Educause Security Discussion mailing list archives
Re: Example of WMF Exploit SPAM Targetting Schools?
From: David Gillett <gillettdavid () FHDA EDU>
Date: Tue, 10 Jan 2006 09:54:43 -0800
I recall that, a few years back, it was common for Microsoft to downplay IE bugs with this "must get user to visit a suspicious site" argument. And then some hacker crew broke into a hosting company and defaced 500+ legit websites, adding code that exploited some of those vulnerabilities. The notion that users can have any real idea, a priori, about the actual safety of any site is just false.

[On average, I'd agree that some sites are *more likely* than others to be booby-trapped, and that factor may have its place in the policy and "user education" sides of security management. But I don't think it's really useful in assessing the severity of a vulnerability.]

David Gillett
-----Original Message-----
From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
Sent: Monday, January 09, 2006 10:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Example of WMF Exploit SPAM Targetting Schools?

Gary Flynn wrote:
> Mitigating Factors for Graphics Rendering Engine Vulnerability - CVE-2005-4560:
>
> "In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail or Instant Messenger request that takes users to the attacker's Web site."
>
> Not much of a mitigating factor in my mind. Any halfway decent social engineering attack would be better than 80% effective unless everyone was being told "don't click anything because your computer's security has been completely compromised by a safety defect" or some other equally politically difficult drastic measures were in place.

You don't even need that. At the beginning of the attack I set up argus to record the first 100 characters of each outbound session on port 80 and then examined the URLs whose downloads triggered my snort rules. The most persistent source addresses were in 85.255.112-119. These addresses will be well known to anyone who has looked at the source of spyware recently. The addresses are registered to a hosting company based in the Ukraine, but traceroute suggests they are being used in the US (at least the immediate upstream is a major US ISP).

All the URLs seem to be referred from porn sites. It is not clear if these sites have been compromised to redirect suckers to the malicious web sites or if they are willing participants in this scam. All the active addresses were supplied to MS via ISC but MS failed to get them shut down. Hmmm....

It is misleading of MS to suggest that this requires user action when in fact all that is required is that the victim visit a malicious web site which may be hosting other 'legitimate' material.

Moral: don't use windows to view porn :)

Russell
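The triage Russell describes above (keep the first 100 bytes of each outbound port-80 session, pull out the URLs whose downloads tripped Snort, and look for destinations in 85.255.112-119), written out as an added example. This is not code from the original message, from Argus or from Snort: it assumes the Argus user-data capture has already been exported as (src, dst, first-bytes) records and the Snort alerts as (src, dst) pairs, and every record below is constructed for illustration. It also shows the two things the 100-byte limit does to you in practice: a Referer header is often cut off, and a request with no Host header can only be reported by destination address.

```python
"""Triage outbound port-80 session prefixes against a suspect address block.

Added example, not part of the original post. Assumptions: Argus kept the
first 100 bytes of each outbound port-80 session, Snort alerts are keyed by
(src, dst), and the sample records at the bottom are constructed.
"""
import ipaddress
import re
from collections import Counter

# "85.255.112-119" in the post is the CIDR block 85.255.112.0/21.
SUSPECT_NET = ipaddress.ip_network("85.255.112.0/21")
CAPTURE_BYTES = 100  # the argus user-data capture size used in the post

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r?\n")
HEADER_LINE = re.compile(rb"^(?P<name>[A-Za-z-]+):[ \t]*(?P<value>[^\r\n]*)", re.M)


def parse_request_prefix(data):
    """Recover method, path and whatever headers survive in a truncated prefix.

    Returns None if even the request line is incomplete. A header cut off by
    the capture limit is returned truncated, exactly as captured; nothing is
    guessed or completed.
    """
    m = REQUEST_LINE.match(data)
    if m is None:
        return None
    headers = {}
    for h in HEADER_LINE.finditer(data, m.end()):
        headers[h.group("name").lower()] = h.group("value")
    return {
        "method": m.group("method").decode(),
        "path": m.group("path").decode(errors="replace"),
        "host": headers.get(b"host", b"").decode(errors="replace"),
        "referer": headers.get(b"referer"),  # bytes, possibly truncated, or None
    }


def triage(sessions, alerts):
    """sessions: iterable of (src_ip, dst_ip, captured_bytes).
    alerts: set of (src_ip, dst_ip) pairs on which a Snort rule fired.
    Returns the sessions worth a look, each with the reason(s) it was picked.
    """
    findings = []
    for src, dst, data in sessions:
        prefix = data[:CAPTURE_BYTES]  # mimic the argus capture limit
        reasons = []
        if ipaddress.ip_address(dst) in SUSPECT_NET:
            reasons.append("dst in %s" % SUSPECT_NET)
        if (src, dst) in alerts:
            reasons.append("snort alert on download")
        if not reasons:
            continue
        req = parse_request_prefix(prefix) or {}
        # No Host header in the prefix: fall back to the destination address.
        url = "http://%s%s" % (req.get("host") or dst, req.get("path", "?"))
        findings.append({"src": src, "dst": dst, "url": url,
                         "referer": req.get("referer"), "reasons": reasons})
    return findings


def top_destinations(findings):
    """Destinations that keep recurring (the post's 'most persistent' addresses)."""
    return Counter(f["dst"] for f in findings).most_common()


# Constructed sample records (not real traffic); .example names are reserved.
SAMPLE_SESSIONS = [
    ("10.1.2.3", "85.255.115.20",
     b"GET /x/fun.wmf HTTP/1.1\r\nHost: 85.255.115.20\r\nUser-Agent: Mozilla/4.0\r\n"
     b"Referer: http://adult-site.example/gallery\r\n\r\n"),      # Referer gets cut off
    ("10.1.2.4", "192.0.2.10",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),  # benign, ignored
    ("10.1.2.5", "198.51.100.7",
     b"GET /img/banner HTTP/1.1\r\nHost: cdn.example.net\r\n"
     b"Referer: http://www.example.org/\r\n\r\n"),                 # picked by alert only
    ("10.1.2.3", "85.255.118.4", b"POST /track HTTP/1.0\r\n"),    # no Host header
    ("10.1.2.6", "85.255.120.1",
     b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),           # just outside the /21
    ("10.1.2.7", "85.255.115.20",
     b"GET /x/fun.wmf HTTP/1.1\r\nHost: 85.255.115.20\r\n"
     b"Referer: http://other-adult.example/\r\n\r\n"),
]
SAMPLE_ALERTS = {("10.1.2.5", "198.51.100.7")}

if __name__ == "__main__":
    found = triage(SAMPLE_SESSIONS, SAMPLE_ALERTS)
    for f in found:
        print(f["src"], "->", f["url"], "referer=", f["referer"], "|", "; ".join(f["reasons"]))
    print(top_destinations(found))
```

The /21 match is deliberately a separate reason from the Snort alert: a hit on the address block alone says where the traffic went, while an alert on a destination outside the block is how you find the next hosting range before it is "well known". The truncated Referer is kept as captured rather than padded out, so anything you report upstream is exactly what was on the wire.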
Current thread:
- Example of WMF Exploit SPAM Targetting Schools? Gary Flynn (Jan 05)
- <Possible follow-ups>
- Re: Example of WMF Exploit SPAM Targetting Schools? H. Morrow Long (Jan 05)
- Re: Example of WMF Exploit SPAM Targetting Schools? Gary Flynn (Jan 05)
- Re: Example of WMF Exploit SPAM Targetting Schools? Barbara Chung (DURTSCHI) (Jan 06)
- Re: Example of WMF Exploit SPAM Targetting Schools? Russell Fulton (Jan 09)
- Re: Example of WMF Exploit SPAM Targetting Schools? David Gillett (Jan 10)