Educause Security Discussion mailing list archives

Re: Example of WMF Exploit SPAM Targeting Schools?


From: "Barbara Chung (DURTSCHI)" <bchung () MICROSOFT COM>
Date: Fri, 6 Jan 2006 05:17:13 -0800

<lurking here>

Just so you all know, Microsoft is recommending that you apply the patch
immediately. 

Please let me know if there's anything I can help you with.  

Barbara Chung, CISSP, CISM
Security Advisor, Education
Cell:  917-592-0185

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU] 
Sent: Thursday, January 05, 2006 8:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Example of WMF Exploit SPAM Targeting Schools?

H. Morrow Long wrote:

We weren't very happy that Mikko put that particular
email message with our domain name in it on F-Secure's
public weblog.  The sender email address is forged and the
content and name at the bottom are completely fictional.

We received many spam and other complaints -- primarily
from recipients in the UK.

Examination of the email headers revealed that most of the
email messages also originated (surprisingly enough) from
UK ISP IP addresses.

Comcast took the webpage with WMF exploit on it down quickly.


That could easily be any of us. Or worse, all of us. Think about
that message being from security () yourdomain edu. A person
could target a couple individuals at each university and the code
could include an email worm that knows to change the domain
name. Then make the link text read something () yourdomain edu
instead of that playtimepiano thing. We've all seen a lot of worms
in the past that change their domain according to target. I'd bet
under those circumstances the majority of computer operators
that saw such a message would click the link. And under the
present circumstances with the population of XP and 2000
computers running IE out there, we'd all have a BIG problem.


Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560:

"In all cases, however, an attacker would have no way to force
 users to visit these Web sites. Instead, an attacker would have
 to persuade users to visit the Web site, typically by getting
 them to click a link in an e-mail or Instant Messenger request
 that takes users to the attacker's Web site."

Not much of a mitigating factor in my mind. Any halfway decent
social engineering attack would be better than 80% effective
unless everyone was being told "don't click anything because
your computer's security has been completely compromised
by a safety defect" or some other equally politically difficult
drastic measures were in place.


One of our people here received an email message today "from"
another university person containing a rather racy cartoon for
sexual enhancement products. It was sent from Brazil and the
image link was to a site in China. It alarmed me at first because
of the image but it was just business as usual on the Internet.

Happy patching everyone. We've got a more or less
homogeneous platform base and after quickly testing on
a few machines, we went ahead and synchronized our
SUS server and approved it for distribution. Didn't
want to wait for the weekend. I don't think we're out of
the woods on this one yet.

Now to make sure word gets out to the students coming
back this weekend.



Morrow

On Jan 5, 2006, at 5:50 PM, Gary Flynn wrote:

I thought you might find this interesting. I plan to
incorporate it into some awareness presentations as
an example of mildly targeted social engineering:

http://www.f-secure.com/weblog/archives/archive-012006.html#00000768

I seem to remember some other type of virus or fraud
using a similar message in the past regarding campus
vandalism.

It was also interesting that it also tried exploiting Firefox.

http://www.frsirt.com/exploits/20060101.mozilla_compareto.pm.php


-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

