*
2006/02/08 18:10:50

WMF, Round 3

Advisory 913333 was published yesterday; it is another remote WMF vulnerability (all it takes is getting the user's computer to display the image). This one only affects versions of IE older than 6 on 2000 SP4 or ME, though; IE6 (and thus XP and 2003) isn't affected. My guess is there won't be a patch, as the recommendation is just to download and install IE6. Fun.

As a semi-related note, Advisory 914457 gives another reason to upgrade XP/2003 to the latest service pack.

*
2006/01/24 23:33:05

Nyxem/BlackWorm and the Internet

These things are getting old. We have a week and 3 days to figure this one out. Summary and some other info.

*
2006/01/11 23:40:02

Another backup tape lost in shipping

Bank tape lost with data on 90,000 customers. The lulls between these things are never long enough. Pretty routine story as far as these go, but there's a good quote: "In addition, the tape can't be read without a mainframe and software, according to the bank." Guess they've never heard of regular expressions or used "strings".

*
2006/01/05 17:20:55

WMF patch released early

In case you somehow haven't heard, Microsoft released the WMF patch early rather than waiting until the normal second Tuesday. Those using Windows should probably hit Windows Update to update manually right away rather than waiting for Automatic Updates to get it. Unfortunately it does want a restart. Of course, at least having AU download and notify, if not install, should already be set anyway. Unfortunately it's not considered critical for 98 and ME, so anyone using those OSes has to make do with the third-party one or upgrade to something newer or not Microsoft.

Oh yeah, on the topic of images and exploits, anyone have an ATI video card?

*
2006/01/04 18:52:49

Images and Exploits

I don't know how many people have noticed this because of the WMF stuff, but there are also DoS and code execution vulnerabilities in BES (BlackBerry Enterprise Server) when it handles TIFF and PNG images for the BlackBerrys connected to it. Basically, specially crafted image files get emailed to a BlackBerry and there are issues.

Back on the WMF thing, it looks like email isn't a direct attack vector: one has to click a link in an email. Most people will click links in email without thinking, but at least it's something. That link also mentions no problems with the patch, which is false. There are IE issues and printing issues. The latter is sorta scary, since the vulnerability is linked to printing, so it appears poorly designed/outdated drivers could be broken by a real patch too.

My favorite workaround so far is probably unregistering the DLL as Microsoft suggests, but also changing ACLs to prevent shimgvw.dll from being reloaded.

In other news, a good summary is available from SANS ISC, which mentions that DEP available in XP SP2 could help with the right system. "However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit."

Also, there's an interesting writeup on the whole issue of image file vulnerabilities (which have been found in pretty much every OS in the last year or two, although not as a designed-in feature like WMF).

*
2006/01/02 17:42:40

WMF exploit and risk management

Jesper Johansson, a security guy at Microsoft, has a good analysis (his, not official Microsoft opinion) of the benefits and drawbacks, both technical and procedural, of different ways of dealing with the WMF Exploit before an official patch is available.

*
2006/01/01 14:28:52

To all those using/supporting users of MSN Messenger on Windows

There's now a worm spreading the exploit around on MSN. If you have no clue what I'm talking about, you can read about the exploit. I'm not sure about the worm specifically, but there is some nasty code out there for this. Basically, it takes advantage of Windows looking at the content and not the extension, so it can send the file as a .jpg; it splits the file over the Ethernet MTU (the biggest a single packet can be on the network, 1500 bytes, actually a bit less actual data after IP and TCP headers) so sniffers that don't reassemble streams can't detect it; plus the usual random size/name/method of implementation. This should be a fun one...

Unfortunately Microsoft says the only fix at this point is to unregister a DLL, but the problem is really in GDI and not that one, so if many people do that there'll just be modifications made. Windows users may want to take appropriate action.
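The detection-side counterpart of the MTU-splitting trick above: a sniffer that matches per packet misses a pattern that straddles a segment boundary, while one that reassembles the TCP stream first does not. This is an added illustration, not code from the original post; the file bytes and the "signature" are constructed placeholders, not a real WMF detection pattern.

```python
# Added example: per-packet matching vs. stream reassembly on a payload split
# into Ethernet-MTU-sized TCP segments. All data below is constructed.

MSS = 1460  # 1500-byte MTU minus a 20-byte IP header and a 20-byte TCP header
SIGNATURE = b"PLACEHOLDER-WMF-SIGNATURE"  # constructed stand-in for a real pattern


def segment(payload: bytes, mss: int = MSS) -> list[tuple[int, bytes]]:
    """Split a file into (relative TCP sequence number, data) segments."""
    return [(off, payload[off:off + mss]) for off in range(0, len(payload), mss)]


def per_packet_match(segments: list[tuple[int, bytes]], signature: bytes) -> bool:
    """Naive sniffer: inspects each segment in isolation."""
    return any(signature in data for _, data in segments)


def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """Put segments back in sequence order; refuse gaps or overlaps."""
    stream = bytearray()
    for seq, data in sorted(segments):
        if seq != len(stream):
            raise ValueError(f"gap or overlap at sequence offset {seq}")
        stream += data
    return bytes(stream)


def stream_match(segments: list[tuple[int, bytes]], signature: bytes) -> bool:
    """Stream-aware sniffer: reassembles first, then matches."""
    return signature in reassemble(segments)


def build_sample(signature: bytes = SIGNATURE, mss: int = MSS) -> bytes:
    """Constructed file whose signature straddles the first segment boundary."""
    head = b"\x00" * (mss - len(signature) // 2)
    return head + signature + b"\x00" * 100


if __name__ == "__main__":
    segs = segment(build_sample())
    segs.reverse()  # deliver out of order; reassembly must still cope
    print("segments:", len(segs))
    print("per-packet match:", per_packet_match(segs, SIGNATURE))  # False
    print("stream match:    ", stream_match(segs, SIGNATURE))      # True
```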