
Windows WMF flaw: How to protect against attacks

IGBT


"WMF exploitation has rapidly become a major threat, especially as the work week resumes after a long holiday weekend," iDefense spokesman Ken Dunham said in an e-mail advisory. "The situation is rapidly escalating now with hundreds of hostile sites purported, dozens confirmed, and more from public and private data shared to date. ...Traditionally, any rapid exploitation on a widespread basis within seven days or less has led to a major meta-event."
 
I think this is the biggest Windows exploit that we've seen in a couple of years. It might be good for my business, but, in general, it really sucks. 🙁

I hope that MS patches this REALLY soon.

The only good thing that's come out of it for me is that I've joined my own Domain (finally), and am actually working as a Limited Domain User. (Not that this will prevent the WMF exploit, because it won't). But I'm finding that, in general, I'm getting along OK. I had some severe file permission issues at first, and still hate it that I can't change certain things that I can normally change instantly, but I'm getting along....
Most people (who aren't IT professionals) could probably survive fine, once the file permission bugs are worked out.
 
I hope that MS patches this REALLY soon.
They've already stated they will release a patch for it on Tuesday (the 10th). There are work-arounds available to help mitigate the risk until then.
...and am actually working as a Limited Domain User. (Not that this will prevent the WMF exploit, because it won't)
Actually this is a great way to mitigate the risks; since any exploit would have to run under the security context of the logged-in user, running as a non-admin seriously limits what any malicious code could do.
 
Originally posted by: spyordie007
Actually this is a great way to mitigate the risks; since any exploit would have to run under the security context of the logged-in user, running as a non-admin seriously limits what any malicious code could do.
In general it is, but I believe I read somewhere that in the case of this specific exploit, it runs under the SYSTEM context.

Edit: I apologize. I did read this earlier today, but it turns out the report was false. The WMF exploit runs with current user permissions.
 
This exploit, in its current form is a manual exploit. This means that the only way you can get hit is if someone manages to get you to visit their website or click on their link in an email or IM.

Safe computing habits, up to date antivirus definitions, and running with least privilege will reduce the risk of infection dramatically. The number of reported infections of this exploit is very low. And in the case of large networks, if a machine is infected there is currently no way for it to propagate to the rest of the network.

If you want to install the third-party patch, that is up to you, but I believe it to be an unnecessary risk and a knee-jerk reaction when safe and proven defense in depth security measures are in place.
 
There's another scenario that is worth thinking about. A formerly-safe site that we visit already gets hacked. No luring required, we were already going to go there. Who remembers AnandTech.com getting hacked a couple years ago? Couple million visitors a day... hmmm 🙂 For a concrete example, SANS reports that < irony > a knoppix-std.org server was hacked and dishing out WMF exploits to visitors < / irony >.

Or there's the Bofra incident at The Register. The third-party advertiser got hacked, hence its customer's site turned toxic. Or the report at Sunbelt's blog of wallpapers4u.com's advertising partner switching to exploit-bearing advertisements.

If anyone is interested in seeing or just reading about some firsthand experimentation, I did test the Limited/Restricted-User approach with an actual exploit file, as well as hardware DEP, and lastly a Windows 2000 box, and the write-ups are here if anyone's interested. I'm not a super genius at this stuff, being an ex-bicycle mechanic and a bottom-rung IT drone, but take it FWIW.
 
Or, in the same vein, a site hosting the third-party patch gets hacked. Defense in depth practices still apply, just as they always have. The only difference in this case is that someone wrote a patch, and people are suddenly forgetting how to effectively and safely reduce their risk.

IMO 🙂
 