system falling
> prey to this vulnerability. A patch has been developed by MS and is now
> in the process of being validated to ensure that it meets their release
> standards. The MS patch has a tentative release date of January 10, 2006,
> one week from today.


One week is a very long time with an exploit like this circulating. Not
only can the exploit be used to take over your PC and execute virtually any
code that the attacker wants... the exploit is so simple that any script
kiddie can do it - and lots of them are.

From Symantec's website.... "It has been reported that the following Web
sites may contain malicious files that trigger the exploit: [...]"

>
> As most AV vendors now guard against any attack of this vulnerability,
> keeping your AV signatures up to date will keep you protected. If, after
> gathering all information on this you feel you are still at risk, then
> installing the patch available on the SANS website will add additional
> protection. Understand though that the SANS patch has not gone through
> the same level of testing that the MS patch will have gone through so has
> the potential of causing problems.


I'd rather be safe than sorry. Some antivirus products have been updated to
catch the 2 variants that appeared at first. But, as I am sure that you are
aware, variants of exploits rarely stop at 2 code variants.

>
> In the past, files have been offered as patches to vulnerabilities that
> were themselves an exploit of some sort. It is always best to be wary of
> patches from any non-verifiable source.


Users should always be wary of executing ANY code on their systems. Only
run code from trusted sources. That is why I gave the SANS link instead of
my company website. SANS is more widely known and has a history of
trustworthiness that a small company like mine has yet to attain.

While I understand your skepticism and applaud your watchful eye for any
code that will run on your system, we should also take any means necessary
to ensure the protection of the masses.

More people than you think do not have up-to-date antivirus protection.
This is not to say that this tool in any way negates the need for such
protection. Rather it is a stop-gap measure that will offer a measure of
protection, to those willing to take advantage of it, until Microsoft is
comfortable releasing their patch.

Thanks for your feedback.

Jim